BreachExchange mailing list archives
Re: At Least 20 Big-Name Passports Breached
From: "Casey, Troy # Atlanta" <Troy.Casey () McKesson com>
Date: Fri, 28 Mar 2008 11:58:49 -0400
Someone is over-selling the accuracy of biometrics. Thanks, I've seen the false-positive and false-negative rates for fingerprint scanners, and I'm not buying. I'll stick with my 14-character password.

And not only are biometrics far less accurate than the vendors advertise, they are prohibitively expensive for the types of large enterprises that house a lot of the subject data.

Further, I will contend that if companies that don't monitor their audit logs today add biometrics, no meaningful improvement to security is achieved. If companies that don't bother to lock down data access to only those with a true "need to know" adopt biometrics, they only achieve the illusion of security.

Real security requires that companies make the investment of time and effort to first lock down access to only those with a need to know, then maintain those access controls ongoing AND invest in personnel and technologies to review application audit logs - assuming they wrote their applications to audit access - then PROSECUTE violators of the access policy whenever they are found. How many of you are working at companies that are willing to erode their profits by making such investments?

No technology is a panacea, and in the absence of these measures all that new technology will achieve is the illusion of security -- which is far more dangerous than a clear understanding of where security is lacking. As long as we as a society both accept the proliferation of our data as somehow not constituting a privacy violation, and kid ourselves that some silver bullet is going to solve the security problem, identity theft will never be solved.

Yeesh,
Troy

Troy D. Casey

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Jim Kerr
Sent: Friday, March 28, 2008 11:14 AM
To: 'Allan Friedman'
Cc: dataloss () attrition org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

The fact of true accountability would address this issue. If a person needs to swipe a finger to gain access to information then that person knows there is a proof-positive audit trail of that event (unlike a password that could be socially engineered or taken from under the keyboard). This would deter users from this activity knowing that their credentials could not be assumed by another. This is probably how it is happening so frequently. Just assume someone else's identity and have at it.

a) There would be no reorganizing infrastructure since the technology available is non-invasive to provide the credentialing.
b) Again, biometric technology gives you the ability to use 25-character passwords that don't need to be remembered (or typed in) and the print is converted into a proprietary algorithm that is encrypted in an AES 256 cipher.
c) This could be done and again the accountability factor will dramatically reduce attempts.

-----Original Message-----
From: allan.friedman () gmail com [mailto:allan.friedman () gmail com] On Behalf Of Allan Friedman
Sent: Friday, March 28, 2008 10:50 AM
To: james.kerr () ceelox com
Cc: mhozven () tealeaf com; dataloss () attrition org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

On Fri, Mar 28, 2008 at 10:38 AM, <james.kerr () ceelox com> wrote:
> We have had tremendous success in protecting identities within the banking industry by use of biometric technology. The customer can pass credentials with more safety than pin numbers and pictures of ducks.

I'd love to learn more about this, particularly how it scales across bureaucracies, particularly if the customer isn't present. I'm not thinking about public databases but large private ones that have many people with many different functions doing different things (e.g. medical records). I'm guessing that to prevent the above-mentioned passport file snooping from happening to someone not on a pre-specified watch list you would need to a) reorganize the data architecture of the entire system b) overlay a pretty strong identity layer c) introduce secure credentialing that allows a yes/no query without leaking more info d) probably some chunk of all of the above. As long as access to databases is fairly unsupervised inside the organization, you're going to see identity theft.

allan

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml