BreachExchange mailing list archives

Re: time to name names (was Re: MORE BNY (Mellon Corp) Tapeslost)


From: "DAIL, WILLARD A" <ADAIL () sunocoinc com>
Date: Mon, 9 Jun 2008 07:56:53 -0400


Liability... if only I could get it through heads that you transfer risk, not liability...

That said, liability occurs at the entity level.  Most breaches originate internally, and are therefore the result of 
someone violating company policy and the law.  They're not particularly focused on liability, but someone's lawyer most 
assuredly will.


I should add to V's point as well that social engineering does not always require a bribe.  I've heard anecdotal 
stories from law enforcement officers of point-of-sale equipment being compromised by someone who approached the store 
clerk and offered them $50 to walk outside and have a smoke, or she could stay inside and get a bullet in the 
forehead.  An employee who cannot be bribed may still be coerced through violence or threats against their families.  
Some of these criminals are very organized and often have larger "operating budgets" than their target organizations.


________________________________

From: Patricia Herberger [mailto:patricia57 () adelphia net]
Sent: Sun 6/8/2008 11:54 PM
To: 'V.'; DAIL, WILLARD A; 'security curmudgeon'; dataloss () attrition org
Subject: RE: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapeslost)



What about the "Liability Follows the Data" section of the FACTA Red Flags
Rule?  According to that Rule, both the courier and the company that gave
their data to the courier would be at fault.

Patricia L. Herberger
Certified Identity Theft Risk Management Specialist

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org]
On Behalf Of V.
Sent: Saturday, June 07, 2008 8:45 PM
To: DAIL, WILLARD A; security curmudgeon; dataloss () attrition org
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapeslost)

At 07:30 PM 6/6/2008 -0400, DAIL, WILLARD A wrote:
Aside from the privacy issue, couriered tapes are also a concern
due to the "Crash Restart" method of system attack.
Basically, a hacker colludes with your courier to drop off your
tapes in the morning.  The courier then picks up the altered tapes
that afternoon.  A couple of really nasty things happened to your
tapes that day.
<snip>

In addition to the scenario outlined in Mr. Dail's post, imagine your
tapes (or laptops) make an unauthorized stop just to be copied.  Not
so far fetched, and in many cases this type of loss would remain an
unknown occurrence.  All it requires is a payoff to someone -- the
courier, or the custodian of the data.

Almost everyone has a price; if bribed with enough money, many people
will find they can't resist.  Most identity loss is probably due to
negligence and/or apathy, but collusion is a possibility which must
be considered and investigated in many cases.  If a courier is
offered a large amount of cash to wait just a very few minutes while
someone copies a hard disk, how many couriers could say no?  While
this scenario is hard to imagine in the case of a small business,
tapes or backups belonging to big, influential entities are certainly
at risk for this type of criminal behavior.

(BTW, many people assume a laptop running Windoze is secure by virtue
of having a boot password, but these can be bypassed by booting with
a Linux CD.  Remove the CD, shut down the laptop, return to courier.)

$0.02,
V.
--
   ___________________________________
  /__________________________________ \
  \  _______________________________/\ \
   \ \ \                            \ \ \
    \ \ \(c)2008 veedot () earthlink net\ \ \
     \ \ \____________________________\_\ \
      \ \/_________________________________\
       \___________________________________/
"Doubt is not a pleasant condition, but certainty is absurd."
                                  - Voltaire


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml