funsec mailing list archives
RE: Oops
From: "Larry Seltzer" <Larry () larryseltzer com>
Date: Wed, 21 Nov 2007 14:55:35 -0500
surely even a junior clerk would know that you don't send 25 million
people-details to another department, without the right authorities? But a senior official wouldn't? This is the British version of Dilbert, right? "Password-protected" could mean a lot of things not necessarily entailing encryption, or at least not meaningful encryption. It could be a password-protected Excel file, which is trivially-broken, at least until more recent versions. Some Office password protection schemes are only breakable through brute force and a long and complex enough key could make that hard. Or it could be a ZIP file with the default password protection, which takes about 5 microseconds to break. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine larry.seltzer () ziffdavisenterprise com -----Original Message----- From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Drsolly Sent: Wednesday, November 21, 2007 2:38 PM To: Nick FitzGerald Cc: funsec () linuxbox org Subject: Re: [funsec] Oops I read in the newspaper that it wasn't encrytped. I don't really understand what "password protected" means if it isn't encrypted. And apparently, according to the Opposition, this was all sanctioned at a pretty senior level. Which sounds plausible to me - surely even a junior clerk would know that you don't send 25 million people-details to another department, without the right authorities? On Thu, 22 Nov 2007, Nick FitzGerald wrote:
Drsolly wrote:The Inland revenue have lost CDs containing the names, addresses, National Insurance Number and bank details, for about half the population of the country. http://news.bbc.co.uk/1/hi/uk_politics/7104840.stmBut note -- "password-protected" CDs. OK, so some junior-ish clerks broke protocol and didn't use receipt- required courier tracking (and maybe didn't use a suitably secure courier service?), BUT the big issue is how strong is the "password protected" bit of this? Unlike so many other recent data loss incidents, it seems that at least the data is encrypted which means (if this bit was done properly
_AND_ the proper procedure was well-designed) that there is actually no _data_ loss. "Noise loss" maybe, but no meaningful data loss. The authorities though don't seem to be stressing this so maybe the "password protection" bit of this is known to be not very effective? Regards, Nick FitzGerald _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Oops Drsolly (Nov 20)
- RE: Oops David Harley (Nov 23)