funsec mailing list archives

RE: Oops


From: "Larry Seltzer" <Larry () larryseltzer com>
Date: Wed, 21 Nov 2007 14:55:35 -0500

> surely even a junior clerk would know that you don't send 25 million
> people-details to another department, without the right authorities?

But a senior official wouldn't? This is the British version of Dilbert,
right?

"Password-protected" could mean a lot of things not necessarily
entailing encryption, or at least not meaningful encryption. It could be
a password-protected Excel file, which is trivially broken, at least
until more recent versions. Some Office password protection schemes are
only breakable through brute force and a long and complex enough key
could make that hard.

Or it could be a ZIP file with the default password protection, which
takes about 5 microseconds to break.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com
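Which of those schemes a given ZIP actually uses is recorded in its headers, so the "how strong is the password protection" question can be answered without the password. The following is an added example (editor's code, not Larry's and not from anything mentioned in the thread): a stdlib-only Python check that reads an archive's central directory and labels each entry as unprotected, legacy PKWARE ZipCrypto, PKWARE strong encryption, or WinZip-style AES. The archive it inspects is constructed in memory with plaintext payloads and made-up file names, because only the header fields matter for the classification.

```python
# Added example, not code from the thread or from any product it mentions.
# "Password-protected ZIP" can mean the legacy PKWARE ZipCrypto stream
# cipher (general-purpose flag bit 0 set, ordinary compression method),
# which is broken by known-plaintext attacks regardless of the password,
# or WinZip-style AES (compression method 99 plus a 0x9901 extra field),
# where the password's strength is all that matters. The check below reads
# only the ZIP headers, so it also works on archives Python cannot decrypt.
import io
import struct
import zipfile
import zlib

AES_METHOD = 99          # compression method WinZip uses to mark AES entries
AES_EXTRA_ID = 0x9901    # extra-field ID of the WinZip AES record
FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry is encrypted
FLAG_STRONG = 0x0040     # flag bit 6: PKWARE "strong encryption" (SecureZIP)
AES_BITS = {1: 128, 2: 192, 3: 256}  # key-strength byte in the AES record


def classify_entry(info):
    """Return 'plain', 'zipcrypto', 'pkware-strong' or 'aes-<bits>'."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "plain"
    if info.flag_bits & FLAG_STRONG:
        return "pkware-strong"
    if info.compress_type != AES_METHOD:
        return "zipcrypto"   # the weak default scheme Larry refers to
    # WinZip AES extra field body: vendor version (2), vendor "AE" (2),
    # key-strength byte, real compression method (2)
    extra = info.extra
    while len(extra) >= 4:
        field_id, length = struct.unpack("<HH", extra[:4])
        if field_id == AES_EXTRA_ID and length >= 7:
            return "aes-%d" % AES_BITS.get(extra[8], 0)
        extra = extra[4 + length:]
    return "aes-unknown"


def classify_archive(data):
    """Map each entry name to its protection class, reading headers only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}


def build_zip(entries):
    """Construct a minimal archive from (name, flags, method, extra) tuples.

    Test fixture only (constructed data): the payload stays plaintext,
    because the classification depends on the headers, not on the bytes
    that follow them.
    """
    payload = b"constructed dummy payload"
    crc = zlib.crc32(payload)
    local_parts, central_parts, offset = [], [], 0
    for name, flags, method, extra in entries:
        n = name.encode("ascii")
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                            0, 0, crc, len(payload), len(payload),
                            len(n), len(extra)) + n + extra + payload
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                              flags, method, 0, 0, crc, len(payload),
                              len(payload), len(n), len(extra),
                              0, 0, 0, 0, offset) + n + extra
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    cd = b"".join(central_parts)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(cd), offset, 0)
    return b"".join(local_parts) + cd + eocd


def demo():
    """Three constructed entries: unprotected, ZipCrypto, WinZip AES-256."""
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    archive = build_zip([
        ("readme.txt", 0, 0, b""),
        ("records.csv", FLAG_ENCRYPTED, 8, b""),
        ("records-aes.csv", FLAG_ENCRYPTED, AES_METHOD, aes_extra),
    ])
    return classify_archive(archive)


if __name__ == "__main__":
    for name, kind in demo().items():
        print("%-18s %s" % (name, kind))
```

Run against a real file with classify_archive(open(path, "rb").read()). An entry labelled "zipcrypto" is recoverable from a few bytes of known plaintext however long the password is; an "aes-256" label only tells you the ciphertext is sound, so the remaining question is whether the password would survive an offline guessing attack.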


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Drsolly
Sent: Wednesday, November 21, 2007 2:38 PM
To: Nick FitzGerald
Cc: funsec () linuxbox org
Subject: Re: [funsec] Oops

I read in the newspaper that it wasn't encrypted. I don't really
understand what "password protected" means if it isn't encrypted.

And apparently, according to the Opposition, this was all sanctioned at
a pretty senior level. Which sounds plausible to me - surely even a
junior clerk would know that you don't send 25 million people-details to
another department, without the right authorities?

On Thu, 22 Nov 2007, Nick FitzGerald wrote:

Drsolly wrote:

The Inland Revenue have lost CDs containing the names, addresses,
National Insurance Number and bank details, for about half the
population of the country.

http://news.bbc.co.uk/1/hi/uk_politics/7104840.stm

But note -- "password-protected" CDs.

OK, so some junior-ish clerks broke protocol and didn't use
receipt-required courier tracking (and maybe didn't use a suitably secure
courier service?), BUT the big issue is how strong is the "password
protected" bit of this?

Unlike so many other recent data loss incidents, it seems that at
least the data is encrypted which means (if this bit was done properly
_AND_ the proper procedure was well-designed) that there is actually
no _data_ loss.  "Noise loss" maybe, but no meaningful data loss.

The authorities though don't seem to be stressing this so maybe the 
"password protection" bit of this is known to be not very effective?


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
