
February 27, 2005

How are we identified?

I wrote a post on three security incidents and want to elaborate a little on the differences between the three.

First, the ChoicePoint scandal wasn't a technical hack; it was a disclosure of personal information as a result of business policy. ChoicePoint sells personal information as its core business. This became an issue once the public learned that a lot of identity thieves were legitimate clients of ChoicePoint and hundreds of people were suffering the effects of identity theft.

Second, the Bank of America issue was probably not a technical hack either, but it reflects a failure of security architecture or processes. IT security best practices promote off-site storage of data for the sake of disaster recovery, but if the data is sensitive, care must be taken to protect it. This can be done by strongly encrypting the data or by securely handling the media (such as having guards transport it). Classifying and handling data is no small challenge, and many companies consider just getting working backups to be a victory. The data could be encrypted as it is stored, such as by using database encryption before it is backed up, or it could be encrypted as it is written to tape. Obviously you need to consider how strong the encryption is in order to be safe if someone else gets the tape. I doubt that hackers somehow engineered the loss of the tapes; they are probably sitting in the same elephant's graveyard of lost luggage.

The third case is T-Mobile being hacked. It seems that Nicolas Jacobsen figured out how to hack the publicly exposed web application to give him access to customers' account information (such as Social Security numbers) as well as account access such as voice mail for almost a year now. This is a technical design failure. The web application wasn't configured properly or there is/was a flaw in the software or its logic.

Each company is now under scrutiny for very different reasons, and each case has a very different set of 'solutions' to prevent a recurrence. What they hold in common is that they all ended up exposing the same type of information, which is considered damaging to customers and the victims. The real outrage should be that any of this information is capable of causing us damage... after all, much of this information is symbolic for accounts that government or businesses need in order to interface with us. This situation is not unlike the case when a credit card company mails you an offer for their product, but the mail is stolen and you become responsible for the product you never received. We need to push to decouple these symbols from being close to synonymous with our real identity. I have offered Adam Shostack some comments on how we might use our DNA for this.


Comments

I am enjoying your weblog. It is refreshing to read what you're sharing and references and resources. I have great concerns over the barcoding on driver's licenses, hacking & identity theft. I am looking forward to reading your blogs and would like to link to you on my blog. Let me know the options.
Thanks,
Cynthia
