One of the basic tenets I’ve been living with for a while is if it’s online, it’s public. I consider everything I write online to be available to the public, whether it’s something I blog about, something I write on a closed mailing list or something I put on a social networking site. Most people don’t realize how true that really is and that their data is only a couple of lines of code from being posted all over the Internet at the best of times. Half a million MySpace users found out this week exactly how true that is; the photos they considered private were recently placed online in a 17 Gb file.
One of the things I find mildly surprising is that creator of the file, DMaul, says he hasn’t found any photos that we’re “obviously illegal”. I guess that means the folks doing bad things on the Internet are smart enough not to place photographic proof on a social networking site. The good news is even if your pictures were amongst those downloaded, the sheer size of the file is enough to keep most people from downloading it. Someone might index the files and place them in an online database though, which would make things interesting again.
The average end user thinks their information is safe with their social media company, if they think about it at all. But this isn’t the case, whether due to a vulnerability similar to what MySpace suffered or a business model that makes your private information a commodity like Facebook’s Beacon. This is a lesson we’ll have to teach our friends and end users, along with others like “never accept links from a stranger” and “don’t open unknown files”.
Dan Goodin was at the Fortify documentary earlier this week and draws some of the same conclusions I do about the loss of JC Penney’s customer data. And more importantly, he actually knows the names of the players, something I’m terrible at remembering.
NotEnough commented on my earlier post that GE Money is offering a year’s credit monitoring for those affected, which he says is not long enough. He’s specifically talking about SSN’s, which don’t have a expiration date, can be set aside for a year or two and used to commit identity fraud when no one’s actively looking for that data set anymore. This is part of why statistical correlation between a specific breach and identity theft is so hard. I’d like to see if anyone has done an academic survey of the difference in level of identity theft in populations that have been victims of a breach and the general population, specifically over the long term.
It’s becoming more obvious to me that despite many companies best efforts, my data is going to be at risk at some point in my lifetime. That feels cynical, but as a security professional, I know it’s just realistic. There are too many places that my data is being stored, too many connections being made, too many possible points of failure in the systems. I’ve never been a big fan of paying a monthly fee to make sure my credit is safe, but given that my information may already be a commodity somewhere in cyberspace (or Russia), a small inconvenience and a few dollars a month might not be a bad price to pay for peace of mind. Corporate America obviously can’t keep my data and credit safe, so it’s up to me to take steps of my own.
Rich Mogull recently switched to Debix and I’ll get him to talk about why and what they offer on the next podcast. At this point, I’m not even sure what the proper questions are to ask when choosing a credit protection service, but I’m sure Rich’ll help me understand. I already know I’m not going to choose LifeLock, but I am interested in knowing what other solutions are out there. I want something I can live with long term, especially since the problem isn’t going to go away any time soon.
Technorati Tags: security, McKeay, JC Penney, identity theft
I’d say this looks like another case of a box falling of the back of a truck somewhere: Iron Mountain has lost a backup tape belonging to GE Money with approximately 650,000 JC Penney customer records on it, and 150,000 of those records include customer social security numbers. There’s the usual patter about requiring specialized equipment to read the tape, but I’d feel more secure if they said it was encrypted. We all know that a tape backup drive isn’t that hard to get, especially if you’re targeting a specific merchant and have any sort of intelligence on them. We’re being told the number of JC Penney records that have been lost and that as many as 100 merchants could have been affected, so what is the total number of records on the tape? It could add up to be quite a number when all is said and done.
A representative from JC Penney was interviewed for the Fortify documentary last night, and this is one of the dangers of the information age he didn’t bring up. Not only do you have to worry about all of the bad guys attacking you directly, you have to worry about your partners, how they’re protecting your data and how their partners are protecting your data. I’m willing to think this is simply a case of human error and the tape in question fell under a floor panel or something, but it isn’t far outside the realm of possibility that someone took the tape purposefuly. In a lot of companies, it’d only take a conspiracy of two or three to get the tape, a drive for it and the encryption keys to unlock everything.
I agree that JC Penney isn’t responsible for the incident, but I get tired of reading the “We have no reason to believe …” statement. They also have no reason to believe it isn’t being used; there’s no reliable way to correlate a data breach of this sort and the repercussions. Even most of the people that have been caught in the TJ Maxx case have been the flunkies who were doing the in-person fraud using compromised data. If someone knows of a statistically significant way the credit card companies can track the affects of this breach, I’d like to hear about it.
We’d never have heard about this before California’s SB1386 and the other state laws that have followed. And in all likelihood, this probably is just a case of a lost tape, with no nefarious intent involved. We’re at a stage of the game where I’d rather hear about a couple of false alarms than miss one real event.
Technorati Tags: security, McKeay, Iron Mountain, backup, tape