BMEWS

Tuesday - August 23, 2005

Another Security Breach

Every time I read a story about another security breach and the theft of personal information on people I want to strangle someone. As an Oracle database administrator (DBA) in my “day job”, I am personally responsible for maintaining these vast databases of information, keeping them running smoothly and making sure they’re accessible and contain valid data.

A large part of my work is spent on security. There are a myriad of tools available to a DBA to monitor access as well as restrict that same access to only those who have a “need to know”. Over the last few decades, I have done a considerable amount of contract work for the Department Of Defense and a large part of that work involved setting up security fences around critical data.

The one major problem I usually encounter is some applications development group or member of management who whines and cries because they (1) don’t feel like changing their password every ninety days, (2) don’t like having to use a password that is at least eight characters and contains at least one alpha, one numeric and one special character, or (3) don’t understand why writing their password on a piece of paper and taping it to the bottom of their keyboard is a bad idea.

Yes, the biggest problem a DBA faces, where security is concerned, is STOOPID USERS. It’s not the script-kiddy out there surfing the internet or the hacker in Bulgaria that gives me the most grief. It’s the idjits within my own organization who cause me the most headaches. That applies to any organization out there, not just to me and my IT shop. That is why I am dead set against a national ID card or national database of personal and private information on all citizens. As long as people remain stupid any database can be broken into. We don’t need a better database or a better security scheme. We need a better human.

Today’s ridiculous security breach comes to us courtesy of the US Air Force and involves the stolen personnel records of about half of the officer corps...

Hacker Steals Air Force Officers’ Personal Information

(WASHINGTON POST)—Social Security numbers, birth dates and other private data on roughly 33,000 Air Force officers—about half the branch’s officer corps—were stolen from a military computer database, the service informed its personnel late last week. Officials of the Air Force Personnel Center, based at Randolph Air Force Base in San Antonio, said the intrusion occurred sometime in May or June, apparently by someone who used a legitimate user’s log-in information to gain access to the system.

The exposed data did not include financial records, but contained such personal information as marital status, number of children and academic records. No incidents of identity fraud have been tied to the theft, the military said, but officers were warned that Social Security numbers could be used to get other private data. Affected Air Force personnel were advised to monitor their credit reports closely.

The theft is the latest in a spate of data breaches over the past two years involving government agencies, universities, commercial firms and data brokers, resulting in the exposure of tens of millions of consumers to potential fraud. The Air Force information was contained in an online system designed to help officers manage their assignments and careers. The Air Force detected the breach after “we determined that there was one individual who was reviewing a lot of these records . . . it was very uncharacteristic,” Maj. Gen. Anthony F. Przybyslawski said in an interview.

The incident is being investigated by both military and civilian law-enforcement agencies. “We are conducting a wall-to-wall review of our personnel-related data systems to maximize the security of the systems,” Przybyslawski wrote in a letter on Friday to Air Force personnel. He wrote that the career-management system was shut down when the intrusion was discovered, but that personnel were not immediately notified pending an initial investigation.

The system was restored with enhanced security, the letter said, adding that “identity theft and other fraudulent uses of our resources steal from our operational budgets.” John E. Pike, director of GlobalSecurity.org, said the breach is part of a persistent problem with cyber-security that the Pentagon has been unable to overcome. While Pike said the military has a strong record of protecting classified information related to its mission, it has had less success guarding sensitive data about its people. “They have historically done much better at protecting operational systems than at protecting administrative systems,” Pike said.

The problem, he said, is that the Pentagon doesn’t make security for those systems a top priority. “Robust security can be expensive, and it can be annoying to implement,” he said.
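The detection the Air Force official describes (one account reviewing an uncharacteristic number of records) as an added illustration that is not part of the original post or the Post article: per-account daily counts of distinct records read, compared against that account's own median on earlier days, so that a legitimate credential used for bulk harvesting stands out even though every individual read is authorized. The audit-line format, the account names and the record counts are all constructed for this example.

```python
from collections import defaultdict
from statistics import median

# Constructed audit trail (hypothetical "date account record_id" format).
# Four quiet days for two accounts, then one account pulls 40 distinct records.
AUDIT_LINES = [
    "2005-05-01 jdoe REC-0001", "2005-05-01 jdoe REC-0002",
    "2005-05-01 asmith REC-0003",
    "2005-05-02 jdoe REC-0004", "2005-05-02 asmith REC-0003",
    "2005-05-03 jdoe REC-0005", "2005-05-03 jdoe REC-0006",
    "2005-05-03 asmith REC-0007",
    "2005-05-04 jdoe REC-0010", "2005-05-04 asmith REC-0011",
    "2005-05-05 jdoe REC-0012", "2005-05-05 jdoe REC-0001",
] + [f"2005-05-05 asmith REC-{n:04d}" for n in range(100, 140)]


def distinct_reads_per_day(lines):
    """Map (account, date) -> set of distinct record ids read that day.
    Re-reading the same record is not counted again; harvesting means breadth."""
    reads = defaultdict(set)
    for line in lines:
        date, account, record_id = line.split()
        reads[(account, date)].add(record_id)
    return reads


def flag_anomalies(lines, ratio=5.0, floor=10, min_history=3):
    """Return (account, date, count, baseline) for days on which an account
    read far more distinct records than its own median on earlier days.
    `floor` keeps tiny baselines (one lookup a day) from flagging normal use;
    `min_history` waits until the account has enough days to compare against."""
    reads = distinct_reads_per_day(lines)
    per_account = defaultdict(list)
    for (account, date), ids in reads.items():
        per_account[account].append((date, len(ids)))
    flagged = []
    for account, days in per_account.items():
        days.sort()                       # ISO dates sort chronologically
        history = []
        for date, count in days:
            if len(history) >= min_history:
                baseline = float(median(history))
                if count >= floor and count > ratio * baseline:
                    flagged.append((account, date, count, baseline))
            history.append(count)        # today becomes part of tomorrow's baseline
    return flagged


if __name__ == "__main__":
    for account, date, count, baseline in flag_anomalies(AUDIT_LINES):
        print(f"{date}: {account} read {count} records (baseline {baseline:.1f}/day)")
```

Only asmith's 2005-05-05 activity is reported; jdoe's two reads that day sit inside that account's normal range.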

I beg to disagree with Mr. Pike. “Robust security” is not expensive. Unless you factor in the medical costs associated with beating the stupid users over the head with a ClueBat and forcing them to follow rules and regulations. This was no “hacker” as the WAPO claims. I’ve seen this same scenario too many times in my own shops over the years. Even in the DoD. My best guess is some civilian contractor at Randolph AFB got a full-access password from some idjit in the IT department and decided to “harvest” information for nefarious purposes, most likely a grudge against a particular officer. I would recommend they watch and see whose personal information is actually used for identity theft and then ask those officers who they’ve pissed off lately. Then lock the damn system down!


Skipper’s First Law Of Security: The only 100% secure database is one that is stored on a single computer which is then unplugged from everything, locked in a safe, sealed in concrete and dropped in the deepest part of the ocean with explosives set to go off in the event of tampering by a submarine that is built one day to go that deep.



Posted by The Skipper, United States, on 08/23/2005 at 05:07 AM
Filed Under: Military
