Last week, the University of California, Los Angeles began reaching out to former students, faculty members, and employees. They weren't sending Xmas cards, unfortunately, but were notifying these individuals that their privacy was compromised when hackers penetrated a university database through several undetected security holes.
According to a statement on a ucla.edu domain Web site, the records of more than 800,000 individuals were exposed, and the university has now determined that the hackers had been accessing the database for more than a year.
Names, Social Security numbers (SSNs), telephone numbers, and addresses were contained in the database. At present, the university does not know if this data is being inappropriately used for identity theft. However, because the databases in question contained SSNs, the FBI has been enlisted to investigate.
California state law requires any institution to notify victims in the event of such a breach, and UCLA began notifying individuals last week on December 12.
A String of High-Profile Security Breaches
A similar FBI investigation at Ohio University, after a breach was discovered last spring, uncovered four more exposed databases at that institution. The result of an administrative review caused the controversial firing of two IT personnel and the resignation of the CIO. (See "A Disgrace of Network Security.") Doubtless, the circumstances of the UCLA breach will cause the university to perform a similar systemwide review of security.
Our Most Important Responsibility
The UCLA statement from Jim Davis, UCLA's CIO, said in part, "Ensuring data security is one of the most important responsibilities we have to the campus community, and in recent years we have significantly strengthened our information security practices in response to increasing attacks. In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications."
As in the Ohio breach, UCLA IT network administrators began the investigating when they noticed an increased amount of network traffic on the restricted database.
But why did it take a year to discover the breach?
Priorities and IT Trust in Security Technologies
According to many IT analysts, some IT administrators have the perception that auditing database activity generates huge amounts of data, slows performance, and is generally a waste of resources. These administrators implicitly trust firewalls, security schemes, and the underlying programming technology to protect data assets. As a consequence, some IT database administrators actually turn off or tune down automated database security monitors. In the process, they can miss other potential security violations.
In addition, some computing operating systems and networks don't have consistent security policy mechanisms to alert administrators to exposures or breaches. "Best practices" for securing information are often highly technical and hardware/software vendor-specific. Coordinating such mechanisms—especially in a highly heterogeneous computing environment like a university setting—requires tremendous skill, attention to detail, and cross-platform standards that are often missing.
Finally, security holes in application software itself may go undetected, and these holes can open up a security exposure that is difficult to detect until hackers exploit it.
How the Breach Occurred
For instance, in the UCLA case, access to the restricted database was gained by a computer trespasser using a software program designed to exploit an undetected software flaw, according to UCLA officials. At this time, neither the author nor the manufacturer of that software has been identified.
Given the frequency at which high-profile data breaches are appearing in the news, it seems likely that this epidemic is just beginning. Yet the U.S. Congress has yet to respond with legislation defining the liability of institutions or companies that have had their stores of information breached.
Trends and Conflicting Analysis of ID Theft
The most recent Government Accounting Office report on identity theft, entitled "Identity Theft: Prevalence and Cost Appear to be Growing," was issued four years ago, and not much has been accomplished since then by our congressional representatives.
By way of down-playing the seriousness of the threat, some industry analysts use statistics of actual reported identity theft. According to their analyses, there were only 538,700 cases of true identity theft reported to the Department of Justice in the second half of 2004, and the Federal Trade Commission received only about 250,000 identity-theft complaints in 2005. So in their view, the problem is limited and actually declining.
Yet, in truth, the threat of large-scale database security breaches is cumulative to the viability of an entire spectrum of personal and corporate enterprises. Credit ratings, access to public and private services, and a host of other social mechanisms are predicated on a basic principle that individuals can document who they are. And the misappropriation of identity documentation may not be discovered for years to come.
Mandates That Miss the Mark
In the U.S., we have a schizophrenic attitude about the documentation of our individual identities, which has sent Congress in seemingly conflicting directions in the use of ID documentation.
For instance, Congress mandates employers to verify that every employee is a U.S. citizen with a Social Security number or has a Green Card.
Yet, on the same day that the UCLA press release about the security breach was released, U.S. Immigration and Customs Enforcement (ICE) officials rounded up more than 1,000 individuals in a raid of six facilities owned by the meat packing company Swift & Company.
Purportedly, these individuals are accused of identity theft, yet how can the ICE determine if these individuals are legal or illegal if the basis of everyone's identity documentation is open to question?
Certainly, Swift & Company cannot be held liable if the workers stole the Social Security numbers that they used for obtaining employment. But by the same token, an individual who is legally documented—but who is falsely accused of being illegal—faces an uphill battle if, in fact, his own identity was stolen. If so, then who is the real victim in that circumstance, and what recourse does that individual have?
In other words, if our databases containing ID documentation are regularly harvested and misappropriated, how can any institution verify that the people who are employees are actually the individuals whom they employ?
High-Profile Identity Thefts
This raises the question of the importance of an individual's virtual identity: How important is it if someone "borrows" your persona or mistakes you for someone else? In the world of prolific databases of identities, who cares if the information is correct, incomplete, or misappropriated? A quick look at some high-priority cases offers some clues:
- In September, Senate Minority Leader Harry Reid of Nevada discovered that his personal credit card number had been stolen and that $2,000 had been charged at a D.C. Wal-Mart. The FBI then investigated members of his staff and discovered that one individual was herself, in fact, "undocumented" but innocent of the crime. This raises questions of the validity of security clearances at the highest levels of government.
- In August of 2004, Senator Edward Kennedy—a highly respected and long-time member of the Washington community—was detained and refused transit at an airport in D.C. because his identity showed up on a Department of Homeland Security watch list. Clearly, this most important security database was in error.
- In 2004, a German national named Khaled el-Masri was allegedly kidnapped by the CIA in the U.S. after 9/11 and transported to Afghanistan, where he was allegedly held for four months before he was dumped in the woods of another country. This too was, according to the victim, a case of "stupid mistaken identity." He is currently attempting to sue the CIA for this error. But the CIA will neither acknowledge nor deny that this individual even exists.
So, virtual identity obviously matters, if only to enable you to successfully negotiate the physical world.
Implications for Virtual Identity
The unfortunate implications of these incidents represent more than a few simple mistakes that resulted in unfortunate consequences. They signify that something is seriously wrong with the manner by which we treat the information documenting individual identity.
What do I mean?
When Technology Fails
The technology of databases—the technologies that enable us to collect and store raw data—does not differentiate between one person's Social Security number, one person's credit card information, or one person's place of birth. It's all just "data"—raw material for the mechanisms of queries and calculations.
As IT technicians, it is possible to encrypt the raw data for security reasons, but generally speaking, this is not a standard practice that we use within our databases.
Who Is Responsible?
Instead, we generally rely upon a variety of other technologies to protect the databases themselves. These mechanisms may include firewalls, user IDs and passwords, and protocols like SSL. If those mechanisms fail as a result of malfunction, bugs, security breaches, or other malfeasance, the data itself—containing the identity information—is usually freely accessible.
Lack of Standards
Furthermore, there are no legal standards by which we can judge if we, as IT technicians, have adequately safeguarded the critical identity information in our care. On the contrary, responsibility is usually designated to the individual who, in most cases, is the source of such information. If something is amiss with your credit rating, you are personally obligated to discover this error and fix it.
Rebooting ID
Moreover, if an identity is compromised—through theft, misappropriation, or mistake—there is no universal way to "reset" the record to correct problems within agencies or institutions. Instead, the individual must step through a hit-and-miss set of processes to correct the errors, and these errors may not be discovered until years after the mistake has happened. If that individual fails—as in the case of Khaled el-Masri—there is no recourse.
Virtual Identity: A Broken Paradigm
What is needed, in the minds of many analysts, lawyers, and law-enforcement agencies, is a new paradigm for addressing the needs of identity security, and this new paradigm requires the recognition that we now exist in a virtual realm as well as a physical realm.
But the government and financial institutions are reluctant to change the manner by which they recognize us. Credit card companies send millions of unsolicited credit cards out to hundreds of thousands of individuals—to unverified addresses—based on identity databases that are themselves unverified and insecure.
As noted above, the government requires verification that an employee has a Social Security number to collect Social Security wages but does not verify that the person sending in the taxes is, in fact, the person to whom the number has been assigned.
Who Will Be Blamed?
There is little doubt that the IT professionals who discovered the security breach at UCLA will probably be the individuals who are blamed for the problem. This was the result in the Ohio University breach, and it's likely to be the case at UCLA.
Yet, had the State of California not passed a law requiring notification of the breach, it's doubtful that anyone would even know. Not the FBI! Not the UCLA administration! Not the newspapers! Not even the victims of the theft!
No one, of course, except the individuals, organizations, and/or cartels that stole the information itself. And it's doubtful that they will ever be caught anyway.
Thomas M. Stockwell is Editor in Chief of MC Press Online.
More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online