12
Sat, Oct
6 New Articles

Identity Theft: The Collapsing Universe of Virtual Identity

Analysis of News Events
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Last week, the University of California, Los Angeles began reaching out to former students, faculty members, and employees. They weren't sending Xmas cards, unfortunately, but were notifying these individuals that their privacy was compromised when hackers penetrated a university database through several undetected security holes.

According to a statement on a ucla.edu domain Web site, the records of more than 800,000 individuals were exposed, and the university has now determined that the hackers had been accessing the database for more than a year.

Names, Social Security numbers (SSNs), telephone numbers, and addresses were contained in the database. At present, the university does not know if this data is being inappropriately used for identity theft. However, because the databases in question contained SSNs, the FBI has been enlisted to investigate.

California state law requires any institution to notify victims in the event of such a breach, and UCLA began notifying individuals last week on December 12.

A String of High-Profile Security Breaches

A similar FBI investigation at Ohio University, after a breach was discovered last spring, uncovered four more exposed databases at that institution. The result of an administrative review caused the controversial firing of two IT personnel and the resignation of the CIO. (See "A Disgrace of Network Security.") Doubtless, the circumstances of the UCLA breach will cause the university to perform a similar systemwide review of security.

Our Most Important Responsibility

The UCLA statement from Jim Davis, UCLA's CIO, said in part, "Ensuring data security is one of the most important responsibilities we have to the campus community, and in recent years we have significantly strengthened our information security practices in response to increasing attacks. In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications."

As in the Ohio breach, UCLA IT network administrators began the investigating when they noticed an increased amount of network traffic on the restricted database.

But why did it take a year to discover the breach?

Priorities and IT Trust in Security Technologies

According to many IT analysts, some IT administrators have the perception that auditing database activity generates huge amounts of data, slows performance, and is generally a waste of resources. These administrators implicitly trust firewalls, security schemes, and the underlying programming technology to protect data assets. As a consequence, some IT database administrators actually turn off or tune down automated database security monitors. In the process, they can miss other potential security violations.

In addition, some computing operating systems and networks don't have consistent security policy mechanisms to alert administrators to exposures or breaches. "Best practices" for securing information are often highly technical and hardware/software vendor-specific. Coordinating such mechanisms—especially in a highly heterogeneous computing environment like a university setting—requires tremendous skill, attention to detail, and cross-platform standards that are often missing.

Finally, security holes in application software itself may go undetected, and these holes can open up a security exposure that is difficult to detect until hackers exploit it.

How the Breach Occurred

For instance, in the UCLA case, access to the restricted database was gained by a computer trespasser using a software program designed to exploit an undetected software flaw, according to UCLA officials. At this time, neither the author nor the manufacturer of that software has been identified.

Given the frequency at which high-profile data breaches are appearing in the news, it seems likely that this epidemic is just beginning. Yet the U.S. Congress has yet to respond with legislation defining the liability of institutions or companies that have had their stores of information breached.

Trends and Conflicting Analysis of ID Theft

The most recent Government Accounting Office report on identity theft, entitled "Identity Theft: Prevalence and Cost Appear to be Growing," was issued four years ago, and not much has been accomplished since then by our congressional representatives.

By way of down-playing the seriousness of the threat, some industry analysts use statistics of actual reported identity theft. According to their analyses, there were only 538,700 cases of true identity theft reported to the Department of Justice in the second half of 2004, and the Federal Trade Commission received only about 250,000 identity-theft complaints in 2005. So in their view, the problem is limited and actually declining.

Yet, in truth, the threat of large-scale database security breaches is cumulative to the viability of an entire spectrum of personal and corporate enterprises. Credit ratings, access to public and private services, and a host of other social mechanisms are predicated on a basic principle that individuals can document who they are. And the misappropriation of identity documentation may not be discovered for years to come.

Mandates That Miss the Mark

In the U.S., we have a schizophrenic attitude about the documentation of our individual identities, which has sent Congress in seemingly conflicting directions in the use of ID documentation.

For instance, Congress mandates employers to verify that every employee is a U.S. citizen with a Social Security number or has a Green Card.

Yet, on the same day that the UCLA press release about the security breach was released, U.S. Immigration and Customs Enforcement (ICE) officials rounded up more than 1,000 individuals in a raid of six facilities owned by the meat packing company Swift & Company.

Purportedly, these individuals are accused of identity theft, yet how can the ICE determine if these individuals are legal or illegal if the basis of everyone's identity documentation is open to question?

Certainly, Swift & Company cannot be held liable if the workers stole the Social Security numbers that they used for obtaining employment. But by the same token, an individual who is legally documented—but who is falsely accused of being illegal—faces an uphill battle if, in fact, his own identity was stolen. If so, then who is the real victim in that circumstance, and what recourse does that individual have?

In other words, if our databases containing ID documentation are regularly harvested and misappropriated, how can any institution verify that the people who are employees are actually the individuals whom they employ?

High-Profile Identity Thefts

This raises the question of the importance of an individual's virtual identity: How important is it if someone "borrows" your persona or mistakes you for someone else? In the world of prolific databases of identities, who cares if the information is correct, incomplete, or misappropriated? A quick look at some high-priority cases offers some clues:

  • In September, Senate Minority Leader Harry Reid of Nevada discovered that his personal credit card number had been stolen and that $2,000 had been charged at a D.C. Wal-Mart. The FBI then investigated members of his staff and discovered that one individual was herself, in fact, "undocumented" but innocent of the crime. This raises questions of the validity of security clearances at the highest levels of government.
  • In August of 2004, Senator Edward Kennedy—a highly respected and long-time member of the Washington community—was detained and refused transit at an airport in D.C. because his identity showed up on a Department of Homeland Security watch list. Clearly, this most important security database was in error.
  • In 2004, a German national named Khaled el-Masri was allegedly kidnapped by the CIA in the U.S. after 9/11 and transported to Afghanistan, where he was allegedly held for four months before he was dumped in the woods of another country. This too was, according to the victim, a case of "stupid mistaken identity." He is currently attempting to sue the CIA for this error. But the CIA will neither acknowledge nor deny that this individual even exists.

So, virtual identity obviously matters, if only to enable you to successfully negotiate the physical world.

Implications for Virtual Identity

The unfortunate implications of these incidents represent more than a few simple mistakes that resulted in unfortunate consequences. They signify that something is seriously wrong with the manner by which we treat the information documenting individual identity.

What do I mean?

When Technology Fails

The technology of databases—the technologies that enable us to collect and store raw data—does not differentiate between one person's Social Security number, one person's credit card information, or one person's place of birth. It's all just "data"—raw material for the mechanisms of queries and calculations.

As IT technicians, it is possible to encrypt the raw data for security reasons, but generally speaking, this is not a standard practice that we use within our databases.

Who Is Responsible?

Instead, we generally rely upon a variety of other technologies to protect the databases themselves. These mechanisms may include firewalls, user IDs and passwords, and protocols like SSL. If those mechanisms fail as a result of malfunction, bugs, security breaches, or other malfeasance, the data itself—containing the identity information—is usually freely accessible.

Lack of Standards

Furthermore, there are no legal standards by which we can judge if we, as IT technicians, have adequately safeguarded the critical identity information in our care. On the contrary, responsibility is usually designated to the individual who, in most cases, is the source of such information. If something is amiss with your credit rating, you are personally obligated to discover this error and fix it.

Rebooting ID

Moreover, if an identity is compromised—through theft, misappropriation, or mistake—there is no universal way to "reset" the record to correct problems within agencies or institutions. Instead, the individual must step through a hit-and-miss set of processes to correct the errors, and these errors may not be discovered until years after the mistake has happened. If that individual fails—as in the case of Khaled el-Masri—there is no recourse.

Virtual Identity: A Broken Paradigm

What is needed, in the minds of many analysts, lawyers, and law-enforcement agencies, is a new paradigm for addressing the needs of identity security, and this new paradigm requires the recognition that we now exist in a virtual realm as well as a physical realm.

But the government and financial institutions are reluctant to change the manner by which they recognize us. Credit card companies send millions of unsolicited credit cards out to hundreds of thousands of individuals—to unverified addresses—based on identity databases that are themselves unverified and insecure.

As noted above, the government requires verification that an employee has a Social Security number to collect Social Security wages but does not verify that the person sending in the taxes is, in fact, the person to whom the number has been assigned.

Who Will Be Blamed?

There is little doubt that the IT professionals who discovered the security breach at UCLA will probably be the individuals who are blamed for the problem. This was the result in the Ohio University breach, and it's likely to be the case at UCLA.

Yet, had the State of California not passed a law requiring notification of the breach, it's doubtful that anyone would even know. Not the FBI! Not the UCLA administration! Not the newspapers! Not even the victims of the theft!

No one, of course, except the individuals, organizations, and/or cartels that stole the information itself. And it's doubtful that they will ever be caught anyway.

Thomas M. Stockwell is Editor in Chief of MC Press Online.

Thomas Stockwell

Thomas M. Stockwell is an independent IT analyst and writer. He is the former Editor in Chief of MC Press Online and Midrange Computing magazine and has over 20 years of experience as a programmer, systems engineer, IT director, industry analyst, author, speaker, consultant, and editor.  

 

Tom works from his home in the Napa Valley in California. He can be reached at ITincendiary.com.

 

 

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: