Security breaches

work on this article is in progress

= Definitions =

  • Breach normally means to break through something, which can be a good thing, as in Child Birth from the Womb.
  • Breach has many meanings, such as the Comic Book.
  • In this article, it is used in the sense of breaking into, or violating, Security.
  • Similar meanings include:
      • Military penetrating Fortifications
      • Breach of the peace
      • Breach of contract
      • Breach of promise
  • Security is Safety or Protection from Harm.
  • The world of Computers is often illustrated by Computer insecurity, requiring a variety of measures to protect against Malware, hackers, crackers, vandals, insiders, and human error.
  • Satisfactory Computer security can be achieved but often is not, because security is not considered in the implementation of new systems, because people think security is not needed, or because they are more interested in speedy implementation of new products and services than in good quality, not just of Security but also of a variety of other Quality goals, such as ease-of-use and performance. This common business attitude is fueled by market demand for the lowest price goods and services, irrespective of the consequences.
  • Quality information security design is possible, but many ingredients of computers are designed without considering security. Computer insecurity is related to the weakest link.
  • Intensive testing is essential to verify proper implementation. Software additions and enhancements are invariably done to achieve certain goals, so let's verify those goals have been achieved.
  • Computer Security in Business and Government requires a system of Change management to avoid unauthorized additions or upgrades that might compromise security. Computer change management also ensures other goals, such as good documentation, good performance, user-friendliness, Interoperability, receptiveness to Business Information Data Mining, Corporate governance, and many other goals, are achieved.
  • Regular Computer Security Audits can verify that certain Standards have been met, and identify areas in need of remediation or improvement.
      • Computer Security Audits go beyond Information technology audits, which audit what is on the Computer system and how it is being used, to verify programs are working as intended and the data is reliable, to also verify that none of the data is being tampered with, or can be tampered with, to show incorrect results. For example, no risk of Insider Embezzlement going undetected.
      • Auditing information security can be part of an Information technology audit conducted by a team of human Auditors with expertise in the Computer system being audited and the Application software there. However, most businesses limit their annual Financial audits and physical Inventory audits to the data content, irrespective of how it is stored, in a computer or anywhere else, not auditing that storage area for anything, let alone Security. Home users of Personal Computers cannot afford the price tag of a standard audit, so they have to make do with whatever diagnosis tools are readily available for their use.
          • Computer technology evolution has become like personal Automobiles, in that, except for the problems of Computer insecurity and breaking down too easily, just about any human can buy a computer, install it, and start using it, with almost no training.
          • Many computer systems are delivered with defaults that are insecure if installed as the computers came from their manufacturers.
          • Lots of standard software is designed without concern for security, then sold to millions of unsuspecting computer users.
              • This is not because of any nefarious motives by the computer software publishers, but rather an outgrowth of Computer Security education being thought of as specialized training that is not deemed essential for Computer Programming. Thus the vast majority of computer Programmers know absolutely nothing about how to design their work products for good Computer Security.
          • This has led to a market for Computer Security tools to test Computer systems to locate Computer insecurity problems that can be repaired, then provide the Personal Computer Users and owners with explicit instructions on how to fix the problems.
              • If you have any of the more popular operating systems for Personal Computers or Computer Network systems used by Business and Government, then you can get Computer Security Audit tools to test your Computer Security to find any standard protections and settings that you may have overlooked in achieving various Computer Security standards.
              • Business and Government using very popular Application software Packages can get Computer Security Audit Software that is tailored to the particular Package, to identify settings not in the best interests of good Computer security, and what needs fixing so as to achieve the best known standards of Computer security for the industries where that kind of Computer software is ordinarily deployed.

= Security Expectations =

  • Security Breaches have been much in the news media in the year 2005.
  • Some people think this means we have some new catastrophic problem.
  • While it is true that Cyber Crime is a moving target, with new problems periodically arriving, such as new kinds of Scams and Malware, and a constant drumbeat of new computer viruses exploiting Vulnerabilities that many believe should never have been in Software or operating systems in the first place, there are some simple alternative explanations for the phenomenon of sudden growth in news about security breaches, which this article intends to list. Different people will find different explanations more credible.
  • It may be appropriate to have different articles on the various theories, while keeping the main topic focused on links to time lines of Security Breaches at various times in history, since this is not a new problem, just a new face on an evolving topic.
      • There was a time when computer systems did not yet have hackers, and bugs were the real insect kind.
      • There was a time when computer viruses were a new phenomenon.

== Incidents can be Controversial ==

  • Security breaches have been with us so long as there was something that someone wanted to protect, and someone else wanted to take. Until recently, it was an embarrassment for anyone to be broken into. It sounded incompetent, so victim organizations tended to keep quiet about incidents.
  • Many people believe security can never be perfect, that there will be breaches to any system.
  • Look for examples at:
      • Assassinations of National Leaders
      • Currency Counterfeiting
  • These targets get the best security that money can buy, and yet security breaches still occur.
  • Ordinary people and enterprises cannot afford the same kind of money that is used to protect a President, or national treasures like the Crown Jewels, and if THEY cannot be protected, then what does that say for the rest of us?
  • However, there is a risk factor. Perhaps the rest of us are less at risk of a security breach, so we need less protection.
  • Many people believe that collectively we can and ought to do a much better overall job with security than we have been doing.
  • We need to think outside the box and come up with better solutions that are less hassle to implement.
  • What people believe contributes to faith in a company and its management, which has a significant impact on its stock market price, and on success or failure in market share. Thus common perceptions of what it means for some enterprise to experience security breaches play into decisions to conceal or publicize the fact that some occurred.
= Thanks California =

  • There was a series of laws passed in California mandating that if there was a security breach in which the lost data involved California residents' personal data, such as social security #, credit card account #, phone # etc., then those California victims needed to be promptly notified, so that they could take action to reduce their exposure to Identity Theft and other Fraud.
  • Prior to the California laws, there had been controversy where many people were frustrated at their inability to do anything about:
      • The vast industry profiting from buying and selling info about us
      • Lots of inaccuracies in that data
      • Our freedoms impaired due to:
          • the inaccuracies and how people acted on the belief they were true
              • the impossibility for the average person to get the inaccuracies corrected
          • ease of access to the info by criminals such as those engaging in Identity Theft and other Fraud.

= Choice Point Data Broker =

  • Then Choice Point demonstrated to the USA a wrong way to notify people about a security breach. They announced that a particular number of consumers' personal data had been taken inappropriately by persons unknown, and that they were notifying a much smaller number of people about the incident.
  • Why not all of the victims?
      1. Only California had any laws mandating notification.
      2. California law only required them to notify people who were victims from January 2003 onwards.
      3. Therefore, they were only notifying those victims in California who were involved in breaches from January 2003 onwards.
  • This led to a storm of action in other states whose legislatures and attorneys general wanted for their citizens the same kind of notification that California consumers had a right to.
  • It was not just demands upon Choice Point that they inform victims in other states, but demands that any other company with a breach extend to consumers in other states the same kinds of rights that California citizens enjoyed.
  • Thus there was explosive growth in news about breaches, as incidents occurred that would have been kept quiet before the California law and its imitators in other states.
  • One scary thing is that this volume of nonsense has been going on for decades under our noses and almost everyone was oblivious to it, because, until quite recently, it was legal for companies to keep it a secret when such an incident occurred.
  • Ultimately Choice Point notified all victims.
  • The public reaction to Choice Point was so great a PR Disaster that since then, no other breached place has attempted a California Only notification.
= Thanks USA =

  • Just as California led the USA by having the first laws demanding notification of victims whose private data was lost or stolen from some company, other nations whose people have been victimized by these incidents are considering similar laws.
  • There is also debate about similar laws applying to government agencies, as well as companies.
  • The largest recent breach of which is aware of in terms of numbers of victims, placed at risk.
  • The largest computer disaster of which , was when the US Federal Reserve ran out of #s for issuing Bonds to finance the national debt.
= CardSystems Credit Card Transactions =

  • Here is a summary overview of the CardSystems Breach story, from the perspective of the story as it unfolded in the news media, with a link to a page for more details as they come out.
  • Lots of news media saying this was the largest computer breach ever, but knows of several larger ones, and will be adding details on them to this Wiki.
  • 17 June 2005, Master Card International told the world that there had been a breach of some 40 million credit card accounts at CardSystems Solutions, a company that processes credit card transactions on behalf of the banks that issue credit cards and the retailers that sell products and services on credit.
      • 13.9 million of the accounts were Master Card
      • later we learned 22 million of them were Visa
      • the rest were Discover Financial, American Express, and other unnamed places
      • later we learned that this also included Government Welfare Benefits such as Food Stamps
      • later we learned that this also included Debit Cards that are used at ATM machines
  • CardSystems complained that they had found out about this independently of Master Card, promptly fixed the problem and notified the FBI, and the FBI had asked them not to discuss this topic with anyone.
  • We now had 2 stories.
  • Master Card had found out about this because of various banks reporting a pattern of fraud, which Master Card had investigated and traced to CardSystems, then asked CyberTrust's Ubizen [http://www.ubizen.com/] to do a computer security forensic examination to determine the details of the breach.
  • CardSystems found out about this by some magic not explained to the news media. The magic was NOT them being notified by Master Card but CardSystems internal staff doing something not stated. They went to a security firm approved by Master Card to learn details of what had happened, so they could fix everything needed. They also notified the FBI.
  • Master Card came out with more info, about which the news media was quite confused for several days.
      1. Although CardSystems had exposed 40 million credit cards in a totally inappropriate manner:
          • 13.9 million Master Card
          • 22 million Visa
          • the rest, for which we have not got a breakdown
      2. Hackers had only walked off with 200,000 of those 40 million accounts:
          • 68,000 Master Card
          • 100,000 Visa
          • 30,000 other, for which we were not told the breakdown
  • Within a week we had a third version of the time line.
  • Australian banks had detected the fraud, that was eventually traced to CardSystems, as far back as the fall of 2004. They notified each other, the credit card companies, and conducted their own investigation.
  • January 2005 was when the National Australia Bank (NAB) investigation identified CardSystems as the source of the problem, and notified everyone that was supposed to be notified, under Australian laws.
  • Visa has confirmed to the Australian Parliament that NAB was in fact the first bank to bring this problem to their attention, and NAB statements about the time line are accurate.
  • However, even though Visa and Master Card had been notified about this problem starting late in 2004, then continuing as NAB and the other Australian investigations proceeded:
      • Master Card did not start their own investigation until April 2005
      • Visa did not start their investigation until May 2005
  • Apparently under current law, prompt notification of victims applies to when an investigation finds the facts. There is no mandate that an investigation must start promptly when there are suspicions indicating that one might be wise.
  • In addition to the FBI criminal investigation, banking regulators in several nations have launched investigations of CardSystems, the Credit Card Companies, the Banks that issued the Credit Cards, Merchants that authorized transactions to go through CardSystems, etc. This is because:
      • there is the appearance that some laws have been broken.
      • there is the appearance that some management of these companies are ignorant with respect to their responsibilities.
      • there are conflicting stories from the different enterprises.
  • Also, we have CardSystems saying that they found out about the problem May 22, 2005, fixed the problem IMMEDIATELY, and notified the FBI on May 23.
  • But a week later, they flunked a Visa security audit.
  • Had they REALLY fixed the problem, then they should have passed the security audit.
  • Then CardSystems talked about a computer security upgrade they purchased from eEye Digital Security June 10 and completed installing June 13.
  • But a week later, Master Card was complaining that CardSystems had still not fixed their security, and if they did not do so very soon, they would lose their Master Card business.
  • **

== The stolen data included ==

  • Credit Card Account #s and their expiration dates
  • Names of people associated with the credit card account numbers
  • the 3-4 digit security #s found on the back of credit cards
  • What Bank issued the credit card
  • Brand name of credit card:
      • Visa
      • Master Card
      • Discover Financial
      • American Express
      • Gov welfare benefits
      • etc.
  • Debit Card transactions in addition to Credit Card info, according to this news story [http://www.lamonitor.com/articles/2005/06/27/headline_news/news11.txt]

=== not included in this theft ===

  • addresses or phone #s of the people named on the credit cards, their date of birth, mother's maiden name, and the like
  • social security # or other #s on the people, other than the credit card account #s
  • PIN # where the credit card can be used in an ATM machine
  • significance of PIN #
  • The theft includes all the info needed to make false charges on valid credit card accounts, or to manufacture facsimile cards to masquerade as the real ones.

= Also see =

  • Security
  • information security
  • computer security
  • national security