[This was written with Lyger and originally published on attrition.org.]
In May of 2006, the United States Department of Veterans Affairs publicly disclosed the fact that “Personal data on about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans Affairs data analyst who improperly took the material home”, prompting a mass concern that the information, if in the wrong hands, could have led to multiple cases of identity theft. At the very least, the fear that even a government entity could have let such sensitive data fall into the wrong hands led many to wonder about the data security of less protected sources. The additional fact that the breach wasn’t disclosed for almost three weeks after the theft did little to initially ease those fears.
Weeks later, the stolen laptop and hard drive were recovered from the back of a truck at a black market sale and sent to the United States Federal Bureau of Investigation for analysis. At the end of June 2006, the FBI issued a declaration that “the personal data on the hardware was not accessed by thieves” to which VA Secretary R. James Nicholson stated “This is a reason to be optimistic. It’s a very positive note in this entire tragic event.” The question that needs to be asked, however, is how could they be absolutely sure that the data wasn’t accessed? Simply because the FBI said so?
Here’s the inherent problem with situations such as these: anybody with a relative clue, or at least a copy of Knoppix or F.I.R.E., could potentially bypass security measures implemented on lost or stolen drives. Period. Unless data on a drive is encrypted with a key either unknown or inaccessible to an intruder, that data is open to compromise. We won’t even go into cracking AES256 or 3DES here; for the most part, such measures are impractical. Cracking algorithms over 128-bit is possible, but only with a lot of time and/or firepower. However, shoving a CD in the machine, rebooting, and typing:
# mount /dev/hda1 /tmp/stolen_info/
# cd /tmp/stolen_info/
# ls -la
It’s not that difficult and it makes all of that “password-protected” data quite readable, even for a casual computer user. If the person who stole the laptop were to remove the drive and perform a bit-by-bit copy, they would circumvent any password protection on the computer. Remember, BIOS and Operating System passwords rely on the computer and OS booting up. If you remove the drive, neither offers any level of protection; they are completely worthless. The irony of law enforcement claiming the information was not accessed is that the method used to conduct a forensic examination is the exact same thing an attacker would do to access the data without detection. Law enforcement knows this, “independent examiners” know this and the companies making these bogus statements know this.
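To turn the encryption point into something a defender can check, here is an added example (not from the original article): it parses the JSON output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and reports every mounted filesystem with no dm-crypt layer beneath it, which is exactly the data a boot-from-CD mount would expose. The block device tree below is a constructed sample of a hypothetical laptop, not a real machine.

```python
import json
from typing import List, Tuple

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output for a
# hypothetical laptop: /home lives inside a LUKS container, / and /boot/efi do not.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
      {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
      {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
       "children": [
         {"name": "home_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/home"}
       ]}
    ]}
  ]
}
"""


def unencrypted_mounts(lsblk_json: str) -> List[Tuple[str, str]]:
    """Return (mountpoint, device) pairs for mounted filesystems whose device
    chain contains no dm-crypt ("crypt") layer.  Anything listed here is
    readable by pulling the drive or booting a live CD; a BIOS or OS password
    does not protect it."""
    tree = json.loads(lsblk_json)
    findings: List[Tuple[str, str]] = []

    def walk(dev: dict, under_crypt: bool) -> None:
        # Once we pass through a "crypt" node, everything below it is encrypted at rest.
        encrypted = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint and not encrypted:
            findings.append((mountpoint, dev["name"]))
        for child in dev.get("children", []):
            walk(child, encrypted)

    for top in tree["blockdevices"]:
        walk(top, False)
    return sorted(findings)


if __name__ == "__main__":
    # On a live system: lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT | python3 this_script.py
    for mp, dev in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED: {mp} on {dev}")
```

A boot partition such as `/boot/efi` is normally unencrypted by design; the finding that matters is a data-bearing filesystem like `/` appearing in the list.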
In case you think this sounds either pretty high-tech or something we’re just making up:
Despite the fact that computer forensics can’t conclusively prove what happened before a machine was recovered, companies that have a data loss incident seem wont to instantly deny that any information was compromised. Cry as they might, the fact is… they simply don’t know. For companies that experience such a loss, learn from past statements. Like many spaghetti westerns, certain incidents should come with a soundtrack. Since we don’t host sound files on this site, quietly whistle these to yourself:
“The Good, the Bad, and the Ugly”:
“The good news: Nothing has happened since then to give us any concern that any of the files that were potentially on any of the computers have been used for anything related to identity theft.”
“UC police note that while a lab analysis could not determine whether the sensitive campus data was ever accessed, nothing in their investigation points to identity theft nor individuals involved in identity theft.”
“PSA has no indication that any of the information has been accessed or misused.”
“The ring did not target the data and did not even attempt to access the data on the laptops they stole,” the DOT inspector general’s office said in a statement.
In an e-mail to employees within the past week, Senior Vice President Rick Stephens said Boeing and an outside security consultant had determined that the files containing personal information had not been read.
To take it one step further, what happens if a company hires an employee who either intentionally or unintentionally has access to not only company secrets, but client, customer or employee information… and they become involved in a possible breach? Who can determine what information may (or may not) have been accessed? What level of forensics exists to absolutely, positively confirm that a breach did (or did not) take place (answer: none)?
In short, just claiming that a breach did not happen, especially one that may or may not include personally identifying information, IS NOT ENOUGH. Even with an unbiased third-party examination of all of the details, there is no absolute guarantee that compromised data could not have been accessed. If personally identifying information is involved in a breach, either in possibility or actuality, it is in the best interest of all involved to disclose the (possibility of a) breach to their clients, customers, employees and any other parties involved instead of hiding behind legalities. Doing so only shows that the breached entity’s interest lies in their own bottom line and not in the interest of the people they went into business to serve.