Two On ID Theft
Newsfactor has a long story, “U.S. Passes the Buck on Identity Theft,” which discusses the Identity Theft Penalty Enhancement Act of 2004, some of a current crop of products designed to reduce ID theft risks at businesses, and the need to shift liability.
Speaking of shifting liability, in “Despite Claims of ‘Exceptional’ Security, Acxiom’s Defenses Were Easily Sidestepped,” Chris Hoofnagle discusses the Acxiom case. He draws on a Wall Street Journal article, “Trial Highlights Vulnerability of Databases.” Two key quotes:
The problem erupted when Mr. Levine and other Snipermail employees allegedly downloaded a file containing encrypted passwords, unscrambled about 40% of them and gained access to information from other Acxiom clients.
Mr. Jones, the company’s legal chief, says the password file shouldn’t have been accessible and that passwords should have been harder to decode.
“Oops.” No, actually, more than oops. In the 1996 edition of “Practical Unix and Internet Security,” Garfinkel and Spafford say “Replace the encrypted passwords with asterisks.” (p. 491) That is the standard advice to shadow the password file: keep the hashes in a file that ordinary users and clients cannot read, because anyone who can read the hashes can guess against them offline at leisure, with no lockouts and no logs. Acxiom wasn’t following that decade-old, basic advice. I’m pretty sure that’s also in the first edition of Cheswick and Bellovin, amongst many other places.
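The attack the article describes is an ordinary offline dictionary attack on a stolen hash file, and the two defenses in play are the ones above: don't let the file be read, and make each guess expensive. The script below is an added illustration, not code from this post, from the WSJ article, or from Acxiom. Everything in it is constructed: the five accounts and their passwords, the six-word wordlist, the unsalted MD5 standing in for a weak “encrypted password,” and PBKDF2-HMAC-SHA256 standing in for a hash that is “harder to decode.” It also shows the one caveat a practitioner should keep in mind: a slow hash raises the cost of cracking, it does not rescue an account whose password is in the wordlist.

```python
"""Offline dictionary attack against a constructed password file.

Added example; not from the post, the WSJ article, or Acxiom's systems.
Hash choices, accounts, passwords and the wordlist are all assumptions
made here so the script runs offline.
"""
import hashlib
import hmac
import os
import stat

# Constructed wordlist. Real attacks use millions of candidates.
WORDLIST = ["password", "letmein", "acxiom", "welcome1", "summer2003", "qwerty"]

# Iteration count for the slow hash; kept small so the demo finishes quickly.
ITERS = 20_000

# Constructed accounts. Plaintexts exist only so the script can build its
# own sample files; two of the five use passwords that appear in WORDLIST.
PASSWORDS = {
    "alice": "letmein",
    "bob": "H7$kq2!vPz9m",
    "carol": "summer2003",
    "dave": "w9#Rt4&LbX1e",
    "erin": "Qm5^zJ8*ybN3",
}


def fast_hash(password: str) -> str:
    """Unsalted, single-pass hash: the weak 'encrypted password' case."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERS) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): the 'harder to decode' case."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


# The two "stolen" files: same users and passwords, different hashing.
FAST_FILE = {u: fast_hash(p) for u, p in PASSWORDS.items()}
SLOW_FILE = {u: slow_hash(p, os.urandom(16)) for u, p in PASSWORDS.items()}


def crack_fast(entries: dict, wordlist: list) -> tuple:
    """Unsalted hashes: one hash per candidate cracks every matching account.

    Returns (cracked accounts, number of hash evaluations spent).
    """
    table = {fast_hash(w): w for w in wordlist}
    found = {u: table[h] for u, h in entries.items() if h in table}
    return found, len(wordlist)


def crack_slow(entries: dict, wordlist: list) -> tuple:
    """Salted, iterated hashes: every account must be attacked on its own.

    Returns (cracked accounts, total underlying hash iterations spent).
    """
    found, work = {}, 0
    for user, stored in entries.items():
        _, iters, salt_hex, _ = stored.split("$")
        salt, iters = bytes.fromhex(salt_hex), int(iters)
        for w in wordlist:
            work += iters
            if hmac.compare_digest(slow_hash(w, salt, iters), stored):
                found[user] = w
                break
    return found, work


def fraction_cracked(found: dict, entries: dict) -> float:
    return len(found) / len(entries)


def is_world_readable(st_mode: int) -> bool:
    """The shadow-file point: hashes belong in a file others cannot read."""
    return bool(st_mode & stat.S_IROTH)


if __name__ == "__main__":
    found, work = crack_fast(FAST_FILE, WORDLIST)
    print(f"fast hash: {sorted(found)} cracked, "
          f"{fraction_cracked(found, FAST_FILE):.0%}, {work} hashes")
    found_s, work_s = crack_slow(SLOW_FILE, WORDLIST)
    print(f"slow hash: {sorted(found_s)} cracked, "
          f"{fraction_cracked(found_s, SLOW_FILE):.0%}, {work_s} iterations")
    # Check the permissions of whatever file actually holds the hashes.
    print("world-readable /etc/shadow?",
          is_world_readable(os.stat("/etc/shadow").st_mode)
          if os.path.exists("/etc/shadow") else "n/a")
```

The same two weak accounts fall in both runs; what changes is the cost. Against the unsalted file the attacker computes six hashes and reads off every match. Against the salted, iterated file the same wordlist costs 25 PBKDF2 runs of 20,000 iterations each, and that factor grows with the number of accounts and the iteration count. Shadowing the file removes the attack entirely, which is why it is the first piece of advice, not the last.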
Acxiom didn’t know it had been invaded until being contacted by investigators in Ohio following the 2003 arrest of a man who worked for an Acxiom subcontractor and was accused of illegally downloading information from a company computer server. Acxiom then detected more intrusions of the same server, which were traced to Snipermail.
So, a file of password hashes was readable by a client who had no business seeing it, the hashes were weak enough that about 40% fell to offline cracking, and nobody noticed repeated intrusions on the same server until outside investigators called. They couldn’t configure their servers, and they didn’t have effective log analysis or intrusion detection. What, precisely, was this “exceptional” security?
A transfer of liability to the public at large, and of investigative costs to the taxpayer? Nah. Even they’re not that cynical. So, what was this “exceptional” security?