Schneier on Security
A blog covering security and security technology.
March 1, 2005
Choicepoint's CISO Speaks
Richard Baich, Choicepoint's CISO, is interviewed on SearchSecurity.com:
This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren't. This type of fraud happens every day.
Nice spin job, but it just doesn't make sense. This isn't a computer hack in the traditional sense, but it's a social engineering hack of their system. Information security controls were compromised, and confidential information was leaked.
It's created a media frenzy; this has been mislabeled a hack and a security breach. That's such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don't.
So, Choicepoint believes that providing adequate protection doesn't include preventing this kind of attack.
I'm sure he's exaggerating when he says that "this type of fraud happens every day" and "fraud happens every day," but if it's true then Choicepoint has a huge information security problem.
Posted on March 1, 2005 at 10:45 AM
Agreed - great spin on the issue. His arguments are not lucid either.
I don't see how anyone could question the idea that such frauds happen every day. Of course they do, but not just to Choicepoint. People gain access to information under false pretenses every day, all over the world. That's exactly what happened here.
I wonder if he was one of the folks at Choicepoint who benefited from their stock sale? If so, he has a motive for the spin, possibly two motives :)
Why does it matter whether it was a "hack" or a fraud? The facts speak for themselves -- ChoicePoint was unable to detect misrepresentations made by would-be customers. This, coupled with their inability to link records accessed to the customers accessing them prevented them from knowing the scope of the problem once they did become aware of it. The fact that ChoicePoint's entire business is based on helping others know whether they are dealing with someone who is misrepresenting him/herself makes this almost comically ironic. Add to this the fact that this non-hack seems to have cost their shareholders about $350 million in market cap, and you're looking at a very sizable oversight -- they seem to have operated as if this risk to their reputation simply did not exist. If Baich thinks that the reaction to this is as strong as it is because people think that ChoicePoint has a SQL Server connected directly to the internet or something, he needs to take his game up a notch. People are upset because valuable data were insufficiently protected from an obvious non-technical threat, where the custodian of the data had the means and the opportunity to protect them, but decided not to. The market has reacted to the news that ChoicePoint makes poor risk management decisions, that is all.
And hardware hacks also happen all the time. Put a computer on the internet without proper security and it will be zombified in what? 15 sec average. Does this mean that ChoicePoint doesn't have a responsibility to keep their servers secure? As arguments go it is pretty lame since their data is so valuable; it could be argued that their data is equally valuable to their market cap. Of course this social hacking is not too efficient at stealing their whole database, but it sure did a number on their credibility. They made a business decision to gamble with security and lost. Oh well, take the hit, learn from it and keep going.
Kevin Mitnick - this is exactly how he accessed confidential information. The CISO comment is akin to saying our front door has the greatest lock in the world, what does it matter if the back door is off its hinges.
The attackers got what they needed and provided the means to do so. Such attackers do the same every second of the day and iterate through success and failure. It is Russian roulette playing the information game, but instead of a bullet you get the microscope. One of these days people will get that their information is not safe, nor can it be.
Am I missing something here? A couple of guys, "posing as businessmen," were given the keys to the kingdom. They used them to take what they said they were going to take. That would be the end of the story, were it not for the fact that they got caught using the info for purposes other than what they promised.
The first question is, what constitutes "posing as businessmen" for ChoicePoint? My guess would be having letterhead and a check with the right number of zeroes. Of course, the former is probably not nearly as important to ChoicePoint as the latter.
The analogous situation in the average person's world would be that, having loaned your keys to your Uncle Phil so he can run an errand in your car, he promptly robs a bank and uses your car for the getaway. The problem isn't with the lock on your garage or what kind of car you have. The problem is who you are giving your keys to.
The guy from Choice Point is right about the fraud part. But the fact that it is a fraud doesn't relieve them of their fiduciary responsibility to safeguard our information.
Unbelievable. Thanks for the link Bruce. What a mockery these people make of the security profession. Richard Baich says in the article that Howard Schmidt met him at RSA and said "This is fraud, it's not a hack".
Everyone in the business should know that people, processes and even physical access are fundamental to information security. A "hack" is simply an exploit of the weakest link in the chain. Fraud is deception deliberately practiced to secure unfair or unlawful gain. If they are unable to connect the dots, then they are just asking for trouble from organized crime as well as the wrath of their shareholders.
Note that Mr. Baich carries the propagandist line that ChoicePoint's "vision is to make a safer, more secure world through the responsible use of information."
On the contrary, their profit model is hard to distinguish from many of the groups that law enforcement is actively trying to shut down for selling personal identity information without the consent of those who would be financially impacted:
"Prosecutors in Nicaragua, Mexico and elsewhere across Latin America have opened investigations into the business of private information mining after discovering that the U.S. Justice Department hired a Georgia company to collect personal information on up to 300 million people throughout the region without their knowledge."
So if I collect personal/financial data from people and then sell it to the US government without their consent, does that mean I am practicing "responsible use of information"? They were responsible to whom, Ashcroft? They certainly were not practicing "reasonable" use of information.
Beyond all the news about ChoicePoint's relationship with the Bush Administration and the Florida election disaster, there is another troubling aspect of Mr. Baich's philosophy. In the article he says "We worked with (authorities) and did the right thing disclosing the breach where a lot of companies may not have ever disclosed this."
Wow. As the Editor points out ChoicePoint was forced to disclose because the SB1386 law in California required it. I see no cause for celebration -- no pat on the back for complying with the law. Even more telling is the point that ChoicePoint initially did not disclose for anyone BUT Californians! They clearly were not interested in doing the right thing. Americans can thank California for regulation that protects consumers.
It seems to me that ChoicePoint's statements continue to show the antithesis of accountability and reasonable security management.
Kevin Mitnick's book, 'The Art of Deception', should be required reading for every computer user. I started it thinking I'd learn something, and finished realizing I knew nothing.
If I'm following these arguments correctly, it implies that a bank could make all of its customers' information easily accessible on their website. Upon entry the user is asked for their name, then presented their records. If someone enters a name other than their own and accesses another person's records, then they have committed fraud, but the bank's records can still be considered secure.
Based on the way Choicepoint is handling this issue, I expect them to be extinct in the future. The only reason they'll be mentioned in a few years is as an example of how not to build reputation and trust.
Tom Peters says it pretty well ...
SHIT HAPPENS TO YOU AND ME BECAUSE WE SOMETIMES DO STUPID SHIT.
WE RARELY GET IN TROUBLE FOR THE SHIT THAT HAPPENS AS A RESULT OF THE STUPID SHIT WE DO.
WE OFTEN GET IN TROUBLE FOR THE STUPID SHIT WE DO TO AVOID TELLING ABOUT THE SHIT THAT HAPPENED BECAUSE OF THE STUPID SHIT WE DID.
MESSAGE? FOUL UP. FESS UP.
SARCASM That is why DRM is needed. If the data from ChoicePoint was protected by DRM, then they wouldn't have been able to do anything with it but what ChoicePoint allows them to do. /SARCASM
What I would like to know is whether ChoicePoint can get away with that from a legal perspective. Can they be sued for negligence? Are they obliged by law to keep their data confidential and to take the necessary precautions to make sure that unauthorized people don't get access to them? Is it at least illegal for them to give those data to unauthorized people or is this just another case where "market forces" are supposed to sort things out?
As I recall from my Business Law class, businesses have a fiduciary duty to their stakeholders, and if they do not perform that duty, they can be sued. Government *and* market forces are likely to sort this out.