Pilot Information Compromised


90 replies to this topic

#81
SparrowHawk

    Veteran

  • Registered Member
  • 5,517 posts

luvthe9, on 19 February 2012 - 10:54 AM, said:

Why wouldn't there be any personal pilot data on a USAPA laptop? Does the treasurer not have access to the addresses and some information related to billing addresses etc?

Ignoring the insults, I'll address your question(s).

The question isn't "Why wouldn't there be any personal pilot data on a USAPA laptop?" The more appropriate question is, "How was it secured?" In this case the answer appears to be "it wasn't" or "we don't know", neither of which is acceptable in the world of information security. At a minimum said laptop should have been password protected at log on. The files containing ANYTHING remotely sensitive should have also been password protected separately AND encrypted. Encrypted files means you're talking NSA/CIA/FBI talent to read the files. With me so far Sparky? If you want to be really anal then you do all of the above but only store the information on removable media such as an external hard drive that is then locked in a safe when done. Do all of the above and the laptop is stolen? No compromised data, no harm, no foul, no room for an appearance of shenanigans.

Does the treasurer not have access to the addresses and some information related to billing addresses etc? Again, wrong question. It should be, and this is with any USAPA official, "Why does this person need access?" Proper security protocols must be determined and maintained. For example, does a Treasurer need to have more than Name, Employee number and mailing address? Or do we let him/her have access to all info?

It all depends on how secure you want your data to be. Judging from what I read here, data security wasn't much of an issue at USAPA.
Truth Is Treason In The Empire of Lies

#82
BoeingBoy

    Veteran

  • Registered Member
  • 16,036 posts
Seriously, I doubt that the laptop in question was stolen.  Supposedly, review of the security camera footage revealed nothing out of the ordinary.  I do suspect that it was used to spoof the emails purporting to be from one employee of the Seham firm to another, and was purposely "misplaced" to hide the evidence.  If it was discarded it is a lot bigger issue than AOL inadvertently having access to password protected partial SS#'s for the pilots since anyone who found it would also have access to the information it contained.  Anyone dumb enough to claim that it was stolen from an office with security camera coverage isn't smart enough to wipe the drive or otherwise protect sensitive information contained on the "misplaced" computer.  Yet no one on the east side seems concerned.  Apparently it's ok to have your sensitive info handled recklessly by someone as long as they're in the DOH camp, but having fellow pilots have your address is a capital crime if they support the Nic.  That is the real crime...

Jim
Silver: No question the [9th] embraced the issue that there was harm to the West Pilots.

#83
Iclubbabyseals

    Veteran

  • Registered Member
  • 793 posts

BoeingBoy, on 19 February 2012 - 05:15 PM, said:

If it was discarded it is a lot bigger issue than AOL inadvertently having access to password protected partial SS#'s for the pilots
Sorry, Jim.  It was not "inadvertent", and the SS#s were not password protected, at least on the list that was sent by PHX.

#84
BoeingBoy

    Veteran

  • Registered Member
  • 16,036 posts

Iclubbabyseals, on 19 February 2012 - 05:22 PM, said:

Sorry, Jim.  It was not "inadvertent", and the SS#s were not password protected, at least on the list that was sent by PHX.
The company said you're wrong.  Who to believe - clubby who makes it up as he goes or the company who would have no reason to lie.... :lol:

Jim
Silver: No question the [9th] embraced the issue that there was harm to the West Pilots.

#85
Move2CLT

    Veteran

  • Registered Member
  • 4,598 posts

Iclubbabyseals, on 19 February 2012 - 05:22 PM, said:

Sorry, Jim.  It was not "inadvertent", and the SS#s were not password protected, at least on the list that was sent by PHX.
Bzzzt!  WRONG!!!

They were in a hidden column and the company self-disclosed that SSN's were embedded in the file.  The company then had to show USAPA how to access said column.

And you should be more worried about your VP's "lost" computer.  That info was not PW'ed at all.

Wonder why that doesn't worry you and the fact that USAPA put nothing out to dispel that fear.
SENIORITY IS NOT FOR SALE....Except at $172 an hour

#86
SparrowHawk

    Veteran

  • Registered Member
  • 5,517 posts

Move2CLT, on 24 February 2012 - 03:53 PM, said:

Bzzzt!  WRONG!!!

They were in a hidden column and the company self-disclosed that SSN's were embedded in the file.  The company then had to show USAPA how to access said column.

And you should be more worried about your VP's "lost" computer.  That info was not PW'ed at all.

Wonder why that doesn't worry you and the fact that USAPA put nothing out to dispel that fear.

Here is something you might find interesting:

Quote

Hackers Having A Field Day With Data Breaches
by Ron Arden on February 24th, 2012


In the last few weeks, hackers have been taking advantage of lazy security practices on websites.  In two incidents involving the adult entertainment industry, almost 2 million customers have had usernames, passwords, email addresses, dates of birth and other personal information exposed.

On February 11, 2012, Luxembourg based Manwin Holding SARL had a data breach that compromised 350,000 user records, including usernames, encrypted passwords and email addresses.  A hacker who said he is affiliated with the group Anonymous accessed an inactive forum to help enter some linked websites.  And when he got there, he found a bonanza of data.  A small sample was posted to the Internet and I’m sure hackers are having a field day as they sift through the information.  Based on what was leaked, it was possible to determine some users’ full names and country of residence.  Hello fraud and phishing!

Truth Is Treason In The Empire of Lies

#87
BoeingBoy

    Veteran

  • Registered Member
  • 16,036 posts
You are correct - password protecting parts or even all of a file is no more defense against hacking than the lock on your door is a defense against thieves.  Both protect against temptation in the basically honest.  However, no one has accused AOL of hacking the data to get access.  It's all been accusations of theft and criminal acts because of merely having the file containing password protected info.

Odd, then, that those who have been so vocal about criminal acts because AOL had the file apparently aren't concerned at all that the same data is supposedly in the hands of a real thief and may be used/sold for any purpose whatsoever.  Quite the contrary, one even said that obviously private information was on the supposedly stolen laptop but so what?

Jim
Silver: No question the [9th] embraced the issue that there was harm to the West Pilots.

#88
SparrowHawk

    Veteran

  • Registered Member
  • 5,517 posts

BoeingBoy, on 25 February 2012 - 04:08 PM, said:

You are correct - password protecting parts or even all of a file is no more defense against hacking than the lock on your door is a defense against thieves.  Both protect against temptation in the basically honest.  However, no one has accused AOL of hacking the data to get access.  It's all been accusations of theft and criminal acts because of merely having the file containing password protected info.

Odd, then, that those who have been so vocal about criminal acts because AOL had the file apparently aren't concerned at all that the same data is supposedly in the hands of a real thief and may be used/sold for any purpose whatsoever.  Quite the contrary, one even said that obviously private information was on the supposedly stolen laptop but so what?

Jim

Just as an FYI, the blog I posted is from one of the Industry Leaders in Enterprise Digital Rights Management - Persistent file security. To give an idea of the power of this type of Software, I asked Bill this, "If the Government had your Software installed how would that have affected the whole Wikileaks scandal?" He replied simply, "It never would have happened."

Security is no laughing matter although I'm beginning to see that USAPA is a rather cruel joke. Considering this security software prices out at about 5 to 7 billable hours of Lee Seham's time for a small organization like USAPA, I think USAPA could have squeezed it in the budget someplace.
Truth Is Treason In The Empire of Lies



