On heels of VA's giant data breach, White House & GAO review security practices


According to ComputerWorld, the White House Office of Management and Budget (OMB) and the Government Accountability Office (GAO) are jointly looking into the data security practices of the Veterans Administration as well as several other agencies. Recently, a computer containing the personal data of over 26.5 million people was stolen from an analyst who was working for the Veterans Administration. The data apparently includes 2.2 million troops who are still on active duty, and the breach is the largest on a long and growing list of such breaches (growing at a rate of nearly one per day) that you don't want to be on.

Writes ComputerWorld's Jaikumar Vijayan:

The recent breach disclosures prompted the OMB to direct all agency heads to describe the specific steps they are taking to implement the requirements of the Federal Information Security Management Act in their annual reports on their compliance with FISMA. ... "Agencies have a responsibility to ensure that they are FISMA-compliant and that their employees are trained to work with tough security measures," an OMB spokeswoman said. She added that the OMB has set "sound standards and policies" based on FISMA's mandates and is working with agencies "to make sure practices match these policies."

Clearly, there are some obvious questions that need asking. When the data in question involves personal data that could result in a privacy or identity breach, how is it that these desktop and notebook computers can end up with an unencrypted copy, let alone a copy at all? What is it about the architecture of the applications that these people are working with that forces them to have a local copy of the databases on their systems? Furthermore, as I just discovered in an exhausting system recovery exercise that I went through over the weekend, password protecting a Windows system isn't enough. You may need the right credentials in order to get at a system's hard drive if you boot that system with the operating system that's on it. But if you boot it with some other operating system, as I did to my crashed notebook with the Knoppix distribution of Linux, you can bypass Windows' login screens and get unbridled access to any part of the hard drive.

At the very least, there are two things that should be done to such computers and files. First, every computer can be password protected at the hardware (BIOS) level. This is a password that comes into play before any operating system starts up. In other words, the computer won't even attempt to start its operating system until you enter this password. This password is set through a system's BIOS, which is normally accessible by pressing F1 when a computer is first booting up. Setting a password at the BIOS level is not foolproof. But it raises the barrier over a system that doesn't have its hardware password set. Second, Windows XP has the built-in ability to encrypt any file. All you have to do is find the icon for the file (e.g., in the My Documents folder), right click on it, select Properties from the resulting menu, and then, on the "General" tab of the Properties dialog, click the "Advanced" button. There, you will see a checkbox for encrypting the file. You will be asked if you want to encrypt the entire folder that the file is in (something I didn't choose to do when playing around with the feature). Encrypting an entire folder is a good idea because, then, any files you drag into that folder are automatically encrypted. Once encrypted, it doesn't matter what operating system someone boots the PC with; that file will be significantly more difficult, if not impossible, to access for most hackers.
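A check that the file and folder encryption described above was actually applied, as an added example that is not from the original article: this PowerShell function lists every folder and file under a given folder that lacks the NTFS Encrypted attribute, which is the flag the Properties dialog checkbox sets. The function name `Get-EfsGap` and the sample path are hypothetical, and the path is assumed to be on a local drive.

```powershell
# Added example, not code from the original article.
# Get-EfsGap (hypothetical name) lists every folder and file under -Path that
# does NOT carry the NTFS "Encrypted" attribute set by the Properties > Advanced
# checkbox. Assumes -Path is on a local drive.
function Get-EfsGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $root = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (-not $root.PSIsContainer) {
        throw "Not a folder: $Path"
    }

    # EFS is an NTFS feature; on any other file system nothing can be encrypted this way.
    $drive = New-Object System.IO.DriveInfo -ArgumentList $root.Root.FullName
    if ($drive.DriveFormat -ne 'NTFS') {
        throw "$($drive.Name) is formatted $($drive.DriveFormat); EFS needs NTFS."
    }

    $flag = [System.IO.FileAttributes]::Encrypted

    # The root folder itself plus everything below it, hidden and system items included.
    $items = @(
        $root
        Get-ChildItem -LiteralPath $root.FullName -Recurse -Force -ErrorAction SilentlyContinue
    )

    foreach ($item in $items) {
        if (($item.Attributes -band $flag) -ne $flag) {
            if ($item.PSIsContainer) {
                # Files later added to this folder will not be encrypted automatically.
                $kind = 'Folder'
            } else {
                # Readable by anyone who boots the machine from another operating system.
                $kind = 'File'
            }
            New-Object psobject -Property @{ Kind = $kind; Path = $item.FullName }
        }
    }
}

# Usage (constructed path): an empty result means the whole tree is covered.
# Get-EfsGap -Path 'C:\Users\analyst\Documents\CaseData' | Format-Table -AutoSize
```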

Vijayan's story goes on to report:

Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform, last week promised to introduce legislation seeking to strengthen breach-notification requirements at agencies. His vow followed a belated disclosure by the Department of Energy that the Social Security numbers and other personal data of about 1,500 employees and contract workers were compromised by a hacker last September.

To this I say, why not focus on the legislation that's already in front of Congress regarding such disclosures for everybody? Currently, there are at least six (and maybe more) bills being considered that basically contain proposed government prescriptions for disclosure when there's a data breach. The problem is that some of the ones getting the most serious consideration leave it up to the institutions in question to determine whether or not any particular breach is significant enough to warrant disclosure. It's sort of like passing a law that says "The fox will now watch the henhouse." As you can see from my string of coverage over a shamelessly under-reported banking breach, when institutions are left to their own decision-making when it comes to such disclosures, not only might that disclosure not happen, where it does happen, it will be accompanied by a significant amount of obfuscating language, spin control, and shoveling of blame onto some innocent party that doesn't deserve to be blamed.

  • And Worst Of All

    some of these bills contain provisions to take away from consumers the right to freeze their credit, a right only recently granted to consumers by several states and the single best way of preventing identity theft.
    • Oops

      I should have said "take away from consumers who cannot prove they have been victims of identity theft the right to freeze their credit." If you've filed a police report on identity theft, you could still freeze your credit, but many of us would rather be proactive.
  • VA Data Breach

    I'm one of those 26 + million victims of the stolen VA database case, and I'm not happy with any of the information that the VA has produced regarding this affair. The letter that I received was obtuse and the instructions to protect my credit and my identity were vague. The "official" Website for this case is a mirror to the letter and its enclosure. Not only did the VA violate my privacy rights on a legal level, they refuse to offer even a free credit report for compensation. I discovered that I could receive a free report when I placed a "fraud alert" on my credit reports, but that information isn't freely available to the affected vets. Other than this, I support your opinion on this matter - if the VA had followed IT privacy protocol, I wouldn't feel the need to state that this affair is merely a reflection of an inept and backward administration.
    • The VA is just a common victim....but a big one...

      This is a World Wide people issue...information security...The VA data breach is just another addition to common everyday victims...

      Whether individuals, or mom and pop businesses, to large corporate entities... or government...I find a key word...lazy people...from those who do not call their representatives to do something, to those who have been told about what to do and don't do it...and we all suffer the consequences some how...eventually...

      • The VA is an idiot

        This reeks on so many levels it's not even funny. This is not an information security breach, this is stupidity at its finest.

        Let's first look at the facts:
        1. An employee copied the database to "his" notebook to do "work at home".
        2. Said employee was told that would be a breach of security
        3. Said employee took notebook home anyway
        4. Notebook was stolen with the database contained
        5. 2.5mil people may be affected by this action

        I'm sorry but being apologetic doesn't cut it. Not only is that employee so fired but he should now work with the 2.5mil who will be affected by his stupidity. No, he can't be let off due to jail time, he needs to die for this. I can't think of a punishment suitable for this crime. The notebook probably had Windows on it so you know it's not protected at all. And it probably had a working copy of the database program on it so the database could be read. Doesn't matter, if it's in a DBF format, MS should be able to read it without provocation.

        The VA, the entire staff including upper and lower management should all be fired after they assist with filling out mounds of paperwork and reports just in case the data falls into bad hands, and this should be at the expense of the VA, not the victims. I strongly suggest that all of them spend some hard jail time, not just management, everyone there, all a bunch of idiots. Some of those who may be affected are guys who are out there working to keep and secure our freedoms. They deserve more than coming home to identity theft with only an apology from the VA about it.

        Any crook caught using this information for personal use (i.e. identity theft) should be killed on the spot. Our guys are out there risking their lives for us. They don't deserve this lack of disrespect. I'm sorry, but this whole thing is just so royally stupid. And our justice system really needs a make over. The time doesn't fit the crime, nor does the penalty.
  • You have to know where I'm going...

    As the old Navajo Code talker said..(and he's probably on the list of those on the stolen data base)..."You have to know where I'm going...to understand what I'm saying!"

    BIOS passwords can be cleared...even on server hardware if physical access is available...The drive could be removed and installed on identical hardware...nothing is impossible if man made it...a program that integrates a BIOS password with the OS would be a double guard at the front door where there is no physical access and would stop the aforementioned attempt of installing the drive on identical hardware...encryption is the best solution to protect data...but again...nothing is foolproof given enough time and effort and access...

    If you understand the language and the culture of things...you can eventually figure it out...even if it is code...

    As the old Navajo Code talker said..(and he's probably on the list of those on the stolen data)..."You have to know where I'm going...to understand what I'm saying!"

    Thieves will try anything...desperate thieves have no conscience...they even steal good tools to do the job...and the government then hires them...smiles...

    With security...the issue is always access...always!

    BrookStone5 Communications
    • I would agree

      But the data was not at the VA, it was copied to a notebook that an employee took home against company policy.

      We need to ask the questions, why was the data so easily copied to the notebook and in spite of warnings, why was he still allowed to take it home?

      You're right, given enough time, it can be hacked, but why bother when you can just slip that HD into another system and just read it as a spare, bypassing all security? Get real, any thief who would steal a notebook would have more than enough tools to gather the contents of the drive without effort.
      • Again...the point is Access...

        My response was to Berlind's statement on Access, with the understanding that he was able to access information not accessible with the same OS (assuming it was XP-NTFS that was being accessed), by using a different OS, like Linux, to read it.

        That point alone should have had the hair stand up on the neck on most readers.

        Say what? Something MS didn't tell me? Oh my! Smiles...

        Berlind's main point of safety was encryption.

        Again...the point is Access...and the data was at the VA...and it left the VA...so I take the responsibility back home to the VA (I would like to take it further than that since I'm a taxpayer helping foot the bill at the VA which I take as a responsibility of ours as US citizens)...

        But somebody (or the somebodys) there let this happen...somehow...Access was given...as had been pointed out...and it was easily accessible info...no encryption I take it?...

        And a "breach of trust" was committed...Intentional human error...

        What if it was encrypted...well that would be like stealing a car and not having access to drive it until a key was made or something changed to allow the usability of the car...

        But in this case of information...until the data could be un-encrypted or a username and password was provided to access the drive...it would be dormant information...But the one who committed the "breach of trust" also had access.

        So give him his due punishment, "if any" is due...(I haven't seen the rules for this person's position and access to VA information).

        Bottom line...

        "Somebody" who had access to VA data...took data home..."somebody" should no longer have access...nor a job...

        The somebody who was lax and let this happen, mainly the IT department, and the management over them, should be held in question, including everyone that tries to pass the buck...and maybe even be demoted if not fired..."it's a breach of trust and security", so it requires more responsibility if you want the job...

        I personally have problems with arrogant IT personnel...they are dangerous...

        But somebody did find out the data had been breached...we are thankful for that...

        You said it yourself in a one word question..."why?"

        My point with Berlind was to agree...but to also point out to unknowing readers that it is easier than he made it sound to hack into information on a drive, or just to make it useable...not using the Linux route.

        That happens all of the time...especially if you run into a client who hasn't backed up their main drive...and the old drive is where you build from...that's only the case in less than one percent of my clients...

        If I pre-encrypt a file on a drive...it will not be readily accessible on another system as a slave drive unless I have a program created to either hack it, or readily decipher that encryption language...

        I have to understand its language first.

        If I install the drive as a master on identical hardware, say identical motherboard, memory and size, identical CPU, etc., I can pretty much have a possible clone, but in the startup of MS OS's, any changes will be identified, like MAC#'s of hardware, CPU Serial ID's etc. I know for a fact that Windows Server and WIN XP OS's identify any changes and may require you to re-authenticate that particular unit's Key again. But...

        You would still need the password and username to access any profile requiring one. If you have the username...you are halfway there...if you have the password...you are halfway there...

        But...there are tools that let you change the Admin name and password in less than 10 minutes using a simple floppy and a CD of the OS. That is changing also...but access to the unit is necessary...

        Again...Access is the key...whether from a distance or having the product in hand...Access...

        If you have all the data and it's not an issue of whether the drive was stolen, or thrown away and data left on it unsecured...yes then all I would need to do would be to put it in the right computer with the right OS to read it as a slave.

        Why do people have access that shouldn't, or why do they break the rules? Because they are humans...

        And because other people who can prevent it from happening don't take the security issues seriously...like following up on IT officials in charge...shake their world once in a while...it's ok...they will live and not die...smiles...

        This is not 'New' news guys...It's not about the VA...it's about being responsible or paying the price for the lack thereof.

        It's about taking care about who we hire for jobs involving Government Information, National Information (Our Government and Nation that we as citizens are to be watchdogs over, because they work for us, not vice versa)...Information that needs to stay secure (as humanly possible).

        Hey, if it's stored on a computer, then it's stored in someone's brain also. People walk out of work at the VA, or the Defense Department with information everyday, in their heads. Are they responsible for what they know? You bet! Will they breach the trust we've given them? It's a possibility!!! We have hope that they have good conscience!

        Presidents walk away with information when their term is up. We hope that they do not breach any trust formerly given them.

        With the VA issue, it doesn't matter as much how he got it. He could have copied it from another worker's laptop via an ASR, or stored file on a CD or USB memory stick.

        In this case the abuser was able to leave the VA with the info. He should not have gotten that far with physical data.

        He could have a photographic memory (yes a little outrageous). But the point is made...data storage with human Access is Access!

        Along with Access is Trust...and they come at a price...

        Some IT departments have a tendency to think that old parts are theirs for the taking when they are no longer used, or are removed because of redundancy.

        What if that had been the case with the laptop with the VA data on it? Just an old laptop being replaced, and the IT doesn't format the drive or remove and destroy the drive and they auction it off? That happens!

        IT officials need to be accountable and that is happening more and more...this is good...but there are many that are not...and I can name you a few that have used the statement..."I am God"...more than once. I don't trust these individuals, and I never will...they are dangerous...

        A few years ago an IT friend of mine ran into a Defense Department security issue with parts he purchased from an Online auction. When he started up the server he installed the drive on (previously finding out that the drive had not been pre-cleaned of any previous data, and curious about its content...according to his story, smiles)...along came a program from the Defence Department that gave off a warning that he was attempting a breach and was on the verge of criminal trespass of government data. He said it was trying to phone home. Ha-ha...

        He immediately called the right people (being in a large major city finding the right people locally was not too hard) and they were there within 2 hrs.
        My friend told me they had pointed out to him that he wouldn't have been able to access the drive anyway. My friend is a determined genius (his weakness), and told them he could access it, and they said OK, show us. So he did, within 5 minutes of time.

        That was six years ago, and the culprit was found who took the old hardware with sensitive data still on it and sold it Online.

        I would also believe that the Defence Department has made major changes in how its old hardware parts leave Defence Department installations, and I should be able to sleep better at night...

        But I'm a night watchman...and breaches of trust happen all of the time...and because we are dealing with humans...we don't get the rest we want...

        Let's all do our part in keeping secure what needs to be secured...I've learned from the best...
  • even advocates don't use encryption

    I heard on an NPR report not too long ago that even some of the biggest security advocates for encryption technology don't use it themselves. Why? Some say it's the "extra step" one has to take to apply encryption to email and documents that keeps them from using encryption on a regular basis.

    Besides, encryption alone isn't enough. Real security should marry encryption and usage control of drm to data, and make it easy to use, too. Otherwise, that "extra step" will never get taken.
  • Giant Data Breaches

    On almost this subject I've learned that if your social security identity is stolen and used for someone else's employment, etc. a report to SS leads them to suggest notifying the companies that have accepted the stolen SS number and show little or no interest in arranging to federally pursue the thief. (This was discussed in detail on KFI radio in Los Angeles.)
  • Hard core

    I think the VA should stand accountable for the 2.5mil affected and start doing something to try and right the wrong before it gets worse. The VA should work side by side with the victims in filing the paperwork, paying the related expenses and helping out. The law should get a list and start putting out flags just in case someone starts using this information for identity theft and start doing something to those caught with this information.

    We need to insist on more than just a slap on the wrist and not complicate it with jail time but restitution. We need to be less politically correct and seek more justice. This isn't cutting it anymore, we need to do something about it. I was a victim of identity theft last year and it was up to me to fill out the paper work, fill out the reports at the police station per violation. And the crook, I'm sure is out having a good time on my expense.

    Getting back to the VA, the entire staff should be fired and the managers should be fired and their pensions depleted to help assist the enormous expense that this issue has caused. The guy who actually took the data home, his life should be over.
  • Encryption - Basic Stuff

    I wish I could remember but shortly after VA's Data Breach, NBC aired a spot with a VA Spokesperson. This very question was asked, Why isn't Data Encryption used? The reply was "it makes the Analysis' job too difficult."

    O yea, 26.4 million Vets and 2.2 million active duty - let's call it what it is 28.6 million, rounding as the IRS would have us do that's 29 million.

    That's 29 million men and women, active duty and retired, that have had their personal data lost. This doesn't include those that have given the ultimate sacrifice. Military service, that's a difficult job! - USN Retired.