http://news.bbc.co.uk/2/hi/technology/7105212.stm



*How firms and fraudsters deal in data*

By Mark Ward
Technology correspondent, BBC News website


The information lost by the HMRC could prove very valuable to fraudsters,
computer security experts say.

"In the fraud underworld the quality of data directly impacts the
flexibility with which they can use it," said Andrew Moloney, financial
services market director for RSA Security.

The more data you have around a subject the more different ways you can use
that to commit fraud."

There was no evidence yet that the data was being talked about or sold on
the fraud boards and net markets that his company monitors, he said.

However, most vendors of stolen data rarely mention where they got it from.
Instead, they typically only mention its quality.

Mr Moloney said there was a well-established chain of buyers and sellers who
can handle large amounts of data and pass them on to those that wish to use
them to commit fraud.

Safeguarding data

"That's partly grown up to protect the anonymous individuals involved," he
said, "and partly because we have seen specialisms develop with individuals
finding their own niche in that underground economy."

What also made the data attractive to fraudsters, said Mr Moloney, was that
much of the data in it, such as names of children and birth dates, cannot be
changed and will be valuable if it reaches criminals in the next week or the
next year.

"Once it's compromised it is compromised for the long term," he said.



With computerised databases long established in large organisations, a
series of policies and practices has grown up to safeguard the sensitive
data they contain - in theory.

In the front line of these safeguards are the strictures laid down by the
Data Protection Act which is policed by the Information Commissioner.

The Act details what workers can and cannot do with sensitive data and how
it must be treated as well as what staff should do to ensure it is not
compromised.

In a statement issued after the HMRC data loss was made public Richard
Thomas, the information commissioner, said his organisation was already
investigating two other breaches at the government department.

Data commandments

"Searching questions need to be answered about systems, procedures and human
error inside both HMRC and the National Audit Office," said Mr Thomas.

Beyond data protection laws most organisations develop their own policies
which govern how staff should treat such sensitive information, said Paul
Simmonds, a board member of the Jericho Forum - a trade association for IT
security bosses at the world's largest organisations.

He said the Jericho Forum had developed a series of "commandments" which
organisations should strive to live up to. They detail what organisations
should do to ensure data is used appropriately.

They cover such things as levels of security for different types of data;
authentication to ensure data use is appropriate and how to share
responsibilities for safeguarding information.

"The Jericho Forum has long stated that data must be properly protected,
both in transit and at rest," said Mr Simmonds. "Effectively this means
sensitive data must always be encrypted.

"This data loss is just another in a long list of organisations who ignore
basic security principles," he added.

Shore up defences

Paul Davie, head of database security firm Secerno, said many companies were
turning to technology to help shore up their defences.

Security systems that oversaw interaction between a database and its users
helped to do more than just stop bad guys from the outside stealing data, he
said.

"They want to understand the way the database is being queried by authorised
users and what counts as normal use," said Mr Davie.

"The technology is there to detect unusual behaviour such as a junior
downloading huge amounts of data," he added.

Evidence suggests that technology has a significant role to play. A
University of Washington study released in March 2007 showed that 60% of
data breaches were the result of bad practices inside organisations rather
than hackers.


Although there is no evidence that the lost data has got in to the hands of
criminals, anyone who did get hold of it, said Mr Davie, would be able to
make great use of it.

"This is really high quality data," he said.

Hackers have increasingly targeted databases, he said, because the
information inside them was so valuable and well organised.

By contrast data gathered by other hacker tools such as key logging software
installed surreptitiously on PCs that watches what people type can produce
reams of information that must be cleaned up before it is useable or
saleable.


[Non-text portions of this message have been removed]

Kirim email ke