Comments: Sighting of near-extinct beast - the profitable crypto attacker

Insiders must be audited and tested to derive a risk level ie the listening function of security. A simple question might be asked if information of any value is being moved what is the risk. The method used to determine the risk did not include any evidence of testing and traps within the test for verification of the intended procedures out come. So what verification points can protect the theft of valuable information probably none since a better method would have copied the information in shipment and attributed it to delays in shipping. The correlation of the movement of third party providers employed for transportation of valued information requires a unified tracking method. A good example that might make some folks perk up is if gps information on troop movements where intercepted and altered only a little bit. The delay and inaccurate information could prove critical in a long haul theatre scenario like bombing runs from California to China. If the coordination of the supporting bombing needed to be timed with troop movements the Chinese might intercept the information and alter its accuracy. This could prove devastating in re-supply and deployment. The timing of events and the has a critical component that needs to be built into security systems so the state of security is not static. The FSA in London shuts down its registry during the weekends and this presents a changing security posture for maintenance. The bank shipping tapes of information should have had a manifest registry that could not be altered or with restricted access. The shipping company is a mere transporter and not aware of the cargos significance which in itself is a security feature. It is the shippers’ responsibility to ascertain the proper method of shipping based on the value of the information or material. If for example you shipped a kilo bar of gold in a shoe box using the US Postal service and it where stolen who can you blame but yourself. So the anonymity does not protect the shipping party from inside attacks because it is no longer anonymous. The loss of anonymity is a threat. To test for this threat traps must be devised and scenarios run to determine the risk and critical points of failure. The assumption of anonymity is the failure to assess the insiders as a threat. So the human engineering of counter espionage must be considered when the mundane information of clients is exposed to theft by internal enemies. Of course this reflects on the lack of concern banks and financial institutions have for clients in general. The banks have attained an undoing of some of the basic reasons for the United States via the new and improved bankruptcy code that cost $100 million and four years to undo the concept of debtors prisons a primary reason for the Revolutionary War. The banks where following the example established by child support laws that incarcerate the Dead Beat Dads a juridical method of imprisoning a debtor. So the property rights of individuals has eroded under eminent domain laws established by fiat of the Supreme Court via the taking of property for the greater good of the state redistributed to enhance the revenue rolls of the political subdivision. The institutions that hold valued information on their clients feel comfortable abusing their clients with no recourse. The utter abandonment of this institution by their users will create havoc similar to Goths approaching the walls of Rome and Rome without a penny to for an army. So as the institutions that have benefited from monopoly positions via legislative fiat fail to reinvest in the society they have no recourse but to fail when the users revolt from the inside and outside. These institutions are informational in essence and have the teeth of real police and armies for backing but they are under assault from the Gothic informational equivalents.

Posted by Jim Nesfield at December 17, 2005 11:10 AM

http://www.finextra.com/fullstory.asp?id=14677

Posted by Dave Birch at December 20, 2005 11:19 AM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x55e30fbfca50) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.