[ISN] Once more into the security breach

From: InfoSec News (alerts@private)
Date: Thu Feb 07 2008 - 02:34:24 PST


http://www.georgetownvoice.com/2008-02-07/voices/once-more-into-the-security-breach

By Tim Fernholz
The Georgetown Voice
February 7, 2008

Like a whole bunch of Georgetown students and alums, I woke up last week 
to an unpleasant e-mail from Georgetown: my name and Social Security 
number may have been exposed after a University hard drive was stolen. 
More exasperated than angry -- between Facebook, buying things on the 
internet and the U.S. government's tendency to lose private information, 
my privacy is nil anyway -- I had an advantage that most students didn't: a 
pre-arranged chat with Vice President of Safety and Security, Rocco 
DelMonaco, Jr., scheduled for later that afternoon.

DelMonaco has just finished his first term here at Georgetown, and I 
hoped to hear what he had learned from a semester of overseeing public 
safety on campus. His comment that more education was the key to 
preventing muggings came under criticism from this paper back in 
September. Indeed, this fall's sensational early evening robbery at 
gunpoint just outside the Walsh building suggested that more focus on 
DPS training and patrols may be the answer to our security problems.

But DelMonaco, a compact, nattily dressed man whose second floor Gervase 
office sports a full humidor and a commemorative ROCCO license plate 
from Ronald Reagan's second inaugural, seems unflappable. It was a tough 
fall for the new VP; in addition to the usual series of burglaries, 
muggings and fights, a bias-related assault shocked the campus early in 
the year. Despite a really good job by the University of preparing him 
for the ebb and flow of Georgetown's security situation -- particularly the 
spike of illegal activity around school breaks -- DelMonaco shook his head 
ruefully. "Now that I've lived it, it gives me a better idea of how to 
redeploy our personnel, to use other tactics and techniques," he said.

His biggest surprise? Students' tendency to leave their doors unlocked 
and to tamper with outside security doors. Indeed, despite maintenance 
failures, particularly in Henle Village, many burglaries on campus are 
connected to students who left their doors unlocked, and no one can deny 
that circumventing Georgetown's security systems is a Saturday night 
tradition. All of which leads DelMonaco to plead, "If it is a security 
device, keep it whole."

Maybe DelMonaco is just getting his sea legs, so to speak, here at 
Georgetown. (He's certainly got the Catholic part down; he made it to 8 
a.m. Mass on Ash Wednesday). But what about the issue of the day -- the 
38,000 missing Social Security numbers belonging to students who 
attended Georgetown as far back as 1998, including some 7,700 current 
students? While information security doesn't necessarily fall under 
DelMonaco's umbrella -- that's the problem of David Lambert, the 
University's Chief Information Officer, whose policy of encrypting 
personal data was not followed -- this was an out-and-out theft.

While details about the investigation are still sketchy, what we do know 
is this: sometime over winter break, someone got to the fifth floor of 
Leavey -- which requires a key outside normal business hours -- and entered a 
locked office, taking only the hard drive that contained the missing 
information. There were no signs of forced entry, according to the 
Metropolitan Police Department's report. The only item reported as stolen 
was the hard drive. This leads to some interesting questions; the first 
being, could the crime have been committed by someone at the University?

"[The investigators] have no assumptions at all," DelMonaco said. "When you 
assume, you block out other possibilities."

But it appears that the University, and DelMonaco, still haven't learned 
the lesson of this fall's hate crime, which wasn't publicly announced 
until weeks after it occurred: no matter how embarrassing public 
knowledge of an incident might be, transparency must be the first step. 
Though DelMonaco told me that he has already personally installed the 
transparency recommendations made by a University working group formed 
in the wake of this fall's public relations debacle, the University chose 
to sit on news of the robbery for three weeks, despite announcing it 
privately to the Alumni Board of Governors.

Those three weeks could have been critical, according to Linda Poley, 
founder of the Identity Theft Resource Center, who said that wide 
publicity is key to preventing identity theft. If thieves know their 
potential victims are aware of the danger they are in, they may wait to 
use the information, giving breach victims time to initiate fraud alerts 
and other protective steps. Poley recommended that those whose 
information was compromised keep fraud alerts active for at least a 
year.

"You can never assume that you're safe," Poley said. "These thieves may 
warehouse the information if they got hold of the information. They may 
not know they have the information. This has been a very well-publicized 
breach. These thieves are not stupid, if they do intend to use it, they 
are going to sit on it."

The University got lucky this time; thus far, no one who lost data has 
reported an incidence of identity theft. And in past incidences of data 
exposure at universities, relatively few identity crimes have come to 
light. But how many times will Georgetown get away with a lack of 
transparency surrounding an illegal act? DelMonaco has made community 
policing a key rhetorical theme of his still-short tenure; in the future 
he should make it a point to inform the community of what is happening 
on campus.

