NS-21: Who is going to wind up in deep shit over deep, dark deep-water data?
In case you missed the news, it appears that the HM Revenue and Customs put the details of approximately 25 million UK residents on CDs and sent them to another government department. The only problem was that the discs never reached the destination, so nobody knows exactly what happened with them. Among the details copied on the CDs there were names, addresses, birth dates and, more dangerously, bank details. That’s why the government advised all the residents who might be affected by this data loss to check their accounts for fraud. —Softpedia recently
Phishers target HMRC data loss victims: Finextra, a cheerful little news aggregator for the payments sector, reports on an attempt to exploit a widely reported case of data mismanagement.
Phishing fraudsters have been targeting people whose confidential details may have been contained on computer discs lost last year by HM Revenue and Customs (HMRC), according to Internet security firm McAfee.
Finextra tends to just run rewritten press releases.
McAfee says phishing e-mails have been sent to UK citizens offering an opportunity to claim a tax refund of £215 from the UK government. But the e-mails contain a link to a “suspect” Web site based in Germany. The bogus site has now been shut down.
Here in Brazil, the question of data security has made headlines recently with the theft of laptops in transit from an exploratory drilling platform that had just discovered what promise to be enormous gas and oil reserves off the Brazilian coast. See also
Was it industrial espionage or common theft? The debate, based on incomplete information and technically deficient reporting on technical issues, rages on, with the investigation leaking like mad in favor of the latter theory.
CartaCapital has an interview this week with the former president of the National Petroleum Agency (1998-2003). He opines that the spy hypothesis is improbable and has been given “moral panic” treatment in the press. The president of Brazil has called the possibility of industrial espionage “a question of state.”
The Estado de S. Paulo has been one of the few news organizations insisting that there is serious reason to run down the former theory of the case.
The ESP noted the other day, however, that the Economist had mocked these espionage concerns, noting that theft is common at the Port of Santos, for example, and other “corrupt and disorganized” Brazilian ports. I should see if I can find that article. I hardly ever read the Economist (the British one) anymore.
We sent some personal stuff through Santos recently, and it all got here.
For what it’s worth.
Today, the ESP notes that a third theft of IT equipment belonging to Halliburton might also lead police away from the espionage theory.
The question of why you would continue to pay a third-party service provider to store and transport valuable data after a fubar of this magnitude is another question, I guess.
The box was not sealed and was missing its DVD drive. The U.S. company [Halliburton] reported the incident to the federal police. In the first two thefts, computer components and notebooks with data on the recently discovered Jupiter well in the Santos Basin were taken. The fact that yesterday only a DVD drive was taken, leaving intact the hard drive containing the machine’s memory, is, in the view of the federal police, a sign that the thieves were merely interested in [the cash value of the stuff they took], corroborating the hypothesis that there was no attempt to steal strategic information on the Jupiter well.
Anonymous sources inside the investigation, who to some extent are contradicting official statements on the case. That’s my impression, anyway. I have not had time to follow the story closely. Witnesses interviewed are running into the hundreds, according to TV news.
I am very confused at this point about what is really the case in this case.
There seem to be an awful lot of news organizations — mostly the ones I do not trust very much not to bullshit me — trying to get me to laugh the whole thing off.
Brazilian police forces tend to have poor institutional message control, and the Brazilian press tends to do a lot of leak journalism like this, where the “sources close to the investigation” — Bruno Surfistinha, for example — never seem to have a name.
In the view of investigators, an important fact is that, in the computer that had its hard drive taken, a special chip, developed specifically to allow Halliburton to read its working programs on oil platforms, was left intact. If the robbery was motivated by industrial espionage, the chip would scarcely have been left behind.
The contrary-to-fact conditional is the first refuge of a scoundrel.
What was it, a data encryption chip? I suppose you could dispense with taking it if you already had the technical means for decrypting the data, for example.
Why not put a reporter from the tech desk on the technical details of this explanation? This is, after all, a tech story.
(Could it be because the Estadão’s tech section, which I never bother reading, like “Circuits” in the New York Times, is mostly devoted to flacking for groovy new consumer gizmos rather than actually covering hard tech and tech business news in words of two syllables, for dummies to actually understand these issues — as this reporter apparently has not bothered to do?)
And speaking of one-source stories in which the sources, whose interest in the case is not disclosed, mostly just engage in contrary-to-fact conjecture, Finextra continues:
Greg Day, security analyst, McAfee, says: “This phishing attack has echoes of traditional get rich quick scams, preying on the desire to be compensated for the government losing their data, but people must learn that there really is no such thing as free money.”
This is the quality of security analysis at McAfee?
All they really have to say in the final analysis is “caveat emptor” — or as former Harvard president Lawrence Summers famously said, “It’s a shitty world”?
HMRC’s disclosure of data loss to persons possibly affected has “battered its reputation” — but promoting moral panic over the incident may have actually helped “blunt” the attack.
However, Day says the attack is likely to have been blunted by HMRC’s battered reputation. “Recent high profile data loss incidents have left the public more vigilant about handing over information that has any link to HMRC, so this may not be the most thoroughly considered phishing attack,” he adds.
Security software vendors promoting an apocalyptic view of situations they perceive as selling opportunities: Flies on shit.
I never seem to have problems like this, and I have not bought a McAfee product in years. I compute with the Penguin.
We did have debit card data ripped off and exploited recently, however.
Most likely, as far as we can tell, through spyware installed on a Windows (Paraguayan Edition, the most frequently used version here) machine used by a less enlightened family member.
Here in Brazil, it is very common these days to see phishing attacks through e-mails purporting to come from official sources, the courts and the federal police among them.
It is not uncommon to visit the news section of a Brazilian government Web site these days and find an announcement to the effect that “contrary to what you may have heard, it is not our standard procedure to send out e-mails telling you that you are the target of a tax-evasion investigation and should click on the following link to find out what to do about it.”