Tuesday, June 16, 2015

Because dossiers

Here's the thing about computers -- even your laptop can support "big-data" applications. There are only 300 million people in the United States. At 1 kilobyte per person, that's still only 300 gigabytes -- which fits on my laptop hard drive.

Building dossiers is becoming a thing in the hacking underground. Every time they break into a retail chain, hospital, insurance company, or government agency, they correlate everything back to the same dossier, based on such things as social security numbers, credit card numbers, email addresses, and even IP addresses. Beyond hacked secrets, public sources of information are likewise scanned in order to add to the dossier. Tools such as Maltego make it surprisingly easy to combine your own private information with public sources in order to build such dossiers.

When even the small hacking groups are focused on this effort, you can bet the big guys like China and Russia are even more interested.

This is one explanation behind the OPM hack. The hackers may have had something specific in mind, such as getting the personal information from SF-86 forms, where those seeking clearance are forced to disclose their various addictions and perversions. It may be used to blackmail people -- while the government knows their secrets, their friends won't.

Or it may have been as simple as the fact that the OPM was an easy target, and had useful information for building dossiers -- without any particular designs on what to do with the information.

I point this out because Occam's Razor. People are postulating complex scenarios for what the hackers wanted with the information. I think the more likely answer is simply because it was there, it wasn't hard to get, and it's something you ought to get now in case you need it for somebody's dossier later.

1 comment:

Ewing Fox said...

I frequently find myself appreciating your perspective - in this case, the simplest answer is usually the correct one. The OPM hack just drives home the need for every business to take a continual inventory of their risks, and seek areas to make improvements in their network security and process controls. Nobody wants to be the next Target, or OPM.

The days of simply eating compliance violation fines and rolling onward are over - I'm curious if you think that InfoSec standards are best left to the private sector, or if we need to see an increase in regulatory oversight - i.e., follow the EU's lead with their recently updated (again) EU 95/46/EC.