Consolidating public information… how’s your privacy doing?

A “security” consultant wrote a script that collected profile listings from Facebook’s public profile directory, according to the article “The Facebook Data Torrent Debacle: Q&A” that appeared on Yahoo News yesterday.  Of course, this is all public information that is available to anybody who looks.  The difference, in my opinion, is a “security” consultant compiling such a list and then making it available online.  171 million Facebook profiles!  As of the date of the article, about 10,000 people had downloaded the entire file.

It doesn’t take a whole lot of imagination to think what a person with nefarious intentions might do with your e-mail address, phone number, and home town.  A little more research on your “public” profile would make it easy for a criminal to know when you’re out of town so they can have uninterrupted access to your home.  Or perhaps someone notices where your kids go to school and that they will be home alone on Tuesdays, because that’s what is publicly available.  Each piece on its own looks harmless; the consolidated file is what turns it into a targeting list.

The funny thing is, it’s not just this “security” consultant providing this type of consolidated information to whoever wants it, including criminals.  In my hometown, the local newspaper has been collecting the names, titles, work information, and salaries of public employees and publishing them online.  Sure, the story is about government spending, but why invade people’s personal lives to do it?  Certainly the point could be made without attaching individual names.  Yellow journalism and a violation of individual privacy are all I can think of.

The bottom line is that there is too much personal information available to anybody looking.  It is undoubtedly a self-inflicted problem, but it is exacerbated by so-called “security” consultants and news outlets that make the criminal’s job easier by consolidating this information and making it available for download.  They should know better.

National Cybersecurity Initiatives – Quick thoughts

The White House recently published a summary of the Comprehensive National Cybersecurity Initiative.  While there hasn’t been any time to debate this, or even to digest the implications of the 12 initiatives, I had some initial thoughts that I wanted to put down.  Certainly these may change as (or if) more details are provided.

Initiative #1.  Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. This is an effort of gargantuan proportions.  The enormous complexity of this initiative has failure written all over it.  If it somehow manages to be implemented, I can only think “One ring to rule them all”… or “own” them all may be more appropriate: a single consolidated network is also a single, very attractive target.

Initiative #7.  Increase the security of our classified networks. Wow!  You think?  Common sense is not that common.

Initiative #8.  Expand cyber education. It will be interesting to see how these programs are implemented when colleges and universities are dropping programs because of budget crises.  Creating an InfoSec-educated workforce is a long-term strategy in a rapidly changing arena.  It may be difficult to find instructors who aren’t so grounded in academia that they lose track of changes in the environment.

Initiative #9.  Define and develop enduring “leap-ahead” technology, strategies, and programs. This assumes that an environment rewarding innovation in the private sector is created.  At least in writing, there appears to be a recognition that public-private partnerships are needed for this to succeed.

This may be a good start, but without details on how the government will implement these initiatives, it’s impossible to determine whether this will be good, bad, or ugly.  I’ll be keeping an eye on developments here.

Direct costs of a breach

Is this an omen of things to come?

Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractor’s system was hacked from an Internet address in China.

http://www.washingtontimes.com/news/2009/jul/25/contractor-returns-money-to-pentagon/print/

Will implementation contractors be on the hook for failing to provide adequate information and network security for the systems they install?  Quite frankly, you can’t outsource the responsibility for data security, even if that “service” is provided by someone else.  Even when another party shares the financial burden of a breach, the damage to your reputation is yours alone, and recovering from it can take real work.

When using a consultant or contractor to implement any new system, security oversight is an essential piece of the overall project.  It’s a shared responsibility at best.  Regardless of what the marketing slicks say, implementers, contractors, consultants, and the like are profit-motivated.  Security may not be at the top of their list, so put the security requirements in the contract and verify them yourself before acceptance rather than taking them on faith.