Forget data thieves, data sabotage will be your next IT nightmare

For years, the security industry has been primarily focused on stopping information theft. Now more and more people in the trade are worried that the next wave of attacks won't steal data – they'll alter it instead. On Tuesday, the head of the NSA named data manipulation as one of his top three nightmares, and other vendors …

  1. Anonymous Coward

    This could be as simple as adjusting credit scores ... but there's not a lot of money in that

    Oh, come on!

    What about all those companies offering to sell YOU information they collected about YOU so YOU could see if they are wrong and correct them so YOUR credit score won't suffer? Even the ones that say "we monitor your credit score for free" are getting something somehow.

    Here's an idea to make money: invent a "personalized terrorism score" which could hypothetically be used to indicate your chance to be probed by TSA officers. Create a service that charges $10 per month to monitor your PTS, with an app to check if you've been near to suspicious places or called suspicious people or liked suspicious posts or did anything that could remotely be somehow considered in the general direction of anything suspicious. Profit.

    1. MachDiamond Silver badge

      Re: This could be as simple as adjusting credit scores ... but there's not a lot of money in that

      The main 3 credit report companies in the US are required to provide requestors a copy of their credit report at least once per year. They are also required to remove any incorrect credit data on one's account upon request if they are unable to substantiate the information.

      The bigger issue is with companies that are selling personal data besides credit information. There are no legal requirements for those companies to give somebody a copy of the data they hold about them and have no legal obligation to remove incorrect information.

      If you are trying to find a job and are not getting any return calls or emails, maybe your data profile has you down as being arrested for auto theft, rape or robbery. Many companies will screen applicants by using a data aggregator's services to dig up any negative information.

      1. quattroprorocked

        Already happens - World-Check

        Is a DB that is used by banks as part of their due diligence and classifies many people as terrorists, when those people are totally innocent.

        http://www.charityandsecurity.org/background/WorldCheck_Private_Databases_Raise_Concerns

      2. Doctor Syntax Silver badge

        Re: This could be as simple as adjusting credit scores ... but there's not a lot of money in that

        "The bigger issue is with companies that are selling personal data besides credit information. There are no legal requirements for those companies to give somebody a copy of the data they hold about them and have no legal obligation to remove incorrect information."

        That's one reason why we don't like personal data being sent to the US.

  2. gollux

    Best thing that could happen to Big Data, a little fiddling here, a little fiddling there, we could develop a lot of Intel that is quite brilliant based on guided misdirection. The sooner this happens, the better. With automation and no real fact checking, a brilliant future is in the offing.

    It's why surveys and all the other information collection sent my way get neat little novels written. Help them collect the future you want! Most of them are only asking for that which they want to hear.

  3. allthecoolshortnamesweretaken

    Not exactly a new phenomenon, is it? And it wouldn't be much of a problem if systems had better security and data was encrypted in the first place.

    1. Nick Ryan Silver badge

      It's far from a new problem and just daft that it's being touted as something new. Data has always been subject to accidental or malicious changes.

      Encrypting the data itself doesn't make a lot of difference really (except for passwords), it's another fad that while it does have practical benefit for security, the reality is that this is very limited. It's much more likely that user credentials are leaked and through those, and possibly programming and security faults, that data is changed.

      For example, I gave myself access to an MS-SQL database because an IIS .net application's web.config file had the credentials stored in plain text and this user was configured on the database server with the System Administrator role. Encrypting the database wouldn't have made a tiny bit of difference to this but it's an example of how easy it is to elevate access with relatively trivial initial access.

  4. John Tserkezis

    "keep paper records for everything"

    There goes that paperless office...

  5. g e

    So. This week....

    Strong encryption is our friend, is it?

    But what about all the paedos, terrorists and stuff we were supposed to be terrified of last week?

  6. Christoph

    Could be a bit worse than that. Shouldn't be too hard to get the USA to bomb someone based on false information - it's already happened at least once.

    1. Rich 11

      "Dear Mr Kim,

      Our records show that you are the owner of four (4) nuclear warheads. We would like to offer you the opportunity to provide a correction to our data if this figure is now out of date.

      A fee of $100 will apply. Please note that if you do not respond by return of post, your Global Trust Ranking may suffer and you may have difficulties in obtaining international financing and/or beneficial trade deals.

      Yours, etc"

  7. David Roberts

    Not much money in that

    Given that GDS were/are hot for the authentication of identity for the Government Gateway to be handed over to the credit agencies, plus decisions being made on large loans and new credit cards, there must be enormous scope to combine identity theft with credit score manipulation.

  8. Bc1609

    Blockchain

    Seems as though blockchains could, if properly managed, be a rather nice way of preventing this kind of sabotage. You'd have to replace the entire chain, which would be rather difficult to do unnoticed.
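The tamper-evidence idea in the comment above, reduced to a hash-chained ledger, as an added example that is not part of the original thread. The record fields, `GENESIS` value and function names are assumptions made for illustration; the sample rows are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first link

# Constructed sample ledger rows (not from the thread)
RECORDS = [
    {"unit": 1001, "built_by": "worker_a", "qa": "pass"},
    {"unit": 1002, "built_by": "worker_b", "qa": "pass"},
    {"unit": 1003, "built_by": "worker_c", "qa": "reject"},
]

def link_hash(prev_hash, record):
    """Hash one record together with the hash of the entry before it."""
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def build_chain(records):
    """Turn plain records into entries that each commit to their predecessor."""
    chain, prev = [], GENESIS
    for rec in records:
        digest = link_hash(prev, rec)
        chain.append({"record": dict(rec), "prev": prev, "hash": digest})
        prev = digest
    return chain

def verify(chain, trusted_head=None):
    """Return "ok", "link:<i>" for the first broken entry, or "head-mismatch".

    trusted_head is the final hash as recorded somewhere the chain's writer
    cannot modify; without it a completely recomputed chain verifies cleanly.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or link_hash(prev, entry["record"]) != entry["hash"]:
            return f"link:{i}"
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return "head-mismatch"
    return "ok"

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    head = chain[-1]["hash"]              # assumed to be stored out of band
    chain[1]["record"]["qa"] = "reject"   # one row altered in place
    print(verify(chain, head))            # link:1
    altered = [dict(r) for r in RECORDS]
    altered[1]["qa"] = "reject"
    rebuilt = build_chain(altered)        # whole chain recomputed after the edit
    print(verify(rebuilt), verify(rebuilt, head))  # ok head-mismatch
```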

  9. Seajay#

    Sandra Bullock told us this 20 years ago

    http://www.imdb.com/title/tt0113957/

    Always listen to Sandra Bullock

    1. BebopWeBop

      Re: Sandra Bullock told us this 20 years ago

      Quite happy to just watch her

  10. Crazy Operations Guy

    Not a new problem

    Back during the halcyon days of the internet, it wasn't uncommon for attackers to modify log files.

    More recently, I worked for a manufacturer that was producing one of those toys that people were trampling fellow shoppers to get their hands on it. One of the assembly line drones hired to fill production gaps made his way into the factory mainframe. He patched the DB libraries so that finished products from his coworkers would be credited to him, earning him substantial performance bonuses. The data was also altered so that units built by him would appear as rejected by the inspector and thrown in the reject bin, but would really be going into his pocket, where he'd sell them for ~$500 a piece on eBay. The "rejected" units would be attributed to a random assembly drone and marked as being inspected by a random inspector.

    All the production numbers, QA numbers, and inventory control would be in line with each other at the end of the day, so no one noticed. The guy ended up defrauding the company for close to $350,000 in bonuses and in proceeds from the stolen property. We only found out after attempting an upgrade to the db software and the diffs for the libraries wouldn't apply properly (since he messed with the lines being used to determine the proper context for line changes).

    1. BebopWeBop

      Re: Not a new problem

      A little more than an assembly line drone then?

    2. Version 1.0 Silver badge

      Re: Not a new problem

      I'm always surprised how much effort some criminals are willing to invest in this sort of thing when they should be able to legitimately earn similar wages if they invested their talents on the honest side of the law. I'm convinced that the real message is - they weren't doing it for the money - and I have to admit that, in my youth, there was occasionally a real pleasure in the sound of breaking glass in the high street.

      1. h4rm0ny

        Re: Not a new problem

        Depends. Once you have a criminal record - no matter how irrelevant or what the circumstances - you are effectively barred from using any talents more sophisticated than picking litter or working on an assembly line.

  11. DCLXV

    And more recently...

    Remember this incident?

    http://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall

    I'm stunned at how people still take as gospel the shite they read on the internet. There simply is no such thing as a reputable source. At the very least we should have already advanced to a stage where the common man expects not to trust any communique that doesn't come with some sort of verifiable digital signature, and at this rate if we ignore the need for such a solution then there's going to be hell to pay at some point in the near future.
