MINNEAPOLIS – Thirty years have passed since the Internet Protocol was first described in a series of technical documents written by early experimenters. Since then, countless engineers have created systems and applications that rely on IP as the communications link between people and their computers.
Here's the rub: IP has continued to evolve, but no one has been carefully documenting all of the changes.
Sphere: Related ContentAlmost 14 months after Intel announced USB 3.0, the final protocol specification will be formally announced next Monday at the first SuperSpeed USB Developer Conference in San Jose, CA. The specs will then be handed over to early adopters that plan to design products around USB 3.0. The third generation of Universal Serial Bus has been hit by delay after delay, and it's been a very long, difficult and challenging three-year effort. Only several months ago, nVidia, AMD and a few others threatened to create its own USB 3.0 if Intel doesn't share the controller specs with them on time. This fortunately didn't sidetrack the effort to deliver USB 3.0 on time as both sides quickly reached an agreement.
While not formally unveiled, the SuperSpeed USB logo was shown at WinHEC 2008 last week where Redmond engineers held discussions on which OS will support the new USB. Windows 7 RTM unfortunately won't ship with native USB 3.0 support; that is, if the next Windows doesn't encounter delays. Hopefully, USB 3.0 is worth the wait with speed boost to 4.8Gbps, the use of optical cabling, and new power management. WinHEC 2008 has a a brief performance comparison sample for data transfer of 25GB HD movie:
Attackers could gain control of water treatment plants, natural gas pipelines and other critical utilities because of a vulnerability in the software that runs some of those facilities, security researchers reported Wednesday.
Experts with Boston-based Core Security Technologies, who discovered the deficiency and described it exclusively to The Associated Press before they issued a security advisory, said there's no evidence anyone else found or exploited the flaw.
Citect Pty. Ltd., which makes the program called CitectSCADA, patched the hole last week, five months after Core Security first notified Citect of the problem.
But the vulnerability could have counterparts in other so-called supervisory control and data acquisition, or SCADA, systems. And it's not clear whether all Citect clients have installed the patch.
SCADA systems remotely manage computers that control machinery, including water supply valves, industrial baking equipment and security systems at nuclear power plants.
Customers that use CitectSCADA include natural gas pipelines in
For an attack involving the vulnerability that Core Security revealed Wednesday to occur, the target network would have to be connected to the Internet. That goes against industry policy but does happen when companies have lax security measures, such as connecting control systems' computers and computers with Internet access to the same routers.
A rogue employee could also access the system internally.
Security experts say the finding highlights the possibility that hackers could cut the power to entire cities, poison a water supply by disrupting water treatment equipment, or cause a nuclear power plant to malfunction by attacking the utility's controls.
That possibility has grown in recent years as more of those systems are connected to the Internet.
Meanwhile, back here in reality, 155 students have actually lost their very real tax refunds because of another data breach.
They're among 1,132 graduate students at the University of California, Irvine, who participated in a university health insurance program in 2006. That program was run by United Healthcare, which admits that some students' personal data "may have been accessed without authorization."
Whoever grabbed the information apparently used it to file phony tax returns. Result: When the students tried to file their legitimate returns, the IRS told them that returns had already been filed using their Social Security numbers.
No one is talking about specifics of the data breach at United Healthcare. The IRS won't talk about its investigation or how much the crooks got away with, though it probably comes to a few hundred thousand dollars at most. The university says it's arranging emergency loans for students who need their tax refunds to pay their bills, but it isn't divulging many details either.
That's OK. We already know enough to say this:
We've got to stop using Social Security numbers as a single-factor identifier. And allowing access to Social Security numbers on anything but a need-to-know basis. And storing unencrypted personal information.
That's no longer theory. It's just reality.
Look, we all love hearing impossibly big numbers like the ones in the TransUnion settlement. Billions of dollars? Hundreds of millions of people? Those stratospheric numbers don't seem real.
Our reality comes at a smaller scale, hundreds or thousands of data records at a time. Names. Addresses. Birth dates. Social Security numbers. Credit card numbers. Bank account information. We tell ourselves that it's safe — that our employees are trustworthy, our security is good enough, our piddling collection of data too small to worry about.
But that's exactly what's being stolen, as those 1,132 students have painfully learned.
And week by week, year by year, the number of data breaches grows — and thieves grow ever more efficient at converting stolen information into stolen money.
They're getting better at this. We're not.
We know what we need to do. We need to abandon the use of Social Security numbers for customer identification and authentication — this means you too, IRS.
We need to treat Social Security numbers and other personal information like the highly valuable, easily stolen commodities they are, and make them much harder to access in our systems.
And we need to encrypt, encrypt, encrypt.
None of this is rocket science for corporate IT shops. None of it will be cheap, either. At a time when business is down and belts are being tightened yet again, it'll be a hard sell to the CEO.
But it's time to budget money for it. Not money for theoretically perfect data security — but for a realistic response to a real threat.
Because there's nothing theoretical about this: If thieves can steal 1,132 students' information and convert it into $100,000, they can do it again and again — and they will.
And that $9 billion is getting closer to reality every day.
Sphere: Related Content
