Map of life expectancy at birth from Global Education Project.

Friday, July 10, 2015

Stoopid Question

It so happens that I had a government background check done four or five years ago in order to do some work with the VA. Ergo, it appears the Chinese government now has a whole lot of information about me including my social security number, date and place of birth, and other info they could use to steal my identity and mess with me in all kinds of ways. I presume they aren't interested in doing that, in my case, but I also have to say you never know.

Douglas Rushkoff raises a very interesting question. Why is that database accessible via the Internet in the first place? It seems to me that most of these data breaches and other cybersecurity concerns, such as hackers taking down the electrical grid or whatever, involve systems that have no reason to be connected to the Internet in the first place. Examples include Home Depot heating and ventilation systems (which is how the hackers got into the credit card data in the cash register system), bank account data, and yes, the OPM background check database. If an authorized person wants to get access to a specific background check, for a good reason, they can send an e-mail and receive that individual background check in return, without having to connect the entire database to the Internet. This could even be automated. Yes, hackers might then be able to get background checks one at a time, but they would already need to have the individual person's identifying information.

Why are power grid components connected to the Internet? If they need to be controlled remotely, the electric company obviously is already connected to them and could just run parallel FO cable. You wouldn't be able to hack into it, you would need to physically breach the system -- which is already possible anyway. Ditto for my bank account. If somebody in a different branch needs my info, they can ask for it specifically without the underlying database being connected to the Internet.

Are Rushkoff and I missing something here?


Daniel said...

One can gain access to a system that has no external connection to the Internet by gaining access to a system that has an internal connection to the target. Example, an email virus allows a hacker (hate to use that term) control of the computer after the email is opened and that computer eventually leads to a protected system.

Cervantes said...

Well yeah but a) it's much harder and b) it is certainly possible to construct a network with no external connections at all.