
Government have lost millions child benefit bank details


Comments

  • spook wrote: »
    There is no way the data wasn't encrypted, and the chancellor not mentioning it does not prove the contrary. Passworded and encrypted, in the case of data on a removable disc such as a CD, ARE the same thing, so he didn't need to.

    How strong the encryption is, is the question that needs to be answered, as I've already said.
    Sorry if you took my post the wrong way, I never said you were 'IT illiterate', but I can see that my post could be read that way.

    I was simply making the point that the two terms do not mean the same thing, and the fact that people think they do actually causes people to be far more careless about security than they really should. Particularly with regard to companies storing sensitive data on laptops, for example.

    Don't forget that politicians are very good at giving an impression that something is a fact, without actually saying anything concrete, so that they don't get caught out later when it turns out they weren't telling the full story. I think it's highly possible that this applies here.

    I'm with Spook on this one. "Encrypted" implies connotations that "password protected" doesn't, namely that "Encrypted" is the more secure of the two, and requires much more effort to de-crypt.

    Maybe politicians are not as tech savvy as they could be, but their advisors, especially in the data security areas, should at least inform them of this distinction so they can talk about it, if only to dissuade discussions about password protected vs encryption like we're having.

    In fact, at the time of writing, there are numerous other people discussing this very distinction coming up on a Google search: http://www.google.co.uk/search?q=hmrc+encryption+password+protected

    The first match: http://p10.hostingprod.com/@spyblog.org.uk/blog/2007/11/hmrc_25_million_personal_records_scandal_no_encryption.html
    BBC1 TV Newsnight programme revealed last night that, after some evasive answers, Her Majesty's Revenue and Customs (HMRC) admitted that the two lost CD-ROM discs containing the entire Child Benefit database personal details of 25 million people, which were lost in the internal mail, were only "password protected" and were, as we suspected yesterday, not encrypted.

    Another: Security experts savage HMRC over data regime
    Chancellor Darling said yesterday that the discs were password protected but the data is not thought to have been encrypted.
    Piper said: "Had it been encrypted, that's the first thing they would have said. HMRC said the discs were password protected, but had they been protected properly they would have stated this."
    Conjugating the verb 'to be':
    -o I am humble -o You are attention seeking -o She is Nadine Dorries
  • Hi Blind-as-a-bat,

    Sorry but I have to disagree with this statement:
    But let's get some perspective here. IF the discs were encrypted or password-protected, even with a program such as WinZip or WinRAR (which I doubt, as they probably use their own software), and if the password is over 8-10 alphanumeric characters long, then you're looking at years to crack it with the PC power available to us mere mortals, so it could be a long time until this is a threat to anyone.

    If you use 10 alphanumeric characters, it would take the average home computer around 14 days to crack the password:
    • There are 36 possible characters (26 letters + 10 numbers);
    • The password is 10 characters long, therefore there are 3,656,158,440,062,980 possible combinations (36 x 36 x 36 x 36 x 36 x 36 x 36 x 36 x 36 x 36);
    • A fairly typical PC can carry out 3,000,000,000 calculations per second (3 billion - 3GHz processor);
    • 3,656,158,440,062,980 divided by 3,000,000,000 comes out at just over fourteen days.
    "Password protected" and "encrypted" are really very different things. With a properly-encrypted file, it would take a supercomputer potentially millions of years to crunch all the data.

    So, a password protected file with only a 10 character password is really very insecure, even against a bog-standard PC.

    Cheers,
    Gotnobread.
  • Actually there are 62 possible characters, including capitals, as most password systems are case sensitive, and the rest of your calculation assumes that 100% of the clock cycles are used, which can never be the case due to the CPU overhead of operating systems and the internal running of the PC etc. etc.

    Believe me, I have actually used a RAR/ZIP cracking program and it takes a hell of a lot more than 14 days in a Windows environment on a 3GHz machine; granted, it can be made quicker under different conditions (like a less bulky and CPU-hungry OS), but not without more than likely writing your own code for the cracking routine.

    I think you're both overestimating the time required for these particular discs.

    From another article I found, I estimate the time required to be approximately 30 seconds regardless of whether they were password protected or encrypted: http://politics.guardian.co.uk/economics/story/0,,2215025,00.html
    Guardian wrote:
    Shawn Williams, a partner in a law firm specialising in fraud cases, said he regularly received confidential data from Revenue & Customs in CDs with either no password or the password written on the disc itself.

    While it was common in other cases for passwords to be provided by phone only once the data had been sent, Williams had never known Revenue & Customs to carry out this procedure. He said the data was often "substantial" and arrived on a regular basis.

    "[...] It is our strongest suspicion that the discs forwarded to the National Audit Office will have been packaged together with the necessary instructions to enable the recipient to access the data.

    "If so, then reassurances from the chancellor of the exchequer and chief secretary to the Treasury that the data has password or other encryption protection become meaningless."

    :eek:
    Conjugating the verb 'to be':
    -o I am humble -o You are attention seeking -o She is Nadine Dorries
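As an added illustration (not from any of the posters), the keyspace arithmetic in the two posts above, generalised to both charset sizes (36 and 62) and to a guess rate that is not one password per clock cycle. The 3 GHz clock is the posters' figure; the 10,000-cycles-per-guess rate is a constructed assumption to show how much the per-guess cost of the archive format matters, not a measurement of any product.

```python
"""Brute-force time estimates for a password-protected archive.

Added example, not part of the forum thread. Worst-case time is
keyspace / guess_rate, where keyspace = charset_size ** length.
"""
from __future__ import annotations

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Charset sizes as argued in the thread: letters+digits, then with capitals.
CHARSETS = {
    "digits+lower": 36,
    "digits+mixed": 62,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def crack_seconds(charset_size: int, length: int,
                  guesses_per_second: float, average: bool = False) -> float:
    """Seconds to exhaust the keyspace (or half of it, the expected case)."""
    space = keyspace(charset_size, length)
    if average:
        space /= 2
    return space / guesses_per_second


def scenarios(length: int = 10, clock_hz: float = 3e9,
              cycles_per_guess: int = 10_000) -> dict[str, float]:
    """Worst-case seconds per charset under two guess-rate models:
    the posts' naive one guess per clock cycle, and a constructed
    (assumed, not measured) cost of `cycles_per_guess` cycles per check."""
    out: dict[str, float] = {}
    for name, size in CHARSETS.items():
        out[f"{name}, 1 guess/cycle"] = crack_seconds(size, length, clock_hz)
        out[f"{name}, {cycles_per_guess} cycles/guess"] = crack_seconds(
            size, length, clock_hz / cycles_per_guess)
    return out


if __name__ == "__main__":
    for label, secs in scenarios().items():
        print(f"{label:35s} {secs / SECONDS_PER_DAY:14.1f} days")
```

The output shows the posters' 14-day figure for 36 characters, about 8.9 years once capitals are included, and centuries as soon as each guess costs more than one cycle.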
  • James
    Latest from York: The Press (22 Nov 2007)

    ID theft advice after child benefit fiasco

    Does the concept work? YEP.
  • I assume the CRAs have confirmed that they have the technology in place to verify the thumbprints? :confused:
    Warning ..... I'm a peri-menopausal axe-wielding maniac ;)
  • I assume the CRAs have confirmed that they have the technology in place to verify the thumbprints? :confused:
    Doubtful. I suspect what happens is they just verify the fact that something that looks like a thumbprint exists on the application form.

    If there is contention about whether or not James has made an application, they
    1) Verify the fact that a thumbprint was supplied (if not then the financial institution is at fault.)
    2) If there was one, then the thumbprint would probably be sent off to the police for comparison with the one James sent in.

    One would hope of course that the thumbprint on the application form is well formed (!) and could provide the required evidence to unequivocally exonerate James, and to implicate the stupid idiot that put theirs on there.

    Of course, if a sufficient minority of people started using thumbprints, then they'd have to spend money on setting it up so they could do the initial comparison in-house rather than bothering the police every time there's fraud.

    After all, they aren't interested in fraud at the moment (you can't report it to the police.) Why would they be interested in this method?
    Conjugating the verb 'to be':
    -o I am humble -o You are attention seeking -o She is Nadine Dorries
  • olly300
    I assume the CRAs have confirmed that they have the technology in place to verify the thumbprints? :confused:

    Systems that use thumb prints rely on the fact that crooks don't want to leave anything behind that could place them at the scene.

    Finger print recognition is known to be a highly inaccurate science compared to other ID methods like DNA especially if you are using one finger or a print that is not well-formed.
    I'm not cynical I'm realistic :p

    (If a link I give opens pop ups I won't know I don't use windows)
  • delluver
    dmg24 wrote: »
    We all need to just wait and see. No need to panic unless something actually happens.

    Someone might get run over by a bus tomorrow, are we all going to sit and panic 'just in case'?

    That's a typical British view. Sit about and do nothing until something happens and then panic about it when it's too late. I think it's reasonable to take preventative measures as we don't know where this data is.
  • I am also an employee of HMRC and would just like to add my tuppence worth.

    I think everyone is agreed that this is an inexcusable error and should simply not have happened.

    Making a scapegoat of a junior member of staff however (if they were honestly acting independently of any management – and I don’t believe that they were) will not fix the endemic problems created, IMHO, since Mr Brown (as Chancellor) started making money-saving (perhaps he visits this site :wink: ) sweeping changes with scant regard to the many problems this would create.

    There are many policies in place that cover pretty much everything (including of course data security); however, in practice these may be given a lower priority than they should, simply because of what it would cost to follow them in full. Perhaps this is what happened in this instance (I simply do not know); however, this appalling situation is the result of the bottom line being that cost (cutting) is THE most important target for the Board to meet.
  • I used to work for HMRC also, and I find it confusing, to put it mildly, how and why a junior member of staff was allowed to download this data to a disc. I don't believe for one second it was a junior member of staff. The computers which I used had all capacity to save to disc etc. disabled. The only people who could do this were those with access to the main computer servers/data storage, and generally this is restricted to more senior members of staff.
    I am delighted it in all probability means an end to ID cards.

    I don't believe for one second anyone will be a victim of ID fraud; besides, you are covered by the banking code, and if it does occur the government will likely reimburse the banks.
    :A :

    Siren

    Keep Smiling:D

    Eight words ye Wiccan Rede fulfill - An’ it harm none, Do what ye will.
