CECOM data breach may not be last
Jan 07, 2013 (Asbury Park Press - McClatchy-Tribune Information Services via COMTEX) --
Last month's breach of information stored in a U.S. Army database wasn't the first and, experts say, probably won't be the last.
Some Shore-area residents who worked or visited the former Fort Monmouth were shocked late last month when they received letters telling them that elements of their personally identifiable information had been "compromised" by a hacker who broke into the CECOM (Communications-Electronics Command) database kept at Aberdeen Proving Ground, Md.
All told, the breach affected as many as 36,000 people, according to the letter from CECOM's commanding general, Maj. Gen. Robert S. Ferrell.
Such incidents are to be expected in the "cat and mouse" game played by attackers and defenders, said Vinod Ganapathy, an assistant professor of computer science at Rutgers University in New Brunswick.
"The history of computer security has shown that it is impossible to claim that a system is 'perfectly secure,' " Ganapathy said in an email. "Thus, as defenders, we must always assume that attackers will find means to attack our systems and steal our data."
CECOM's recent experience bears out Ganapathy's statement. Earlier last year, in March, a hacker known as "Black Jester" published sensitive information that was stored on a CECOM site, according to the website Softpedia.com. The information included names, user IDs, physical addresses, email addresses, telephone numbers and passwords, according to the site.
And in January 2011, a hacker put up for sale access to the CECOM site for $499, according to Imperva, a computer security product vendor.
In the latest breach of a CECOM database -- still under investigation by the Army's Cyber Command -- the information came from former Fort Monmouth visitor logs as well as CECOM Software Engineering Center personnel files, according to Ferrell's letter.
That information included "a mix of full names, dates and places of birth, Social Security numbers, home addresses and salaries" that were stored in databases maintained by CECOM located at Aberdeen Proving Ground in Maryland, CECOM spokeswoman Andricka Thomas has said. She said that at a minimum, names and Social Security numbers were accessed.
Thomas said no personally identifiable information was accessed in those two prior breaches.
She said the breach may have affected C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance) and nongovernmental personnel as well.
CECOM and C4ISR were both housed at Fort Monmouth before its closing in September 2011. They are now located at Aberdeen Proving Ground.
Ganapathy said the best defense against computer hacking is vigilance.
Strategies include having "multiple layers of defense (such as network-based intrusion detection systems and firewalls, host-based intrusion detection systems and anti-virus), and to make sure that our systems are properly patched," Ganapathy said in the email. "Large software vendors such as Microsoft and Apple routinely release patches against security vulnerabilities discovered periodically in their software, and it is important to apply these patches in a timely fashion."
Another tactic used is to encrypt the information that is stored on the databases, Ganapathy said.
"Encryption algorithms use a secret key to transform clear text data into cipher text, which cannot be deciphered without the key," Ganapathy said in the email. "If the data is stored encrypted and the key stored securely elsewhere, an attacker who illegally gains entry into a computer system will only again access to the cipher text, which is of no value without the encryption key."
Bill Bowman: bbowman@ njpressmedia.com
___ (c)2013 Asbury Park Press (Neptune, N.J.) Visit the Asbury Park Press
(Neptune, N.J.) at www.app.com Distributed by MCT Information Services
[ InfoTech Spotlight's Homepage ]