Data Privacy

(Updated) Security Bulletin: The OPM Hack & You

By now you should have heard about the massive data breach at the Office of Personnel Management, the government agency responsible for managing the personnel records of federal employees, including members of the intelligence community. The most damning record is the SF-86, the background-investigation questionnaire filled out for a security clearance; it contains enough personally identifiable information to steal the identity of not only the professional obtaining the clearance, but literally everyone they love.

This revelation is particularly sobering when it comes in the wake of a similarly damning bit of data mining: Looking Glass. The unfortunate realization that our security managers were right (be careful what you put on the internet) comes a little too late. And, as both the OPM hack and the Looking Glass web crawler prove, you can be victimized even if you do everything right.

So, if you're a first cousin or a spouse of a veteran, then everything necessary to end up with your identity stolen (your last known address or two, your employer, your birthday, your SSN, maiden names) is probably included in this data. However, the amount of data leaked here is so massive that, unless you're singled out by a filtering program (like Looking Glass) or draw attention to yourself (by posting photos of your Mercedes on Twitter, say), you're probably not going to show up on any criminal's or foreign government's radar.

For the average American, you might be included in this breach by name (e.g. "Airman Johnny has coffee with Dr. Snuffy regularly"), but beyond your name there is probably little to worry about.

Update: 16 June 2015

From the CSID website: $1,000,000 in identity theft protection services will be offered to those affected; notifications will be sent by e-mail or postal mail by 19 June 2015. SF-86s were probably not compromised: "Your [family member] was not affected by this breach. The only data potentially exposed as a result of this incident is your personal data."

Furthermore, this incident did not affect military records, and no contractors were affected unless they previously held Federal civilian positions. The incident affected current and former Federal civilian personnel, including Department of Defense civilian employees.

Unfortunately, there is a spear-phishing campaign under way that sends fictitious e-mails to DOD personnel. US Army CID states that a phishing e-mail is being sent to DOD personnel asking them to click on hyperlinks and enter a personal PIN to verify their personal information.

The Office of Personnel Management has warned its users to avoid clicking on links in e-mails, giving out personal information over the internet, or communicating with individuals whose identity cannot be verified.
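The advice above is sound but vague; the concrete check is whether a link actually goes where it claims to. The following script is an added example and not code from the bulletin, OPM, CSID or Army CID: it pulls every anchor out of an e-mail body and flags links that use plain http, point outside a trusted domain list, or whose visible text names one domain while the href goes to another. The trusted domains (opm.gov, csid.com) and the sample message are assumptions constructed for the example, not lists published by either organization.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: domains a genuine notification would link to.
# Not an official list from OPM or CSID.
TRUSTED_DOMAINS = {"opm.gov", "csid.com"}

# Constructed sample e-mail body in the style of the campaign described above.
SAMPLE_EMAIL = """
<p>Dear DoD employee, your information may have been exposed.</p>
<p>Please <a href="http://opm-verify.example.net/login">click here</a> to verify
your identity and enter your PIN.</p>
<p>Or visit <a href="http://198.51.100.23/csid">https://www.csid.com/verify</a>.</p>
<p>Official notice: <a href="https://www.opm.gov/cybersecurity">opm.gov</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain reduction (last two labels); enough for .gov/.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_links(html):
    """Return one finding per link with the reasons it looks like phishing."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme != "https":
            reasons.append(f"non-https scheme {target.scheme!r}")
        if registrable(host) not in TRUSTED_DOMAINS:
            reasons.append(f"target {host!r} is not a trusted domain")
        # Visible text that looks like a URL but whose domain differs from the href.
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(
                f"display text names {shown.group(1)!r} but link goes to {host!r}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}  ({', '.join(f['reasons']) or 'no issues'})")
```

Run against the constructed message, the first two links are flagged (a look-alike domain over plain http, and a bare IP address hiding behind text that reads like a csid.com URL) while the third, which really goes to opm.gov over https, passes. The domain reduction is deliberately crude; a production filter would use the public suffix list.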

Data Mining, The Internet, and Counter Intelligence

We can, and do, talk about data privacy and ownership until we're blue in the face; we also talk about how seriously screwed up some of the things the National Security Agency did were, but we never really harp on the obvious fact: all the security in the world doesn't do a damn bit of good if you give your information away. One ambitious JSON project over on GitHub, Looking Glass, is capitalizing on just that fact.

In fact, as of this publication, it has data-mined 139,361 resumes belonging to military and civilian officials within our nation's Intelligence, Surveillance, and Reconnaissance (ISR) fields. Those handy little skill endorsements that job seekers use to categorize themselves into fields (e.g. "Security Clearance" or "ISR") are exactly what the data miners have been more than willing to scoop up.
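To make the mechanism concrete, here is an added example (not Looking Glass's code, whose actual filters I have not reviewed) of the kind of keyword bucketing such a crawler can apply to a public profile, turned around as an OPSEC self-check. The keyword buckets, the targeting rule (clearance terms plus at least one other bucket) and the three profiles are all assumptions constructed for the example.

```python
import re

# Assumed keyword buckets; illustrative only, not Looking Glass's real filters.
CATEGORIES = {
    "clearance": [r"\bTS/?SCI\b", r"\btop secret\b", r"\bsecurity clearance\b",
                  r"\bpolygraph\b"],
    "isr": [r"\bISR\b", r"\bSIGINT\b", r"\bHUMINT\b", r"\bGEOINT\b",
            r"\bintelligence analyst\b"],
    "unit": [r"\bsquadron\b", r"\bbattalion\b", r"\bjoint task force\b"],
}

# Constructed sample profiles shaped like public resume/skills pages.
PROFILES = [
    {"name": "Profile A", "skills": ["ISR", "Security Clearance", "SIGINT"],
     "summary": "Intelligence analyst, active TS/SCI with polygraph."},
    {"name": "Profile B", "skills": ["Python", "Project Management"],
     "summary": "IT manager for a regional retailer."},
    {"name": "Profile C", "skills": ["Security Clearance"],
     "summary": "Logistics coordinator."},
]


def scan_profile(profile):
    """Map each bucket to the distinct phrases found in the profile's text."""
    text = " ".join(profile.get("skills", [])) + " " + profile.get("summary", "")
    hits = {}
    for bucket, patterns in CATEGORIES.items():
        found = {m.group(0) for p in patterns for m in re.finditer(p, text, re.I)}
        if found:
            hits[bucket] = sorted(found)
    return hits


def is_target(hits):
    """Assumed crawler rule: a clearance term plus any other bucket marks a target."""
    return "clearance" in hits and len(hits) >= 2


def flagged_profiles(profiles):
    """Names of profiles the assumed rule would pull into a target list."""
    return [p["name"] for p in profiles if is_target(scan_profile(p))]


if __name__ == "__main__":
    for p in PROFILES:
        hits = scan_profile(p)
        print(p["name"], "TARGET" if is_target(hits) else "skip", hits)
```

The point of the self-check is the combination: a lone "Security Clearance" endorsement (Profile C) is noise, but paired with ISR terms (Profile A) it makes the profile trivially filterable by anyone with a crawler and a regex.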

(Update) Understanding IT

Over the past year I have been engaged in writing two books, Understanding IT: A Guide for Business Leaders, and Current Trends in Business Intelligence. My last update cited that I would be releasing both books in January 2015, and I am pleased to announce that this date is still solid. However, there has been one very significant adjustment to my original plan: Current Trends will no longer be a stand-alone work.

As it stood, Current Trends was going to end up being a short work of approximately forty pages with a large number of pictures and diagrams, and I just did not feel comfortable releasing it as its own product.  Simply put: I wasn't falling in love with where the book was going. As a result, I decided to scrap the forty page book and expand the topics covered in Understanding IT to also include data science fundamentals, the Information Technology Service Management framework, project management, and more case-studies in proper IT governance as it relates to first-time IT managers and small business owners.

It is my belief that, while it made sense to start the books as individual works, the combined manuscript will be more beneficial to the consumer while aligning more with my career goals (to obtain an ITIL and PMP certification) and producing a product in which I am more proud to claim ownership.

The process of combining the books was relatively easy, but the extra research load (namely reading through the libraries of ITSM and PMP) has proven to be a challenge.  However, given that I have an 80% complete manuscript (already line-edited), I've also started approaching agents and publishers to give traditional publishing a fair shot before moving on to independent alternatives.