August 2009


The Implications of Predictable SSNs


Two researchers from Carnegie Mellon University recently released a study showing that social security numbers (SSNs) can be predicted with a fairly high degree of accuracy by knowing just a few bits of personal information.  For example, with knowledge of a person’s birth date and town of birth, they were able to predict the SSN of 8.5% of people born between 1989 and 2003 with fewer than 1000 attempts.  The reason this works is that SSNs are not randomly assigned, but are instead based on a complex yet regular (and thus predictable) pattern.

This research is of more than just academic interest.  It has real implications for identity fraud and for how to protect yourself from becoming a victim.  So how could a malicious person or organization use this research to commit identity theft?  Since all one needs to predict someone’s SSN is a date of birth and hometown, the best place to begin is a social networking site such as Facebook or Myspace.  Many people freely provide this information not only to their “friends”, but often to everyone.  It is easy to find out when and where just about anyone was born on these types of sites.  And even if you are careful to share this information only with friends, many people accept friendship invitations from just about anyone.  If I were targeting someone in particular whose identity I wanted to steal, I would simply try to befriend some of their contacts before sending them a friend request.  This would lend credibility to the friend request and make them more likely to accept it.  With a little social engineering, it would not be very difficult to determine the necessary personal information for just about anyone.

The next step would be to use the methods described in the research to predict a set of candidate SSNs for the targeted victims.  Once a list of probable SSNs has been generated, it is possible to use online resources, such as instant online credit approval services or the Social Security Administration verification database, to check which candidate is correct.  Once someone has a person’s name, birth date, hometown and SSN, it is very easy to steal that person’s identity or obtain credit in their name.  All of this could easily be automated to increase the speed and efficiency of obtaining SSNs, making this a legitimate threat to the safety of personal information.  To protect yourself, be very careful about how much information you share on social networking sites, and only accept people you know into your online networks.
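The verification step above is where a defender can see the attack: each wrong guess against a verification service is a lookup for the same name and birth date with a different SSN. The following is an added example, not code from the original post or from the CMU researchers, and it assumes a hypothetical verification service that logs one line per lookup as `timestamp source_ip last_name dob ssn_candidate result`; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (all values made up): one source cycles through
# candidate SSNs for a single name and birth date until it gets a match,
# while a legitimate user re-submits the same SSN twice.
SAMPLE_LOG = """\
2009-08-01T10:00:00 203.0.113.5 doe 1995-03-12 123-45-6781 no_match
2009-08-01T10:00:01 203.0.113.5 doe 1995-03-12 123-45-6782 no_match
2009-08-01T10:00:02 203.0.113.5 doe 1995-03-12 123-45-6783 no_match
2009-08-01T10:00:03 203.0.113.5 doe 1995-03-12 123-45-6784 no_match
2009-08-01T10:00:04 203.0.113.5 doe 1995-03-12 123-45-6785 match
2009-08-01T10:05:00 198.51.100.9 smith 1990-07-04 987-65-4321 match
2009-08-01T10:06:00 198.51.100.9 smith 1990-07-04 987-65-4321 match
"""


def parse_line(line):
    """Split one hypothetical log line into its six fields."""
    ts, ip, name, dob, ssn, result = line.split()
    return datetime.fromisoformat(ts), ip, name, dob, ssn, result


def find_enumeration(log_text, max_distinct=3, window=timedelta(minutes=10)):
    """Return {(name, dob): distinct_ssn_count} for every identity against
    which more than max_distinct different SSNs were tried inside a sliding
    time window.  Counting distinct SSNs per identity rather than per source
    IP still catches guessing spread over several addresses, and a user who
    retypes the same SSN is never flagged."""
    attempts = defaultdict(list)  # (name, dob) -> [(timestamp, ssn), ...]
    for raw in log_text.splitlines():
        if raw.strip():
            ts, _ip, name, dob, ssn, _result = parse_line(raw)
            attempts[(name, dob)].append((ts, ssn))
    flagged = {}
    for ident, events in attempts.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # advance the window start so that events[start:end+1] spans <= window
            while ts - events[start][0] > window:
                start += 1
            distinct = {s for _, s in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ident] = max(flagged.get(ident, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # {('doe', '1995-03-12'): 5}
```

A service that rate-limits or locks an identity once this threshold is crossed turns the "fewer than 1000 attempts" figure from the study into far more than 1000 attempts in practice.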

Even Security Pros Get Owned

On Thursday we awoke to a good old-fashioned web site defacement and the disclosure of emails and other personal information belonging to some of the most prominent names in the information security field.  A group hacked into the servers of Dan Kaminsky, Julien Tinnes, and Kevin Mitnick, to name just a few.  The information they obtained and disclosed includes email correspondence, phone numbers, user IDs and passwords of many of the world’s most notable white-hat security researchers.  Some of this information is very personal and quite embarrassing to have publicly disclosed to the entire Internet.  Moreover, it is likely that this disclosure will lead to a great deal of spam and nuisance phone calls for the people whose information was disclosed, as well as possible attacks on other systems.

These days it is unusual for hackers to deface web sites and publicly embarrass others.  Most are more concerned with making money and thus try to work silently without being noticed.  The defacement of Kaminsky’s web site is reminiscent of the old-school gamesmanship in which hackers would try to publicly humiliate others by defacing their web sites.  This attack has prompted Kaminsky to take his site offline, although you can still see the defaced version in Google’s cache.  I have also included it below.

[Screenshot: the defaced doxpara site]

It is not known how the hackers were able to crack the servers, but it goes to show that a determined attacker can probably find an exploitable vulnerability in any system if given enough time and resources.  There is no such thing as a completely secure system, except one that is turned off.  It is the job of the security professional to reduce risk to an acceptable level given the value of the asset being protected.  While none of the information disclosed could be considered valuable in a monetary sense, having it disclosed so publicly is certainly embarrassing and could damage the victims’ reputations and their businesses.  No system is safe, and we should all take heed of the threats that are out there.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved