Shocking News of the Day: Social Security Numbers Suck

Posted on January 9, 2012 by adam

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over the telephone or re-set a password.

All banks in the report used some version of the Social Security number as a means of authenticating the customer, Javelin found. The pervasive use of Social Security numbers was surprising, given the importance of Social Security numbers as a tool for identity theft, said Phil Blank, managing director of security, risk and fraud at Javelin. (“Banks Rely Too Heavily On Social Security Numbers, Report Finds“, Ann Carrns, New York Times)

Previously here: “Social Security Numbers are Worthless as Authenticators” (2009), or “Bad advice on SSNs” (2005).

Twitter Weekly Updates for 2012-01-08

Posted on January 8, 2012 by adam

RT @RegoftheDay Happy new year! 40,000 new laws take effect starting today. http://t.co/EOVyRya9 #
RT @StevenLevy Always suspected those xray "backscatter" machines will kill more of us than terrorists will. Now this. http://t.co/ag2lFWWc #
New podcast with @dgwbirch: http://t.co/HKeKOVyW #
New short blog: "The irony overfloweth" http://t.co/6VsrF9JO #
Wow. The Wikipedia article on Infosec certifications currently lacks any dissent on the value of certs. http://t.co/SzdJZHAp #
RT @jayjacobs I've taken a job with the Verizon Risk Intelligence team! << Congratulations to Jay, @wadebaker & the rest of the DBIR team! #
Reflections on trusting "Verified" http://t.co/2FgkajVz #
RT @gbullard The first correction listed is the greatest I've ever seen:
http://t.co/6aRN9uK6 #
New School blog: "Comments on Steve Bellovin's Lessons from Suppressing Research" http://t.co/W2wEUMDB #
RT @tgoetz glad to see the FDA issue some sort of restriction on antibiotics in animals, even if a watered-down version http://t.co/kCI5fZzo #
RT @DanielSolove I will be speaking at Microsoft (DC) tomorrow: about my PII article. Event description here: http://t.co/iMrPChQf #
Some additional comments on the password change paper: http://t.co/oYDhY0EA #
RT @hypatiadotca For all the Sous Vide geeks: Open Source PID (via @3ricj) http://t.co/zYFZ6DVA #
RT @thisisparker Very cool: @Schneier auctioning off galley copies of new book "Liars and Outliers"; proceeds to @EFF and @EPICPrivacy #
RT @ErrataRob Vint Cerf is profoundly wrong in saying that the Internet is not a human right http://t.co/wrfyIzA1 #
RT @Jim_Harper @adamshostack @thisisparker I think you mean @schneierblog #
RT @csoandy Ahhh, one hour, second trick of Elevation of Privilege. Good game, @adamshostack. << glad it helps! #
RT @csoandy Lots of trash talking. "I don't see how that's possible here!" "Can't you see how easy this is!" Good framework. #
RT @SecWonk CPEs 4Free: @adamshostack on @Kaspersky Podcast, Methods of Compromise+ New School & Learning http://t.co/uqRH3iBG #CPEs4Free #
RT @Ellen_CK Keynoting BSides PHX http://t.co/NgIIzh7F :) << Cool! #
RT @DanaEpp Get to introduce threat modeling via "Elevation of Privilege" game to new members of the dev team. Good way to end the week! #

The Irony Overfloweth

Posted on January 3, 2012 by adam

@RobArnold tweeted: “Someone thinks targeted Facebook ads are an effective way to ask for Firefox features. Any other Mozillians see this?”

The irony of using a targeted ad, on Facebook, to ask for more privacy protection…

Twitter Weekly Updates for 2012-01-01

Posted on January 1, 2012 by adam

RT @timoreilly Amazon patents inferring religion from choice of wrapping paper http://t.co/MmCMx2OO << Over the "creepy" line #
RT @kevinmitnick Did you ever want a blue box to make free calls? Now you can in the Apple app store. Search for "blue box". EPIC!!! #
I wonder what Woz thinks of being able to get a blue box on his apple phone? (cc @kevinmitnick) #
I'm super-happy to see @rmogull, @Beaker, @nselby & more arguing over quality & speed of breach disclosure. #AVeryNewSchoolChristmas :) #
It's cool that Skype's preferences uses a segment of 1984 as the sample chat when showing that logs are kept. #
Very interesting history of names at #28c3 http://t.co/dL1ztjmL /cc @_nomap @privacyint #
RT @doctorow Adversarial stylometry data-set/research https://t.co/SPtQ72XX #28C3 < Totally rad! #
RT @jeremiahg New blog post: "Terrified" http://t.co/AlorWtcd << Kudos on speaking up! #
RT @Beaker Easy, because "outcomes" require analysis, modeling & understanding. Controls can be bought, installed & checked off #
So has anyone written up an analysis of the GoD dump? (mm.txt) #
RT @evilcyber I can probably narrow the GOOG stuff down to about a 6 month window in 2003. :) << There's stuff when Aleph1 was at SFocus #
RT @argvee @evilcyber @adamshostack we got it down to 3. #

Cello Wars

Posted on December 28, 2011 by adam

For your holiday amusement:

Thanks, Jeff!

Living in a Shell

Posted on December 27, 2011 by adam

Check out this amazing house by Arquitectura Organica:

Twitter Weekly Updates for 2011-12-25

Posted on December 25, 2011 by adam

Weekend NewSchool blog: "APT Didn't Eat our Theme. Adam Did." http://t.co/JDvLTayG (cc @RealGeneKim, @alexhutton ) #
Really, TSA? The airline isn't allowed to auto-enter my freakin' date of birth? Has anyone calculated lifetimes wasted on red tape? #
RT @BillBrenner70 Stop them before they predict again! http://t.co/7qzuTchU #
I predict 90% of 2012 infosec predictions will contain no numbers and no dates. Prove me wrong, $100 to charity of your choice. #
Predictions out of some group of 10 or more, like "vendors" or "SBN" or "previous published top N blogger list" #
New School blog post, "Owning Up to Pwnage (Part 2)" http://t.co/qWISkasN #
Quick poll: how long have your Elevation of Privilege playing sessions lasted? How did they end? #
RT @josephmenn I wanted to let you know that my regular journalism will soon be easier to see. I am moving to Reuters http://t.co/RfHc5Shb #
MT @451wendy RT @mckt_: <Citation Needed> <- this. And that pretty much sums it up for [infosec today] #
RT @chriseng New blog post [video]: The Thought Leader… One Year Later http://t.co/V7nCqiQ2 << Chris, I'll respond in next hallway track #
New blog: "The New School of Security Predictions" http://t.co/9iyo3mKf (cc @BillBrenner70 @jack_daniel) #
New blog on the Emergent Chaos of the Pre-K Underground http://t.co/yb73FUJC #
I'm on the "Tomorrow's Transactions" with @dgwbirch! Had a great time covering New School, Zero-Knowledge & Games. http://t.co/HKeKOVyW #
"RT" @Walshman23 "Niels Bohr was right about predictions" http://t.co/lJpSFZdo #
RT @bobmcmillan There's a flying remote-controlled shark @wired today. A holiday tradition? < You're living in @greatdismal's world #
Update to "Top 5 Security Influencers" post to address critical questions from @beaker http://t.co/SUoTPZ6N (cc @oneraindrop again) #
RT @Beaker Hey @securityincite the captcha on your comment form is barfing. I can't add my comment. < +1 :( #
National Ass'n of Realtors discovers that public data is good, and their estimates were way off: http://t.co/zT1vrzMU #
Happy birthday @Mortman! #
RT @rcalo Local police issue vague/broad request to @Twitter for records on #occupy Boston. http://t.co/CCAZIaa9 (via @pogowasright) #
I hear Boston police have also issued @twitter subpoenas for @paulrevere, @samadams & @johnadams http://t.co/CCAZIaa9 (/cc @amac) #

Niels Bohr was right about predictions

Posted on December 21, 2011 by cwalsh

There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I figured I’d share.

With minor formatting changes, the following is from my email of April, 2010.

Prediction 1

Regulation E style accountholder liability limitation will be extended
to commercial accountholders with assets below some reasonably large
value by 12/31/2010.

Why:  ACH and wire fraud are an increasingly large, and increasingly
public, problem.  Financial institutions will accept regulation in order
to preserve confidence in on-line channel.

WRONG!

Prediction 2

An episode of "state-sponsored SSL certificate fraud/forgery" will make
the public press.

Why: There is insufficient audit of the root certs that browser vendors
innately trust, making it sufficiently easy for a motivated attacker to
"build insecurity in" by getting his untrustworthy root cert trusted by
default.  The recent Mozilla kerfuffle over CNNIC is an harbinger of
this[1].  Similarly, Chris Soghoian's recent work[2] will increase
awareness of this issue enough to result in a governmental actor who has
done it being exposed.

Right!

But only because for this one I forgot to put in a date (I meant to also say “by 12/31/2010″, which makes this one WRONG! too.

I was motivated to make this post because I once again came across Soghoian’s paper just the other day (I think he cited it in a blog post I was reading). He really nailed it. I predict he’ll do so again in 2012.

The Pre-K underground?

Posted on December 21, 2011 by adam

Not my headline, but the New York Times:

Beyond the effort was the challenge of getting different families to work together. When matters as personal as education, values and children are at stake, intense emotions are sure to follow, whether the issue is snacks (organic or not?), paint (machine washable?) or what religious holidays, if any, to acknowledge. Oh, and in many cases, forming a co-op school is illegal, because getting the required permits and passing background checks can be so prohibitively expensive and time-consuming that most co-ops simply don’t. (“The Pre-K Underground“, The New York Times, December 16)

Read the whole thing, and then give some thought to how effectively those policies, combined with the drug war, are de-legitimizing governments, and convincing people that to live their lives involves avoiding government rules. Eventually, even legitimate and necessary functions of government like courts will fall apart.

Think I’m exaggerating?

“There’s a fairly stringent code and byzantine process for getting certified and code-compliant,” said City Councilman Brad Lander, a Democrat from Brooklyn, whose office held a meeting over the summer for any co-ops interested in pooling their resources and securing permits. “Some are genuinely for the safety of kids, and some are more debatable.”

There’s a city councilman driving doubt over the system. What does that do to the legitimacy? What happens to the social contract?

Will the war on coop kindergardens join the war on drugs?

Twitter Weekly Updates for 2011-12-18

Posted on December 18, 2011 by adam

RT @jeremiahg "HBGary not only didnt lose biz customers in the past year, but "got additional business" -Hoglund http://t.co/ap9pP39F #
RT @bobblakley @Judgenap "Timid men prefer the calm of despotism to the tempestuous sea of liberty." Thomas Jefferson #
Weekend blog "Threat Modeling & Risk Assessment" follows up on conversation with @451wendy http://t.co/iFCRCJW3 #
RT @DennisF New podcast with @adamshostack. http://t.co/o2Y03gP0. Methods of compromise, New School and learning. #
RT @wikileaks What they don't want you know: ACLU compares redactions to WikiLeaks documents made by the US State Dept http://t.co/51aIoNGw #
RT @bobblakley RT @alexhutton Fox News still makes awesome charts http://t.co/l0qQ83kU < wow. HAND-CRAFTED lies! #
RT @BreakingNews Seattle police use flash-bang grenades to disperse Occupy protesters at city's port – AP << WTF? #
New blog "The output of a threat modeling session, or the creature from the bug lagoon" http://t.co/lqAcvL4e (cc @451wendy) #
RT @lwosterman A large part of the TM problem is it's hard to figure out what you really need to do. IMHO, EOPs are a copout < yes; huh? #
RT @lwosterman It's too easy to find EoP threats and they're not actionable. Every tampering is also an EoP. It's a basic flaw of STRIDE #
RT @michael_howard Software Security Engineering jobs @ MSFT http://t.co/t68zLwSK #
New blog "Outrage of the Day: DHS Takes Blog Offline for a year"
http://t.co/YA9j1V1q #
RT @michael_howard Software Security Engineering jobs @ MSFT http://t.co/t68zLwSK #
Quick blog pointer to my podcast with @DennisF http://t.co/vYBjelIn Short, sweet and fun! #
Hey Seattle, what's up with taxis being totally overbooked? #
New blog, "Top 5 Security Influencers of 2011" builds on @oneraindrop http://t.co/SUoTPZ6N #
MT normative Another TSA monkey Leaves Personalized Note In Passenger’s Bag (After Finding Marijuana) http://t.co/DRYgGSsw #
RT @aloria: Things I'm not allowed to do at work, #1337 say "boom goes the dynamite" when I PoC a vuln < we're hiring http://t.co/t68zLwSK #
RT @pmocek I can hardly wait for lunch to read the US DOJ's "devastating takedown" of the @SeattlePD http://t.co/q7YKBKPW #
But @pmocek how will you keep your lunch down when reading about @SeattlePD's 20% use of unnecessary force? http://t.co/q7YKBKPW #
So happy to hear my team's response to the insider question. #
RT @sfmnemonic Have law degree, good reputation, writing skills, speaking skills and some fame in my field. Please hire me. #
New NewSchool blog: "APT Didn't Eat our Theme. Adam Did." http://t.co/JDvLTayG #
New NewSchool blog: "APT Didn't Eat our Theme. Adam Did." http://t.co/JDvLTayG (cc @RealGeneKim, @alexhutton ) #
RT @quinnnorton Today #D17 is year anniversary of #Bouazizi trying to set himself on fire, accidentally catching the whole world instead. #