CMU researchers have published this paper, which describes statistical methods for predicting SSNs from public data.
Overview of the paper:
SSN nomenclature:
SSN (9 digits) = AN (3 digits) + GN (2 digits) + SN (4 digits)
AN - Area Number. It is assigned based on the zip code of the mailing address provided on the SSN application form.
GN - Group Number. Within each SSA area, GNs are assigned in a precise but nonconsecutive order between 01 and 99.
SN - Serial Number. Within each GN, SNs are assigned "consecutively from 0001 through 9999".
Algorithm:
The prediction algorithm exploits the fact that people born in the same area are likely to have SSNs that are close to one another.
Step 1: Use the Death Master File (a public file containing the SSNs and place / date of birth of deceased people) to form clusters of people.
Step 2: Using the person's place / date of birth from social networking sites like Facebook, Orkut or whatever, identify his / her cluster. This reveals his / her AN and GN.
Step 3: Use regression to predict the SN.
Conclusion:
The US government is already working on randomizing SSNs to defend against statistical attacks, but the SSNs we already hold are prone to prediction with a certain accuracy, as outlined above.
In the paper, they mention that aliens who got their SSN long after their birth are outliers and won't be predicted. I am safe :) but nevertheless I will always remain skeptical and critical about the privacy of social networking sites.
Excerpt from the Wired article:
"With just two attempts, the researchers correctly guessed the first five digits of SSNs for 60 percent of deceased Americans born between 1989 and 2003. With fewer than 1,000 attempts, they could identify the entire nine digits for 8.5 percent of the group."
Thoughts and musings on Technology, Security and me.
Showing posts with label security.
Tuesday, July 07, 2009
Tuesday, January 20, 2009
Top 25 Programming errors
A good list of top programming errors compiled by a group of professors, security researchers, industry people and more. As always, the top issue is Improper Input Validation.
Tuesday, October 07, 2008
OWASP AppSec NY 2008
During the last week of September, I attended the OWASP AppSec NY 2008 conference in NYC. It ran for 2 days and had several sessions running in parallel. Some of those that impressed me were:
1. WAF - Web Application Firewall. This is like a hardware appliance that you plug in in front of your web server. It intercepts all traffic to your web servers and analyzes it for attack patterns (e.g. checking for an 'and 1 = 1' pattern to narrow in on a SQL injection attack). Security is not a layer / tier in your application stack / model but should be inherent in every part of it. So I was quite skeptical whether this WAF is just hype or myth or some marketing.. but I guess you can use a WAF when things look really bad. For example, if you are aware that your web app is under attack and don't have time to analyze and fix it, just plug in a WAF. Also, I am planning to work on a survey paper on IDS this semester, so I am looking at analyzing how the IDS in a WAF works and its pros and cons.
2. Clickjacking - Although security researchers Jeremiah Grossman and Robert Hansen decided not to "zero-day" on this, they had a great presentation on some of the most common and interesting attacks that happen due to business logic flaws and coding flaws.
3. ESAPI - This is the Enterprise Security API. It is built on top of the various security functionality libraries like javax.crypto, JAAS etc. It looks really neat and makes sense. It is pioneered by Jeff Williams, who is the chair of OWASP. I was really impressed with his simplicity.
4. Security issues while offshoring - This was presented by Rohyt Belani and he gave a great case study. I thoroughly enjoyed his theme that offshore ITES companies should sell security as their differentiator.
All the presentations are available online. You can watch them here. Enjoy.
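To make the WAF point concrete, here is an added example (my own code, not from the conference or from any WAF product) that runs two signature checks over a handful of constructed request lines: the literal 'and 1 = 1' substring match mentioned above, and a version that normalizes the request (URL decoding, inline comments, case, whitespace) before matching a generic X = X tautology. The request lines, the labels and the regex are all assumptions made up for this illustration.

```python
import re
import urllib.parse

# Constructed sample requests (not from the original post). The flag marks
# which ones actually carry a SQL-injection probe.
SAMPLE_REQUESTS = [
    ("GET /products?id=42", False),
    ("GET /products?id=42 and 1 = 1", True),          # the textbook spelling
    ("GET /products?id=42%20AND%201%3D1", True),     # URL-encoded, upper case
    ("GET /products?id=42+aNd+/**/1=1--", True),     # mixed case, inline comment
    ("GET /search?q=brand new and 1 item", False),   # benign text near the signature
    ("GET /products?id=42' OR 'a'='a", True),        # quoted tautology
]

NAIVE_SIGNATURE = "and 1 = 1"


def naive_match(request):
    """Literal substring signature, the kind of check the talk used as an illustration."""
    return NAIVE_SIGNATURE in request


def normalize(request):
    """Undo the cheap evasions before matching: URL decoding ('+' is a space),
    SQL inline comments, case, and runs of whitespace."""
    s = urllib.parse.unquote_plus(request)
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


# Generic tautology: AND/OR followed by X = X, with X a bare or single-quoted token.
TAUTOLOGY = re.compile(r"\b(and|or)\s+('?)([a-z0-9]+)\2\s*=\s*\2\3\2?(?!\w)")


def tautology_match(request):
    """Signature applied to the normalized request rather than the raw bytes."""
    return TAUTOLOGY.search(normalize(request)) is not None


def evaluate(detector, samples=SAMPLE_REQUESTS):
    """Count hits against the labelled samples: tp = attacks caught,
    fp = benign requests blocked, fn = attacks missed."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for request, is_attack in samples:
        flagged = detector(request)
        if flagged and is_attack:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif is_attack:
            counts["fn"] += 1
    return counts


if __name__ == "__main__":
    print("naive signature:", evaluate(naive_match))
    print("normalized tautology:", evaluate(tautology_match))
```

On these six lines the literal signature catches only the textbook spelling and misses the three trivial variants, while the normalized check catches all four without blocking the benign search. The caveat is the one the post itself makes: a WAF is pattern matching at the edge, so every new encoding trick means another normalizer, and every broader pattern means more risk of blocking legitimate traffic; it buys time, it does not replace fixing the query.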
Tuesday, July 29, 2008
Thursday, July 03, 2008
Wednesday, March 12, 2008
Shutting down pacemakers
Schneier comments on this new research, which has been in almost all the major news columns. Researchers have found a way to remotely access a combination heart defibrillator and pacemaker, and they were able to shut down the pacemaker.
Schneier finally concludes thus -
The general moral here: more and more, computer technology is becoming intimately embedded into our lives. And with each new application comes new security risks. And we have to take those risks seriously.
The general moral here is like an inconvenient truth...
Thursday, February 07, 2008
OpenID league expands
Google, IBM, Verisign and MS have officially joined the OpenID league today. This brings a lot of strength to the OpenID project, and I hope that it prospers and helps simplify authentication.
Lock-in in the name of Security
This is yet another brilliant article by Bruce Schneier. He starts with how the iPhone is "bricked" by Apple in the name of security, and talks about how vendors try to lock in users and secure themselves from their customers.
excerpt -
Mostly, companies increase their lock-in through security mechanisms. Sometimes patents preserve lock-in, but more often it's copy protection, digital rights management (DRM), code signing or other security mechanisms. These security features aren't what we normally think of as security: They don't protect us from some outside threat, they protect the companies from us.
Thursday, January 17, 2008
Yahoo joins OpenID
I really like the OpenID project. It is a framework which provides cross-domain SSO (single sign-on), i.e., if I have registered with 10 websites which have all implemented OpenID, then I can choose one among them to be my identity provider and authenticate on all 10 websites with this one single id. Yahoo announced today that they will be providing a beta version of this identity provider service starting on the 30th. There are already more than 10,000 sites using the OpenID framework, which means that if I opt for Yahoo as my identity provider, I can log in to the other 10,000 sites with my Yahoo id / pwd. Google and MS have already shown interest in OpenID and are working on implementing this framework. The benefit I see with OpenID is that the fewer passwords I need to remember, the stronger the passwords would be. For example, since I have registered for services with 20 - 30 sites with 20 - 30 ids / pwds, I might forget one or the other and get bugged, which would lead me to set passwords that are quite weak (and so easily crackable). As a coin always has 2 sides, there surely will be some security concerns and issues while using OpenID. For example, there might be phishing attacks leading to wider id theft. But still, I think OpenID is here to stay. Hoping to see more OpenID migrations..
Wednesday, December 12, 2007
Security in 10 years
A very interesting discussion between Schneier and Marcus Ranum on the future of security.
Excerpt --
"But throughout history and into the future, the one constant is human nature. There hasn't been a new crime invented in millennia. Fraud, theft, impersonation and counterfeiting are perennial problems that have been around since the beginning of society. During the last 10 years, these crimes have migrated into cyberspace, and over the next 10, they will migrate into whatever computing, communications and commerce platforms we're using."
Both of them point out that simplicity is the way to go and that some of the current complex systems will lead us to disaster. An interesting piece I read about simple and complex systems is on a site called betterexplained. One of my friends referred me to this site and I really enjoy it. Lots of basic concepts on various subjects are explained in simple terms with apt examples.
Sunday, November 04, 2007
My concerns on Social Networking
Social networking has really caught on with a lot of people. Some statistics here.
It has really become a great platform to catch up with friends. Orkut helped me get back in touch with one of my good old friends who moved out of my school after fifth standard. As a coin has 2 sides, so does social networking. I have used only Orkut and thought of sharing some of the concerns I have.
I was very uncomfortable after seeing that the scraps (scraps are short messages you can leave for another Orkut member) are public. If someone wants to profile you, they could go through the trail of scraps to know the relationship you maintain with your friends (yeah.. it's crazy, right).
User profiles are public. Why would I want to share my interests, my favorite movies, my hobbies etc. in public? This data will help a lot in launching a social engineering attack. For example, on some sites, the FYP (Forgot Your Password) feature asks for a security question and answer. Most of these security questions (I don't understand why they call it a security question) are standard, like "First school you studied in", "Name of your pet", "Favorite pastime" etc. Most of the answers could be found in a well documented user profile on Orkut. I don't have statistics, but my gut feeling says that most of your passwords are at least remotely linked to something you have on your profile (when I had my profile, at least one of my passwords was linked to the data on my profile). For example, your password might be linked to your passion or your favorite movie or one of the communities you are a part of. So things are made easy for a cracker; he just has to try out all possible or widely used passwords relating to whatever data you have on your profile.
Although social networking is on the rise, it surely seems to aid social engineering. Alright, with this problem in hand, the solution I can see is whitelisting. Give the user the power to manage who can access (read / write) what data. Although Orkut has customizable profile views for friends and everyone, they might have to bring in something similar for the scrap / photo / video sections. Any thoughts??
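The flip side of the concern above is something a site can check at password-change time: does the new password contain anything that is visible on the user's own profile? Here is an added example (my own code, not anything Orkut or any other site runs) that normalizes both the profile fields and the candidate password, including the usual leetspeak substitutions, and reports which profile words the password contains. The profile, the substitution table and the minimum token length are assumptions constructed for the illustration.

```python
import re

# Constructed profile standing in for the public Orkut fields the post lists
# (not real data).
PROFILE = {
    "pet": "Bruno",
    "favorite_movie": "The Matrix",
    "community": "Chennai Super Kings",
    "school": "St. Joseph's",
}

# Common substitutions people use to "disguise" a word: m@tr1x, Brun0, ...
LEET = str.maketrans("@$013457!", "asoieasti")


def normalize(text):
    """Lower-case, undo leetspeak, drop anything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def profile_tokens(profile, min_len=4):
    """Every word of every profile field, plus each field as a whole,
    normalized. Short words ('the', 'st') are skipped to limit false hits."""
    tokens = set()
    for value in profile.values():
        candidates = re.split(r"\W+", value) + [value]
        for word in candidates:
            w = normalize(word)
            if len(w) >= min_len:
                tokens.add(w)
    return tokens


def derived_from_profile(password, profile):
    """Return the profile tokens found inside the password (empty list = clean).
    A non-empty result is the signal to reject the password, or at least to
    warn that it is guessable from public data."""
    pw = normalize(password)
    return sorted(t for t in profile_tokens(profile) if t in pw)


if __name__ == "__main__":
    for candidate in ["M@tr1x2007!", "bruno_csk99", "correct horse battery"]:
        print(candidate, "->", derived_from_profile(candidate, PROFILE))
```

The same check applies to security-question answers: if the answer to "Name of your pet" is a token in the profile, the question is not a secret at all. The normalization deliberately errs toward matching (digits mapped back to letters, punctuation stripped), because a false reject here costs the user a retry while a false accept costs them the account.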
Wednesday, October 24, 2007
My visit to the National Cryptologic Museum
On the first weekend of October, Prasath and I visited the National Cryptologic Museum at Fort Meade. It is situated adjacent to the NSA and is the only museum in the US dedicated to cryptology. Some volunteers from the NSA conduct scheduled tours at the museum and we tagged along with a group of people who had scheduled a tour. It was just great. Our tour guide explained the history of cryptology and focused on how cryptology helped the US during the World Wars and the Cold War. He gave a demo of how the Enigma works and I had an opportunity to operate an Enigma machine. A piece of advice he gave after talking about the Enigma was "Don't think something is impossible. If someone thinks it is possible, then surely it is". He was referring to how the Germans actually believed that the Enigma cipher was unbreakable and paid a heavy price for being stubborn in that belief. An interesting concept I learnt from the tour was "code talking". During WWI and WWII, US troops deployed Native Americans who spoke rare dialects at the communication points. Even if the enemy intercepted a message, there was no way they would understand its meaning. That was the first time I heard about this simple but interesting concept. He was referring to a Native American tribe called the Navajo, whose community remains intact and whose dialect is really hard for anyone to learn. Overall, it was a good trip, especially with the guided tour. It was really neat to learn how cryptology helped in making decisions and saving lives during wars.
Thursday, October 18, 2007
ASLR - another application of Randomization in Security
Just read that the upcoming OS X Leopard is using ASLR (Address Space Layout Randomization) to defend against malware. Using ASLR, Leopard would allocate memory for critical operations in a random way so that malware would fail to reach the memory areas where OS-related critical code executes. It is interesting to see another application of randomization in security. If you want to read more about randomization, you might want to check out this book.
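The randomization is easy to observe for yourself. Here is an added example (my own script, not from Apple or from the book mentioned) that launches a few fresh interpreters, asks each where the C library's printf is mapped, and reports whether the address moved between processes. It assumes a Unix-like host where ctypes can open the process's own symbol namespace; the run count is an arbitrary choice.

```python
import subprocess
import sys

# One-liner run in a fresh interpreter: report where libc's printf is mapped.
# ctypes.CDLL(None) opens the running process's own symbol namespace, which
# includes libc on Linux and macOS (assumption: a Unix-like host).
CHILD_PROBE = (
    "import ctypes;"
    "print(ctypes.cast(ctypes.CDLL(None).printf, ctypes.c_void_p).value)"
)


def sample_libc_addresses(runs=5):
    """Launch `runs` fresh interpreters and collect the printf address each one sees.
    Every process gets its own address-space layout, so under ASLR the values differ."""
    addresses = []
    for _ in range(runs):
        result = subprocess.run([sys.executable, "-c", CHILD_PROBE],
                                capture_output=True, text=True)
        if result.returncode != 0:
            continue  # probe unsupported on this host; leave it out rather than guess
        addresses.append(int(result.stdout.strip()))
    return addresses


def aslr_report(addresses):
    """Summarise a list of per-process addresses: if the same library lands at the
    same address every time, the mapping is not being randomized."""
    distinct = len(set(addresses))
    return {
        "runs": len(addresses),
        "distinct": distinct,
        "randomized": distinct > 1,
    }


if __name__ == "__main__":
    addrs = sample_libc_addresses()
    for a in addrs:
        print(f"printf mapped at {a:#x}")
    print(aslr_report(addrs))
```

This is exactly why a hard-coded address inside malware stops being reliable: the library it wants is somewhere different in every process. Two caveats when reading the output: a couple of identical addresses in a handful of runs does not by itself prove ASLR is off (the randomization range on a 32-bit process is small enough for collisions), and a library being randomized says nothing about a program's own image if that program was not built as position-independent.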
Sunday, October 07, 2007
Randomization powered Security
Last week I read about an interesting move made by LAX to improve security by implementing a system called ARMOR. ARMOR, which was developed at USC, helps randomize the checkpoints, patrols and searches done at LAX. This way, the bad guys won't be able to analyze and study the patterns of security measures at LAX, so their confidence in clearing security would go down. I was actually waiting for Schneier to write a great post about this idea, but he just referred to it as a "great idea". I found a reference to this paper published in 2002 talking about a similar implementation of randomization to improve airport security. Initially I was not able to understand how randomization could be better than a deterministic model / approach (which is currently in use in airport security systems), but the paper referred to above was very useful in clarifying my ignorance.
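The intuition that was hard to see at first can be shown with a small simulation. This is an added example (my own toy model, not ARMOR's code or the model from the 2002 paper): n sites, k of which are patrolled each round, and an adversary who has watched long enough to learn the fixed rotation. Against the rotation the adversary picks an unpatrolled site every time; against uniformly random patrols the same knowledge is worthless and the chosen site is covered with probability k/n. ARMOR weights its random draw by solving a game rather than drawing uniformly, so uniform here is a simplification; the site count, patrol count and seed are arbitrary.

```python
import random


def rotation_patrol(round_index, n_sites, k):
    """Deterministic schedule: round r covers sites r, r+1, ..., r+k-1 (mod n).
    Anyone who watches a few rounds can predict every future round."""
    return {(round_index + i) % n_sites for i in range(k)}


def randomized_patrol(n_sites, k, rng):
    """Randomized schedule: each round covers k sites drawn uniformly at random.
    (ARMOR solves a game to weight the draw; uniform is the simplest stand-in.)"""
    return set(rng.sample(range(n_sites), k))


def attacker_choice(predicted_cover, n_sites):
    """Best response to a predicted schedule: the lowest-numbered site
    the attacker expects to be unpatrolled."""
    for site in range(n_sites):
        if site not in predicted_cover:
            return site
    return 0


def simulate(n_sites, k, rounds, randomized, seed=7):
    """Fraction of rounds in which an attacker who has learned the rotation
    picks a site that is actually unpatrolled that round."""
    rng = random.Random(seed)
    successes = 0
    for r in range(rounds):
        predicted = rotation_patrol(r, n_sites, k)   # attacker assumes the rotation
        actual = randomized_patrol(n_sites, k, rng) if randomized else predicted
        if attacker_choice(predicted, n_sites) not in actual:
            successes += 1
    return successes / rounds


def expected_success(n_sites, k, randomized):
    """Closed form: a known rotation is beaten every time; under uniform
    randomization any chosen site is covered with probability k/n."""
    return 1.0 if not randomized else 1.0 - k / n_sites


if __name__ == "__main__":
    for randomized in (False, True):
        print("randomized" if randomized else "rotation",
              round(simulate(10, 3, 5000, randomized), 3),
              "expected", expected_success(10, 3, randomized))
```

With 3 of 10 sites patrolled, the rotation gives the adversary a certain success and randomization pulls it down to about 0.7, which is the same number of guards doing strictly better. That is the whole argument: a deterministic schedule leaks itself to anyone who observes it, while a random one has nothing to leak, and weighting the draw toward the more valuable sites (which is what ARMOR adds) lowers the attacker's odds further.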
Tuesday, August 14, 2007
ECC to replace RSA
This article reports that the NSA is pushing to migrate from RSA to ECC (Elliptic Curve Cryptography). RSA is nearly 30 years old and a 1024-bit RSA key is still unbreakable. Although quantum computing has the potential to solve the integer factorization problem and thereby break RSA, we need the quantum computing concept to materialize for use. Anyway, plans are on to migrate all asymmetric encryption to ECC starting in 2010, and ECC would become the NIST (National Institute of Standards and Technology) standard.
Excerpt from the report --
ECC, a complex mathematical algorithm used to secure data in transit, will replace RSA and Diffie-Hellman because it can provide much greater security at a smaller key size. ECC takes less computational time and can be used to secure information on smaller machines, including cell phones, smart cards and wireless devices.
Good that ECC requires smaller keys and is fast.
Saturday, July 28, 2007
Gigapixels and Security
Recently I got to see this image, which was taken by a camera with a resolution of 1500 megapixels. I marvelled at its capability to zoom in to such a granular level. I kept zooming in on this Sydney picture and could even see the rooms in that building. It was then I realized that this amazingly awesome camera could pose such a great security risk. What if someone from the next street wants to zoom in and record your every move in your house? What if someone spies on military / business confidential conferences? The list could go on.. Even though advancements in technology try to make us look powerful, they surely seem to add a weak link somewhere!!
Wednesday, July 11, 2007
Google and postini
Google recently announced their acquisition of Postini, a company that provides hosted email security. Though it seems to be a very positive move for corporations planning on Google Apps, I am not very convinced that Google can improve security through acquisitions. You cannot buy something, add it to your stack and claim to be secure. Security has to be layered. I mean, security has to be layered. If you are running a web application, your application code, the server (web / app / DB / media / whatever) on which it is deployed, the operating system on which the server runs, the hardware on which the OS is installed and the network on which this whole system is set up all have to be secure. Only then could you achieve a better score in security. I am sure Google is aware of this and is strengthening security on all their layers. I hope Google is not on a shopping spree to boost their shares.
Wednesday, March 07, 2007
Security audits on open source Java apps
Fortify, a company which develops software for conducting security audits on code, provided a complimentary service for auditing open source projects. They concluded that Java inherently forces programmers to write more secure code than C or C++ does. They also found very few issues with Tomcat, Struts and Spring, thereby lending greater assurance to these projects. I think I'll probably go over the entire report sometime.
Monday, February 19, 2007
Why is more processing power bad?
Intel and IBM recently announced breakthroughs in integrated chip design, thereby increasing processing power several fold. These breakthroughs in chip design are good news for gamers and graphics lovers but not good news for security folks. With most of the widely used cryptography algorithms depending on the class of NP complex problems, more processing power would definitely put the strength of these algorithms at risk. The current processing power might not help you break RSA, but with the current rate of innovation and advances in chip design, RSA would be more vulnerable in the years to come. I hope the security community is concerned about the chip industry and tries to provide appropriate solutions before it is too late.