Posts belonging to Category 'Security Tools'

Social Security number code cracked, study claims

RANDOLPH E. SCHMID
Published: July 6, 2009

WASHINGTON (AP) — For all the concern about identity theft, researchers say there’s a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans’ Social Security numbers.

“It’s good that we found it before the bad guys,” Alessandro Acquisti of Carnegie-Mellon University in Pittsburgh said of the method for predicting the numbers.

Acquisti and Ralph Gross report in Tuesday’s edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook.

For people born after 1988 — when the government began issuing numbers at birth — the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts.

For smaller states their accuracy was considerably higher than in larger ones.

Acquisti said in a telephone interview that he has sent the findings to the Social Security Administration and other government agencies with a suggestion they adopt a more random system for assigning numbers.

Social Security spokesman Mark Lassiter said the public should not be alarmed by the report “because there is no foolproof method for predicting a person’s Social Security number.”

“The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration,” Lassiter said via e-mail.

However, he added: “For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year.”

The researchers say their report omits some details to make sure they aren’t providing criminals a blueprint for obtaining the numbers.

The predictability of the numbers increases the risk of identity theft, which cost Americans almost $50 billion in 2007 alone, Acquisti said.

A problem in the battle against identity thieves is that many businesses use Social Security numbers as passwords or for other forms of authentication, something that was not anticipated when Social Security was devised in the 1930s. The Social Security Administration has long cautioned educational, financial and health care institutions against using the numbers as personal identifiers.

“In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone,” he said, warning against providing too much data on social network sites.

Acquisti, who researches the economics of privacy, said he got interested in what could be learned from easily available information by looking at social networks, which he termed “a great experiment in self-revelation.”

People were willing to include their date of birth and hometown, he said, and he already knew that was part of the information used in issuing Social Security numbers.

So the researchers turned to the SSA’s “Death Master File,” which lists the numbers of people who have died. The purpose of making that file public is to prevent impostors from assuming the Social Security numbers of deceased people.

But by plotting the data for people listed on the file between 1973 and 2003 the researchers were able to develop patterns for number issuance.

“I was surprised by the accuracy of certain predictions,” Acquisti said.

The system can produce a range of possibilities for the last four numbers, making it easier for a computer to test the possibilities until the correct number is found for an individual, Acquisti explained.

In addition, “attackers can exploit various public- and private-sector online services, such as online ‘instant’ credit approval sites, to test subsets of variations to verify which number corresponds to an individual with a given birth date.”

While it was well known that the numbers have a geographic component, past studies have used the patterns plus other data to estimate when and where a specific number may have been issued.

“Our work focuses on the inverse, harder, and much more consequential inference: it shows that it is possible to exploit the presumptive time and location of SSN issuance to estimate, quite reliably, unknown SSNs,” Acquisti said.

The research was supported by the National Science Foundation, the U.S. Army Research Office, Carnegie-Mellon University and the Pittsburgh Supercomputing Center.

___

On the Net:

PNAS: http://www.pnas.org

http://newsok.com/social-security-number-code-cracked-study-claims/article/feed/55270?custom_click=pod_headline_national-politics

Brother can you spare $100,000,000?

File this under “It really is less expensive to prevent an attack than to pay for cleaning up after one.”

Pentagon spends $100 million to fix cyber attacks

WASHINGTON – The Pentagon spent more than $100 million in the last six months responding to and repairing damage from cyber attacks and other computer network problems, military leaders said Tuesday.

Air Force Gen. Kevin Chilton, who heads U.S. Strategic Command, said the military is only beginning to track the costs, which are triggered by constant daily attacks against military networks ranging from the Pentagon to bases around the country.

“The important thing is that we recognize that we are under assault from the least sophisticated — what I would say the bored teenager — all the way up to the sophisticated nation-state, with some pretty criminal elements sandwiched in-between,” said Chilton, adding that the motivations include everything from vandalism to espionage. “This is indeed our big challenge, as we think about how to defend it.”

According to Army Brig. Gen. John Davis, deputy commander for network operations, the money was spent on manpower, computer technology and contractors hired to clean up after both external probes and internal mistakes. Strategic Command is responsible for protecting and monitoring the military’s information grid, as well as coordinating any offensive cyber warfare on behalf of the U.S.

Officials would not say how much of the $100 million cost was due to outside attacks against the system, versus viruses and other problems triggered accidentally by Defense Department employees. And they declined to reveal any details about suspected cyber attacks against the Pentagon by other countries, such as China.

Speaking to reporters from a cyberspace conference in Omaha, Neb., the military leaders said the U.S. needs to invest more money in the military’s computer capabilities, rather than pouring millions into repairs.

“You can either pay me now or you can pay me later,” said Davis. “It would be nice to spend that money proactively … rather than fixing things after the fact.”

Officials said that while there has been a lot of anecdotal evidence on the spending estimate, they only began tracking it last year and are still not sure they are identifying all the costs related to taking computer networks down after a problem is noticed.

The Pentagon has acknowledged that its vast computer network is scanned or probed by outsiders millions of times each day. Last year a cyber attack forced the Defense Department to take up to 1,500 computers off line. And last fall the Defense Department banned the use of external computer flash drives because of a virus threat officials detected on the Pentagon networks.

The cost updates come as the Obama administration is completing a broad government-wide review of the nation’s cybersecurity.

 

You and Your Personal Password Policy

Passwords… I don’t think there is a single person who doesn’t know what a password does. And most people understand why a good password is important. But how many people actually have a fairly strong personal password policy?

A Personal Password Policy?? 

Simply put: how do you create a strong password, and how do you decide which password to use where?

Many people have a very similar method. They create a single password; some make it fairly strong but cryptic, others make it just strong enough to pass their company’s password policy (maryk uses m@ryk1, then m@ryk2, and so on). They then use that password everywhere possible. Sound familiar?

For us security nerds, a password is “something you know” (a smartcard would be “something you have”; use both and you have two-factor authentication). This password gives us access to information, or the power to perform certain functions. Some of these privileged areas are more important than others.

So what is the issue?

When you use your password at a site or in an application, something that lets that site check your password is stored there (how else could it verify you typed the right one?). Done properly that is a salted hash rather than the password itself, but you have no way to confirm how a given site stores it, and plenty of sites have kept passwords in the clear or in a reversible form. You do not know who at that site can see it, you cannot control whether the site or application is hacked and your password stolen, and someone you know may simply have learned it. Go back to your single password and we have a problem: anyone who learns that one password can log in as you pretty much everywhere you authenticate. Not a good policy…

Let’s take a look at how to create a good personal password policy.  Let’s start with the when….

I need how many Passwords??

When developing your password policy you need to determine when to use a particular password. Always look at what you are protecting: how important is it? Decide on your levels of sensitivity and from there create passwords to be used only within each level. How many levels do you need? Many say between 3 and 5, but hey, this is YOUR personal policy, do what is best for you. Here is a great example from the folks at www.joomla.org.

 

Overview

Most users may not need more than 3 levels of passwords, and webmasters no more than 5. Each level must be completely unrelated to the others in terms of which IDs and passwords are used.

Directions

Level 5 (Public) - is the password you use on public sites. It is not imperative that you use a different password on every site. In fact, truth be told, it’s more effective to use a different username on every site than it is to use a different password! Knowing the username allows easy hacking… half the work is done! Knowing the password is useless unless you know what account it goes to!

Level 4 (Webmaster) - Reserved for SQL only. This is a password that would only be used by SQL and limited to a specific database in SQL. The best way to protect SQL is by limiting each account to just being able to do the minimum that DB requires. In some cases it is even wise to have a read-only account for display and a separate write account that the backend write functions use. But that doesn’t apply to J! at all… for J! the best practice is to set up an individual account (not root, for sure) that only has read and write access to the J! DB, nothing else.

Level 3 (Webmaster) - FTP and Server Access. These can be the same user:pass combo, since both, if compromised, can do the most damage. It doesn’t matter if the backend or cPanel is safe if the FTP is not, and the same goes the other way!

Level 2 (Personal Data Access) - This password should be used for any sites or locations that contain personal data, with the exception of banking (see Level 1). These sites are often used for social engineering data such as medical records, service accounts and any financial records not directly related to banking! You want these to be secure but also different from the real threat to security… your money!

Level 1 (Banking!) - This needs to be the most secure. In fact, if you have two different banks it actually pays to have a different user:pass for each, just to be sure!

As you see in this example, they argue that in many cases your username is more important to vary between sites than your password. There are some obvious issues with that: first, on many sites and applications your username is picked for you; and on many others (public sites such as MySpace or YouTube) your username is how other people identify you. With that said, it is not a bad idea to keep several usernames, one for each of your levels of sensitivity.

Now, how many passwords per level? The more the merrier. Before you start worrying about how many passwords you will have to tattoo on your arm to remember them, let’s talk about a few methods to create secure but easy-to-remember passwords.

Goodbye Password, Hello PassPhrases

Look at these two passwords

m@h1lodK

Mary had 1 little lamb

Which one is stronger? Which one is easier to remember?

If you said the second to both, you are correct… But wait, Dave! That first password has it all: special characters, numbers, upper and lower case. The second is a child’s rhyme that everyone knows.

True. Let’s break down these passwords. The first one is eight characters long: mixed-case letters, one digit and one special character (@).

Our second password is twenty-two characters. It is also alphanumeric, and it has four special characters. Don’t see them? Read between the lines, or should I say between the words…

The space. As humans we see a space as nothingness, a way to separate words. Computers don’t see “nothingness”; to them a space is just one more special character. And because every extra character multiplies the number of guesses an attacker has to make, fourteen extra characters matter far more than one extra symbol class. Welcome to the world of passphrases.

Today most operating systems allow spaces in passwords, as well as long passwords; Windows XP and later accept passwords well over a hundred characters long. Wouldn’t your system admin be proud :) . Now you only need something easy to remember. How about song titles from your least favorite band, sports teams (city included), or historical figures? Pretty much anything will work, well, almost anything. Stay away from personal relationships (quit using your dog’s name or your son’s cute nickname). You like Ford vehicles, eh? You even have a blog about Fords? Then I would stay away from using their car models for passphrases. The same goes for famous quotes and rhymes used word for word; attackers keep lists of those too, so change a word or two and make the phrase your own. Passwords built from things an attacker can learn about you are the easiest for a competent attacker to figure out.
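As an added example (not part of Dave’s post), the Python below puts numbers on the comparison of the two passwords above and on the warning about predictable phrases. It scores each password two ways: a per-character brute force over the character classes present, with the space counted as a symbol, and a per-word guess over an assumed 10,000-word vocabulary; the lower figure is what an attacker would actually face. The guessing rate of 1e10 per second and the vocabulary size are assumptions for illustration, not measurements.

```python
import math
import string

# Character classes for the per-character brute-force model.
# The space is deliberately in the symbol class: to a cracker it is just
# one more printable character, which is the point the post makes.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def classes_in(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def bruteforce_bits(password):
    """Search space, in bits, if the attacker must try every string of this
    length drawn from the classes present (the textbook calculation)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_in(password))
    return len(password) * math.log2(alphabet)


def phrase_bits(password, vocabulary=10_000):
    """Search space if the attacker guesses the password as a sequence of
    common words instead of characters. `vocabulary` is an assumed size of
    the attacker's word list. Returns None for a single-token password,
    where the word model does not apply."""
    tokens = password.split()
    if len(tokens) < 2:
        return None
    return len(tokens) * math.log2(vocabulary)


def effective_bits(password):
    """The attacker picks the cheaper model, so the lower estimate wins."""
    candidates = [bruteforce_bits(password)]
    word_model = phrase_bits(password)
    if word_model is not None:
        candidates.append(word_model)
    return min(candidates)


def crack_seconds(bits, guesses_per_second=1e10):
    """Expected time to search half the space at an assumed offline guessing
    rate (1e10/s is a round figure for a fast unsalted hash on GPUs; it is
    an assumption for illustration, not a benchmark)."""
    return 2 ** bits / 2 / guesses_per_second


def report(password):
    """Summarise both models and the expected crack time in years."""
    bits = effective_bits(password)
    words = phrase_bits(password)
    return {
        "length": len(password),
        "classes": sorted(classes_in(password)),
        "bruteforce_bits": round(bruteforce_bits(password), 1),
        "phrase_bits": None if words is None else round(words, 1),
        "effective_bits": round(bits, 1),
        "crack_years": crack_seconds(bits) / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    # The two passwords from the post.
    for pw in ("m@h1lodK", "Mary had 1 little lamb"):
        print(pw, report(pw))
```

Run it and the passphrase still wins by a wide margin, but notice that its per-word score (about 66 bits) is less than half its brute-force score (about 145 bits): an attacker who guesses words rather than characters is the one to plan against, and a phrase that appears verbatim in a list of famous sayings sits in a far smaller space again. Pick a phrase that is yours, not one everyone knows.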

For those other sites that don’t allow passphrases, well, you’re going to have to suck it up and come up with some of the trusty old complex passwords: hard to crack, harder to remember. That brings me to our final consideration.

It is not a sin to write a password down

That’s right! Nothing wrong with it. I mean, do we really expect you to remember that database password you will only type once a year? Of course not! There is nothing wrong with writing them down, as long as they are stored in a protected place. This protected place is not under your keyboard, or in your desk drawer, or in that file cabinet you share with five people. It is a secure location where you can verify who has access and whether someone has read those passwords. This could be an electronic wallet on your PC (one protected by biometrics or another form of access control) or it could even be a sealed envelope in a safe or vault. In fact, this was a common practice I would do with the network administrator passwords, so that in case I ever got “run over by that train” those that came behind me wouldn’t be out of luck.

 

I know that coming up with new passwords is about as fun as brushing your dog’s teeth. It is a must these days, and hey, you’ll impress the next person who watches you log in at work.

 

Dave