WASHINGTON (AP) — For all the concern about identity theft, researchers say there’s a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans’ Social Security numbers.

“It’s good that we found it before the bad guys,” Alessandro Acquisti of Carnegie-Mellon University in Pittsburgh said of the method for predicting the numbers.

Acquisti and Ralph Gross report in Tuesday’s edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook.

For people born after 1988 — when the government began issuing numbers at birth — the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts.

For smaller states their accuracy was considerably higher than in larger ones.

Acquisti said in a telephone interview that he has sent the findings to the Social Security Administration and other government agencies with a suggestion they adopt a more random system for assigning numbers.

Social Security spokesman Mark Lassiter said the public should not be alarmed by the report “because there is no foolproof method for predicting a person’s Social Security number.”

“The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration,” Lassiter said via e-mail.

However, he added: “For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year.”

The researchers say their report omits some details to make sure they aren’t providing criminals a blueprint for obtaining the numbers.

The predictability of the numbers increases the risk of identity theft, which cost Americans almost $50 billion in 2007 alone, Acquisti said.

A problem in the battle against identity thieves is that many businesses use Social Security numbers as passwords or for other forms of authentication, something that was not anticipated when Social Security was devised in the 1930s. The Social Security Administration has long cautioned educational, financial and health care institutions against using the numbers as personal identifiers.

“In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone,” he said, warning against providing too much data on social network sites.

Acquisti, who researches the economics of privacy, said he got interested in what could be learned from easily available by looking at social networks, which he termed “a great experiment in self-revelation.”

People were willing to include their date of birth and hometown, he said, and he already knew that was part of the information used in issuing Social Security numbers.

So the researchers turned to the SSA’s “Death Master File,” which lists the numbers of people who have died. The purpose of making that file public is to prevent impostors from assuming the Social Security numbers of deceased people.

But by plotting the data for people listed on the file between 1973 and 2003 the researchers were able to develop patterns for number issuance.

“I was surprised by the accuracy of certain predictions,” Acquisti said.

The system can produce a range of possibilities for the last four numbers, making it easier for a computer to test the possibilities until the correct number is found for an individual, Acquisti explained.

In addition, “attackers can exploit various public- and private-sector online services, such as online “instant” credit approval sites, to test subsets of variations to verify which number corresponds to an individual with a given birth date.

While it was well known that the numbers have a geographic component, past studies have used the patterns plus other data to estimate when and where a specific number may have been issued.

“Our work focuses on the inverse, harder, and much more consequential inference: it shows that it is possible to exploit the presumptive time and location of SSN issuance to estimate, quite reliably, unknown SSNs,” Acquisti said.

The research was supported by the National Science Foundation, the U.S. Army Research Office, Carnegie-Mellon University and the Pittsburgh Supercomputing Center.

___

On the Net:

PNAS: http://www.pnas.org

http://newsok.com/social-security-number-code-cracked-study-claims/article/feed/55270?custom_click=pod_headline_national-politics

This isn’t really security news. But I am a big Dave Gilmour fan and I love UFO stories so this is a great story for me.  As far as Gary McKinnon’s actions, I believe if NASA had UFO information they would most likely bury it.  But again hacking is still illegal.

Speaking of mysteries, does anyone remember this Floyd mystery?

~~Dave

PS.. If Mr Gilmour by chance reads this, I am free to jam whenever you are

Musicians from such diverse groups as Pink Floyd and Boyzone have joined forces in a last-ditch campaign to halt the extradition to the US of north London computer hacker Gary McKinnon.

The family and friends of McKinnon, who has Asperger’s syndrome, are hoping that a campaign also supported by well-known names including Terry Waite, Boris Johnson, Sting, Lord Carlile and Jane Asher, will finally bear fruit.

Next month, McKinnon is due to have what is likely to be his final legal appearance in a judicial review over the decision of home secretary,Jacqui Smith, to send him to stand trial in the US for hacking into the US defence department and Nasa computer systems in a search for evidence about UFOs.

An earlier judicial review ruled that Smith had failed to take adequate consideration of evidence of McKinnon’s medical condition. If McKinnon failed in this bid for a reconsideration of the extradition decision, he could be sent immediately for trial in the US and face a lengthy jail sentence.

To help the case, Graham Nash has authorised a reworking of his song Chicago, written when he was part of Crosby, Stills and Nash in the wake of the violent 1968 Democratic party convention in Chicago and the subsequent trial of the so-called Chicago Seven.

David Gilmour, the Pink Floyd musician and political activist, has agreed to produce a fresh recording of the song to publicise McKinnon’s plight.

Boyzone singer Keith Duffy has also expressed his support for McKinnon. “As the parent of a child with autism I know only too well that getting support at the right time can be crucial,” said Duffy

http://www.guardian.co.uk/uk/2009/may/25/gary-mckinnon-extradition-pink-floyd-hacker-us

Over the past few days I have seen a few of these new PC/Mac guys commericals.  While I am not a big fan of Apple (that is a discussion for another day) I do think these commercials are pretty funny.  These newest commercials have had some statements that made me stop and listen.  Cut to a woman looking for a PC (Yes windows/linux/macs are all PCs).  She says “I want a computer that doesn’t get viruses” and all of the “PC Guys” walk away.

What??  I know I didn’t see that correctly.  Did Apple say they do not get viruses??  So I went back on my TiVo.  Yup that was exactly what they said.  A couple of commercial breaks later another Mac ad comes on and again they say they are not vulnerable to viruses.  You have got to be kidding me…  What ever happened to truth in advertising.  Obviously people don’t believe this..    So I posted on my facebook status “I just saw an ad claiming Macintoshes don’t get viruses, and I laughed my butt off.  Do people really believe this??”  Within one of my friends replied and the follow facebook conversation ensued..

Friend: You’re the expert, but I’ve had a Mac (a few different obviously) since I was 17. I’ve never once had a virus. Most people I know on PC’s have them constantly. Just sayin’.

Dave: And did you have a virus scanner installed?

Friend: No. But zero performance issues. Pc people amuse me though this is entertaining to me.

Dave: So… Let me get this straight.. No Virus detector, and you know you never had a virus??? Sooooooo…. Yeah….. Need I say more??

About this time I was getting a bit annoyed about this.  This guy says he has never had a virus, but has never run a scan.  He knows because he has not had any performance issues.  And HE IS ENTERTAINED BY PC PEOPLE??!?!?  So I added the following

Dave: Besides been rockin the Ubuntu lately.. I still run at least ClamAV on it

Around this time another friend of mine chimes in (and this is one of my old BBS friends, a big linux guy)

Friend #2: people write linux viruses? since when?

Well I guess beliefs like this will keep me employed…

Fact: There are Macintosh viruses, malware, vulnerabilities, etc.

Meet OSX/Leap-A, this little worm is the first virus discovered for Mac OS X.  It was discovered back in early 2006.  Since then many Trojans, worms, OS specific vulnerabilities and other nasty mal-ware have been discovered.  The folks over Securemac are doing a great job at keeping everyone up to date.  In fact it may be a good idea if Apple would have their advertising group look at their entry from 12/2008

12.02.2008 News
Apple has officially acknowledged that Mac users should use anti-virus solutions in this technical note. As their market share continues to grow, so do the threats to the users.

Related Articles:
Washington Post: Apple: Mac Users Should Get Antivirus Software
The Tech Herald: Apple Encourages Anti-Virus Protection
CNet: Apple suggests Mac users install antivirus software
Apple Insider: Apple encourages Anti-Virus Software

Again, where is the truth in advertising.

For my Linux friends, yes Linux and Unix have Mal-Ware also.  Here is an old list from 2005.

Fact: There are more Windows malware, because there are more Windows machines

If you are going to spend the time to  build a virus, you will probably want to do the most damage.  Windows machines out number Macintoshes 10 to 1.  Simple math, more machines, more dangers.  However we are seeing a growth in Mac malware.  While Apple says this is due to an increase in Mac growth, I would tend to believe it is due to the lax security practices of the average Mac user.

Solution: Run Anti-virus

Anti-virus is an insurance policy, better to have it and not ever need it than to wish you had it when infected.  Make sure the software looks for virus, worms, and Trojans.  Securemac would be a good resource to find the best solution for you.

In conclusion be safe, remember virus authors know the weaknesses of a system and the attitude of the users.

Bonus -

Hats off to fellow St. Louisian Charlie Miller for hacking a MacBook Air in less than 2 minutes.  You can read about it at Infoworld

Dave – You starting to see a trend??

By Jim Finkle

BOSTON (Reuters) – Hackers launched an attack on Facebook’s 200 million users on Thursday, successfully gathering passwords from some of them in the latest campaign to prey on members of the popular social networking site.

Facebook spokesman Barry Schnitt said on Thursday that the site was in the process of cleaning up damage from the attack.

He said that Facebook was blocking compromised accounts.

Schnitt declined to say how many accounts had been compromised.

The hackers got passwords through what is known as a phishing attack, breaking into accounts of some Facebook members, then sending e-mails to friends and urging them to click on links to fake websites.

Those sites were designed to look like the Facebook home page. The victims were directed to log back in to the site, but actually logged into the one controlled by the hackers, unwittingly giving away their passwords.

The purpose of such attacks is generally identify theft and to spread spam.

The fake domains include www.151.im, www.121.im and www.123.im. Facebook has deleted all references to those domains.

Schnitt said that Facebook’s security team believes the hackers intended to collect a large number of credentials, then use those accounts at a later time to send spam hawking fake pharmaceuticals and other goods to Facebook members.

The site fought off a similar attack two weeks ago, he said.

Privately held Facebook and rival social network MySpace, which is owned by News Corp, require senders of messages within the network to be members and hide user data from people who do not have accounts. Because of that, users tend to be far less suspicious of messages they receive.

Hackers used a phishing attack last year to spread a malicious virus known as Koobface (a reference to Facebook). It was downloaded onto Facebook members’ PCs when they clicked on a link sent to them in an email that looked like it had been sent by a friend on Facebook.

(Reporting by Jim Finkle; Editing by Toni Reinhold)