Monday, August 27, 2007

A Monster Paradigm Shift

With all of the work I am doing related to PCI Compliance right now, I found the coverage on the Trojan at Monster very interesting for a couple of reasons:

The type of information it was designed to capture
The possible reasons behind it
And will we be seeing more of this activity?

The PCI-DSS is designed to enable best practices around data security for customer data. What I found interesting about the Monster incident was that the Trojan was designed to get key pieces of data from a group of people likely to provide it, since who is going to lie about where they live if they are looking for a job? Clever.

I can understand why criminals (or clever idiot savants) would do this – It’s public information for the most part – or you can get it through public records (tedious but not impossible) – and while is not the coveted SSN, through social engineering one could probably open up a line of credit someplace without giving the SSN up at all.

This got me wondering on a larger scale if this type of thing would occur, and where the juicy targets are. If retailers are going to be more difficult to hack because of implementing PCI compliant systems, then where is the low hanging fruit, that will give the clever criminals license to steal?

Job Boards
Public records/town offices of wealthy towns

What happens when a 3rd party violates your privacy policy?

Thursday, August 09, 2007

Dilbert's ID Theft

Monday, August 06, 2007

What happens in Vegas...

I was in Las Vegas last week for Sun Microsystems Sales kickoff and MAN what a pain in the ass it was to get out there. I'm grounding myself for at least two weeks - flying at the end of the month is more hassle than it's worth. My flight was canceled twice, then I find a deal on a last minute ticket, as in my travel agent says 'How close to the airport are you?' I connect in Detroit and then wind up in Minneapolis for an unscheduled plane change for an hour and a half. I did finally get into Las Vegas after being up for 24 hours.

I have to give a shout out to the Palms hotel. Nice place. My room even had a dance floor and stripper pole in it, complete with strobe lights and the whole 9 yards. Too bad I was too tired to soak it all in.

So as I was checking in, I noticed that there were all these really tall guys there too, like NBA tall guys, and I noticed that when they checked in they all used a false name (duh). It got me thinking about a conversation I had with Ian Glazer maybe a year ago, about managing identity and what role dis-information plays in our identity. The thought popped into my head again when I saw No Way Out for the 87th time, and how over a period of years you could really craft a persona and migrate it to a full blown identity in short order through social engineering, working the system, and not a lot of effort.

So let's say I wanted to become someone else, how hard would it be? Especially if over a period of years I had built up a cadre of professional credentials that I exploited to assume a new identity. I think the issue in actually doing this lies with the processes, and the lack of challenges built into the processes that govern the establishment of identity. I heard the Brad Paisley song the other day, Online, where a short fat guy who lives with his mom is someone completely different online.

I have blogged about this before - that we need a Federated Trust of some sort that vets identities, however I am not sure it could work. Take the Bourne Identity (or any other movie that flashes a dozen passports from a dozen different countries) or Bourne Ultimatum, and look at the processes that were exploited to create an identity that is maintained. Then look at all of the interconnected systems that maintain that identity or those identities without challenge.

I think there is a thesis in here somewhere for someone who wanted to create a few new identities and study on how to do it and point out the importance of disinformation and its effect on identity in general. It seems the more we wish to be secure and identifiable, the more we realize what a difficult task that is.