<![CDATA[[SecurityRatty] tag: register]]> http://securityratty.com/tag/register Wed, 30 Jul 2008 17:56:51 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Security Matters: How to Create the Perfect Fake Identity]]> http://securityratty.com/article/978beddfbfcfa8c96d83a85e27f028f6 http://securityratty.com/article/978beddfbfcfa8c96d83a85e27f028f6 Let me start off by saying that I'm making this whole thing up.

Imagine you're in charge of infiltrating sleeper agents into the United States. The year is 1983, and the proliferation of identity databases is making it increasingly difficult to create fake credentials. Ten years ago, someone could have just shown up in the country and gotten a driver's license, Social Security card and bank account -- possibly using the identity of someone roughly the same age who died as a young child -- but it's getting harder. And you know that trend will only continue. So you decide to grow your own identities.

Call it "identity farming." You invent a handful of infants. You apply for Social Security numbers for them. Eventually, you open bank accounts for them, file tax returns for them, register them to vote, and apply for credit cards in their name. And now, 25 years later, you have a handful of identities ready and waiting for some real people to step into them.

There are some complications, of course. Maybe you need people to sign their name as parents -- or, at least, mothers. Maybe you need to doctors to fill out birth certificates. Maybe you need to fill out paperwork certifying that you're home-schooling these children. You'll certainly want to exercise their financial identity: depositing money into their bank accounts and withdrawing it from ATMs, using their credit cards and paying the bills, and so on. And you'll need to establish some sort of addresses for them, even if it is just a mail drop.

You won't be able to get driver's licenses or photo IDs on their name. That isn't critical, though; in the U.S., more than 20 million adult citizens don't have photo IDs. But other than that, I can't think of any reason why identity farming wouldn't work.

Here's the real question: Do you actually have to show up for any part of your life?

Again, I made this all up. I have no evidence that anyone is actually doing this. It's not something a criminal organization is likely to do; twenty-five years is too distant a payoff horizon. The same logic holds true for terrorist organizations; it's not worth it. It might have been worth it to the KGB -- although perhaps harder to justify after the Soviet Union broke up in 1991 -- and might be an attractive option to existing intelligence adversaries like China.

Immortals could also use this trick to self-perpetuate themselves, inventing their own children and gradually assuming their identity, then killing their parents off. They could even show up for their own driver's license photos, wearing a beard as the father and blue spiked hair as the son. I’m told this is a common idea in Highlander fan fiction.

The point isn't to create another movie plot threat, but to point out the central role that data has taken on in our lives. Previously, I've said that we all have a data shadow that follows us around, and that more and more institutions interact with our data shadows instead of with us. We only intersect with our data shadows once in a while -- when we apply for a driver's license or passport, for example -- and those interactions are authenticated by older, less-secure interactions. The rest of the world assumes that our photo IDs glue us to our data shadows, ignoring the rather flimsy connection between us and our plastic cards. (And, no, REAL-ID won't help.)

It seems to me that our data shadows are becoming increasingly distinct from us, almost with a life of their own. What's important now is our shadows; we're secondary. And as our society relies more and more on these shadows, we might even become unnecessary.

Our data shadows can live a perfectly normal life without us.

---

Bruce Schneier is Chief Security Technology Officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.


]]> Thu, 04 Sep 2008 00:00:00 +0000 security identity data data shadow data shadows shadows social security card financial identity photo ids glue Security Matters: How to Create the Perfect Fake Identity <![CDATA[Software to Facilitate Retail Tax Fraud]]> http://securityratty.com/article/c541c0e2a682f8958bb71c87da49a528 http://securityratty.com/article/c541c0e2a682f8958bb71c87da49a528 Interesting:

Thanks to a software program called a zapper, even technologically illiterate restaurant and store owners can siphon cash from computer cash registers and cheat tax officials.

[...]

Zappers alter the electronic sales records in a cash register. To satisfy tax collectors, the tally of food orders, for example, must match the register's final cash total. To hide the removal of cash from the till, a crooked business owner has to erase the record of food orders equal to the amount of cash taken; otherwise, the imbalance is obvious to any auditor.

[...]

The more sophisticated zappers are easy to use, according to several experts. A dialogue box, which shows the day's tally, pops up on the register's screen.

In a second dialogue box, the thief chooses to take a dollar amount or percentage of the till. The program then calculates which orders to erase to get close to the amount of cash the person wants to remove. Then it suggests how much cash to take, and it erases the entries from the books and a corresponding amount in orders, so the register balances.

]]> Tue, 02 Sep 2008 08:24:22 +0000 cash cash register siphon cash computer cash registers final cash total register dollar amount amount dialogue box Software to Facilitate Retail Tax Fraud <![CDATA[This week in history - volcanos, hurricanes, and the risk of Black Swans]]> http://securityratty.com/article/1c99044530f3bdcc78ac07456ab99c44 http://securityratty.com/article/1c99044530f3bdcc78ac07456ab99c44 Chris McClean

Pouring over endless details of risks, regulations, taxonomies, and technologies can sometimes give us a narrow view of the world, so it seems worthwhile to take a minute to mark the 125th anniversary of the cataclysmic eruption of Krakatoa this week. For those of us that want to think big but can’t remember that far back, this week is also the 3rd anniversary of Hurricane Katrina’s devastating sweep across a wide stretch of the US Gulf Coast.

By now, I expect that most of you have read or are familiar with the 2007 book, The Black Swan, by Nassim Nicholas Taleb, which argues that these kinds of unpredictable, outlying occurrences are the ones that really shape businesses, countries, economies, and people. Taleb argues that although these “Black Swan” events are almost completely unforeseeable, we mistakenly try to explain the circumstances at the time and make predictions about similar events in the future.

In my ERM work with clients, and especially in the context of research I’ve been doing with my colleague Stephanie Balaouras on business continuity and resiliency, questions come up about how to plan for catastrophes... and they’re good questions. Were the CardSystems or TJX data breaches foreseeable? What about the Societe General debacle or the 2004 Indian Ocean tsunami? What’s next? Should these types of events be included in our risk assessments?

We’d like to get your opinion on these and other risks that may be on the very edge of the statistical tail. At what point do they belong in your risk register?

Of course, it’s possible to define mitigating controls for crises, disasters, or incidents without knowing for sure what they’re going to look like. That’s one of the hallmarks of a good crisis management plan. And that’s an important point, because trying to predict the next unforeseeable event can be a real challenge sometimes.

]]> Thu, 28 Aug 2008 07:07:47 +0000 similar events events black swan events black swan plan crisis management plan week colleague stephanie balaouras argues This week in history - volcanos, hurricanes, and the risk of Black Swans <![CDATA[Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...]]> http://securityratty.com/article/ab8e0e22ebb1851ff664c3be0a3baa7d http://securityratty.com/article/ab8e0e22ebb1851ff664c3be0a3baa7d

Synopsis:  Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content: