ID Theft – Be Always Diligent – Lesson from My Accountant

I am always careful about what information I give out. When the DMV asked me for my Social Security number to put on my license, I protested. Why does the DMV need this info? After a letter-writing campaign, the DMV switched to a new ID system. When my health care provider sent me an ID card with my SS# on it, I protested. I was happy to get their first “fake-o” ID card, as they called it. If there isn’t a good reason to give my info to you, I will not give it.

I just filled out my tax return for my accountant. He looked it over and asked why I was putting the full account numbers of my financial institutions on my tax form. Good question. The IRS computers can match my tax return to my account info, so why put the full number on the form and give a data entry clerk or someone else an opportunity to steal my ID? Thanks, Matt.

Better to ask why than to get your identity stolen.

If you are in the Northern Virginia area and need an accountant, I recommend Matt Miller (  Knows his taxes and tax planning.


DNSSec Works for Consumers, Almost

Ever since I first heard about Dan Kaminsky’s research on flaws in DNS in 2008, I have been looking forward to the industry’s response, DNSSEC (Domain Name System Security Extensions). Unfortunately, DNSSEC requires an end-to-end solution: from the root DNS servers to ISP servers to routers to operating systems to browsers. Parts have been working for a while, like my ISP’s DNS server. Finally, this weekend, with some beta software for my home router, my dream of seeing DNSSEC for consumers has been realized.

Verizon’s DNS server supports DNSSEC (note that as of today not all of Verizon’s servers support DNSSEC). My Asatro router has implemented DNSSEC. Firefox and Windows 8 support it. With the help of the Firefox DNSSEC validator plug-in, you can see in the screenshot below that the DNS answer for Symantec’s website validated, meaning the site is the real one and the lookup could not have been spoofed by a DNS exploit. Yeah!

Now it’s time for Cisco/Linksys, Netgear, D-Link, etc. to support DNSSEC.

DNSSec in Action
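What the validator plug-in is showing is the AD (Authenticated Data) bit that a validating resolver sets in its reply. The code below is an added example of mine, not the plug-in or any router firmware: it builds a query with the EDNS0 DO bit, parses the reply header, and decides whether the answer was validated. The two reply byte strings are constructed so the check runs offline; `query_resolver` is only for live use against a resolver IP you supply. One caveat: the AD bit proves the resolver validated, so it only helps if the path between you and that resolver is trusted (which is exactly why validation in the home router matters).

```python
import socket
import struct
import secrets

def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS A query for `name` with an EDNS0 OPT record and the DO bit set."""
    txid = secrets.randbits(16)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    question = qname + b"\x00" + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(reply: bytes) -> dict:
    """Pull the header fields that tell you whether the resolver validated the answer."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "ad": bool(flags & 0x0020),  # Authenticated Data: resolver validated the DNSSEC chain
        "cd": bool(flags & 0x0010),  # Checking Disabled
        "answers": an,
    }

def validated(reply: bytes) -> bool:
    """True only for a successful response that carries the AD bit and at least one answer."""
    f = parse_flags(reply)
    return f["is_response"] and f["rcode"] == 0 and f["ad"] and f["answers"] > 0

def query_resolver(name: str, resolver: str, timeout: float = 3.0) -> bytes:
    """Live use only: send the query over UDP and return the raw reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return reply

# Constructed replies (headers only, padded): 0x81A0 = QR|RD|RA|AD, 0x8180 = QR|RD|RA without AD
VALIDATED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1) + b"\x00" * 20
UNVALIDATED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + b"\x00" * 20
```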

The Average Number of Mobile Apps per Phone is 41 and Growing – The Malware Threat

Reading the study below from Nielsen regarding mobile apps is a bit scary when you consider the opportunity for malware to affect your phone. 41 apps per phone and growing is extraordinary. I’d be surprised if there are more than 15 or 20 apps per PC, and that number is probably stagnant. Nielsen might also have checked on the source of the apps. On a PC the user is likely to know the software vendor before installing the app. I doubt that with 41 apps smartphone users know the reputation of the vendors. With the explosion of app stores, including the entrance of Microsoft with Windows 8 and Windows Phone 8, it will be hard for the stores to protect users from malware. It is made more difficult because a smartphone app can be safe when installed and then, a few days later, turn malicious through an update mechanism that app store vendors cannot police.

The sheer number of apps, along with the source of the apps, is daunting from a malware perspective. Add in the 24-hour-a-day broadcasting of the smartphone user’s location, and the opportunity for bad guys to exploit you via the phone will be a big problem. Combating mobile malware will also be a large opportunity.



State of the Appnation – A Year of Change and Growth in U.S. Smartphones

May 16, 2012

Roughly a year ago when we summarized the state of smartphones at the Appnation conference, less than 40 percent of mobile subscribers in the U.S. had smartphones. Today, one in two mobile subscribers has a smartphone and that figure is moving steadily upwards. By most measures, it has been the year of the App once again, driven mostly by the rise of Android and iOS users who have more than doubled in a year and account for 88 percent of those who have downloaded an app in the past 30 days. In just a year, the average number of apps per smartphone has jumped 28 percent, from 32 apps to 41. Not only is the 2012 smartphone owner downloading more apps, they are increasingly spending more time using them vs. using the mobile web — about 10 percent more than last year.

Some things haven’t changed, however. The Top Five Apps continue to be Facebook, YouTube, Android Market, Google Search, and Gmail. And smartphone owners spend just about the same amount of time on apps each day (37 minutes a day in 2011 compared to 39 minutes today). Finally, privacy continues to be a concern with the vast majority (70% in 2011 and 73% in 2012) expressing concern over personal data collection and 55 percent wary of sharing information about their location via smartphone apps.


© 2012 The Nielsen Company. All Rights Reserved.

The Unintended Consequences of Social Networking

With today being Facebook’s IPO I wanted to address an unintended consequence of social networking. I am a huge fan of LinkedIn for expanding my professional network, for learning and collaborating with other security/privacy pros, and it certainly helps with a job search. I teach advanced LinkedIn every week to 20 to 30 people in career transition.

Bad guys are using LinkedIn to create org charts of their targets. Odds are high that you are connected to your manager and your team is connected to you. If you or your team received an e-mail from your boss (or someone spoofing your boss’s e-mail address) and it contained an attachment labeled “Corporate Strategic Plans – Confidential” (or any document containing malware), would you open the mail and the attachment? Highly likely.

Good guys, a.k.a. your competitors, are watching the new LinkedIn connections of your executives, especially the business dev team. They look for patterns. A few execs connecting to a particular company can be a clue about M&A activity. Want to know who a company’s suppliers are? Check LinkedIn. Competitors are also looking at new hires, gleaning information about new products being developed.

Actionable advice: Security teams need to advise HR, business dev, and product teams about the information bad guys and competitors can learn from social networking.

Guidance for Enterprises on Protecting Passwords

A report from Imperva on how enterprises can protect passwords. A little salt on the hash will do the trick.
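As an added example of what the salt actually buys you (my own code, not from the Imperva report): with an unsalted hash, every user who picks the same password gets the same stored value, so one cracked hash or one precomputed table breaks all of those accounts at once. A per-user random salt, combined with a deliberately slow function (PBKDF2 here), makes each stored value unique and each guess expensive. The iteration count is an assumption; tune it to your hardware.

```python
import base64
import hashlib
import hmac
import os

def unsalted_sha1(password: str) -> str:
    """The weak scheme: every user with the same password gets the same stored value."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = 100_000) -> str:
    """Salted, slow hash; salt and iteration count are stored alongside the digest."""
    salt = os.urandom(16)  # fresh random salt per user, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time; malformed input fails closed."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)

def compare_schemes(password: str) -> tuple:
    """(unsalted hashes equal for two users?, salted hashes equal for two users?)"""
    unsalted_equal = unsalted_sha1(password) == unsalted_sha1(password)
    salted_equal = hash_password(password) == hash_password(password)
    return unsalted_equal, salted_equal
```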

Stupid Password Reset Questions

When I was at AOL we fought a constant battle between bad guys and executives who thought that customers should have easy access to their accounts. The bad guys loved “easy to guess” passwords and the password reset questions that were used in case a customer forgot their password. One of my projects was to update the reset process to address current vulnerabilities. AOL had the last four digits of the customer’s Social Security number. Two problems: a) If you know someone’s age and U.S. birthplace you can figure out the first five digits, so the only random part was the last four digits. For an ID thief, this was the part they wanted the most. b) Many states were including partial SS#’s as PII in the definition for “data breach notification.” Other reset questions were easy to guess. If you have to guess someone’s favorite food, it is probably not Brussels sprouts (although they are tasty). In five guesses you can probably figure out 98% of the U.S. population’s favorite food (donuts, cake, ice cream, etc.).

Websites need to ensure that reset questions are not easy to guess. To shame websites, especially banking and financial institutions, into taking reasonable steps to protect our data, I am creating a list of real “stupid” password reset questions. Of course, if a website asks me for my brother’s middle name I’ll say “ju8klw#nq.”


What color was your first car? Would it be chartreuse or lavender? How many car colors are there? Who cares whether it’s your first car or your fifth; the color choices are the same.

What year were you born? Until people start living to age 1,000, the choice of birth years is 100 or less. Certainly few babies born last year are using banking sites, and most people in their 90s are unlikely to be either. The universe of birth years is about 50 numbers. Hackers like those odds.
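To put numbers on the argument above, here is an added example (my own code, not from any site’s reset flow) that scores a reset question by how much of the user population an attacker covers within a fixed number of guesses, which is exactly what a five-attempt lockout has to defend against. The answer distributions are constructed for illustration, not survey data; the skewed “favorite food” list and the 50 plausible birth years are the cases discussed in the text.

```python
import math

def top_k_coverage(answer_counts: dict, k: int) -> float:
    """Fraction of users whose answer is among the k most common answers."""
    total = sum(answer_counts.values())
    if total == 0 or k <= 0:
        return 0.0
    ranked = sorted(answer_counts.values(), reverse=True)
    return sum(ranked[:k]) / total

def guesses_to_cover(answer_counts: dict, fraction: float) -> int:
    """Smallest number of guesses, best-first, that reaches `fraction` of the population."""
    total = sum(answer_counts.values())
    covered, guesses = 0, 0
    for count in sorted(answer_counts.values(), reverse=True):
        covered += count
        guesses += 1
        if covered / total >= fraction:
            break
    return guesses

def min_entropy_bits(answer_counts: dict) -> float:
    """Min-entropy: the attacker's single best guess succeeds with probability 2**-H."""
    total = sum(answer_counts.values())
    return -math.log2(max(answer_counts.values()) / total)

def uniform(n: int) -> dict:
    """Constructed distribution with n equally likely answers (about 50 plausible birth years)."""
    return {i: 1 for i in range(n)}

# Constructed, deliberately skewed "favorite food" answers; not survey data.
FAVORITE_FOOD = {"pizza": 30, "ice cream": 20, "chocolate": 15, "cake": 12,
                 "donuts": 10, "steak": 6, "sushi": 4, "brussels sprouts": 1}

def score_question(name: str, answer_counts: dict, lockout: int = 5) -> dict:
    """Score a reset question against a lockout policy of `lockout` attempts."""
    return {
        "question": name,
        "coverage_at_lockout": round(top_k_coverage(answer_counts, lockout), 3),
        "guesses_for_90pct": guesses_to_cover(answer_counts, 0.9),
        "min_entropy_bits": round(min_entropy_bits(answer_counts), 2),
    }

if __name__ == "__main__":
    for name, dist in [("favorite food", FAVORITE_FOOD), ("birth year", uniform(50)),
                       ("first car color", uniform(12))]:
        print(score_question(name, dist))
```

A question is only as good as its worst-case coverage at the lockout threshold; anything that an attacker clears in a handful of tries is a password with the password removed.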

Cybersecurity/Privacy Predictions for 2012

Now that I am closing my consulting business and looking for my next great adventure, I wanted to get advice from cybersec, privacy, and business leaders. I called this my “thought leader 2011 tour.” I wanted to know the issues that we’d be dealing with in the next year. Here are some common themes I heard:

a) Big data – Online activities leave easy-to-follow digital footprints that provide a rich profile of what we buy, where we go, who our friends are, and who we are. Hadoop and advanced analytics can drive innovation. Personal data is more valuable than gold. What is the appropriate balance between privacy and innovation?

b) Data warehouse in your pocket – Smartphones can collect a treasure trove of data: where you are, who your friends are, your speech, your shopping list, your health and diet data, etc. A smartphone is always with us and is always on. It is hard for end users to control their mobile privacy by deleting cookies or blocking the unique IDs that identify a specific phone. Protecting this info from bad guys and unscrupulous marketers will be of great concern in the future.

c) The “personalized attack” – As the amount of personal info online grows, it provides bad guys with the information they need to personalize an attack. This includes using info to guess your password reset question (“what is your favorite food”) or sending an e-mail with malicious content from a friend’s or co-worker’s e-mail address. Personalizing the attack increases its effectiveness.

d) Be prepared for the inevitable breach.

e) The merger of cybersecurity and privacy – In the past these organizations typically did not work closely. There needs to be a tight coupling to ensure that the right data is being collected and used, as well as ensuring that it is protected. Protecting the “corporate gold” is a difficult task requiring collaboration.