Europe pub sued for client downloading copyrighted material

by SrChasJC 2. December 2009 02:13

Europe news,

This was a matter of time. Here is the problem: a public WiFi is used to download copyrighted material, and the WiFi owner is sued. This sets a precedent we have been expecting, because it is preventable by several means. One is making patrons pay one dollar for the service and tracking what the patron does, so that when a question of legality arises, the end user is the one charged. Otherwise it goes up the chain. Legislation of just the opposite is occurring in the States: ISPs that block traffic based on some rules are being sued for selective service, a discriminatory practice.

The first thing a proponent will say is "they will use a fake credit card, etc". Follow the prudent man rule: do what you can, then it's not the fault of the ISP. Know who is on your network; if one ISP sells service to another ISP (the WiFi owner), the responsibility falls to the lower ISP.

There will be a meeting in the middle, and I believe it will be to know who is on the network, and privacy must vanish when a service is used, otherwise crimes will occur with impunity. The term service itself is the key: someone providing something. Nothing is for nothing, and someone is going to pay for illegally used services. Terms such as conspirator and accomplice will apply for ISPs that participate in these activities.

http://www.eweekeurope.co.uk/news/wi-fi-security--home-nets-are-wide-open--pub-gets--8000-fine-2613

 


Network Security | political

Make the problem part of the solution

by SrChasJC 12. July 2009 14:06

Protecting Personally Identifiable Information (PII) has always been a concern but is required now in most states because almost every network is now connected to the Internet. It is easier than ever for a criminal to obtain your social security number and other information needed to “steal” your identity.

Why is it so easy to steal a person’s identity once only a few things are known about a person, such as a social security number and place of birth? Because fake cards can be made with these numbers and then taken to an agency to get a valid driver’s license, open a utility account, or obtain a birth certificate. Using these valid IDs, other IDs (even the social security card that was issued based on the fake ID) can now be obtained.

How do we “break the chain”? This is a battle that has been ongoing for some time; a “National ID Card” is constantly facing challenges by “rights” groups saying loss of personal anonymity would occur. (This is a good place to insert duh!)  Either we can know and verify who you are or we can’t. So the challenge is great, but the solution can be simpler.

SSNs are guessable, according to a SANS report published last week. The Social Security Administration has issued a statement including: "There effectively is no way you can keep {SSNs} totally confidential."

http://www.nytimes.com/2009/07/07/us/07numbers.html?_r=1

http://www.theregister.co.uk/2009/07/07/ssn_guessing_algorithm/

We should be concentrating on how to mitigate the risks of disclosure, focusing on processes to prevent improper use. For instance, when an SSN is originally issued by the SSA, they require complete, up-to-date information. Before an SSN can be used, similar to a credit card, the information could be checked electronically before an account is opened, job obtained, etc.

For instance:

Employers use a system called “E-Verify” to help verify the validity of social security numbers. This system can be expanded to banks, utility companies, and loan companies to determine if the presented card is valid. So in any case, a federal agency would be the anchor point for any such system. It would be relatively easy to implement and fund.

Forcing companies to use this system and obtain a valid “authorization code” would prevent, or almost stop, all identity thefts in their tracks. When an identity is stolen, it will be very easy to catch, as the credit reporting agencies should also be required to verify their information before publishing it. Any red flags would cause everyone in the chain to receive change notification.

Fraud involving a valid authorization code will spring a federal agency into action to reverse the wrong actions, challenge the information, utilize intelligence and enforce Title 18 laws on a national level.

The banking system is a large part of the problem. The day of walking into a bank to open a credit card account has been replaced by just a signature on a pre-approved form in the mailbox.  But the banks would welcome an automated way to verify a SSN and other PII; this would help cut down on their losses. We know the track record of credit reporting agencies (mainly who they rely on today), and the stories about people’s dogs obtaining credit. The job of the “Feds” would be to provide a vehicle for real verification.

We may never eliminate fraud, but finding ways to make obtaining the information ineffectual will greatly reduce identity theft.

 


Identity Theft | Network Security | political

Security is becoming your responsibility

by SrChasJC 20. February 2009 10:35

We’re upset every time we hear about a security breach involving thousands of names and social security numbers or credit cards. In many cases we have no choice but to give the information to doctors, etc. I was recently at a medical clinic (ERLANGER PEDIATRICS OF DALTON) on January 22nd, and saw a young lady surfing her MySpace account on the same computer where my information was entered. I had a sick feeling in my stomach. In short order I expect my personal information to be on the Internet for sale to the highest bidder. It might fetch up to $50.

Part of the problem is there isn't an understanding of WHAT needs to be done to protect data and fight cyber crime. Law enforcement is helping there, but they can go overboard; case in point, the new federal laws being presented that would require all Internet providers and operators of millions of Wi-Fi access points to keep logs for two years. That means you, the homeowner, the businessman, the coffee shop, hotels, etc. http://www.cnn.com/2009/TECH/02/20/internet.records.bill/index.html?eref=rss_tech

Most of you have never seen a log; now you will have to preserve them. When that guy pulls up to your neighbor's house and surfs YOUR unprotected access point he/she may be downloading child porn, and it will be up to you to assist law enforcement to catch them.

So yes, YOU will be responsible for maintaining logs if this law is passed. It's not that it is a bad law, there are many good components. But like I said, there isn't an understanding of WHAT needs to be done, let's start there.

First, secure your access point. Force manufacturers to enforce encryption and authentication on their products. Second, know who you're giving access to. Third, place the burden on the ISP to maintain the logs for you as part of their service (another law). THEY should know WHO is on their network at all times. I can hear the shouting now: rights issues. But let's face it, it's out of control. Who needs to hide when there are open access points all over the world? Fourth, let's get real: these things will stop an amateur, but it's the pros committing the big crimes. Let’s give government the flexibility they need to catch these "pros". Fifth, ask the government to create real standards and hold business AND government agencies accountable, punishable by law. (Please don't let people surf the Internet on the same network as my SSN.)

There is no magic bullet. But it will be up to us, WE THE PEOPLE, not business, not government, but a collaboration, starting with us requiring our government and business to work toward a common goal: Securing our networks. 


GrapeVine | Network Security | political

What’s important to you?

by SrChasJC 5. October 2008 11:19

Ask the question, see what answers you get. Money issues always rate top, next family, work, and then the answers are varied. What if you ask a two year old? (Mine said puppies, toys, going to see Bubba (favorite uncle), and Anna (a next-door neighbor).) You see, their perspective is quite different. How about a teen? (I have three awesome boys, two are teens.) Yes, different even still: girls, muscles, time off of school, money, food.

What do I consider important? God, family, work. But even that changes depending on the day. Last week my wife and I took my two year old daughter to Disney. When things go well, seems there is not a care in the world. When something bad happens, nothing else matters. When my two year old slipped and went under water (I was very close by) my heart stopped, I grabbed her and got her up out of the water in a split second. She coughed, but was ok. What do you think went through my mind? She was the most important thing in the world to me. I hugged her tight and you can bet the water was a little saltier from my tears that day.

My daughter saw new things, experienced new things, smells, tastes and sounds. I noticed in many pictures it seemed she wasn’t smiling, but she was taking it all in, and when she wasn’t laughing, she was struck with awe. I asked her several times after the trip what she liked the most about Disney; I was surprised that meeting Mickey and Minnie Mouse rated top. We don’t watch much TV, although we do read Disney books to her often, so I guess I was a little surprised that meeting the characters stood out. Riding on the Dumbo ride was her response once. Recently, I’ve noticed she has been asking to read stories about Flik, a character in A Bug’s Life. I’m sure it’s because she met (the character) Flik in person. What stands out about that is before we went, she was bitten by several ants in our yard, and when we told her that Flik was an ant, at first she wouldn’t get near him. After a little coaxing explaining he didn’t bite, she gave him five and we got a couple of pictures. And I appreciate Flik apologizing to her from the whole ant population. Pictures at http://www.middleton-howington.com/Photos.aspx?AlbumID=6

When I spend time with my boys little else matters. They don’t live with me, so I greatly cherish the time with them. My oldest has a drumming video that showed up on a Google rating higher than my sites (http://www.theslapstik.com/videos/Charles-Corcoran.html) today, of course I’m proud. My middle son is focused on IT in High School, winning awards for most improved student, hard to be more proud of him, and that he has direction. And my youngest son is simply known as the wiz, with a wit I wouldn’t dare contend with, again, it makes me sing inside with pride. All three of my boys are very sharp and I love them with all my heart.

As I think about what’s important to me, it is showing my children there is a purpose in life and an internal need for dedication to a lifelong goal. And in whatever direction they choose, be the best they can be at it; I’m behind you 100%. Again, what’s important is dependent on the day, and right now, mowing the lawn is way up there. Who you were will be measured by the impact you have made today. Now, I’m off to impress the neighbors.


Family | Corcoran

A one man army - defeated by business - everyone loses

by SrChasJC 5. October 2008 05:08

It’s a disappointing day for the security information professionals. When a man elected by the people sides with business concerns, we all lose. According to http://idtheftcenter.org/workplace_facts.html, “One study said that identity theft cost U.S. businesses and consumers $56.6 billion in 2005” and “According to the U.S. Department of Justice Statistics, identity theft is now passing up drug trafficking as the number one crime in the nation”.

On October 5th, 2008 I read a report from SANS that detailed how California Governor Arnold Schwarzenegger vetoed the Consumer Data Protection Act again on October the 2nd. His comments regarding his reasoning included "by requiring notification even where no information was obtained improperly, this bill would likely result in significant costs to businesses and to the state."

Identity theft is life changing. Imagine for a moment opening your credit card bills one month and seeing that all the interest rates were raised to 24%, and the payments doubled. If you are trying to finance a home, forget about it because your ratio will change significantly, and your credit rating will be in the toilet. After you pull a credit report, you realize someone has opened a credit card account in your name, charged $20K, and to boot, they are late on the payment! Correction, YOU are late on the payment! That is why all of your credit card companies have revised their terms with you. Even if you get the card company convinced it wasn’t you and the charges are removed from your credit file, you are responsible for the increased payments on all the other cards, and getting the terms revised, well, ask anyone who is in that position, you can pretty much forget it.

Three months later, you’re considering bankruptcy, your savings account depleted, and you are considering cashing out your 401K to pay off the credit cards. You have no budget because you can’t meet the payments as they are. Now all it takes is a car repair, an increase in gas price, well, you get the picture. The most the “company” responsible is going to offer you is a free credit report.

According to http://ag.ca.gov/idtheft/ there were 45,175 victims reported from California in 2005. This will increase. As a security specialist I have a few observations. Businesses as a rule are lazy, doing only what they have to. (This is not a reflection of any company I have worked for who hired me to improve their security.) If only the businesses treated the personal information the way they HAVE to treat VISA credit card information (that still doesn’t mean they will, case in point TJX), we would be much better off. The credit card industry has come together and produced a simple list of requirements (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml), the first of which is “Build and Maintain a Secure Network”. Wait, you mean this is a requirement? Wouldn’t you think that is a given? Don’t fool yourself. If you have ever found a company that took credit cards but doesn’t take VISA credit, think again about doing business with them because most likely they can’t (or won’t) meet these simple standards.

Unless business HAS to meet certain standards (AND IS AUDITED BY A THIRD PARTY), your data is in jeopardy. You would be very surprised what I have seen as a security professional.

So back to Arnold. He is in a position to make change to affect people’s lives, not only in California, but possibly worldwide. Many states follow California, and let’s face it, many countries follow the US. I have always seen Arnold as the underdog, man against the bad world. My favorite movie of all time is Total Recall, where he saves the planet Mars. If I could speak to him, I would only say I wished you could see the blatant disregard of personal data I have seen, not with the companies I was/am with, but the companies they do business with, and shared information from other security professionals.

Laws don’t fix everything, but they do cause change. It would be a shame to think that every company would have to make the headlines before they made the changes required to secure personal information. Without laws, this is what will happen. Meanwhile, your information is not only in your state, but in every home office of every company you do business with. A little multiplication, and the 45K people for just one state for one year, now think of the odds of your information being exposed. If you do business on the Internet, use a credit card in a restaurant or retailer, your odds are not good. Someone will use that card, your information, or otherwise get at the data because of the fact there are weak controls, or for the smaller companies, no controls in place since they won’t fall under any of the other control standards such as SOX, HIPAA, or PCI. That's where a law comes into play. It gives security professionals like myself the grease to make internal changes.

Arnold, you have shown us that the sword is mightier than the pen.


GrapeVine | Identity Theft | Network Security | political

Green or Greed?

by SrChasJC 1. August 2008 23:33

There is a dry spell in the North Georgia area.  In the Atlanta area, citizens are being commended for saving water in time of drought.  It's amazing what a society can do when called upon to work together. But there are losers, for one, the water company. By "selling" less water, the revenue goes down, so they raised the prices for water.  In effect the citizens feel like they are being punished for saving water.  The biggest loser?  The citizen.

Another conundrum seems to exist with power companies. We are also in a time of economic drought. So larger businesses are turning to human energy to focus on reducing the energy bills. But the reward systems for energy use are backwards. The more you use, the cheaper it is! So it doesn't take a lot of math to figure out that sometimes using more energy will put you in another "bracket" and SAVE you money!

In both cases above, what is good for the environment is against the built in mechanisms for saving money. So which green do we want? Green or $Green$? It's time to rethink energy use, water and natural resource use. Let's see some real incentives. Lawmakers?

 


political | Environment

Information Highway - A privilege or right?

by SrChasJC 30. July 2008 01:33
 

Re:  http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209601006

 

The Internet should be treated as a "Highway" that has global "laws" governing use and abuse. We have seen shrinking global authority when it comes to how to handle human rights issues, and blatant country-sponsored attacks.

 

The ability to "unplug" nations that can't play nice together seems only natural. Shame on the US service providers that elect to give in to human rights abuse because it's "legal" in that country. (Fear is the parent of cruelty. —Froude) If China wants your service they should sign your contract. Adhering to a country’s law in violation of human rights is in essence alignment. (Let the cock crow thrice. —Matthew 26:75) The past should have taught us that human rights should always reign. Companies should be held globally responsible for what is tantamount to treason, disclosing information to allow/assist persecution of a human rights victim. (http://en.wikipedia.org/wiki/Treason) At the very least pay the families involved billions of dollars for the decision to do that type of business with the country.

It’s not the US’s Internet, nor any country’s. We need common ground, establish some rules when coming to the table, and mind your manners. Better yet, EARN your license to drive on the information highway. If you allow your people to attack and break in to other people's computers, you as a country are responsible. (Get a ticket, suspend after XXX violations.) When a country needs information to assist in law enforcement, where the laws are international, you’re obliged to give it to them. When it's not international law, use judgment (play nice), but never violate what is a law in your own country. They are (China in this case) trying to apply one country’s laws to a company in another country. This should be on the top of the agenda for United Nations and G8 summits.

 

G8 was to launch an international pedophile database:

http://www.guardian.co.uk/society/2005/jun/18/childrensservices.crime

 

G8 countries take action to direct course of nuclear energy:

http://www.cnp.ca/resources/g8-and-nuclear.html

 

G8 to pool data on terrorism:

http://www.guardian.co.uk/uk/2005/jun/18/g8.usa

 

G8 commitment to global health lauded by UN agencies:

http://www.un.org/apps/news/story.asp?NewsID=27322&Cr=mdg&Cr1

 


political

A Daughter's Love

by SrChasJC 15. July 2008 03:14

I get excited when I see my 2 year old daughter smile. When I come home from work, when I tell her I want to take a hike with her, when I tell her I want to read a story to her. Even if it's the same old book she wants me to read, I'll do it with enthusiasm. This past weekend while we were hiking in our yard, she asked me if she could hug a tree. I thought if that tree only knew how lucky it was to get an unsolicited hug from such a beautiful little girl.

I say that because although she isn't the most generous hugger, she will give you one if you ask. Every once in a while she will walk up to me and hug my leg. I'll get down on the floor and give her a hug back, and I'll ask what the hug was for. There doesn't seem to be any reason, and that's a good thing. I wrote this to remind me when she might get on my nerves, or I’m too busy to spend time with her, or she gets mad because she doesn’t want to go to bed. Nurture that love, it’s more important than me. Just ask a tree.

 


Family | Corcoran | GrapeVine

Copyright © 2008 Charles Corcoran

About the author

A little crazy, a little conservative, with a dose of normalness sprinkled on for good measure. I try to spend my life trying to get out of the box I'm used to thinking myself into!


    Disclaimer

    The opinions expressed herein are my own personal opinions and do not represent my employer's view in  anyway.
