National ID push is back

Originally posted 06/15/2011 on lubbockonline.com

They're doing it again. Pushing for a national ID card. I've looked at the issue before and I'm sure I will again. It's an issue that won't go away. Recently a Ron Paul video was put up on youtube, though it's not dated beyond the upload date. On June 10th Bob Barr of the Atlanta Journal Constitution commented on the new push to use E-Verify to implement a defacto national ID based on another post at the Cato institute by Jim Harper. E-Verify is a national program designed to decrease hiring of illgal aliens. Participation is voluntary, but there is a push to make compliance mandatory for all employers. That would effectively create a cardless national ID system for workers.

'

Epic has filed a brief with the Department of Homeland Security (DHS) and posted it at JDSupra opposing the expansion of E-Verify. It notes that despite legal limits imposed on E-Verify, the DHS refuses to limit it to employment records:

First, the SORN claims E-Verify data "may also be used for law enforcement," followed by specified examples in parentheses, "(to prevent fraud and misuse of E-Verify, and to prevent discrimination and identity theft)." 36 It is important to note that the agency fails explicitly to commit to these parenthetical examples as legal limitations. Second, the agency seeks unfettered power to distribute E-Verify records both to public and private parties.

Before E-Verify has been expanded, the DHS is already trying to expand the uses of it beyond the limits imposed by law. We cannot trust government agencies with our personal, identifying data. The risk of abuse is too great.

Would you recognize a human-hacker?

Originally published 3/11/11 on lubbockonline.com/glasshouses

As much as we focus on computer viruses, trojans, vulnerabilities and exploits, they are not the biggest risk to security - online or off. The biggest risk is us. Books have been written about it, from Kevin Mitnick's classic "The Art of Deception: Controlling the Human Element of Security" to Christopher Hadnagy's latest, "Social Engineering: The Art of Human Hacking" the subject has been pretty thoroughly covered. But we don't have to space for that kind of detail, so we're going to look at a more succinct study, the Department of Homeland Security's pamphlet on elicitation, (pdf) the art of using ordinary conversation to coax out the information people want to keep secret. From the pamphlet:

In the espionage trade, elicitation is a technique frequently used by intelligence officers to subtly extract information about you, your work, and your colleagues.

Said another way, elicitation is the art of conversation honed by intelligence services to its finest edge.

Elicitation is nonthreatening, easy to disguise (and hard to prove) and it works. Why does it work? Because it's ordinary conversation, the type of thing we do all the time. Is that attractive person you just met so interested in your job because they want to get to know you, or because they're trying to find out something you know? That telemarketer that struck up a conversation with you yesterday - did you really tell him about your vacation plans next month? Just how did he get you to tell him that?

According to the DHS pamphlet the tools are something we all use to some degree:

Appeals to ego: "You must be really important. Everyone here seems to know you." You may respond with a denial, then talk about why what you do isn't really important.

Mutual interest: The person expresses an interest in something you're interested in and uses that to build a bond and increased trust.

Deliberate lies: "I've heard that..." A deliberate lie told knowing you know the truth. Most people have a strong desire to correct the mistake, and we all like to be part of the "in crowd" with insider knowledge.

Volunteering information: It's a simple trade. They give you something in hopes you will give them something. Sales people do this all the time, usually telling you that the price is about to go up, the offer is about to expire or their almost out and it's going to be weeks before they get more.  If it works, you buy whatever they're selling. For a scam artist, you give them your information, such as credit card numbers, name, address, and maybe even SS#.

Assumed knowledge: Just enough is said to give the impression of knowledge in an area so you'll discuss it.

As I read this list I thought about calls I'd received, both at work and at home, from telemarketers. Almost every one of these tools had been used against me in one form or another.  Then in the WalMart parking lot tonight another one was used on me, the appeal for help:

"Could you spare some change? I'm trying to get some food for me and my wife."

I've had my own answer to this type of appeal for years, "Come with me and I'll buy you some food." He said he was getting his wife, got in the passenger seat of a car a row over, and they left.

The DHS pamphlet is aimed at preventing espionage, but the same techniques are used by malware authors and conmen to build trust and encourage us to give them what they want. One reason these techniques are so effective is that they are the things we all do in the normal course of communicating with others. Try going through a day looking for the things you and the people you interact with do as you communicate. Then see if you can tell who is just making conversation and who is trying to get something from you.

 

 

Wikileaks is a symptom, not the disease

Wikileaks has created a tempest with the release of millions of stolen U.S. secret documents. It's also created serious problems for it's founder. Problems that may exist more for the convenience of the embarrassed governments than for any real events. But that's not the reason for this post. Wikileaks has forced governments in general, and the U.S. government in particular to look at just what types of security they have, and how close it really is to what they need.

Redorbit.com reports that the U.S. lags behind safeguarding against cyber attacks. I don't know if anyone really finds that idea surprising. If we can't even prevent a soldier (trusted with clearance or not) from physically stealing secret documents, why should we think we're successfully securing the networks that hold those documents from outside intruders?

The Department of Homeland Security (DHS) has plans to secure those networks, but they will take time to implement. Steps are being taken to plug the holes that made the wikileaks revelation possible, too. The problem is, those steps should have been taken years ago. There should have been no thumb drives allowed, and the ability to burn CD's should have been limited to particular people, if it was allowed at all.

For at least a decade government agencies have been getting a failing grade when it comes to network and computer system security. The DHS has been receiving failing grades since it's creation - though I think last year for the first time it received a "D." It was one of the few sections of our government to do so. If we want to remain a real player in the world - not just in politics, but in economics, science, and technology - we have to step back and look at what we are doing. We have to honestly evaluate everything. Is this policy effective? Or does it just "look good?" Is there a more effective way? If it is effective, is it effective at the right thing? If we are trying to keep thieves from stealing data off of our networks, do our policies at least make it harder to get data off of our network, even if you are sitting on a computer inside the network perimeter?

If I am trying to keep our businesses competitive with foreign companies, are my policies doing that, or are they actually hurting the competitive capabilities of U.S. companies?

We have to look at ourselves honestly, evaluate ourselves dispassionately, and work at improving diligently if we are going to secure our networks and our borders. If we aren't willing to do that, we should fold up now.