I’m taking a break from virtualization to spend a few minutes with my roots: security. You know what they say: you can take the boy out of security but can’t take security out of the paranoid, tin-foil hat wearing, walls painted with wifi-blocking paint boy. :)

My co-worker, Peter Silva (the real security guy in the house), passed along some research yesterday about a group of individuals who claim to be able to predict a US citizen’s social security number based on a few small pieces of publicly available information – name, birth date, and birth city – and they say they can gather this data from your social media breadcrumbs. Now you’re probably thinking “Big deal. No one on the Interwebs(TM) knows where I was born or when, so I’m safe.” You and me both, friend, because we don’t use Facebook. Oh wait, you do use Facebook? And you have your birthday posted on your page? And you’ve made comments on someone’s wall about growing up on a farm in Kentucky? Oh, well it sounds like you’ve just been socially engineered and you didn’t even know it. Watch that SSN#, you never know who’s looking. :)

Social engineering has long been both a staple and a foil of security. Traditional social engineering attacks focus on usernames, passwords, bank PINs, or “forcing” a user to do something malicious, such as connecting a virus-laden USB key they found in a parking lot to their laptop. Password engineering is probably the most common, because most passwords are rooted in something users know extremely well and something they can remember. It’s fairly common to find passwords that include nicknames, anniversary dates, birth dates, pet names, spouse names, etc. Bob was born in NYC, loves the Yankees, has a dog named Chase, and was born in 1972. His password may be “YankChase72”. If I know enough about Bob, or can coax certain personal information out of him, then I have a better chance of brute-forcing his authentication credentials.
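The defensive counterpart to the Bob example is to check, at password-set time, whether a new password is just the user’s own profile data glued together. The following is an added example (not code from the original post): it derives guessable fragments from a constructed profile (whole words, word prefixes of four or more letters so “Yank” is caught from “Yankees”, and two-digit forms of years) and then measures what fraction of the password those fragments can cover. The `BOB` profile and the 50% rejection threshold are assumptions for illustration.

```python
import re

# Constructed profile for the article's "Bob"; a real system would pull these
# from the account record (name, city, team, pet, birth year, spouse, etc.).
BOB = {
    "name": "Bob",
    "birth_city": "NYC",
    "favorite_team": "Yankees",
    "pet": "Chase",
    "birth_year": 1972,
}

MIN_PREFIX = 4        # shortest letter prefix we treat as guessable ("yank")
REJECT_FRACTION = 0.5  # assumed policy: reject if half or more is profile data


def profile_tokens(profile: dict) -> set[str]:
    """Lowercase fragments of a profile that a password might be built from."""
    tokens: set[str] = set()
    for value in profile.values():
        for word in re.findall(r"[A-Za-z]+|\d+", str(value)):
            w = word.lower()
            if w.isdigit():
                tokens.add(w)
                if len(w) == 4:          # a year: "1972" is often written "72"
                    tokens.add(w[2:])
            else:
                if len(w) >= 3:          # whole word ("bob", "nyc")
                    tokens.add(w)
                for n in range(MIN_PREFIX, len(w) + 1):
                    tokens.add(w[:n])    # prefixes: "yank", "yanke", ...
    return tokens


def personal_coverage(password: str, profile: dict) -> tuple[float, list[str]]:
    """Return (fraction of the password covered by profile fragments,
    the fragments used). Dynamic programming over the normalized password,
    allowing uncovered gaps, so partial reuse of profile data is also scored."""
    tokens = profile_tokens(profile)
    s = re.sub(r"[^a-z0-9]", "", password.lower())
    if not s:
        return 0.0, []
    # best[i] = (covered characters in s[:i], fragments that achieve it)
    best: list[tuple[int, list[str]]] = [(0, [])] * (len(s) + 1)
    for i in range(1, len(s) + 1):
        best[i] = best[i - 1]            # leave s[i-1] uncovered
        for j in range(i):
            frag = s[j:i]
            if frag in tokens:
                cand = (best[j][0] + (i - j), best[j][1] + [frag])
                if cand[0] > best[i][0]:
                    best[i] = cand
    covered, used = best[len(s)]
    return covered / len(s), used


def evaluate_password(password: str, profile: dict) -> dict:
    """Policy decision a password-change handler could apply."""
    fraction, used = personal_coverage(password, profile)
    return {
        "personal_fraction": fraction,
        "matched_fragments": used,
        "accepted": fraction < REJECT_FRACTION,
    }


if __name__ == "__main__":
    for pw in ("YankChase72", "Bob1972!", "correct horse battery staple"):
        print(pw, "->", evaluate_password(pw, BOB))
```

Run it and “YankChase72” is reported as 100% profile-derived (fragments yank, chase, 72) and rejected, while a passphrase unrelated to Bob’s life passes. The same check generalizes to any attribute a help desk or social profile might leak; the important design choice is that the profile never leaves the server and the check runs only on the password the user is about to set, so nothing here helps guess anyone else’s credentials.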

On the flip side of the password coin, it’s becoming more common to find businesses that use extremely specific personal information to verify identity: almost social engineering for good. The theory is that no one but Bob will know the address where he lived when he applied for his first credit card, or whether his sister recently purchased a large plot of land in Montana. If Bob’s bank detects any type of fraud on his account, they can call Bob and ask him these questions that only he will be able to answer (in theory) and determine with a good bit of accuracy (in theory) if Bob really is Bob. While this model is a good start, it still suffers from flaws. It relies on the real Bob actually being able to answer these questions correctly, but can anyone expect Bob to remember which apartment he lived in during college when he applied for his first credit card? Or maybe Bob hasn’t spoken to his sister in 2 years and has no idea she’s become Montana’s latest land baron.

This exact problem happened to yours truly recently. My credit card issuer detected what they thought was fraud on my account (turns out it wasn’t, they were just being over-vigilant) and I got a call from them letting me know what was going on. Props to them for being proactive, but we had to have a few calls to clear things up due to too much social engineering security on their part. Here’s how the first call went (names and details have been changed to protect the innocent, i.e. me, so you can’t social engineer your way into my wallet):

Bank: Hi Mr. Murphy. I’m going to ask you a few questions to verify your identity.
Me: Ok.
Bank: What’s your SSN?
Me: 123-45-6789
Bank: What state did you grow up in?
Me: Colorado
Bank: Uhm…123 isn’t a social security prefix used in Colorado.
Me: I know, I wasn’t assigned that SSN in Colorado, I was assigned that SSN in the state I was born.
Bank: Oh. What state was that?
Me: Vermont
Bank: Ah, ok, that matches what we have on file. One last question: what color was the car you bought with your first car loan?
Me: Pancake Brown.
Bank: Thanks, Alan. You’ve been verified.

My personal experience, coupled with the claim that SSNs can be predicted based on personal information, really got me thinking about the overlap of social engineering and social networking. Before the advent of social networking, I think most people were reticent to share personal information. If a stranger approached me on the street and asked me my birthday and birth city I’d assume they were trying to scam me. Now people willingly post this information for everyone to see, and freely share all types of personal information.

Another example of social engineering and social networking overlap is a recent story on an MI6 agent’s wife who posted their family’s home address on her Facebook page. “Why yes, my spouse does work in national security. And we’re having a garage sale at 123 Elm St. this weekend.” Couple what we’re willing to share in text on Facebook with what we post on YouTube and we’re building a table of contents for our lives that anyone can access, use, and steal. This (rhetorical) question gets asked too often these days, but will the Myspace/Twitter/Facebook generation have any sense of personal and private information as they grow up?

Me, I think some things should be kept personal, and there’s no need for the entire world to know that I was born in Vermont but grew up in Colorado, and thus deduce that I’m a ski bum. But I realize I’m in the minority. I’m only one of 2 people in my social circle who doesn’t have a Facebook page, and the two of us are standing strong in solidarity. When I want to know what he’s doing, I call him.

If you’re going to guess my SSN, then you’re going to have to do it the old-fashioned way and trick it out of me in person – which in the end is easier than engineering my birth date and city of birth, and then trying to guess my unique serial number combination.