Identity Education Consortium

Russian Connection in Land of Ten Thousand Dogs

2008-12-21T04:56:00.000-08:00

I find myself again in the Crimean region of Ukraine, which has very close ties to Russia. The fabled Black Fleet is docked in her ports, only Russian is spoken on the streets, and our flat is across from Lenin Square. When the Ukrainian flag is displayed, the Russian flag is displayed alongside. Kiev is supposedly the seat of power, but it seems that Russia is pulling at least some of the strings. We noticed the flats had better heat in Crimea than in Kiev, which is not suprising, as most of the country's energy derives from its eastern neighbor.

So what defines a country? Geography? Culture? Randomness assigned by a former colonial power? In the case of Crimea, it was "given" as a gift to Ukraine by the Russians, who never at the time considered their empire would fade. Imagine the surprise of the former Russian inhabitants when they found out they needed new passports. And the resentment appears to have sustained a half century. The economic crisis that began in the US has certainly "trickled down" to Ukraine as well. The first day the electricity went out. I was told that all the utilities are scarce and unreliable. The usual trash exists in the streets, but it may be even worse now. And the hounds still have free roam in the land of 10,000 dogs.

Protect, Don't Eliminate Borders

2008-10-26T09:15:00.000-07:00

In its report entitled "Building a North American Community: Report of an Independent Task Force Sponsored by the Council on Foreign Relations," Global elitists advocate the elimination of North American nation-state borders. In other words, wages across North America and indeed the world will equalize as migrants from Mexico and other countries freely cross what used to be the southern border.

According to Forbes magazine (ref. 1), Pedro Aspe, one of the task force co-chairs, is also co-chairman/director of Evercore Partners, is a member of the board of the Carnegie Foundation, and sits on the Advisory Board of Stanford University's Institute of International Studies and the Visiting Committee of the Department of Economics of the Massachusetts Institute of Technology.

According to Carnegie (ref. 2), since 1996 he has advised in more than 200 transactions, including private equity placements, mergers and acquisitions, project financing, and municipal bonds. He has also held a number of positions with the Mexican government, including the Minister of Finance and Public Credit of Mexico from 1988 through 1994 (ref. 3) and Budget Minister from 1987 to 1988 (ref. 4). Perhaps no one is in a position to benefit more from such an open border policy than Mr. Aspe, as he and other globalists seek to drive down wages and raise revenue from privatized toll roads American taxpayers are forced to use.

In a section of the report entitled "What We Should do by 2010," the plan to bring in cheap labor and abandon the borders is clearly laid out:

By 2010, CFR want to "Lay the groundwork for the freer flow of people within North America. The three governments should commit themselves to the long-term goal of dramatically diminishing the need for the current intensity of the governments’ physical control of cross-border traffic, travel, and trade within North America."

Is CFR working in the best interest of the average American? Do you want Pedro Aspe to orchestrate mergers on your behalf and bring in busloads of Mexicans to take your job? Me neither.

For the full text of the report, please visit the link below:

http://www.cfr.org/content/publications/attachments/NorthAmerica_TF_final.pdf

References:

1. http://people.forbes.com/profile/pedro-aspe/51991
2. http://www.carnegie.org/sub/about/p.aspe.html
3. http://www.evercore.com/userdetail/index.php?userid=1247
4. http://ecorner.stanford.edu/authorMaterialInfo.html?author=265

Contact the author at rick.newbold@identityeducation.org

New Federal Law Targets ID Theft, Cybercrime

2008-10-23T05:01:00.000-07:00

Brian Krebs on Computer Security
Washington Post
October 2008

President Bush last week signed into law a bill that seeks to make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains.

The Identity Theft Enforcement and Restitution Act of 2008 lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual. Under current federal cybercrime laws, prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. The new law eliminates that requirement.

The law makes it a felony, during any one-year period, to damage 10 or more protected computers used by or for the federal government or a financial institution, and directs the U.S. Sentencing Commission to review its guidelines and consider increasing the penalties for those convicted of identity theft, computer fraud, illegal wiretapping or breaking into computer systems.

The new law allows federal courts to prosecute when the cybercriminal and the victim live in the same state. Under current law, federal courts only have jurisdiction if the thief uses interstate communication to access the victim's PC. In addition, the law also expands the definition of cyber-extortion.

Identity theft victims could find it easier to win compensation for their trouble as a result of this law, assuming their attackers are brought to justice. The law requires that in cases where convicted identity thieves are ordered to pay restitution, the victim should get a chunk of that money "equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense."

Some ID theft victims can spend thousands of dollars and months or years dealing with credit bureaus and debtors from accounts fraudulently opened in their names, but the law doesn't appear to take into account lost opportunities associated with identity theft. According to the Federal Trade Commission, some consumers victimized by identity theft may lose out on job opportunities or be denied loans for education, housing or cars because of negative information on their credit reports. In rare cases, they may even be arrested for crimes they did not commit.

Graduate Schools Consult Facebook

2008-10-23T04:59:00.000-07:00

By Reilly Kiernan
Senior Writer
Published: Friday, September 26th, 2008

Calling all seniors: It may be time to clean up your facebook.com profiles. According to a survey conducted by Kaplan Test Prep between June and August, 15 percent of law school admissions officers and 10 percent of undergraduate admissions officers have “personally visited personal networking sites to help [them] evaluate an applicant.”

One hundred and fifty-two law schools and 320 of the top 500 colleges participated in the survey, though Princeton did not.

Kaplan annually surveys law schools, medical schools, business schools and undergraduate programs, “all for the purposes of getting information for students and applicants who come to use to give them the up-to-date landscape for admissions,” Glen Stohr, admissions and pre-law director at Kaplan, said in an interview.

Use of social networking sites by admissions officers has risen so dramatically in recent years that 17 percent of law schools are in the process of formulating a policy about how to deal with the use of personal networking sites in the admission process, Stohr explained.

“I think this is sort of a Wild Wild West time for admission officers,” Stohr said.

Dean of Admission Janet Rapelye said that the University does not have a specific policy on searching social networking sites.

“If something were brought to our attention, we would of course check it out, but given that we have 21,000 applications, we are not scouring Facebook,” Rapelye said.

“If there were any reason for us to doubt the character of a student because of what they put on their Facebook page, we would take that into consideration,” she added.

The survey found that law school admissions officers are the most likely to search social networking websites.

“Law schools, unlike medical schools or business schools, very rarely do face-to-face interviews,” Stohr said, adding that profiles give law schools a chance to assess applicants’ characters.

“[Law schools] are probably under the greatest pressure to say ‘this is a person of character,’ ” Stohr noted, explaining that the character and fitness of law school graduates will be carefully evaluated by bar associations.

Using discretion

Fifty-two percent of the admissions officers who responded that they had visited personal networking sites reported that their visit had a negative impact on the applicant’s chances.
Though many students believe that photos are the greatest danger to their application success, Stohr explained that wall posts may be much more damaging.

“Many people ... think it will be a picture of me drinking at a party,” he explained. “I think what is far more likely to hurt your chances is having a discussion on your wall about your [graduate school] applications.”

In fact, photos of parties and drinks may not necessarily cause a problem, Stohr said, explaining that he believes “that admission officers know that college kids are college kids.”

Wall posts or discussions that reveal damaging information, on the other hand, such as academic problems or past legal history, could be fatal to a graduate school application, Stohr explained.

“What you put on a social networking site ... [is] not very likely to get you into law school, but it could keep you out,” Stohr said.

Laurie Frey ’09, who is applying to law school, said she believes the use of Facebook by admissions officers “a bit like an invasion of privacy,” but added that she has made an effort to keep her profile “clean.”

“Really, you have to know that kind of thing is possible when you sign up for any kind of networking site, so it is your responsibility to only put up things you would be ok with an admissions office seeing,” Frey said.

Rapelye urged similar caution. “Students who are in the application process should be mindful of what they make public,” she said.

Though it is easy to get caught up in the privacy fixation, Stohr said that the thing that gets you into law school is still great grades, great scores and great personal statements.

“Seventy percent of those admissions officers said [the] LSAT is their number one criteria, and GPA is second,” Stohr said. Still, Stohr recommends that students play it safe.

Original URL: http://www.dailyprincetonian.com/2008/09/26/21548/

Privacy is a Thing of the Past

2008-10-11T16:05:00.000-07:00

October 10, 2008 (Computerworld) In his 25 years in business, Steven Rambam has worked on some high-profile cases, including tracking down Nazi war criminals in Canada. He also owns PallTech, an investigative database service with more than 25 billion records on U.S. citizens and businesses.

What do you do as a private investigator?

We are not the traditional Rockford or Magnum, P.I. type of investigator. We'll do very difficult missing persons cases, a lot of sophisticated financial fraud work, a lot of insurance company work, a lot of disappearances.

What's in your PallTech databases?

We have pretty much every American's name, address, date of birth, Social Security number, telephone number, personal relationships, businesses, motor vehicles, driver's licenses, bankruptcies, liens, judgments -- I could go on and on.

Who has access to your data?

This is a database that's restricted to law enforcement, private investigators, security directors of companies and people who have a genuine need.

How do you safeguard it?

The most restrictive rule is my own personal ethics. In 20 years, we haven't had a single lawsuit or complaint.

What has changed in the past few decades?

Two things. The first is computing power. I have in my office storage and databases and artificial intelligence scripts and behind-the-scenes links that are far more powerful and comprehensive than J. Edgar Hoover's wildest dreams.

Favorite technology: "E-mail with attachments. I don't think I've turned on my fax machine in years."

If he wasn't in this business, he'd probably be: A reporter.

Number of times he's been shot at on the job: "It's bad karma to count."

Favorite nonwork pastime: Anything on or near the water.

Philosophy in a nutshell: Do the right thing, no matter the personal cost.

Favorite vice: "I'm not going to tell you. I can assure you that it's not chocolate."

Favorite movie: "Ruggles of Red Gap, about a butler who is gambled away by a British lord and relocates with his new master to Montana. It's the most patriotically positive movie ever made about America."

The other thing is the mind-boggling level of self-contributed data. The average person now willingly puts on the Internet personal information about himself that 20 years ago people would hire an investigator to try and get. It's extraordinary. If you know how to use the Internet, 75% of an investigation can be conducted sitting in your pajamas.

Do you see this as a bad thing?

On the contrary, there are good reasons for most of this to be out there. It's not out there because these are nefarious, evil people trying to be the new Big Brother. It's because this is truly a new engine of capitalism. Where it gets a little creepy is when they aggregate all of this data together and have an extraordinary profile of you.

How can businesses protect their intellectual capital, particularly when it's in electronic form?

You can have five firewalls in a safe room with the most current locks monitored by 24/7 motion-detecting, IP-addressable cameras, and all of that is meaningless if a 16-year-old kid can social-engineer a root password out of you. The downside to all of this publicly available information is that it's now a lot easier to social-engineer somebody.

Should businesses hire a company like yours?

They should if they don't want a back door or a Trojan [horse] on their system. A year ago, a company called me from Hong Kong and said, "We're being extorted. We're getting e-mails from an individual saying if we don't give a series of payments through PayPal, he is going to take [our] source code and post it on the Internet."

We were able to determine who the guy was in 24 hours. He was a 14-year-old kid in California.

What about smear campaigns on the Web? If you're a victim, what should you do about it?

You have to have zero tolerance. You have to find out who the person is, and you have to sue them within an inch of their life, and you have to do it publicly and post it on your Web site, talking about the entire case from beginning to end.

Government databases are the biggest repository of private information. Should the public be concerned about that?

The scary thing to me is not that information is open, but that the government is trying to use every pretext and every trick to hide information from its citizens. That I think is much more nefarious and will be much more detrimental in the long run than having information out there.

Some of the things the Bush administration is doing are just incomprehensible. For example, they're reclassifying data that's been in the public eye -- that has been available to the public since 1991. Why, I can't begin to guess.
Privacy is dead. Get over it. You can't put the genie back in the bottle.

Another slippery, slimy thing is that the FBI has signed contracts with some private data providers. Polygraphs [and] background investigations are being outsourced, and the Freedom of Information Act does not apply. If you say to the FBI, "I want the report that ChoicePoint furnished to you about me," they say to you, "Sorry, we can't give that to you. That's a private business record." This is really a fairly sinister development. And it's one that's profoundly un-American.

Given the amount of personal information out there and the fact that you aggregate it, does the public have reason to fear the misuse of personal data controlled by PallTech or other aggregators?

No, because frankly, we are more accountable than the U.S. government. You can sue us; you can subpoena us. You can hold us to task if we do something improper. Not so the U.S. government.

Der Echte Clark Rockefeller, Bitte

2008-08-24T20:20:00.000-07:00

Although the news of Clark Rockefeller has begun to die down, it is still disturbing that evil doers can hide in plain sight under assumed names after the war on terrorism has been waged for the better part of a decade. If anonymity were the goal, an alias like John Smith would have been a more suitable choice. Apparently "Clark Rockefeller" was only feeding his ego.

Fox News reported the following story on August 9th regarding details in the Clark Rockefeller case that seemed to confirm some of the other names police suspect he used.

----------------------

A German man who lives in a small mountain town called Bergen positively identified photographs of Rockefeller and a man known as Christopher Chichester as his long-lost older brother, Christian Karl Gerhartsreiter, who left home at age 17.

Alexander Gerhartsreiter, 34, who was only 5 or 6 when his brother left home, said the man told the family in his last phone call to them in 1985 that he had changed his name to Christopher Chichester because Americans were unable to pronounce his birth name.

"It seems you found my brother," Alexander, who was only 5 or 6 when his brother left home, said to the Boston Herald from his home in Upper Bavaria, Germany. "It really is a shock. That is definitely him. ... This is quite heavy."

Rockefeller's attorney, Stephen Hrones, had an hourlong jailhouse meeting with his client Friday afternoon and said Rockefeller speaks German but only remembers "bits and pieces" of his childhood, according to The Boston Globe.

Rockefeller, 48, who is in a Boston jail, is accused of parental kidnapping for allegedly snatching his 7-year-old daughter, Reigh "Snooks" Storrow Mills Boss, from a city street on July 27 during a supervised visit.

He was caught in Baltimore with the child, allegedly using another assumed name, Charles "Chip" Smith, and had purchased a home and boat in an apparent attempt to start a new life. About $12,000 in cash and 300 1-ounce gold coins also were found in his apartment after his arrest, police said.

Christopher Chichester has been wanted for questioning in the 1985 disappearance and presumed murder of Jonathan and Linda Sohus, a San Marino, Calif., couple from whom he rented a carriage house.

In 1994, bones believed to be those of John Sohus were found in three separate bags on the property when the residents were installing a swimming pool. But police have never been able to positively identify the skeleton as belonging to the missing man, and the remains of his wife have never been found.

Shortly after the newlywed couple vanished, their tenant Chichester did, too.

Detectives allege Rockefeller is a con artist who has for decades been traveling across the United States, concocting stories and using multiple aliases to live a lavish life.

Authorities have not confirmed that Christian Gerhartsreiter, Christopher Chichester and Clark Rockefeller are the same person. Gerhartsreiter was a German exchange student who lived with at least two Connecticut families when he came to the United States.

But the Suffolk District Attorney's Office in Massachusetts estimates that Rockefeller has at least a dozen different aliases. Another they're investigating is Christopher Crowe, the name of a Connecticut man who tried to sell a pickup truck belonging to John Sohus after he disappeared.

Rockefeller's attorney said his client's memory is spotty. He recalls, for instance, a Scottish nanny and a family road trip to Mount Rushmore in a station wagon, Hrones said.

"He has no memory of being from Germany or of having a German brother," his lawyer told the Globe on Friday. "He tells me he's Clark Rockefeller. I believe him. I haven't been shown any hard evidence that he's something other than what he tells me he is."

Hrones said his client has no recollection of coming to the United States in the late '70s and living in Berlin, Conn., as an exchange student, according to the Globe. He also doesn't remember marrying a Wisconsin woman named Amy Jersild in 1981 at the very young age of 19, only to leave her a day after their wedding, according to marriage papers.

Rockefeller doesn't recall being a tenant of John and Linda Sohus, though he remembers living in California. And though he has memories of working on New York's Wall Street as a stockbroker, he doesn't know what name he used or where and when he had the job.

"He tells me he still doesn't remember about the past. He remembers bits and pieces, silly sorts of things," Hrones told the Globe. "He doesn't remember murdering anybody ... and he doesn't remember being a tenant of the couple that were murdered."

Germany's BKA, the equivalent of the FBI, told FOX it has no criminal record associated with anyone by the name of Christian Gerhartsreiter.

U.S. law enforcement officials have enlisted the help of German authorities to figure out Rockefeller's identity, the Foreign Ministry in Berlin confirmed to the Globe.

"We are now checking if he could be the German citizen Christian Karl Gerhartsreiter," a spokeswoman told the paper during an interview in German.

Police in Boston and Los Angeles say they have no record of Rockefeller before 1993, which is about when his foggy memories become clearer. He remembers marrying Reigh's mother, Sandra Boss, in 1995. The couple divorced in December, in large part because she grew suspicious about his past.

Childhood friends have described Gerhartsreiter as a mischievous, restless loner, the Globe and the Herald reported.

Alexander and Christian Gerhartsreiter's ailing mother, 78-year-old Irmengard Gerhartsreiter, told the Herald that she didn't know the man in the pictures of Rockefeller and Chichester.

But her younger son recognized him right away.

Alexander said the older brother he barely knew was born in Siegsdorf, Germany, in 1961, left home as a teenager to move to Connecticut as a student and then cut ties with the family about 20 years ago, around the time the Sohus couple disappeared.

Germany and his hometown in the Alps were "too small" for Christian, who had his sights set on bigger and better things, his brother told the Herald.

"He wants always to be in a big world," Alexander said.

When the Herald reporter informed him of the Clark Rockefeller alias, Alexander wasn't surprised.

"Sounds like my brother."

Justice: Hackers Steal 40 Million Credit Card Numbers

2008-08-06T13:18:00.000-07:00

(CNN) -- Eleven people were indicted Tuesday for allegedly stealing more than 40 million credit and debit card numbers, federal authorities said.

The indictments, which alleged that at least nine major U.S. retailers were hacked, were unsealed Tuesday in Boston, Massachusetts, and San Diego, California, prosecutors said.

It is believed to be the largest hacking case that the Justice Department has ever tried to prosecute.

Three of the defendants are from the United States; three are from Estonia; three are from Ukraine, two are from China and one is from Belarus.

The remaining individual is known only by an alias and authorities do not know where that person is.

Under the indictments, three Miami, Florida, men -- Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey -- are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall's and T.J. Maxx, BJ's Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

The three men installed "sniffer" programs designed to capture credit card numbers, passwords and account information as they moved through the retailers' card processing networks, said Michael Sullivan, the U.S. attorney in Boston.

"This has other personal numbers that could give them access to credit or debit cards that have already been issued and are active," Sullivan told CNN.

The probe began in late 2006, Sullivan said. In addition to the Justice Department, the Secret Service has been conducting an undercover investigation for more than three years through the U.S. attorney's office in San Diego, he said.

The three then concealed the data in encrypted computer servers they controlled in the United States and eastern Europe, the Justice Department said.

Some credit and debit card numbers were sold on the Internet, and were "cashed out" by encoding the numbers on the magnetic strips of blank cards. "The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs," authorities said.

Gonzalez and the others used anonymous Internet-based currencies to conceal and launder their proceeds, as well as channeling funds through bank accounts in Eastern Europe, the department said.

"There are ties between all three districts and ties internationally that go all the way to the Ukraine and Latvia," Sullivan said. "The 41 million credit and debit numbers were used internationally."

Gonzalez was previously arrested in 2003 by the Secret Service on suspicion of access device fraud, the Department of Justice said, and was working as a confidential informant for the agency. However, the Secret Service discovered during the investigation that Gonzalez was involved in this case, authorities said.

The California indictment charged eight others with operating an international stolen credit and debit card distribution ring, selling stolen card information for personal gain -- millions of dollars, in at least one case, authorities said.

Three of the defendants in the most recent case, among them Gonzalez, were also charged in May in a related indictment in New York, Justice said. Those charges allege the three were engaged in a scheme to hack into computer networks run by the Dave & Buster's restaurant chain and steal credit and debit card numbers from at least 11 locations.

The three installed "sniffer" programs at the cash register terminals of the locations, capturing credit and debit card numbers, authorities said. At one location, the sniffer captured data for some 5,000 cards, causing some $600,000 in losses to the banks that issued the credit and debit cards.

Gonzalez is awaiting trial on the New York charges. The other two of the international defendants are also in custody, police said.

"Identity theft can involve a single criminal stealing the personal financial information of a single victim or, as it did here, it can involve a group of criminals stealing the credit card numbers of millions of people, many of whom may not even learn that they were victims for months or years," said Attorney General Michael Mukasey.

"Identity theft victims suffer well beyond the immediate financial costs; they suffer lost confidence in their privacy and security, as well as the emotional strain and the time it can take to repair damaged financial lives and credit histories. In many cases, the effects of these crimes can be felt for years after they are committed."

Mukasey and other officials said the case serves as a reminder that computer crimes can cross international borders.

"We have been working with countries around the world to identify and address technical vulnerabilities in computer networks, and to ensure that laws and procedures are adequate to deal with these kinds of crime," Mukasey said. "And we have been working closely with our international partners to crack specific cases when they take us beyond our borders."

(http://www.cnn.com/2008/CRIME/08/05/card.fraud.charges/index.html)

Police Director Sues for Critical Bloggers' Names

2008-08-05T20:51:00.000-07:00

Site popular with citizens, officers

By Amos Maki (Contact), Memphis Commercial AppealTuesday, July 22, 2008

Memphis Police Director Larry Godwin and the city of Memphis have filed a lawsuit to learn who operates a blog harshly critical of Godwin and his department.

The lawsuit asks AOL to produce all information related to the identity of an e-mail address linked to MPD Enforcer 2.0, a blog popular with police officers that has been extremely critical of police leadership at 201 Poplar.

"In what could be a landmark case of privacy and the 1st Amendment," the anonymous bloggers write on the site, "Godwin has illegally used his position and the City of Memphis as a ram to ruin the Constitution of the United States.

"Some members of the Enforcer 2.0 have contacted their attorneys and we are in the process of filing a lawsuit against Larry and the City of Memphis. What's wrong Larry? The truth hurt?"

It wasn't clear if the lawsuit is aimed at shutting down the site or if it's part of an effort to stop leaks that might affect investigations.

Many of the documents in the case, filed in Chancery Court on July 10, have been sealed by Chancellor Kenny Armstrong. Police officials would not discuss the action, citing pending litigation.

Whatever the reason, Internet and free-speech advocates said they had serious problems with the city's actions.

"You can complain about the government, and you should be able to do that without fear of retaliation or threatening actions on the part of the people in these positions," said Lillie Coney, associate director of the Electronic Privacy Information Center, a Washington-based watchdog group. "I guess they've kind of annoyed them at some level, but you really don't want to see law enforcement or government resources spent in this way."

AOL has been ordered to turn over similar records in the past.

In 2001, Japanese company Nam Tai filed a complaint in California state court against unknown Web posters claiming they committed libel and violated the state's unfair business practices statute.

Nam Tai was able to obtain the e-mail address of one of the posters and then obtained a subpoena from a Virginia state court to AOL seeking the name behind the e-mail address.

AOL filed a motion to have the order quashed, but lost that bid in trial court and the Supreme Court of Virginia.

Officials with the American Civil Liberties Union of Tennessee said they will be watching the case closely and that anonymous speech is essential to the free flow of ideas in a democracy.

"We are quite interested in preserving the anonymity of the bloggers," said Hedy Weinberg, executive director of the ACLU of Tennessee. "Anonymous speech has long been protected speech under the First Amendment."

The bloggers, who operate under the name of Dirk Diggler -- the name of the porn star in "Boogie Nights" -- say their site provides an important service to officers and citizens.

"This is another attempt at disrupting an outlet for officers to gather and complain about the administration," they said on the site.

"Further, this allows us unrestricted communication with the citizens of Memphis. The citizens should be made aware of the scandals that rock the administration and shudder the rocky foundation in which they operate today."

The bloggers also said city attorneys earlier this year wrote a threatening letter on city letterhead to a company that produced T-shirts for the bloggers.

(http://www.commercialappeal.com/news/2008/jul/22/police-director-sues-find-identity-blogger-critica/)

New Systems Keep a Close Eye on Online Students at Home

2008-08-04T11:41:00.000-07:00

By ANDREA L. FOSTER

Tucked away in a 1,200-page bill now in Congress is a small paragraph that could lead distance-education institutions to require spy cameras in their students' homes.

It sounds Orwellian, but the paragraph — part of legislation renewing the Higher Education Act — is all but assured of becoming law by the fall. No one in Congress objects to it.

The paragraph is actually about clamping down on cheating. It says that an institution that offers an online program must prove that an enrolled student is the same person who does the work.

Already, the language is spurring some colleges to try technologies that authenticate online test takers by reading their fingerprints, watching them via Web cameras, or recording their keystrokes. Some colleges claim there are advantages for students: The devices allow them to take tests anytime, anywhere. Many students must now travel to distant locations so a proctor can watch them take exams on paper.

But some college officials are wary of the technologies, noting that they are run by third-party vendors that may not safeguard students' privacy. Among the information the vendors collect are students' fingerprints, and possibly even images from inside their homes.

"This is taking a step into a student's private life," said Rhonda M. Epper, co-executive director of Colorado Community Colleges Online. "I don't know if we want to extend our presence that far."

The officials also want flexibility to comply with the proposed law. They worry that the government will force them to use a particular method that could be too expensive or that would emphasize exams over other assessments. They also complain that the provision implies that cheating is more of a problem among students online than among students in a classroom.

Biometric Solutions

Three technologies, which vendors have been promoting at college conferences and which colleges are evaluating, illustrate the promises and pitfalls of this kind of monitoring.

Troy University, in Alabama, has been testing a gadget that features a mirrored sphere suspended above a small pedestal. Called Securexam Remote Proctor, it's about the size of a large paperweight and plugs into a standard port on a home computer. The pedestal includes a groove for scanning fingerprints, a tiny microphone, and a camera. The sphere reflects a 360-degree view around the test taker, which the camera picks up.

Students are recorded during exams, and anything suspicious — such as someone else's presence or voice in the room — is flagged.

To use the system, a student sits in front of a computer and places a finger on the pedestal. Securexam checks whether the digital fingerprint and the image of the student match those the student provided at registration. Then the test opens online via a course-management system. The student is prevented from viewing anything else online.

The system is not cheap. Students pay $150 for the device. Further, it works only with the Windows operating system and an Internet Explorer browser, creating a problem for students who have Macs, for instance.

Software Secure Inc., based in Cambridge, Mass., developed the device with $1.1-million in seed money from Troy. In return, the university gets the first 10,000 Securexams that the company produces. If it sells more than that, the university receives a share of the proceeds.

By the end of this fall, the university anticipates that about 800 of its 17,000 eCampus students from across the world will have used Securexam. Thousands more will begin using the device in January.

World Campus, the online arm of the Pennsylvania State University system, is testing another system called Webassessor. It uses proctors, Web cameras, and software that recognizes students' typing styles, such as their speed and whether they pause between certain letters. Students purchase the cameras for $50 to $80 apiece. They allow proctors to view a student's face, keyboard, and workspace.

The Phoenix-based provider of the system, Kryterion Inc., employs proctors who remotely observe and listen to as many as 50 students at a time. If the keystroke pattern of a student who is taking an exam does not match the one he or she provided at registration, or if the image of a student taking an exam does not match a digital photograph that the student provided at enrollment, then the student cannot start the exam. A proctor can also stop a student who is acting suspiciously from completing an exam. Students must have a broadband connection to use the service.

Kryterion charges institutions $20,000 to customize the software and for training. It also charges colleges each time students sit for an exam.

World Campus has been trying out Webassessor this summer on undergraduates in two courses. "At the moment, things look promising for a complete rollout," says Rick L. Shearer, interim director of World Campus Learning Design, a division of World Campus.

Challenging Questions

Several other universities are forming partnerships with Acxiom Corporation. The company's system relies on test takers' answering detailed, personal "challenge" questions. Acxiom, based in Little Rock, Ark., gathers information from a variety of databases, including criminal files and property records. The company uses the data to ask students questions, such as streets they lived on, house numbers, and previous employers. If students answer the questions correctly, they proceed to the exams.

National American University Online is testing the system on its students, and the Colorado community-college consortium is also considering using it.

Jeffrey L. Bailie, dean of online instruction for National, says he anticipates that the system will be used on students when they take final exams or other high-stakes assessments. "We want to take just one added step to make sure that the person on the other end is who they're reporting to be," he says.

He declines to reveal how much the system costs. But Michael A. Jortberg, who is leading Acxiom's higher-education efforts, says it costs roughly $10 a student.

Unfair Burdens?

Despite the lure of these technologies, many college officials have decided to wait to test them on their students, noting the cost. Furthermore, officials say, it's unclear what requirements the Education Department would impose on institutions to comply with the proposed law.

"It's going to reduce access," says John F. Ebersole, president of Excelsior College, an online institution based in Albany, N.Y. "It's going to increase costs."

Other officials are disturbed that the proposed law singles out online education.

"We're feeling a little picked on," says Lori McNabb, assistant director of student and faculty services at the UT TeleCampus, the online arm of the University of Texas system.

She says there's no evidence that cheating or fraud happens more often with its students than with students in face-to-face classes.

How do professors know that a student enrolled in a large lecture class is the same one handing in an assignment or test, she asks?

She and others say online instructors rely more on discussions, writing assignments, quizzes, group work, and "capstone" projects to judge their students' performance, and less on big exams. Tests, when they are administered, are often randomized so students in the same class get different questions, which must be answered quickly, making it difficult for those unfamiliar with the material to take tests for students. Instructors become familiar with students' writing styles so they can spot fraudulent work, officials add.

Mr. Ebersole, despite his worries about reduced access for students, does see one upside to the proposed law. If the provision causes online colleges to document that their enrolled students are indeed the same ones completing course work, online education could garner more respect, he says.

"If it raises confidence and credibility in the eyes of regulators and traditional educators," says Mr. Ebersole, "it's worth it."

(http://chronicle.com/temp/email2.php?id=wHYRmQ5ZKbyGxBHvt8Q6WmmgVs4qfzpB; from issue dated Jul 25, 2008)

DMX the Identity Thief

2008-07-25T18:44:00.000-07:00

Earlier this week, CNN reported the rapper DMX was arrested at a Phoenix mall on suspicion of giving a false name and Social Security number to a hospital to avoid paying medical expenses.

Earl Simmons (aka DMX) was accused of giving false information to the hospital. "Troy Jones" failed to pay his $7,500 bill, and it was not his first run-in with the law. Sheriff Joe Arpaio said his office had conducted an animal neglect investigation last year at the 37-year-old rapper's north Phoenix home--in addition drug possession and animal cruelty.

The musician and actor has had other recent run-ins with the law, including an arrest at Phoenix Sky Harbor International Airport this month on outstanding warrants after he failed to appear in court.

If DMX remains jailed, the sheriff said, he would be isolated from the rest of the inmates for his own safety. Come on, Joe, his music's not THAT bad...

National Identity and the Night Train

2008-07-12T02:23:00.000-07:00

I recently returned from Ukraine and had the rare opportunity of enjoying a 16-hour train ride from Simferopol to Kiev in the company of two large-bellied, shirt-less, sweaty Ukrainian men. They were kind enough to share their vodka, someone else's cognac, and community salted pork fat with me and rest of the cabin, while I shared my chocolate with them--along with two scoops of American charm and diplomacy.

The translator accompanying me on the trip picked and chose the conversations and jokes, so I assumed bad things were being said about my fellow countrymen (or me?). This was confirmed when--after offering more pork fat to my translator--one twin Ukrainian Buddha uttered "And what about your capitalist friend?"

After several drinks, the men bemoaned the state of Ukrainian politics and the plight of the simple man just trying to get back to life in the city after a quick vacation in the Russian-esque Crimean region. The countries change, but the issues remain the same. 85% of the assets are controlled by the top 50 wealthiest in Ukraine, according to a recent article in the Kiev Post. And most "earned" their wealth by serving in a government post during a chaotic period of privatization.

Every country has its problems, but I was glad when my plane landed back in DC, where I scrambled to my SUV and cranked up the air conditioner as I fondly remembered my ride on the night train.

Contact the author at rick.newbold@identityeducation.org

DHS Begins Collecting 10 Fingerprints from International Visitors at New York’s John F. Kennedy International Airport

2008-05-18T20:34:00.000-07:00

Contact: US-VISIT Public Affairs, 202-298-5200
CBP Public Affairs 212-514-8324

The U.S. Department of Homeland Security (DHS) announced today that it has begun collecting additional fingerprints from international visitors arriving at New York’s John F. Kennedy International Airport (JFK). The change is part of the department’s upgrade from two- to 10-fingerprint collection to enhance security and facilitate legitimate travel by more accurately and efficiently establishing and verifying visitors’ identities.

“Biometrics have revolutionized our ability to prevent dangerous people from entering the United States since 2004. Our upgrade to 10‑fingerprint collection builds on our success, enabling us to focus more attention on stopping potential security risks,” US‑VISIT Director Robert Mocny said.

For more than four years, U.S. Department of State (DOS) consular officers and U.S. Customs and Border Protection (CBP) officers have been collecting biometrics—digital fingerprints and a photograph—from all non-U.S. citizens between the ages of 14 and 79, with some exceptions, when they apply for visas or arrive at U.S. ports of entry.

“Quite simply, this change gives our officers a more accurate idea of who is in front of them. For legitimate visitors, the process becomes more efficient and their identities are better protected from theft. For those who may pose a risk, we will have greater insight into who they are,” added Paul Morris, Executive Director of Admissibility and Passenger Programs, Office of Field Operations, CBP.

The department’s US-VISIT program currently checks a visitor’s fingerprints against DHS records of immigration violators and Federal Bureau of Investigations (FBI) records of wanted persons and known or suspected terrorists. Checking biometrics against the watch list helps officers make visa determinations and admissibility decisions. Collecting 10 fingerprints also improves fingerprint matching accuracy and the department’s ability to compare a visitor’s fingerprints against latent fingerprints collected by Department of Defense (DOD) and the FBI from known and unknown terrorists all over the world. Additionally, visitors’ fingerprints are checked against the FBI’s Criminal Master File.

On an average day at JFK, almost 14,400 international visitors complete US‑VISIT biometric procedures. Visitors from Mexico, the United Kingdom, Germany, Italy, France and Japan comprise the largest numbers of international visitors arriving at JFK.

JFK is the tenth port of entry to begin collecting 10 fingerprints from international visitors. Washington Dulles International Airport began 10-fingerprint collection on November 29, 2007. Hartsfield‑Jackson Atlanta International Airport, Boston Logan International Airport, Chicago O’Hare International Airport, George Bush Houston Intercontinental Airport, San Francisco International Airport, Miami International Airport, Orlando International Airport and Detroit Metropolitan Wayne County Airport have also begun 10-fingerprint collection.

US‑VISIT is evaluating 10‑fingerprint collection at these airports. It will use the results to inform the deployment of the technology to the remaining air, sea and land border ports of entry that will transition to collecting 10 fingerprints by December 2008.

Since US‑VISIT began in 2004, DHS has used biometric identifiers to prevent the use of fraudulent documents, protect visitors from identity theft, and stop thousands of criminals and immigration violators from entering the country. US‑VISIT, in cooperation with CBP, is leading the transition to a 10-fingerprint collection standard. This upgrade is the result of an interagency partnership among DHS, FBI, DOD and DOS.

Privacy in the 21st Century

2008-04-23T15:36:00.000-07:00

How do we best define "privacy" in the 21st century? Certainly, "anonymity" would not be the likely answer, especially for today's society in the United States. Anonymity has been difficult to achieve for some time in our country, at least dating back to the issuance of Social Security numbers. So what is an appropriate definition for today's paradigm? One can posit that privacy today is the binding of a true and accurate identity to its claimant, such that the identity cannot be stolen, reproduced, or altered in any way. Perhaps most importantly to those who hold their privacy rights as sacred, the lack of ubiquity of reference data across domains might very well be defined as the underpinning of 21st century privacy. What is meant by this? If an individual provides a rendering of his or her identity in digital form (i.e. biometrics), let's say to a retailer, he or she would have the presumption in a society such as ours that the digital identity would not be shared, or inadvertently released, to another and separate database that might make disadvantageous use of that identity (such as a criminal database). In other words, containment of digital identities within a single domain ensures that individuals' identities do not become overly accessible to parties who have an alternative intent for using those identities. Furthermore, digital identity renderings that are in uncommon formats or modalities reduce the likelihood that an errant release of the digital identity can lead to any significant harm. An example of this would be the disparate effect of a person's fingerprints being accidentally lost or shared, versus a template of the vein pattern in his hand or finger.

Biometrics in the Private Sector

2008-04-22T07:54:00.000-07:00

It remains to be seen just how much the private sector will embrace biometrics. Certain isolated implementations notwithstanding, to date, this technology has been largely underutilized by industries such as finance, retail, health care, and others. It is likely a matter of time before each of these sectors recognizes the benefits that biometric technology and overall robust identity management programs can bring to their business operations. Unfortunately, the impetus for such a transition may very well be precipitated by a significant breach of current non-digital identity management protocols. Biometrics currently offers the best, albeit not perfect, option for "fixing" an individual's identity and subsequently vetting that individual with a high degree of confidence. Combined with traditional approaches such as PINs, access cards or tokens, and other identification documentation, biometrics can reduce the likelihood that an organization will experience a breach in its identity management protocols.

On-card Fingerprint Match Is Secure, Speedy

2008-04-11T05:46:00.000-07:00

ScienceDaily (Apr. 3, 2008) — A fingerprint identification technology for use in Personal Identification Verification (PIV) cards that offers improved protection from identity theft meets the standardized accuracy criteria for federal identification cards according to researchers at the National Institute of Standards and Technology (NIST).

Under Homeland Security Presidential Directive 12 (HSPD 12), by this fall most federal employees and contractors will be using federally approved PIV cards to "authenticate" their identity when seeking entrance to federal facilities. In 2006 NIST published a standard* for the new credentials that specifies that the cards store a digital representation of key features or "minutiae" of the bearer's fingerprints for biometric identification.

Under the current standard, a user seeking to enter a biometrically controlled access point would insert his or her PIV smart card into a slot--just like using an ATM card--and place their fingers on a fingerprint scanner. Authentication proceeds in two steps: the cardholder enters a personal identification number to allow the fingerprint minutiae to be read from the card, and the card reader matches the stored minutiae against the newly scanned image of the cardholder's fingerprints.

In recent tests,** NIST researchers assessed the accuracy and security of two variations on this model that, if accepted for government use, would offered improved features. The first allows the biometric data on the card to travel across a secure wireless interface to eliminate the need to insert the card into a reader. The second uses an alternative authentication technique called "match-on-card" in which biometric data from the fingerprint scanner is sent to the PIV smart card for matching by a processor chip embedded in the card. The stored minutiae data never leave the card. The advantage of this, as computer scientist Patrick Grother explains, is that "if your card is lost and then found in the street, your fingerprint template cannot be copied."

The NIST tests addressed two outstanding questions associated with match-on-cards. The first was whether the smart cards' electronic "keys" can keep the wireless data transmissions between the fingerprint reader and the cards secure and execute the match operation all within a time budget of 2.5 seconds. The second question was whether the "match-on-card" operation will produce as few false acceptance and false rejection decisions as traditional match-off-card schemes where more computational power is available.

The researchers found that 10 cards with a standard 128-byte-long key and seven cards that use a more secure 256-byte key passed the security and timing test using wireless. On the accuracy side, one team met the criteria set by NIST and two others missed narrowly. The computer scientists plan a new round of tests soon to allow wider participation. For copies of the test report and details of the next test round, see the MINEX (Minutiae Interoperability Exchange Test) Phase II Web pages.

NIST has been at the forefront of security and biometric research and standardization for decades. Prior NIST work, in 2005, quantified the speed versus accuracy tradeoffs associated with storing an individual's fingerprint minutiae rather than the full fingerprint images on PIV cards. These studies were funded by NIST and the Department of Homeland Security's Science and Technology Directorate.

* Federal Information Processing Standard (FIPS) 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors. March, 2006.

** P. Grother, W. Salamon, C. Watson, M. Indovina and P. Flanagan. MINEX II--Performance of Fingerprint Match-on-Card Algorithms, Phase II Report. NIST Interagency Report 7477, Feb. 29, 2008.

The Right Balance

2008-04-07T15:57:00.000-07:00

Optimal biometric implementations manage to strike an ideal balance of security, convenience, and privacy. The privacy attribute is particularly crucial for private sector implementations, which rely on customer confidence in using a biometric system. Studies have shown that once this trust is established, consumers will adapt quickly and prefer using the biometric system (as opposed to traditional identification methods). In addition, use of biometric systems in retail has shown increases in sales, most likely due to reduction in transaction processing time. In many ways, these results lead back to the ability of the implementer to uphold privacy rights and gain consumer trust.

Trust Is Good, Biometrics Are Better

2008-04-05T04:08:00.000-07:00

By Mandy Kühn, journalist in Munich, Germany

With a staff of 3,000, Susquehanna Health, based in Williamsport, Pennsylvania, is the region’s largest employer. There are three hospitals in the network, treating 14,000 inpatients and 500,000 outpatients a year. Especially in times when costs and compliance pressure are increasing the Health complex is always looking for innovations. The introduction of biometric access, for example, allows the health center not only to manage patient data more securely but also to save administrative costs and free up more time for patients.

As elsewhere in the USA, patient and data protection plays a central role at Susquehanna Health. Patient data in the USA has to be handled in accordance with comprehensive statutory compliance regulations. The most important of these is the Health Insurance Portability and Accountability Act (HIPAA), the aim of which is to standardize and simplify electronic data transfer in healthcare and ensure a high level of data security. To ensure data protection and privacy, anyone using medical or patient data is legally required to authenticate themselves. In order to comply with these guidelines with a minimum of effort, Susquehanna Health has been using biometrics since October 2002.

Biometric IT access ensures compliance and convenience

Susquehanna Health IT administrator Tim Schoener associates two things, above all, with this identification technology: “compliance and convenience – making it easy to comply with the rules is what makes biometrics so special.” In an initial test phase, 250 doctors and IT staff used their fingerprints to gain access to the IT system. Just under two years later, the user group was extended to all hospital and administrative staff. The main reason for this step was the implementation of a new release of a medical information system in 2004. The solution chosen in order to coordinate hospital processes across the different hospitals, support the workflow and offer comprehensive access to relevant information was Soarian from Siemens Medical Solutions USA, Inc. According to Schoener, the decision in favor of Siemens owed much to a partnership stretching back many years: “We have been working with Siemens for 35 years, and throughout that time our experiences have been nothing but good. Thanks to this partnership, we were very closely involved in the development of Soarian. That was enormously important to us – after all, getting a technology that will be able to meet our future demands is one of our top priorities.”

Because the new IT system allowed all hospital data to be viewed and edited from any authorized workstation, a reliable and secure means of identifying personnel was absolutely essential. Until that point, most staff had been using a user name and password to access the system in the usual way. But in the hustle and bustle of a working day, medical staff often found the procedure too time-consuming. In addition, the passwords had to be changed every 90 days for security reasons. In order to protect sensitive data adequately while minimizing the efforts required of staff, Siemens added biometric IT access control to the Soarian system.

The hospital benefited from synergies within the Siemens group when Siemens Healthcare brought specialists from Siemens IT Solutions and Services on board to integrate the biometric ID center solution. The IT service provider equipped around 1,200 workstations with ID mice, around 300 mobile tablet PCs with fingerprint sensors and installed a biometric authentication system. This saves the encrypted biometric profiles of the staff in a secure central database and compares them with the fingerprints scanned by the ID mouse. Any changes a user makes in the system can be traced without problems, and it is easy to find out who made them. “This traceability allows us to meet requirements in terms of compliance and data security with ease. Moreover, our staff now take more care to protect their workstations when they leave them for a short time,” says Schoener.

A further benefit, which improves data protection and security enormously, is that it is easy to set up different access levels for financial, administrative and medical staff, for example. Depending on their authorization, users are given access to applications on their desktops. These range from applications for admitting patients to clinical programs, hospital reports, care plans and the distribution of medications.

Expansion of the system to cope with growing demands

Following an implementation period of around two months, biometric recognition for the first 300 members of staff went off smoothly, starting in October 2002. It was therefore planned to extend the solution to all 3,000 members of staff at the end of 2003. At this point, the Siemens experts were confronted with a particular challenge. The original ID Center solution was designed for a maximum of 1,000 users. With three times that number of users, the system's response times for fingerprint recognition became unsatisfactory.

The team from Siemens IT Solutions and Services worked under great pressure for three months to improve the system’s performance. Gerd Hribernig head of the Biometrics Center of Siemens IT Solutions and Services in Graz, recalls: “Instead of using new, more powerful but more expensive servers, we thoroughly revised the search strategies in the algorithms. Very satisfactory results were obtained with this new software. Although this delayed the rollout by around three months, it meant that Siemens had a unique biometric solution on the market with the new feature 'Fast Identify'”. Today, the system provides identification rates in a matter of seconds.

Widespread acceptance thanks to training and security

If you ask IT manager Schoener whether the biometric solution has been well received by hospital staff, he laughs and exclaims simply: “They love it!” But it wasn’t always like that, not for everyone and not right from the start at any rate. When the solution was introduced, some staff were concerned that images of their fingerprints would be stored in databases or that the technical complexity and thus the effort required by the identification process could increase. But the doubts turned out to be unfounded: “After detailed training and instruction about the system, we were quickly able to dispel the concerns of our staff. It soon became clear that the biometric system does not interfere with individuals’ rights and makes things much simpler for people,” says Schoener.

There is also no doubt that introduction of the new system was made easier by the fact that its use was voluntary. Skeptical staff always had the alternative of continuing to log in with their user name and password. It speaks volumes for the biometric solution that after just a few short months over 95 percent of staff were using it to log in: “Practical experience has repeatedly shown that even skeptics switch to biometrics very quickly on grounds of convenience alone,” reports Hribernig.

Nevertheless, the German IT service provider wanted to leave nothing to chance in terms of data protection. The data of all three hospitals is stored on a central database server in the form of biometric templates. These attribute records are encrypted point clouds that allow the differences between fingerprints to be revealed, but not the attributes themselves. This data cannot be used forensically, for example. In addition, the key used to decrypt the data is stored locally with the user and thus cannot be misused by a third party. "Communicating this effectively to customers and their staff is perhaps one of the most important tasks in a project like this," asserts Hribernig. "The success of the project depends on whether or not staff accept it."

The biometric future at Susquehanna Health Center

Still in this year, it is expected that staff at Susquehanna Health will be working with ID Center Version 4.0. The most important innovation will be the extension of fingerprint recognition with palm vein recognition. This new technology scans the vein pattern under the palm, which is unique in each person. A contactless infrared scanner scans the palm of the hand at a distance of a few centimeters in a matter of seconds. The vein pattern scanned is compared with the vein pattern image stored for that person. Since the veins are under the skin, it is particularly difficult to fool the system. Schoener is excited about this new technology: “Fingerprint recognition doesn’t work with staff who have suffered bad injuries to their fingertips, so they still have to use passwords. With the planned vein scanners, they too will soon be able to get the benefits of biometrics.”

The hospitals are also planning to extend the fields of application of biometrics. A new patient building with a physical building admission control system is planned in the next few years. Patients, too, will benefit from the technology in the long term. There are a whole range of possibilities, explains the IT administrator: “If patients could register and identify themselves biometrically, that would bring great benefits in terms of convenience. Registration procedures would be accelerated, while mistaken identity and misuse of insurance cards would be eliminated.” (Photo source - Mandy Kühn)

"Biologger" Steals Fingerprint, Other Biometric Data

2008-04-01T05:20:00.000-07:00

MARCH 31, 2008 5:00 PM

By Kelly Jackson Higgins
Senior Editor, Dark Reading

If you think biometric scans are necessarily secure, think again: A European researcher has built a biometric keylogger that can capture fingerprint or other scans.

The so-called Biologger intercepts biometric data sent between a biometric scanner and its processing server, says Matt Lewis, a researcher with Information Risk Management, who demonstrated the tool and released proof-of-concept source code for it last week at Black Hat Europe in Amsterdam.

"It is the biometric equivalent of a traditional keylogger," Lewis says. Biologger easily captures the biometric traffic, which then can be taken offline for the attacker to analyze and to find ways to subvert the biometric system, he says, adding that an attacker could use that information to recreate a user's raw biometric image.

The attacker then could use that biometric to stage a spoofing attack, or to open a locked door, for instance, he says. "For example, if the system is a physical access control solution, then it may be possible to replay control signals that open locked doors, without the requirement for the presence of a valid biometric."

Lewis says an attacker could configure Biologger in several ways -- for sniffing biometric devices in a domain; as an inline wire tap or proxy device; for ARP poisoning; and as a memory-resident keylogger on a host.

But planting Biologger in the victim network isn't so easy: "Biologging as an attack vector is trivial. The difficult part might be getting the Biologger onto a network," he says.
"This could be done through physical means, or if the circumstances permitted, through exploitation of vulnerabilities via the Internet."

So what exactly is Biologger exploiting? The fact that many biometric systems don't encrypt biometric data during the authentication process, according to Lewis. "Strong encryption of all biometric-related data during all transactions is the best way to defend against the attacks described in my paper," he says. "This includes encryption over the network, and when storing biometric data in back-end databases."

Lewis says biometrics isn't about security: "Biometrics can work incredibly well under the right circumstances. It is just important that proper security controls are placed around biometric systems, as the biometric component alone cannot be relied upon for security."

Biologger is also aimed at building a penetration testing tool for biometric systems, he says -- capturing the traffic would be the core component of such a test.

Lewis says the Biologger source code he released is merely a POC of a proxy that captures data. "The aim of the POC was to highlight the simplicity of biologging, and how strong encryption would go a long way in protecting against the types of attacks that can be executed as a result of intercepted and unencrypted biometric data."

Financial Health

2008-03-31T18:35:00.000-07:00

I found it ironic yesterday while reading an article about free credit reports that the Google ad in the corner of the page was www.freecreditreport.com rather than the correct site www.annualcreditreport.com. Remember that your right to free credit reports does not require you to purchase or subscribe to any services. While you may decide to do so, you are not required to spend any money to exercise your right to a free credit report.