Showing posts with label IRS. Show all posts

Saturday, August 11, 2007

Illegal immigration part 1

It would be so nice if the problem of illegal immigration was simple to solve. There are really a number of issues that need to be addressed.

Social Security name/number mismatch. If an illegal immigrant comes to this country and tries to get a job, they are going to need a Social Security number. Frequently an SSN is acquired and the illegal immigrant continues to use their real name. The upside of this is the employer pays into Social Security under that name, but the benefits are not applied to the real owner of the Social Security number. Currently these funds go into a holding fund until it can be determined where the money should be applied. At this point in time, the holding fund has about $585 Billion. Yup, that’s right, over ½ of a Trillion dollars sitting there in the government coffers just waiting to be used.

You would believe the government would be happy to have all that extra money floating around. Now I would like to find out what happens to the money once it is determined that it was put there from illegal immigration. I would also like to know how much money goes into this holding fund every quarter, and what the trend has been over the past ten years. What percentage of the fund is actually moved over to the real owner (i.e. a person gets married and does not change the name with SSA)?

There is much more to come, like what if the illegal immigrant uses the correct name with the SSN (i.e. identity theft)? There is a lot to consider there. Because W-2s will be generated on that SSN, the IRS will get involved because they believe someone is underreporting their income.


Later Dive / Fly / Ride / Sail Safe
-Rob

Tuesday, August 07, 2007

IRS and Social engineering attacks.

I can apply every CPU (Critical Patch Update) that Oracle comes out with. I look at parts of the database that are not secure such as powerful packages that are granted to public and then revoke privileges on those packages. But what I can’t do is get people to be smart on the phone.

The IRS IG did a simple audit of security: call a user and convince them to reset their password.

Here is how the attack goes:

Attacker: Hi, I am with the help desk and trying to track a problem with the network, can you log into your account so I see what is going on?

Attacker: Okay, what are you typing now?

User: I’m typing my user name.

Attacker: Tell me each keystroke.

User: User name.

Attacker: Okay, now what are you typing?

User: My password.

Attacker: I don’t see it. Can you temporarily reset your password to password? Here is how you do it.

User: okay

The user has now been hacked. Not all attacks involve exploiting bugs in the software. Frequently the attacker exploits bugs in the wetware. The willingness to help is a big problem when it comes to security.

If someone calls you asking to help, get as much information from them as you can. What phone number can I reach you at? Who do you work for? If they are not willing to give you that information, call your security group. If they do give you the information, look up the name of their boss in the employee directory, call him/her and confirm that the caller does work for them and what they are asking. Then call the person back to help. But never give out your password or reset your password. If that person is truly with the help desk, they can reset your password for you and in many cases become you on the system.

Read the IG’s report; the percentages of people who gave up their password are staggering:

http://www.ustreas.gov/tigta/auditreports/2007reports/200720107fr.pdf