Tax man cometh – Whose Identity is it anyways?

If you are like me, I am sure you waited until the very last minute, milking every second of it, before you filed your taxes last week. Now that it is all taken care of, I want to talk about a video that I happened to watch on CNBC about how an innovative tax scam is evolving. This is about how any individual who files taxes can be scammed, so you had better read up. (No, I don’t have a solution that I want to sell you to make money; I am just being a good citizen, educating others who follow my blog.)

First of all, as I sat there watching how it is done, CNBC was pretty much giving away step-by-step instructions, and I was wondering why CNBC was broadcasting it to the whole world, much the same way the Discovery Channel would broadcast our weapons capabilities to our enemies. Anyway, this simple scheme works like this.

Identity thieves are getting bolder and smarter these days. They have given up on applying for credit cards and loans in your name, now that you can freeze your credit or set an alert notifying you when suspicious activity happens under your name. Unfortunately, they are now going after the IRS’s inefficiencies and lack of identity verification, an easy exploitation opportunity that occurs once each year.

What is shocking is that the IRS requires ONLY a name, SS#, and DOB to file a tax return. That is it, mamma mia! They don’t check whether the filing address is the same as last year (or years), why your filing status has suddenly changed, why you don’t have proper W2 filing information, why your dependents have changed, etc. Maybe it is just me, but when I see a tax return where every piece of information from last year has changed, shouldn’t that flag something for them? Thieves have people working for them who pick up this information at places such as hospitals, car dealerships, etc., but of course these are easy pieces of information that you can even buy as a list from online sources. The worst thing is that if they target the dead, active military service personnel, or people abroad, it can be months or years before anyone finds out. The thieves then make up income, withholding taxes, and deductions and have the refund wired to a pre-paid debit card that can be used in retail stores and banks to cash out. Contrary to what people think, the IRS takes days or months before it verifies and matches up the income stated in your tax return. By that time, neither the IRS nor you have any means to trace these guys. What is worse, the IRS thinks you owe them that money, as they supposedly paid it out to you. Ouch!

According to the IRS, they stopped about 200,000 questionable returns worth $1.15 B. Imagine how much slipped through. This is all because of the IRS’s inability to verify identity; identity is the main cause of this fraud. Wow! Fair enough, the IRS has to process about 145 million tax returns with about 110 million refund requests, but come on, with about 75% of the population filing electronically, how difficult is it to do a colon search on the remaining 25%? (BTW, if you file electronically they ask you for information from last year’s tax return before they accept it. But the problem is, if yours was already filed by an identity thief as a paper return, you can’t file at this point, so you are scrutinized but they are not. Double whammy, huh?)

Why is it so easy for identity thieves to do this?

Hard to detect, easy to cheat, takes months before the issue is found, and thieves know the loopholes in our system.

Fix: Have a government-mandated universal identity system with bulletproof detection. (Yeah right, like that is going to happen.)

Right now it is done mostly by small-time scammers; just imagine if a well-organized crime gang or a foreign-government-funded group picks this up. We will all be screwed.

How could this be fixed? Well, very simply:
1. In tax returns, ask for something from last year that only you would know, such as your AGI, your total deductions, or even your refund amount.
2. Mail the check to the address on last year’s return. If the address given differs from last year’s, put the return on suspend.
3. Debit only to last year’s bank account, and stop fly-by-night refund activities such as the debit card scheme.

Unfortunately, the IRS is not doing any of this. I can think of a roundabout way this can be prevented, but I would love to hear from you all if there is a way we can all benefit by stopping these identity thieves.

Let me know your thoughts and save fellow geeks from losing their hard-earned money.

Perfection Series – Data Leak Prevention – Taking it to next level with McAfee DLP integration in stopping data leakage

Intel recently announced that by combining the strength of Intel® accelerated processing and McAfee® enterprise-level security, we are taking our solutions to the next level and helping our customers extend their applications far beyond the traditional perimeter in a very secure manner.

I had the privilege of a preview of our integration between the Enterprise Service Gateway (ESG) and McAfee DLP (Data Leakage Prevention), and it was amazing. I am so excited that I wanted to share with you some of those features and what you can expect in coming releases.

McAfee DLP (Data Loss Prevention) is a data leakage solution that safeguards business-critical information by scanning the network for sensitive data and ensuring that the data doesn’t leak outside the corporate network. It also offers pre-configured policies for HIPAA, PCI, etc.

Think of ESG as a Swiss army knife: it can be used as a secure gateway, XML firewall, application-level gateway, identity mediator, Web Service proxy, edge security device, etc.

Obviously this applies only to data in motion and not to data at rest. What is more interesting is that it is policy driven and can be identity based or role based. Now, that is powerful: you can make decisions based on the identity of the user and the role they are assuming when they send the data out.

The ESG is in the line of traffic and sends the messages to DLP to find out whether any part of the message is considered sensitive. If the message is considered sensitive, it can be terminated. Keep in mind that it could act as a reverse proxy for incoming messages as well, if you want to screen messages containing certain sensitive information as they enter your enterprise, for compliance or auditing reasons.

As you can see, integrating with DLP is as simple as dragging the DLP action item, dropping it in the palette, and entering the host/port and other appropriate information; your workflow is then DLP-activated. Essentially this means all of your edge devices can be connected to one central place that scans outgoing messages for sensitive information to stop data leaks. Now imagine the power of that. All of your edge devices, whether application firewalls, web gateways, or XML firewalls, can be connected to a central place, which can scan your outgoing (and incoming, if necessary) messages for sensitive information based on corporate policies and compliance requirements.

The great thing is that you can start building policies as needed. McAfee DLP has what is called capture. Using McAfee capture technology you can not only look for data but also capture all the data that is going out. The captured data helps you see real-world patterns of data usage, and you can replay this history to adjust and refine your scans. This provides the comfort and confidence that you are aware of planned and new threats as they evolve.

We integrated with McAfee DLP not just because we want to show off that we are part of a bigger security organization, but also because the analysts agree (as you can see in the picture below from Gartner and Forrester) that this is a top-notch solution available in the market.

I hope you will be as excited as I am when you see this solution in action and see how easy it is to configure and use (and re-use).

Perfection Series – Forgotten data in your logs (Log Redaction service)

From a business standpoint, leaking sensitive information into your logs is not only bad but could lead to a compliance, liability and risk disaster sooner than you think. While there are solutions out there, including DLP, that inspect the data traffic to help catch sensitive data leakage, not many are proactive and intrusive enough to inspect the backplane of your systems for sensitive data leakage or regulatory compliance analysis. This becomes more pronounced when you have multiple ways of allowing users (especially admin users) to access your system, such as a browser, command line, XML interface, etc. You need to worry not only about the logs for each of those interfaces, but also about the types of logs that are kept and where they may go in the future; i.e., records such as the trace log, transactional log, exception log, command log, admin log, etc.

Recently, the Intel / McAfee Service Gateway (ESG/MSG) has seen a lot of activity and interest in providing APIs/services in and from the cloud. One of the major issues they all faced was that the log, which is stored in the cloud, might contain information that is sensitive or a compliance issue, especially when you offer this as a service (*aaS) that is exposed 24×7 to the hackers in the cloud. While this detailed logging may not be an issue for enterprise customers, where the actual log information is stored in centralized secure storage, most times it becomes an issue when you offer a multi-tenant environment and share resources with other users. In order to provide more control to customers in the cloud, we introduced a new log redaction feature, which can be used either in the enterprise version or in the cloud version. This helps customers with sensitive information such as PAN data (especially when credit card information is sent over for processing), personal data (PII), names, addresses, SS#, DOB and other pertinent information, including passwords in verbose modes. The Intel solution allows that data to be removed or masked with ease, and it is user definable, both for patterns and for masking specifics.

I was talking to a customer of mine a few days ago on this very topic and I told them how cool this is. He was like, “I think our system is very secure and we have taken ‘extra measures’,” given that they deal with multiple compliance standards and issues. So I suggested performing a log spider scan. He called me 2 days later, panicked with what he found. If you don’t know whether you should worry about this or not, there are spider scan tools available on the net; just Google it and see what your logs tell you. If you don’t like what you see, don’t blame me :).

While most customers take extra care with their transactional messages, I have seen a lot of customers be a bit lax in regard to logging and administrative interfaces. I recently blogged about an incident with a customer with exposed data in the logs, which you can read here.

Our solution allows them to tighten their logs up multiple notches. We come with about 30 or so pre-defined filters, with an option for customers to build more on their own using a simple visual tool. It can be applied to any level of logs, including the most verbose levels. The masks are user defined and flexible. Once you define and turn them on, there is no need to restart your system; it is always on after that until you explicitly turn it off. What is cooler is that the logs are instantly cleaned once you push the config, and the push is cluster-wide to all nodes. Imagine the power of controlling the sensitive log data in all edge devices (whether at the enterprise edge or extended to the cloud) with one push of a button.

In reality, the logging system normally logs content handed to it by many different underlying components, such as the Input Server, Invocation Agent, runtime Workflow, mediation Engine, Security engine, etc. This makes it complicated to manage when you deal with so many components: when you log things from the input side at some verbose log levels (such as detailed trace), it can log the wire data, which can be anything (and most solutions out there log everything that comes in on the wire for auditing purposes). So, contrary to what you might think, it is very hard to prevent sensitive data from being logged without special handling such as this.

Imagine if you are dealing with PCI, HIPAA, etc., and have an edge device where you can define, in effect, “I need my logs to be clean of this sensitive data,” and define masking/encryption on transactional data as well. You can be sure that from your edge inward, or going out, your messages and logs are all cleaned up to your satisfaction and for compliance.
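To make the filter-and-mask idea concrete, here is an added example of my own (an illustration, not the gateway’s code) of a small redaction pass: a few pre-defined filters plus one a user adds, run over constructed log lines from different components. The log line formats, filter names and mask styles are assumptions; the Luhn check is there so that long numbers that are not card numbers survive untouched.

```python
import re
from typing import Callable, List, Pattern, Tuple

# Constructed sample log lines (not from any real system): a detailed trace that
# echoes wire data, a verbose security-engine line, a workflow line, and an
# error line containing a 16-digit number that is NOT a card number.
SAMPLE_LOG_LINES = [
    "2012-04-20 10:01:02 TRACE InputServer wire=<card><pan>4111111111111111</pan><exp>1214</exp></card>",
    "2012-04-20 10:01:03 DEBUG SecurityEngine login user=admin password=Sup3rS3cret!",
    "2012-04-20 10:01:04 INFO  Workflow applicant ssn=123-45-6789 dob=1970-01-31",
    "2012-04-20 10:01:05 ERROR InvocationAgent order 2012041234567890 timed out",
]


def luhn_ok(digits: str) -> bool:
    """Luhn check, so order ids or timestamps that happen to be 13-19 digits
    long are not masked as if they were PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(m: "re.Match[str]") -> str:
    pan = m.group(0)
    if not luhn_ok(pan):
        return pan                                  # not a card number, leave it
    return "*" * (len(pan) - 4) + pan[-4:]          # keep last four for support use


def mask_ssn(m: "re.Match[str]") -> str:
    return "***-**-" + m.group(0)[-4:]


def mask_value(m: "re.Match[str]") -> str:
    """key=value secret: keep the key so the log line stays readable."""
    return m.group(1) + "=[REDACTED]"


# Pre-defined filters: (name, pattern, mask). Order matters: key/value secrets
# are handled before the bare-number rules so a numeric password is never
# mistaken for something else.
DEFAULT_FILTERS: List[Tuple[str, Pattern[str], Callable]] = [
    ("password", re.compile(r"(?i)\b(password|passwd|pwd)=\S+"), mask_value),
    ("dob",      re.compile(r"(?i)\b(dob)=\d{4}-\d{2}-\d{2}"),    mask_value),
    ("ssn",      re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            mask_ssn),
    ("pan",      re.compile(r"\b\d{13,19}\b"),                    mask_pan),
]


class LogRedactor:
    """Applies every enabled filter to each line before it is written."""

    def __init__(self, filters=DEFAULT_FILTERS):
        self.filters = list(filters)

    def add_filter(self, name: str, pattern: str, mask: Callable) -> None:
        """User-defined filter: a regex plus a mask function."""
        self.filters.append((name, re.compile(pattern), mask))

    def disable_filter(self, name: str) -> None:
        self.filters = [f for f in self.filters if f[0] != name]

    def redact_line(self, line: str) -> str:
        for _name, pattern, mask in self.filters:
            line = pattern.sub(mask, line)
        return line

    def redact(self, lines: List[str]) -> List[str]:
        return [self.redact_line(line) for line in lines]


if __name__ == "__main__":
    for line in LogRedactor().redact(SAMPLE_LOG_LINES):
        print(line)
```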

If you need more information on this or on our solutions in general, please check out or reach out to me.

Cloud Identity Services – Models and Challenges

I am co-presenting with Martin Kuppinger (of KuppingerCole) on a panel about Cloud Identity Services – Models and Challenges. Please stop by my session if you are attending the European Identity Conference and want to understand how the challenges of cloud-based identity are totally different from those of enterprise identity.

Cloud Identity Services – Models and Challenges
Martin Kuppinger, KuppingerCole
Andy Thurai, Intel

As the software-as-a-service (SaaS) market explodes, more and more organizations struggle to gain control over their users’ identities in the cloud. Some are also exploring outsourcing their identity and access management (IAM) functions to the cloud.

There are three architectural models for implementing cloud identity services:

• In the cloud – identity and access management as an on-demand service
• To the cloud – IAM from an on-premise platform
• Hybrid – a model that includes elements of both on-demand and on-premise solutions.

In this session, we will discuss the key architectural, platform, integration, security, scalability and reliability issues which organizations seeking to adopt cloud-based identity need to consider, including the increasingly significant role that Cloud Identity Broker/Cloud Security Broker technology is playing. The discussion will also assess current and evolving technology and industry standards available for managing SaaS account provisioning/de-provisioning, single sign-on, strong authentication, and other identity operations.


When you finish this session, you will have a framework for analyzing the state of today’s technology options and selecting the most appropriate architectural platform to meet your business’s identity requirements in the cloud.

You too Seattle?

I recently blogged about California introducing stricter consumer PII protection laws, but found another interesting case from outside California as well.

In Krottner v. Starbucks Corporation, the plaintiffs (ex-Starbucks employees) claimed that their PII (names, addresses, SS#) was stored unencrypted on a laptop that was stolen from Starbucks. They claimed that Starbucks acted negligently and that their stolen PII data, though it was not misused, caused them harm. What is interesting in this case is that the 9th US Circuit Court of Appeals agreed with the plaintiffs that they do not need to show actual harm or even an imminent threat of harm. It agreed that the potential risk due to stolen PII data can cause them harm in the future and allowed the case to go on. I was excited to see that, as a consumer of course, since I have been through this multiple times in the past: credit card companies (multiple times), and once my mortgage company lost my valuable personal data and in return all I got was a letter in the mail suggesting that I monitor my credit activity closely and watch for misuse. Huh? Since when does your losing my personal data become my issue? Why do I have to go through freezing my credit information with all the bureaus, which will cost me money? (For those who don’t know what I am talking about, all 3 credit bureaus offer this service. You can freeze your credit history if you feel your sensitive information/identity has been stolen and could be misused. If you file a police report and prove identity fraud then it is free; otherwise they charge you every time you freeze and lift the freeze. I know it is a pain, but it is better than dealing with identity theft, trust me.)

This is evidence that more and more emphasis is being placed on liability for PII data, and not just by health care/medical organizations. Everyone who accesses sensitive data (such as PII and PCI data) is liable for maintaining its secure access. Unless you take enough steps to safeguard your data, both at rest and in transit, you could be liable and/or non-compliant and land in the State and/or Federal government’s cross hairs. I talked about how PII data is being classified as sensitive and how California is taking that to the next level by classifying (gulp…) zip codes as PII data. Check out my blog on that here.

It is becoming more and more expensive to deal with such potential breaches. Not only do corporations need to notify all their consumers about the breach, but they must offer sufficient mechanisms to help them protect their data. Some states (such as Texas) are even suggesting (with a law expected to be introduced later in 2012) that every single customer be notified, not just the ones affected; now this could cost companies lots of money, plus they could be fined for violations as well.

It is not just about validated cases any more; it is going to cost a lot more to defend, fix, and make it right for consumers if you are careless about their information and/or lose it.

For more details on how your organization can safeguard against this, check out my blog about PII/PCI, data protection, and how Intel can help you here.

Perfection series – How do you define/measure perfection?

A few weeks ago I had a conversation with a customer of mine and we discussed this very topic. How do you measure perfection? It’s a good question worthy of inquiry. I was really surprised at the different answers suggested in the conversations that ensued.

Perfection is, as stated by the Merriam-Webster dictionary, “broadly, a state of completeness and flawlessness, an unsurpassable degree of accuracy or excellence”. Some would also say perfection is the absence of judgment. 🙂

If you operate within a Math or Science context, the term perfection is actually used to designate a range of diverse concepts. These concepts have historically been addressed in a number of discrete disciplines, notably mathematics, physics, chemistry, ethics, aesthetics, ontology and theology.

To an extent, “perfection” is a state of mind. Why am I telling you all of this? I was asked the question, “Is your solution perfect for our situation?” So instead of pursuing a quest for the meaning of perfection (and the meaning of life), I thought I would take this opportunity to write a series of blogs in which I am going to highlight our solution capabilities and recent enhancements that may make our solution perfect for you! (You knew that plug was coming, right?)

A few years back (I used to work for a competitor at that time), I was visiting a customer of ours to discuss a complex architectural issue they were having. I sat down with the Security Architect, Enterprise Architect, and the CISO of a big insurance company (which shall remain unnamed) to discuss the issue. To show me the issue at hand, they pulled up a specific transaction to analyze. There it was: the admin password for the system (the holy grail), for their important backbone component, baring its nakedness to us in clear text. In all fairness, the ‘most verbose log feature’ was turned on to debug a specific issue in that situation. After we joked about the fact that I now knew the admin password for their backbone and for their entire enterprise, I was told I was going to spend most of my life in a corner of their data center sleeping on a rug!

The conversation got very serious when we talked about how admin passwords should NEVER be displayed in clear text on any log for any reason. I took this noted and avoidable vulnerability back to my Product Management/Engineering teams. To my surprise, the concern was brushed aside as a non-issue.

A risk of this magnitude could easily be considered a major compliance issue if you are an organization that deals with HIPAA and/or PCI compliance. Regardless of whether you have the most verbose mode turned on or not, if you leave PCI or PII (personally identifiable information) clearly visible in logs, in clear text, you are creating potential breaches. As is sometimes the case, log data gets lost and, at the most inopportune time, could be unearthed during an audit. Aside from exposing oneself to the risk associated with not properly safeguarding data, those risks multiply when failed audits lead to very expensive fines.

The California Supreme Court recently ruled, in Pineda v. Williams-Sonoma, that zip codes are really “personally identifiable information” (PII). The ruling, under California’s Song-Beverly Credit Card Act, California Civil Code section 1747.08, reversed the Court of Appeal’s decision. Penalties of up to $250 for the first violation and $1,000 for each subsequent violation could accrue, without there even being any allegation of harm to the consumer.

Section 1747.08 of this law states that a retailer cannot ask customers for PII (including zip codes), or record it, during credit card transactions. (I have distilled the legalese for you. However, those so inclined may read about the ruling in its entirety at Though this information is applicable only to PCI compliance right now, there are laws pending in California (and in other states) around the essence of PII. This may end up being germane to medical records, EHR (Electronic Health Records), prescription information, etc.

Initially it could be limited to SS#, PAN (credit card info), date of birth, zip codes, address, age, gender, password (in the corporate world), etc. However, data safeguarding could potentially expand into several other domains. All organizations need to be cognizant of how laws and regulations continue to change at the state and national level and how they may vary from one country to another. Imagine if you are using a cloud provider which is hosting your data in a country (not of your choice) where you have virtually no control.

In the next few blogs I am going to talk about our Log Redact, Data Redact, Data privacy, Compliance, Encryption and Tokenization capabilities, which will help address some of the aforementioned issues. They not only help you address today’s needs but will also enable you to “change direction” as necessary as incipient changes come to fruition.

You may already know that Intel acquired McAfee, the leader in the security software business, over a year ago. We are quickly seeing the successful integration of both entities. As part of this perfection series, I’m going to share with you, in greater detail, our integration efforts with McAfee security components. At the end of this series, you’ll get a sense of the palpable energy abounding and the synergies that are helping us bring even better solutions together for our customers.

As for that company that gave me a rug to sleep on in the datacenter corner for sharing their family secrets: I wish I had had this solution set handy at that meeting! Oh well, comfortable sleep is often overrated anyway.

If you would like a sneak preview of some of the solutions that I’m going to address in this blog series, please visit:

Then they took down another BIG one

I have been sitting on this blog/thought for a while, but it became timely now with the Global Payments breach yesterday (reported first by Brian Krebs on his security blog). Global Payments is a merchant acquirer, with contracts with retailers to handle the processing of card transactions (credit cards, debit cards, gift cards of all brands). Though the information is premature and not complete, it is estimated that they lost about 10 million+ accounts. Though Global specializes in mom-and-pop shop transactions, the company itself is very well established ($167 billion worth of transactions last year alone). This breach happened in spite of decent security measures being in place. What is worse is that the data stolen is full track 1 and track 2, which means that using that stolen data one could easily produce counterfeit cards. (So you had better watch out for unauthorized charges in your account; it is hard to dispute a transaction when someone swipes a card unless you catch it early. I know it from personal experience.)

You see, the problem lies in the whole complex payment system that was developed years ago for payment transactions. In those days security was not on everyone’s mind, partly because most of these systems ran on private networks (and leased lines) and the hackers of those days were not that savvy. It is sad, but true, that it is much cheaper for companies to deal with the breaches than to make their systems more secure. You might recall a serious breach at Heartland Payment Systems a couple of years ago, where they lost about 130 million cards. Last year hackers stole payment card information for more than 100 million customers of Sony’s PlayStation Network. In between these, multiple smaller breaches went unnoticed.

So if you are a security architect and are wondering how you can safeguard your company from such disasters, we here at Intel can help you. While we have many solutions that can help, I am going to talk about a particular one, our Tokenization Solution: Token Broker (TB).

A few years ago, PCI-DSS released a new directive that opened the door for a new concept called tokenization. The issue with dealing with sensitive data is that you need to hide it somehow. Until a few years ago it was done by encryption. While an encryption solution is very good for what it does, the surrounding issues became a major problem (key management, key rotation, encryption strength, etc.). If the hacker catches the transaction in flight, or hacks into the systems and catches the transaction in memory/process (where the data might be in the clear), the issue becomes deadlier. In order to avoid that, PCI-DSS released a directive (and updated it late last year; PCI DSS 2.0, Aug 2011) about tokenizing the PAN (Primary Account Number) information. At the heart of this directive is the fact that if you create a truly random token (i.e., a format-preserving surrogate) there is no way that a hacker who intercepts the message can get the original information back. Hence there is no monetary value if someone captures the token in flight or from storage.

Essentially we have hardened proxy Token Brokers that you can slide in front of or behind any application (we support almost all standard protocols and data formats), which sit in the line of traffic and perform these tokenization actions. This means very little or no work is required on the application/API/service side. By sliding our proxies into the line of traffic you can ensure all the channels are secure and no one can sneak in without our knowledge.

An application needing the original data can come back to our TB and ask us to provide it. This can be either a side call (a call to an API to reverse the data) or an in-line reverse translation, so the receiving application receives the original data without needing modification. Only the applications (or proxies) that need it know where to go to resolve the token, and that application needs to be whitelisted with us (not just anyone can ask us to do the dirty job, even if they know where to go). The connection can be made as 2-way mutually authenticated SSL to establish the identity of both sides and make sure the information travels securely end to end.

Tokens are stored in a hardened database that is nearly impossible to breach and that only the TB can connect to. All communication from the TB to the DB is secured, and the DB has a whitelist of only the TBs that may connect to it.
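To show the mechanics described above in working form, here is an added example of my own (not Intel’s Token Broker code): a small in-memory broker that issues random, format-preserving surrogates, keeps the token-to-PAN mapping in a vault only it reads, rewrites PANs inside a message in line, and hands the original PAN back only to whitelisted callers. The caller names, the in-memory vault, and Python’s secrets module standing in for the hardware random number generator are assumptions.

```python
import re
import secrets
from typing import Dict, List, Set, Tuple

# secrets.SystemRandom stands in for the appliance's hardware random number
# generator (assumption for this illustration).
_rng = secrets.SystemRandom()
PAN_RE = re.compile(r"\b\d{13,19}\b")   # digit runs of PAN length inside a message


class TokenBroker:
    """In-memory stand-in for the Token Broker plus its vault (the hardened DB).

    allowed_apps plays the role of the whitelist. In a real deployment the
    caller's identity would come from the client certificate of the mutually
    authenticated SSL connection; here it is just a string (assumption).
    """

    def __init__(self, allowed_apps: Set[str], keep_first: int = 0, keep_last: int = 4):
        self.allowed_apps = set(allowed_apps)
        self.keep_first = keep_first        # leading (BIN) digits to preserve, if any
        self.keep_last = keep_last          # trailing digits preserved for receipts/lookups
        self._vault: Dict[str, str] = {}    # token -> PAN
        self._by_pan: Dict[str, str] = {}   # PAN -> token, so one PAN maps to one token
        self.audit: List[Tuple[str, str]] = []   # (caller, token) detokenization log

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a PAN-shaped value")
        if pan in self._by_pan:
            return self._by_pan[pan]
        head, tail = pan[:self.keep_first], pan[len(pan) - self.keep_last:]
        n_random = len(pan) - self.keep_first - self.keep_last
        if n_random < 6:
            raise ValueError("too few digits left to randomize")
        while True:
            middle = "".join(_rng.choice("0123456789") for _ in range(n_random))
            token = head + middle + tail
            # Random surrogate: no mathematical relation to the PAN, so there is
            # nothing to recover from an intercepted token. Retry on collision.
            if token != pan and token not in self._vault and token not in self._by_pan:
                break
        self._vault[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only whitelisted callers may resolve a token; every resolution is logged."""
        if caller not in self.allowed_apps:
            raise PermissionError(f"{caller} is not whitelisted for detokenization")
        pan = self._vault.get(token)
        if pan is None:
            raise KeyError("unknown token")
        self.audit.append((caller, token))
        return pan

    def tokenize_message(self, text: str) -> str:
        """In-line proxy behaviour: replace every PAN-shaped run in a message."""
        return PAN_RE.sub(lambda m: self.tokenize(m.group(0)), text)

    def detokenize_message(self, text: str, caller: str) -> str:
        """In-line reverse translation for a whitelisted receiving application."""
        return PAN_RE.sub(
            lambda m: self.detokenize(m.group(0), caller) if m.group(0) in self._vault else m.group(0),
            text)


if __name__ == "__main__":
    tb = TokenBroker(allowed_apps={"billing"})
    # Constructed sample message, not captured from any real system.
    msg = "<order><pan>4111111111111111</pan><amount>42.00</amount></order>"
    print(tb.tokenize_message(msg))
```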

In short, by using the Intel Token Broker (TB) solution you get:
• Storage and processing using surrogate data and not the original data.
• Format-preserving tokenization, which allows you to preserve parts of the PAN information for internal purposes.
• Can handle any form of data: MS Word, Excel, PDF or any other form of document.
• Our solution comes with all kinds of security certifications (CC EAL 4+, FIPS 140-2 Level, etc.).
• Allows you to secure the perimeter, secure the edge, secure the API.
• Reduces PCI scope and protects cardholder data.
• Can work anywhere within the enterprise or extended enterprise, including partner locations and virtual environments such as the cloud.
• Can be in the DMZ due to the hardened appliance form factor.
• Reduces annual assessment costs.
• Helps with compliance issues.
• Hardware-based random token generator.
• Full disk encryption, database storage encryption, Secure Boot/BIOS, Tripwire, snooping block.

A sample high-level enterprise data flow, with the original data flow highlighted in dotted red, shows how easy it is to slide a proxy in line to handle all transactions regardless of data format, protocol or security type.

If you are interested in either PAN tokenization or PII tokenization (such as SS#, DOB, etc.), use the link at the bottom to check out our solution details and reach out to me if you need further details. Also, check out this whitepaper by Walter Conway, QSA, who is an expert on this subject.

Hope we can help our customers protect one enterprise at a time so these things won’t happen in the future.
