David Kirkpatrick

July 7, 2009

Social inSecurity Number?

Food for thought and fodder for identity theft nightmares. This research finds social security numbers may be even more insecure than previously thought.

The release:

Carnegie Mellon researchers find social security numbers can be predicted with public information

PITTSBURGH—Carnegie Mellon University researchers have shown that public information readily gleaned from governmental sources, commercial data bases, or online social networks can be used to routinely predict most — and sometimes all — of an individual’s nine-digit Social Security number.

Project lead Alessandro Acquisti, associate professor of information technology and public policy at Carnegie Mellon’s H. John Heinz III College, and Ralph Gross, a post-doctoral researcher at the Heinz College, have found that an individual’s date and state of birth are sufficient to guess his or her Social Security number with great accuracy. The study findings will appear this week in the online Early Edition of the Proceedings of the National Academy of Sciences, and will be presented on July 29 at the BlackHat 2009 information security conference in Las Vegas. Additional information about the study and some of the issues it raises is available at http://www.ssnstudy.org.

The predictability of Social Security numbers is an unexpected consequence of seemingly unrelated policies and technological developments that, in combination, make Social Security numbers obsolete for authentication purposes, according to Acquisti and Gross. Because many businesses use Social Security numbers as passwords or for other forms of authentication — a use not anticipated when Social Security was devised in the 1930s — the predictability of the numbers increases the risk of identity theft. ID theft cost Americans almost $50 billion in 2007 alone. The Social Security Administration could mitigate this vulnerability by assigning numbers to people based on a randomized scheme, but ultimately an alternative means of authenticating identities must be adopted, the authors conclude.

“In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone,” said Acquisti, a researcher in the Carnegie Mellon CyLab. Information that once was useful to make public may now be too available. An example is the Social Security Administration’s Death Master File, a public database with Social Security numbers, dates of birth and death, and states of birth for every deceased beneficiary. Its purpose is to prevent impostors from assuming the Social Security numbers of deceased people. But Acquisti and Gross found that analyzing the death file enabled them to detect statistical patterns that would help them predict Social Security numbers of the living.

These statistical patterns can help narrow guesses of an individual’s Social Security number, when combined with that person’s date and state of birth. Birth information can be obtained from various sources, including commercial databases, public records (such as voter registration lists) and the millions of profiles that people publish about themselves on social networks, personal Web sites and blogs.

The statistical patterns and the birth information can be used to predict Social Security numbers because the Social Security Administration’s methods for assigning numbers, based in part on geography, are well-known. For most individuals born nationwide since 1989, Social Security numbers are assigned shortly after birth, making those numbers easier to predict.

Acquisti and Gross tested their prediction method using records from the Death Master File of people who died between 1973 and 2003. They could identify in a single attempt the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of those individuals born after 1988 in fewer than 1,000 attempts. Their accuracy was considerably higher for smaller states and recent years of birth: for instance, they needed 10 or fewer attempts to predict all nine digits for one out of 20 SSNs issued in Delaware in 1996. Sensitive details of the prediction strategy were omitted from the article.

“If you can successfully identify all nine digits of an SSN in fewer than 10, 100 or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN,” the authors noted.

When the researchers tested their method using birth dates and hometowns that students had self-reported on popular social networking sites, the results were almost as good despite the inaccuracies typical of social network data. Enrollment records were used to confirm the accuracy of the predictions, though the researchers did not receive confirmation of any individual Social Security number, but only aggregate measures of accuracy.

“Dramatically reducing the range of values wherein an individual’s Social Security number is likely to fall makes identity theft easier,” Gross said. A fraudster who knows just the first five digits of an individual’s number might use a phishing email to trick the person into revealing the last four digits. Or, a fraudster could use networks of compromised computers, or “botnets,” to repeatedly apply for credit cards in a person’s name until hitting the correct nine-digit sequence.

Future Social Security numbers could be made more secure by switching to a randomized assignment scheme, but protecting people who already have been issued numbers is harder, the researchers said. Given the ease with which Social Security numbers can be predicted — particularly the first five digits and particularly for the millions of Americans born since 1988 — legislative and policy initiatives aimed at removing the numbers from public exposure, or redacting their first five digits, may be well-meaning but misguided, Acquisti added.

“Given the inherent vulnerability of Social Security numbers, it is time to stop using them for verifying identities and redirect our efforts toward implementing secure, privacy-preserving authentication methods,” Acquisti said. Methods to consider include two-factor authentication, similar to the PIN number/card combinations used for bank accounts, and digital certificates.




Students Ioanis Alexander Biternas, Ihn Aee Choi, Jimin Lee and Dhruv Deepan Mohindra assisted Acquisti and Gross in the study. The Heinz College (http://www.heinz.cmu.edu) includes the School of Information Systems and Management and the School of Public Policy and Management and its faculty and students bring expertise to bear on issues of information security and policy and information systems, as well as public policy, arts and health care management.

The National Science Foundation, the U.S. Army Research Office, Carnegie Mellon CyLab and the Berkman Faculty Development Fund provided support for this research.


About Carnegie Mellon: Carnegie Mellon (www.cmu.edu) is a private, internationally ranked research university with programs in areas ranging from science, technology and business, to public policy, the humanities and the fine arts. More than 11,000 students in the university’s seven schools and colleges benefit from a small student-to-faculty ratio and an education characterized by its focus on creating and implementing solutions for real problems, interdisciplinary collaboration and innovation. A global university, Carnegie Mellon’s main campus in the United States is in Pittsburgh, Pa. It has campuses in California’s Silicon Valley and Qatar, and programs in Asia, Australia and Europe. The university is in the midst of a $1 billion comprehensive campaign, titled “Inspire Innovation: The Campaign for Carnegie Mellon University,” which aims to build its endowment, support faculty, students and innovative research, and enhance the physical campus with equipment and facility improvements. For more about Carnegie Mellon, visit http://www.cmu.edu/about/.

October 14, 2008

Lunar prospecting robot tested on Mauna Kea

Filed under: Science, Technology — David Kirkpatrick @ 9:57 pm

A cool press release from Carnegie Mellon University and NASA:

Lunar Prospecting Robot To Be Field Tested on Hawaii’s Mauna Kea

NASA Rover Was Developed by Carnegie Mellon’s Robotics Institute

PITTSBURGH—The cool, rocky slopes of Mauna Kea, a dormant volcano that is Hawaii’s highest mountain, will serve as a stand-in for the moon as researchers from Carnegie Mellon University’s Robotics Institute, NASA and other organizations test a robot designed for lunar prospecting.
During the field experiment, Nov. 1-13, the robot called Scarab will simulate a lunar mission to extract water, hydrogen, oxygen and other compounds that could potentially be mined for use by future lunar explorers. The four-wheeled robot will trek to different sites, using a Canadian-built drill to obtain a one-meter geologic core at each site. Each core will be chemically analyzed by on-board instruments developed by NASA.
“People will not return to the moon for prolonged stays unless we can find resources there to help sustain them,” said University Professor William “Red” Whittaker, director of the Robotics Institute’s Field Robotics Center. “The technology being developed for Scarab will help locate whatever water or resources might exist on the moon as we seek out the raw materials for a new age of exploration.”
Scarab was designed and built for NASA’s Human Robot Systems program by Carnegie Mellon. It serves as a terrestrial testbed for technologies that would be used to explore craters at the moon’s southern pole, where a robot would operate in perpetual darkness at temperatures of minus 385 degrees Fahrenheit. The rover features a novel rocker-arm suspension that enables it to negotiate sandy, rock-strewn inclines and to lower its 5 1/2-foot by 3-foot body to the ground for drilling operations. Scarab weighs 400 kilograms (about 880 pounds) and can operate on just 100 watts of power.
“Last year, we demonstrated Scarab’s unique maneuverability and its ability to navigate autonomously,” said David Wettergreen, associate research professor of robotics and project leader. “This year we reconfigured Scarab to accommodate a rock sample analysis payload developed by NASA. Now it is a complete robotic system for exploring the lunar poles and prospecting for resources.”
Scarab is outfitted with a drill assembly built by the Northern Centre for Advanced Technology Inc. (Norcat) in Sudbury, Ontario. The drill takes hours to cut a one-meter core into a dense layer of weathered rock and soil, known as regolith. The core is then transferred into another Norcat device that pulverizes it, about one foot at a time.
The crushed rock and soil drops into the Regolith and Environment Science and Oxygen and Lunar Volatile Extraction (RESOLVE) experiment being developed by NASA’s In Situ Resource Utilization (ISRU) program. Inside RESOLVE’s heating chamber, the sample is heated to 900 degrees Celsius (1652 degrees Fahrenheit); gases released by the heat are transported to a gas chromatograph, an instrument that identifies individual chemicals and their relative abundance, and to absorption beds, each of which measures a particular compound of interest. It takes up to 20 hours to analyze an entire one-meter core.
Hawaii, famed for its tropical beaches, may not seem to have much in common with the moon. But the nearly 14,000-foot summit of Mauna Kea, home to a dozen major telescopes, is often snow-capped during winter months. The NASA field test will occur at elevations of approximately 9,000 feet, where Scarab is likely to encounter rain and fog and daytime temperatures of about 40 degrees.
Scarab is funded through NASA’s Johnson Space Center in Houston, Texas, and is managed by NASA’s Glenn Research Center in Cleveland, Ohio. Both Scarab and ISRU’s RESOLVE experiment are part of NASA’s Exploration Technology Development Program, which is managed at NASA’s Langley Research Center in Hampton, Va.    


September 8, 2008

Gold nanorods help fight cancer

Filed under: Science, Technology — David Kirkpatrick @ 11:00 pm

Nanoscale gold rods are a key component in heat-based cancer treatment.

From the link:

Cancer cells are relatively temperature-sensitive. This is exploited in treatments involving overheating of parts of the cancer patient’s body. One highly promising method is photoinduced hyperthermia, in which light energy is converted to heat. Gold nanoparticles absorb light very strongly in the near infrared, a spectral region that is barely absorbed by tissue. The absorbed light energy causes the gold particles to vibrate and is dissipated into the surrounding area as heat. The tiny gold particles can be functionalized so that they specifically bind to tumor cells. Thus, only cells that contain gold particles are killed off.

The problem? Ordinary spherical gold particles do not efficiently convert the light energy into heat; only rod-shaped particles will do. Unfortunately, the additives needed to crystallize the rod-shaped particles from aqueous solutions are cytotoxic.

The team headed by Michael R. Bockstaller is now pursuing a new strategy: instead of aqueous solution, they chose to use an ionic liquid as their medium of crystallization. Ionic liquids are “liquid salts”, organic compounds that exist as oppositely charged ions, but in the liquid state. In this way, the researchers have been able to produce gold nanorods without the use of any cytotoxic additives.

M. Bockstaller and his team have synthesized gold nanorods using an ionic liquid as a solvent. Gold nanorods are interesting starting materials in cancer therapy. (c)Wiley-VCH 2008
