I recently commented in my LinkedIn Smartcard Group to a posting about why The USPS was promoting their “snail mail over email. Some commentors argued that promoting older technologies like the post office is trying to capitalize on fear of new technologies or the inconveniences it brings. I disagree that inconvenience or fear of the unknown are the problems. Rather it’s a self-preservation reaction. With almost 20-years of smartcard support and being on the bleeding edge of technologies even longer, I think I have the credentials to somewhat support the USPS stance, but not for the reasons they give.

Ray Wizbowski from Gemalto wrote an insightful post about how “Strong Authentication, not ‘Snail Mail’ is the answer to cyber crimes“. In it Ray builds the case that the USPS is having a “Luddite” movement in its last-ditch attempt to convince consumers and businesses to ditch electronic communications in favor of snail mail. Ray makes the analogy to the regular occurrences of mail train robberies but the railroads survived.  Train travel did have its problems in the U.S. for safety concerns with Indian raids, robbers and derailment. In fact, the railroad barons almost went bankrupt if they didn’t solve these and other security/safety issues for their riders.  Most people put a higher valuation on personal safety that some new glitzy technology. It was because of the security efforts from groups like Pinkerton, Texas Ranger and U.S. Marshalls that made the price to pay for robbing a train too high for its rewards. The old West had few laws but the most recognised one was 45, that’s Colt 45.

When trying to make a security comparison between email vs. standard mail the first question has to be “from what security perspective?”. Sure a letter can be stolen from a box that has your banking or social security information it, but it is not going to infect everything you do, cause your house to crash and force you to buy a new house to get an updated mail box. In the comment, “…digitization is now so much a part of our everyday lives that the suggestion that we should regress seems preposterous.” This is  true but it seems that technology companies have put a higher valuation on profit and market share than on security. The devastation to individuals, businesses and governments that a hidden malware in spam, file attachments, pharming sites, electron ads and such is inexcusable today. And it only takes one careless click to propagate into a $7.2M data breach catastrophe or an identity theft nightmare.

• So for individuals to revert back to snail mail – Understandable
• For businesses to revert back to snail mail – Very understandable

I don’t buy from websites that don’t have https:// shopping carts. I don’t click the email links anymore from people I don’t know. I certainly don’t open any email attachments even from my credit card company or bank. I know it’s not because I’m a technophobe, but because I can’t trust the delivery and the cost of a mistake is too high for me to pay. It is also inexcusable for companies like Google, Microsoft, Adobe, Amazon, Facebook, etc., and the U.S. Government to treats security, privacy and trust as after thoughts or worst, not at all. Even recently, states are selling personal email information to presidential campaign organizations so the state can make money and so you can be bombarded with their evil hate ads. Microsoft should also be ashamed of themselves for having a day every month since 1998 named for their products insecurity: Patch Tuesday.

In conclusion, ask yourself if you have changed any of your computer, email or internet habits due to viruses, identity theft , malware, spam, etc.concerns? How much security add-ons do you have because you felt vulnerable with the original product? Are you longing for the good old days of pony express and covered wagons because they were so convenient. Finally, back to the train analogy, gun sales were at its highest for the times when so were train robbers. Maybe that is why there are so many technology security companies today. So for the USPS to try to capitalize on the cyber security fears is no different from cyber companies trying to capitalize on the USPS speed. What all technologies come down to is the convenience it offers the user until the fear of personal harm from that technology drives self-preservation.

Cyber warfare is real. That’s why each Friday I will post a review on this book: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, and today I am sharing what I am reading in…

Chapter 3: Cyber Doctrine.

A doctrine is the foundation for teaching collective, fundamental principles to large groups so that everyone knows what to do in pre-defined situations. The military since armies of ancient times has relied on their doctrines to instill tradition, guidance, tactics, techniques and procedures. Different governments and military branches are now putting this long honored practice to cyberspace. While it was interesting that the authors started out by stating, “The U.S. military does not have a definition for cyber warfare today“, don’t think that a lot of time, work and money isn’t being spent to defend and attack “it”.

One reason that cyber warfare is poorly defined is that what makes up cyber keeps changing. Terms like computer security, information security, network centric warfare, information assurances, information warfare and even cybersecurity have all been used to describe this nebulas network of electrons that are organized in ways that can deliver vital information to one group and not the other. Cyber warfare is just the latest name in vogue. Therefore, these electrons have become the pawns to attack and defend. Remember, in my Chapter 2 observations I stated that cyber warfare is machine vs. machine and that human suffering is collateral damage.

The first step has to be defining what is “Cyber”. The U.S. doctrine understand cyber to be a part of Information Operations where one of the Core Capabilities is Operations Security of Computer Network Operations.  Computer Network Operations is then divided into three tactical objectives: Computer Network Exploitation, Computer Network Attack and Computer Network Defence. Or in other words Espionage, Offense and Defence. So while the battlefield may have changed the strategies and tactics are no different from those of Alexander the Great, Julius Caesar, Napoleon Bonaparte or General Petraeus. As a side note, I’m not adding in all the three-letter acronyms loved by the government in this review. After awhile it all becomes too confusing.

The chapter is a fascinating read regarding how our different miliary branches are developing doctrines based upon laws and traditions of previous battlefields, and trying to make them apply to electron behaviour. We also get a glimpse into some doctrines from other nations both friendly and some not so friendly ones. But a doctrine by itself, while interesting, serves no purpose if it can be implemented. That is where a different set of multi-letter acronym organizations come into the picture because they are responsible for Tactics, Techniques and Procedures.

With all the organizational charts, closed-door planning and top-secret research going on, you don’t think other government agencies, politicians and private industry are not going to have their competing clubs? The private and non-military government agencies can’t develop military doctrine but they do influence the doctrine with the Guidance and Directives. Some of these groups include Dept of Homeland Security (DHS), Homeland Security/Presidential Directive (HSPD) and National Institute of Standards and Technology (NIST) which are a little more familiar to us civilians.

Finally, after all the preparations, theories and paper pushing there has to be training, practice and refining. These are done through either Table Top or Simulations exercises. These exercises are conducted in the federal, military and academic arenas. And while the authors don’t state it, I think we all suspect that some live demonstations have been conducted once or twice by someone or some government.

CONCLUSION:

The authors have done a great job in breaking down the complexity of developing a Cyber Warfare Doctrine. While majority of all the references are to U.S. organizations, branches and institutions the same type of structure is being duplicated in just about every other nation around the world that has a military, politicians and internet connectivity. I do like to think that the Samoans and Fijians are not in this game.

When hearing that IRS refunds stolen and the pain it is causing people then politicians will remember Occupy Wall Street and the Tea Party Rallies as intimate picnic compared to the fury of a citizenry demanding their money.

Already the IRS is saying they’re going to have to delay payment to early filers because of lack of manpower. Now they are claiming they don’t have enough manpower to handle all the ID theft cases.

Recently Floridians were reported as waiting over 3 hours to talk to investigator, only to learn that it will take up to 90 days to investigate their claims.

But if 2012 proves to be bad year for the IRS as they deal with ID theft, then it is safe to assume that this is just the tip of the iceberg. As more and more cases are reported it stands to reason that the investigations will take even longer,particularly as the IRS claims to be short of man-power.

ID theft doesn’t discriminate against income bracket, party, race, sex, religion, class or any other demographics that politicians like to classify people into. The new classification may finally be “Tax Paying Americans”. So what can be done? Well that depends on the perspective of the question.

While nothing can give you 100% protection, here are a few tips:

1. Don’t write your SSN or Fed Tax ID on any checks if mailing your tax return via USPS.

2. Always use certified mail and hand it to the post office.

3. Shred any documents you used to determine your taxes.

4. Only use reputable tax services. You may think some are too expensive but the cost of Identity Theft will far overshadow the extra payment for service.

5. Be careful of tax scams by email, post and phone.

When employees travel abroad here are ten electronic devices security tips I pulled from  a recent New York Times article, “Traveling Light in a Time of Digital Thievery” by Nicole Perlroth. Nicole discusses electronic devices security policies and practices of the State Department, Google, Bookings Institution, and McAfee executives when traveling to China and Russia.

However, because Cyber Warfare has no geographical boundaries I suggest these electronic devices security tips be used whenever anyone travels anywhere overseas; or, depending on the circumstance, travel anywhere.

Ten Electronic Devices Security Tips When Traveling Abroad

1. Leave personal cell phones and laptops at home.
2. Bring a burn phone (prepaid, disposable cell phone) and a loaner laptop dedicated for travel only.
3. Erase the EEPROM, Flash and hard drive memory of both devices before leaving the country and immediately after returning. As a personal side note, never plug this laptop into any network before first wiping it and use a very good wipe program.
4. Disable all Bluetooth and Wi-Fi functionality from all devices. This includes ear pieces.
5. Never let your phone or laptop out of your site.
6. In meetings, don’t just turn off your phone but also remove the battery. It is possible that the microphone can be turned on remotely. So, be sure you have a phone that you can get to the battery. An iPhone is not a good choice when traveling.
7. Connect to the internet through secure, encrypted channels.
8. Use a password manager so you don’t have to remember or type them.  I recommend a smartcard password manager over a USB thumb drive because of the added security smartcards offers.
9. If customs or any outsider has touched or turned on your computer, do not plug it into the company network without first scrubbing it.
10. Your company needs to have an electronic device security travel policy, employee re-training before every trip, and all devices returned to IT before the employee is allowed back into the building.

Cyber attackers are clever in hiding what they do, but the number one behavior they rely on is employee carelessness. Scott Aken, a former F.B.I. agent who specialized in counterintelligence and computer intrusion made a great summation, “We’ve already lost our manufacturing base. Now we’re losing our R.& D. base. If we lose that, what do we fall back on?”

Cyber warfare is real. That’s why each Friday I will post a review on this book: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, and today I am sharing what I am reading in…

Chapter 2: The Cyberspace Battlefield

All wars have a battlefield and cyber warfare is no different. Where conventional warfare have solders within a country’s border, terrorism has expanded the fighter’s deployment and cyberspace has obviated both deployment and borders. A cyber attacker can actually be located within your own country, be a fellow citizen or even one of your allies. What is also ironic is that human suffering is collateral damage since the actual attack is not human against human or machine against human, but machine against machine. Human life is devastated by what happens when a machine malfunctions.

Cyber warfare’s virtual battlefield is analyzed in three ways: logical, physical and organizational.  Cyber security is designed to build a defense wall around a network. This is not much difference than the historic defenses of a medieval castle (moat, drawbridge, battlements, etc.) But now we have logon passwords, firewalls, anti-virus, etc. Castles also had weapons to kill their attackers (spears, arrows, catapults and burning hot oil), but currently cyber security does not have much in the way of weapons of destruction. We are too busy going on the defense after something catastrophic happens.

Once the networks are protected, the cyber attackers will target the physical infrastructure like the HVAC, electricity, people, etc. Here companies are vulnerable to surveillance, sabotage, vandalism and blackmail. Finally, an attack is also determined by its organization: Government (federal, state, or local) or Commercial (multi-international corporation, SMB or home business). Ironically, governments have far more money available for defenses and retaliation, but they also have some of the oldest equipment that are vulnerable to attacks. Businesses have the most up to date equipment but only invest money in security based on ROI and risk assessments. From an attackers perspective both are easy prey.

Arming yourself against cyber warfare will not be tremendously effective if you don’t understand the enemy and their threats. In the Art of War by Sun Tzy there is a very prophetic quote: “If you know neither the enemy nor yourself, you will succumb in every battle.”

Attackers fall into six categories: Script kiddies, criminals, hacker groups, insiders, political/religious and APT/Nation states. There are more script kiddies than nation states, but the damage they can do is the inverse. Then the final piece in the puzzle are the motivations of the attacker (money, espionage, fame, terrorism, hacktivism, etc.)

In conclusion, the authors have written a very compelling chapter that helps one understand the cyberspace battle field by making comparisons to the physical world.

It is through understanding your attacker, the damages and the motivations that we can full understand and appreciate this quote:  “Success in warfare is gained by carefully accommodating ourselves to the enemy’s purpose.” ~Sun Tzy.

Online security is now more important with cyber attacks are on the rise in 2012. That is the prediction by many security experts. Individuals, industries and agencies are all trying to find safeguards that will reduce the risk of an attack. But what is the best solution? Do you use Public Key Infrastructure (PKI), One Time Passwords (OTP), Single Sign-On (SSO) or Password Management (PM)? Before I, or anyone else can answer that you first need to understand your environment, what are you protecting, what are the risks and who else would have access.

No one solution works for everyone and every environment. They all have their advantages and disadvantages. For this discussion, let’s just address Password Management. While I have developed Power LogOn® to offer solutions to a number of issues, I also recognize that it may not be entirely the best solution for everyone. So first off, if you are using any type of password manager and generator you are ahead of most internet users. Congratulations.

Instead of doing a product, feature-by-feature comparison with the intention to eliminate one product/competitor from another, I want to discuss some topics you need to consider in picking any password manager.

1. Target Customer: Password manager solutions typically target two different customers – Consumer and Industrial. While the basics of protecting passwords are similar, the differences is how much customization is allowed, integration into existing servers/networks and additional functions.
2. Authentication: Security experts all say that the more ways one authenticates themselves to the computer/network/site the better. The security industry standardized on three types of authentications: Something you have (card or token), something you know (PIN or Password), and something you are (biometrics). Security is strengthened by incorporating any two of the three types or using all three. A single PIN or Password does not authenticate the user; it only authenticates that a someone knows the secret but not the person. The tradeoff here is also that the more levels of authentication the higher the security costs.
3. Password Storage: Reading all the articles about the resent hacking attacks, the target has been the password database. It does not matter how complex and unique your password is if someone breaks into the database. Therefore, another consideration has to be where passwords are stored (Hard Drive, Cloud or Token). Here are some considerations:
   

   • File Encryption: Do you encrypt the password files or are you using a service’s encryption? Is there any concern that the encryption could have a backdoor?
   • Authentication Access: Does the product/service have single or multi- factor authentication?
   • Files Access: Are the passwords stored on a sole computer, directory, cloud or token? How do you access your passwords if you are on different machines? Can someone else access your passwords/accounts it you are away from your machine?
   • File Encryption: Do you encrypt the password files or are you using a service’s encryption? Is there any concern that the encryption could have a backdoor?
   • Networks and clouds: Does an IT administrator have access, where are the passwords stored, any back doors, what encryption is used, and how is authentication established?
   • False authentication lockout and recovery: Are there a limited number of authentication attempts before the password file is locked. If it is locked, what is the recovery processes? Will a “brute” force attack work?
   • Token based storage security: If you use a USB device, smartcard or even your smartphone what happens if the device is lost or stolen? How do you recover your passwords? Will others have access to your passwords if they find it?

4. Malware, Phishing, Virus protection: How does the password manager protect from phishing emails, keyloggers and viruses?
5. Additional Application: Many industrial solutions can incorporate other features into the same card. For example employee photo ID, building access control, electronic payment, etc. How will you handle card issuance and management? Some solutions require re-badging whereas others can work with the existing field-issued badges.
6. Customization: Does the security solution require that your conform to it’s default settings or does the technology allow it to be changed per your security policies?
7. Flexibility: Passwords are needed to log onto computers, networks, web sites and applications. Does the password management solution have the flexibility to address all these areas?
8. Multiple platforms: Will the solution work with different operating systems (Windows, Linux, Mac, Android, etc.) and with different browsers (IE, Firefox, Safari, Chrome, etc.)? Does it matter in your environment?
9. Price and cost-of-ownership: Are there any annual or subscription fees? Can licenses be transfers or recycled? What additional hardware and computer modifications are required? How long will it take to install? How much employee training is required to use a product?

While there are some pretty shoddy products on the market, but when dealing with a name brand solution you can rest assure that security and convenience is top notch. Trying to determine if one technology or solution is better than another is like comparing a Range Rover to a Bentley. It all depends on where it is to be used. If your try to use the Bentley for climbing mountain dirt roads and forging raging streams you might think that it is the worst vehicle in the world. But if you are going to the Oscars… well you decide.

Stupid Thing #1: You Undervalue Your Personal Data

Did you know that when a company goes through valuation by a venture capitalist the number of email accounts is reviewed? So while you might not value your information, corporate America does.

Stupid Thing #2: You Submit Sensitive Information Over an Insecure Connection

Besides the https:// servers, users also have to have anti-malware protection that blocks keylogger programs from capturing your credit card information. Use an electronic wallet application that allows you to input credit card information without typing it. 

Stupid Thing #3: You Feed the Trolls

I can’t add much more here.

Stupid Thing #4: You Leave Private Information in Your Web Browser

Sadly, the number one group responsible for committing identity theft is spouses. Other things to protect your accounts include: 1) not saving passwords in the browser, 2) don’t click those “save my password” boxes, 3) don’t use the same password everywhere and 4) use complex passwords that are changed periodically. I recommend a multi-factor password manager that blocks family and friends from getting into your accounts if they are on your computer.

Stupid Thing #5: You Don’t Keep a Backup of Online Data

Also, if you must backup data using online services, encrypt the data before uploading. You don’t know where your data is really being stored and if there are any backdoors in the service’s encryption algorithm. Remember, if there is a security breach at the online service you are still responsible and liable for compromising your customer’s private information.

Stupid Thing #6: Assuming Your Posts and Comments Are Anonymous

Unless you are really skilled, McGee of NCIS fame will find you. Corporate Human Resources department are looking more at a candidate’s Facebook account and less on a resume. So think first before you hit or click that submission button.

Stupid Thing #7: You Let People Track Your Whereabouts

It is fairly easy to track if a person is going to be home. Here’s how: 1) Pick your targets. 2) Send them informative emails and establish a Twitter and Facebook relationship. 3) use the target’s own Facebook account to find other family members of your target. 4) Build a social media relationship with those family members. 5) and sit back and wait for that “Out Of Office” reply, check all of the social media for comments from the family member and 80% of the time you will know when a house will be vacant. So, maybe you want to tell your kids what and when to place information on their fan page.

Stupid Thing #8: You Use an Insecure Password That You Rarely (or Never) Change

This is the topic closest to my heart and I have written many articles, posts, a book and white papers on this topic. Please check out my website for tips and topics about securing passwords. When picking any password manager solution you need to also evaluate how the individual actually authenticates themselves to the service. Also there is a big difference between commercial and corporate password management products and solutions.

Cyber warefare is real. With all the news articles about China hacking into American companies, India breaking into the US Government, Wikileaks, data breaches, cyber-attacks, Pentagon elevation that cyber-attacks could be regarded as an act of war, etc., I thought I had better educate myself and make the leap from identity theft protector to cyber warrior.

For me, the best way to educate myself on critical events in my industry is to start reading some of the latest books on the market. “Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners” by Jason Andress and Steve Winterfeld is one such book that I  am studying. It promises that “the concepts discussed in this book will give those involved in information security at all levels  a better idea of how cyber conflicts are carried out now, how they will change in the future and how to detect and defend against espionage, hacktivism, insider threats and non-state actors like organized criminals and terrorists”.

Even though I am very much a online security professional, I wanted to approach this topic from a layman’s perspective and help develop some strategies that even the small business owner or individual can easily understand and deploy to protect their data.

I will be doing a series of posts that highlights some lessons and thoughts I learned in each of the different chapters of this book and bring out some key points the authors are making. I will not be doing a Cliff Notes version of the book but rather give enough insight to encourage you to also want to read the book and learn how to protect your online presence.

In the Foreword a shocking statement caught my eye that scared the holy pajesus out of me. It needs to be the default text message whenever you start up any computer.

“Identity theft is so commonplace it is no longer [considered] newsworthy. There is just so much stolen data, [that] the criminals have not yet figured out how to use it all. But they will.” – Stephen Northcutt, President, The SANS Technology Institute.

Chapter 1: What is Cyber Warfare?

Being that the title of the book is Cyber Warfare, it would seem that a standard, acceptable definition would be offered. However, that is not the case. It seems that trying to come up with a definition for Cyber Warfare is more difficult than imagined because there are no recognized definitions for “cyberspace” or “warfare”. This conundrum makes me want to paraphrase Supreme Court Justice Potter Stewart’s original quote on pornography and adjust it for this topic: “I may not know how to define Cyber Warfare; and perhaps I never will, but I know it when I see it.”

How I see it, “Cyberspace” is the theater of computer instructions (code) and information (data). “Warfare” is the strategies and tactics of one side using all available resources to achieve power and financial wealth while the other side uses all their available resources to protect their existing power and financial wealth. Cyber warfare is the control of both code and data to achieve/defend power and financial wealth.

The authors presented a very informative strategy and power comparison section between physical versus virtual fronts and how they relate to the Principles of War, the DIME factors and the types of national power. The conclusion I drew was that century old strategies still need to be kept in place; the weapons themselves will not be “Weapons of Mass Destruction”, but rather “Weapons of Mass Disruption” to the civilian population, and that safeguards could morph into monitor and control.

Presidents Bush and Obama both announced initiatives, directives, reports and czars. However, very little headway has been made, especially when the evening news reports another government agency hacked using malware infused emails, the release of confidential documents, the hacking of government smartcards, security protocols released and so on.  And while there may not be an actual Declaration of Cyber War there certainly been enough probes, skirmishes and terrorists activities to elevate a cyber DEFCON level to 3.

This first chapter set up some good ground rules and understanding of the political problems from first defining cyber warfare to managing it. It also raised questions in my mind on whether a cyber-attack on the private versus public sectors can also constitute as an act of war. How does one deal with Weapons of Mass Disruption when imposed by a government onto its own people?  If a citizen within a country attacks another country, how will both countries treat the incident? Is Cyber warfare the government’s excuse to implement a National ID? While these questions might be disturbing, I am excited to read this book and find out if these concerns are addressed.

Be sure to visit again to see what I learn.

The Smart Card Alliance released their weak response to the recent Sykipot Tojan attack which hijacked the Department of Defense authentication smartcards. Unlike hypothetical attacks on smartcards (the Chinese Remainder Theorem Attack comes to mind with the use of a microwave oven and a calculator) this is a real threat to the security of one’s network and data but not so much to the smartcard itself.

The Sykipot Tojan is taking advantages of the flaws and lack of security in Adobe’s PDF documents (zero-day attack) and Microsoft’s Windows OS and anti-virus suppliers are not blocking infected attachments.

How are these attacks happening? The attacker sends a phishing or spear phishing email with a malware infected attachment to an unsuspecting person or employee. The employee opens the attachment and launches the attack. The malware is a keylogger that captures the PIN of the smartcard, reads the user’s certificates within Windows, and then allows the attacker to use this information to log into unauthorized accounts.

The Smart Card Alliance offers only simplistic security strategies.

1. Educate users on safe computer and email practices.
2. Maintain up-to-date anti-virus, -malware and –keylogger software.
3. Implement user analysis and network forensics tools.
4. Include multi-factor authentication (I thought that was the whole purpose of the smartcard)
5. Buy a PIN pad smartcard reader. (Expensive)
6. Hardening the authentication between user, keyboard, and smartcard. (That’s what the OS is suppose to do)
7. Change your card PIN and certificates (Note: changing certificates can wreak havoc on documents, access rights, etc., that used the older certificate. Plus, the attackers will still have access to the older information.)

This is baloney. These recommendations are insulting at best, since it’s Security 101. For the public representatives of the smartcard industry to put out such namby pamby platitudes and either refuse, or even understand how to address the real culprits is an injustice to all of us in the smartcard industry who are working to make data secure and user authentication reliable.

What deeply concerns me about their response is that neither the smartcard industry nor the PKI industry is at fault. Prevention and security is wrongly placed on the user. The fault actually lies with the insecure applications (Adobe), the Operating System (Microsoft) and the network security that don’t detect corrupted files. The attack used was unsophisticated and has been know and experienced for years. Why hasn’t the computer industry addressed these known threats?

So here are my “Key Elements of Security”:

1. Scrap Windows 8 and develop an entirely new operating system from the ground up. Don’t make it backward compatible with anything. Make security an integral part of the design. Sure there will be the cost of new applications and drivers but which is worst? The cost of upgrading or the continuation of the multi-billion dollar identity theft loses which can bring down our economy?
2. Block all Adobe PDF attachments until they fix their problem. No older PDF attachments will be allowed into any computer.
3. Cloud and network manufacture’s products scan attachments for hidden files.
4. Charge these companies $1 billion for every security patch they have to release. Windows Patch Tuesday has been going on since Windows 98. Is the Microsoft Management so keen on profits that building a trusted system is of no real importance  to them? If the U.S. Postal Service needs a new campaign to get people to actually purchase stamps and other postal products then remind every American that “snail mail” is not affected by viruses and can’t take down your computer or network.

The claim that the Common Access Card (CAC) has reduced network intrusion by 46% when replacing passwords is also very misleading. It has reduced the intrusion when you prevent the users from self-managing their passwords.  Time and time again we know that people will pick simple passwords, use the same password everywhere and write passwords on notes. Why? Because we can’t remember that many of them. But if you incorporate a smartcard-based, multi-factor authentication password manager you will see similar intrusion reductions; and, at a fraction of the cost and time. PKI is a great technology and it does some things better than any other technology, but it is not appropriate for everyone. So comparing CAC to self-managed passwords is disingenuous.

As you can see, I am quite distressed and more than a little angry. Not at the hackers, criminals or even the Chinese since they are doing their job and doing it very well. But with the computer industry that allows these attacks to continue. And at the Smart Card Alliance for not identifying the true culprits and offering solid security recommendations. The attack being waged was not sophisticated. So instead of Microsoft, Adobe and others coming up with a new, “pretty” interface, spend the money securing your software.

The cost of identity theft is more than the charges on a credit card. Victims have referred to it as “Identity Rape”. It is incumbent on us, the consumer, to protect our identities with all means that can be brought to bear. If you are interested in more ways to protect your identity, please check out my free book, “Online Identity Theft Protection for Dummies”.