The creation of job posting websites like monster.com, hotjobs.com, careerbuilder.com or even dice.com has really made the marketplace of employers finding employees and employees finding employers an automated, fast and high quality process. Of course, finding 300 resumes in a week is easy. Finding the 5 resumes of the people that you really intend to interview is another story.
The visitor's familiarity with job sites and knowing that they can lead to interviews and hopefully a job or a better job makes them vulnerable, and makes the thief's job easier.
A story in BusinessWeek highlights the risk of 'how much information' you should give to a jobs website. In the story, identity thieves are asking for your social security number, driver's license number, mailing address and birthdate details - even before you start the search, let alone start the job. My recommendation? Never divulge birthdate information except to family, and never, ever, ever give your SSN to a website.
Identity theft is a $50 billion problem, and the habits of citizens can sometimes make them targets for identity theft. A recent article highlighting that the very sensitive Social Security Number is crackable, that is, predictable at an increasing rate, made me reflect on my own habits and practices and put me in a sharing mood.
The algorithm developed by computer scientists at Carnegie Mellon University was able to correctly predict the SSN for Americans born after 1988 for 8.5% of targets in fewer than 1,000 attempts. That's an alarming prospect involving trivial computational resources.
Of course victims don't deserve to have their identities stolen. But their online activities do impact their ability to be safe.
For example, the other day a social networking site that I was contemplating joining asked me to provide my birthdate information. I ignored the request and was told it was mandatory. Too bad and I left.
Facebook allows users to post their birthdates for friends to see. Of course, we all love getting attention on our birthdays, but since it is a big site and acts as a big target for hackers, getting that database of birthday information is worth a great deal of effort.
A friend in New Jersey signed up to a birthday registration site and asked me to do the same so both he and I could exchange automated email birthday wishes in some kind of grand calendar. I refused. Even though I like to get birthday greetings (my half-life is coming due soon) like anybody else, I don't like to share it online because I am concerned about the risk of theft and abuse. Surely if the nation's largest retailers are routinely hacked for credit card information, a crummy birthdate calendaring site is not only a softer target but they're not likely to do anything about it when they discover the hack... and neither are the victims.
So what can you do if you know where someone lives and their birthdate?
With the rise in phishing attacks masquerading as banking sites, eBay or PayPal sites, users can be duped into providing other sensitive personal information, like a mother's maiden name, that takes down one more layer in the wall of security around any one person, like the brick game, shown here for Pocket PC.
So, if someone can predict your SSN, and someone else can find your birthday, and someone else can find out your address.... Isn't that a recipe for disaster?
Stop the gathering, publishing and promoting of birthdates online. Keep this a personal, human-to-human thing.
Create a service that discovers and reports what the web knows about you. I like the idea of reports that are more personal than the web reputation services I've seen for brand reputation management services. The downside, of course, is that you can find out information about people who aren't you. Could be useful in tracking down deadbeat dads that owe child support payments.
Some folks think that recessions are exactly the wrong time to introduce new products. Sadly, these industry laggards miss out on the great advantage that recessionary times bring to vendors. Fortunately, NCP and Brockmann & Company (and many others I'm sure) believe that recessionary times are EXACTLY the right time to introduce new products.
NCP, the German VPN security company, plans to introduce the NCP Secure Enterprise Server and the NCP Secure Enterprise Management System to the US market. Until now, only the client has been available for download, sale and support from NCP. For the first time, users can purchase licenses to the server that terminates the IPSec and SSL clients through a newly forming network of NCP authorized security resellers.
The software is designed to enable large-scale termination of both IPSec and SSL sessions, providing a monitoring window and control point for any VPN connection to the enterprise network. This way, the same security policies can be applied regardless of access methodology. The recommended configuration of hardware and software platforms (NCP software is integrated onto a hardware platform by the reseller) can support a high availability load balancing service for SSL session integrity and quality. The architecture is scalable to as many as 10,000 concurrent SSL sessions.
The server supports termination of iPhone VPN clients including PPTP, L2TP and Cisco IPSec. And for Windows shops, the software can be loaded onto Windows Server 2008 (32 or 64-bit servers) or Linux. (The client already supports Symbian OS).
The server can also provide a VPN-oriented Network Access Control to confirm policy settings (presence of updates and patches) and initiate remediation services to 'clean up' poorly managed devices BEFORE they attach to the enterprise network.
Once an enterprise gets to about 100 or so clients, the time and cost of effective management of the VPN communications system overwhelms the general deployments. At that level, enterprises need professional tools to manage the automated deployment of software, the management of updates and surveillance of the sessions.
The management system acts as the central point of control for administration, configuration and operation and can be integrated with LDAP or Active Directory services for Identity and Access Management controls such as password authentication, or other methods or policy services. Activity logs record what VPN-attached users did while connected, providing an effective central audit trail in the event of suspicious activities, and software version control features assure that plugin updates and configuration settings can be delivered over the LAN without necessarily engaging in a VPN connection.
The SEMS can also pass information up into higher level enterprise management applications.
I'm confident that NCP will discover that a recession is precisely the right time to expand their footprint in the US and introduce the server and management software products. The power of their careful approach to the market - downloadable clients first and then servers with plenty of reseller value-add to be enabled - will certainly attract clever security resellers who appreciate quality product and focused market entry. Besides, NCP knows many client users that are looking for more sophisticated and complementary server solutions that can support their environments and security requirements for an array of remote and mobile device implementations.