Archive for the year 2010

Lessons from the Gawker password leak

Recently, the Gawker family of web sites suffered a data breach in which millions of password records were stolen, and many of the passwords were cracked and published. The incident revealed, once again, that many people use very weak passwords, but it holds other important lessons as well.

A key lesson from the attack is that any site holding a large number of passwords must have a plan for responding to a compromised password file. Gawker’s technical inability to force password updates, or even to email its users, is inexcusable. Still, such measures cannot contain the damage on their own. The biggest missed angle on this story is that it is not just a Gawker hack: because many users reuse the same email/password combination everywhere, the cracked credentials can be used to compromise accounts on thousands of other websites.
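To make the two points above concrete, here is an added example (not part of the original post, and not Gawker’s code or data). It builds a small constructed password dump, runs the kind of offline dictionary attack that cracked the real records, checks which recovered email/password pairs also open accounts at a second, unrelated site, and produces the breach-response plan the post argues every site must be able to execute. The hash schemes, salts, wordlist, user lists and site names are all assumptions for illustration; the real Gawker storage format is not described on this page.

```python
import hashlib
import hmac

# Constructed sample data for this example only (not the real Gawker dump).
# Site A stores (email, salt, digest). The hash scheme is an assumption:
# a single salted SHA-1, standing in for a typical fast hash of the era,
# beside PBKDF2 as the hardened alternative.
SITE_A_USERS = [
    ("alice@example.com", b"salt-a1", "123456"),
    ("bob@example.com",   b"salt-b2", "Tr0ub4dor&3"),
    ("carol@example.com", b"salt-c3", "letmein"),
    ("dave@example.com",  b"salt-d4", "correct horse battery staple"),
]
# A second, unrelated site (constructed) where one user reused her password.
SITE_B_USERS = [
    ("alice@example.com", b"salt-a9", "123456"),          # reused from site A
    ("carol@example.com", b"salt-c9", "something-else"),  # different password
    ("erin@example.com",  b"salt-e9", "letmein"),         # not in the site A leak
]
# A tiny constructed wordlist; real attacks use millions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "monkey", "gawker"]


def hash_fast(salt, password):
    """Fast salted hash: one SHA-1 over salt||password. Cheap to guess against."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def hash_slow(salt, password, iterations=20_000):
    """Slow KDF: PBKDF2-HMAC-SHA256. Every guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_dump(users, hash_fn):
    """What the attacker actually steals: (email, salt, digest), no plaintext."""
    return [(email, salt, hash_fn(salt, pw)) for email, salt, pw in users]


def crack(dump, wordlist, hash_fn):
    """Offline dictionary attack. Returns {email: recovered_password}.

    The salt is public to whoever holds the dump, so it only prevents
    precomputation; any password in the wordlist still falls.
    """
    cracked = {}
    for email, salt, digest in dump:
        for guess in wordlist:
            if hmac.compare_digest(hash_fn(salt, guess), digest):
                cracked[email] = guess
                break
    return cracked


def cross_site_exposure(cracked, other_dump, other_hash_fn):
    """Credential reuse check: which cracked pairs also open accounts elsewhere?"""
    other = {email: (salt, digest) for email, salt, digest in other_dump}
    hits = []
    for email, pw in cracked.items():
        if email in other:
            salt, digest = other[email]
            if hmac.compare_digest(other_hash_fn(salt, pw), digest):
                hits.append(email)
    return sorted(hits)


def breach_response(dump, cracked):
    """Response plan once the password file is known to be stolen.

    Every account gets a forced reset and a notice, not only the ones
    already cracked: the attacker keeps guessing after publication.
    Cracked accounts additionally get a warning to change reused passwords.
    """
    return {
        email: {"force_reset": True, "notify": True, "warn_reuse": email in cracked}
        for email, _, _ in dump
    }


if __name__ == "__main__":
    dump_a = make_dump(SITE_A_USERS, hash_fast)
    found = crack(dump_a, WORDLIST, hash_fast)
    print("cracked at site A:", found)
    print("reused at site B:", cross_site_exposure(found, make_dump(SITE_B_USERS, hash_fast), hash_fast))
    print("response plan:", breach_response(dump_a, found))
```

Running it shows the two weak passwords cracked regardless of the salt, the reused credential opening a second site, and a plan that resets every account rather than only the cracked ones. Swapping `hash_fast` for `hash_slow` recovers exactly the same accounts: a slow KDF multiplies the attacker’s per-guess cost (here by 20,000) and protects the strong passwords from exhaustive search, but it does not rescue a password that sits at the top of a wordlist.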

Time to register for Financial Cryptography 2011

Planning for the 2011 Financial Cryptography and Data Security conference (commonly known as FC) is coming along nicely.

There is a great collection of accepted papers covering a variety of interesting topics, including: exposure of personal data, privacy risks of location-based services, private information retrieval, e-Banking, botnets, web security, Internet voting, EMV credit cards, password recovery, RFID, and many more…

There will also be workshops on: ethics in computer security research, authentication and authorization on the web, and real-life cryptographic protocols

FC11 will be held in St. Lucia at the Bay Gardens Beach Resort from Feb. 28 to March 4, 2011. Hotel rooms are only being held until Dec. 30, 2010 (extended from the original Dec. 15, 2010 deadline), so book your room now.

St. Lucia has two airports and travel arrangements can be easily made from all over the world.

See you in February!

The TSA and the Stanford Prison Experiment

Watching this video (and the associated description) of psychological abuse of a passenger by TSA officials in a US airport reminds me of watching video from the infamous Stanford Prison Experiment.

In that experiment, conducted in 1971 in the basement of the Stanford Psychology building, normal, healthy students were randomly assigned to the roles of prisoners and guards in a mock prison. Over the course of six days, the “guards” developed extremely authoritarian, abusive behavior towards the “prisoners”, and subjected some of the “prisoners” to torture. Philip Zimbardo, the head of the study, reflected later on the results:

The situation won; humanity lost. Out the window went the moral upbringings of these young men, as well as their middle-class civility. Power ruled, and unrestrained power became an aphrodisiac. Power without surveillance by higher authorities was a poisoned chalice that transformed character in unpredictable directions. I believe that most of us tend to be fascinated with evil not because of its consequences but because evil is a demonstration of power and domination over others.

It seems to me that the actions of the TSA could be described in the same way. Without oversight, power has taken the place of rationality and domination seems to be the goal.

Airport security in Israel and North America: Focus on the person not the stuff

This is an interesting article on how security procedures in Israel are very different from those used in North America. In Israel the focus is on the person — asking questions and looking in their eyes. In North America the focus is on stuff — that they might be carrying or concealing. Interesting differences…

Despite facing dozens of potential threats each day, the security set-up at Israel’s largest hub, Tel Aviv’s Ben Gurion Airport, has not been breached since 2002, when a passenger mistakenly carried a handgun onto a flight. How do they manage that?

“The first thing you do is to look at who is coming into your airport,” said Sela.

Very expensive computer repairs

Sometimes, the computer repair man is your biggest enemy. Not only can the technicians access any private, unprotected information on your system, they can also use that information against you. This story describes an elaborate scheme of psychological exploitation used to commit a very large fraud.

According to police, the pair were able to convince Davidson that the virus was in fact a symptom of a much larger plot in which he was being menaced by government intelligence agencies, foreign nationals and even priests associated with Catholic organisation, Opus Dei.

So convinced was the victim he is said to have agreed to pay the pair $160,000 per month for 24-hour protection against the fictitious threats, payments which continued until recently.

Nov. 16, CapCHI event, David Barrera on usability and security of Android


David Barrera will be speaking on Usability and Security of Android, Google’s Open Source Smartphone System

Date: Tuesday November 16, 2010
Time: 6:00pm
Place: TheCodeFactory, 246 Queen St., Ottawa
See http://www.capchi.org/events

The adoption of Android-based smartphones is growing at a rapid pace (nearly 200,000 activations per day) which has placed Google among the top smartphone system vendors worldwide. Despite Android’s open source nature, there are a number of security and usability issues that have yet to be addressed. This talk will cover issues related to security prompts and notices on the device, permission granting, smudge attacks and application security. We will discuss how these issues affect other platforms as well, including Apple iOS, Blackberry, and Symbian.

David Barrera is a 1st year Ph.D. student in Computer Science at Carleton University under the direction of Paul Van Oorschot. His research interests include smartphone and mobile OS security, data visualization, network security and IPv6.

Implanting false memories to sell products


Memory research has demonstrated that it is easy to implant false memories, convincing people that they had experienced some event or emotion that never really happened. This has long been a problem in the area of forensic psychology and eyewitness testimony.

Now researchers are speculating about implanting false memories by altering photographs, perhaps stored on a social network site like Facebook, to insert products into situations that never really happened.

Would adding Coca-Cola bottles to your favorite photos from last Christmas change your attitudes toward, and desire to buy, the product?

By taking advantage of implanted memories, corporate product placement in photos on social networking sites could finally accomplish the much-desired — but incredibly difficult — goal of altering brand loyalty,

International Conference on Trust and Trustworthy Computing

TRUST2011 is scheduled for June and the Call for Papers is out. I am on the program committee for the socio-economic strand and papers are due February 15, 2011.

TRUST 2011 is an international conference on the technical and socio-economic aspects of trustworthy infrastructures. It provides an excellent interdisciplinary forum for researchers, practitioners, and decision makers to explore new ideas and discuss experiences in building, designing, using and understanding trustworthy computing systems.

Symposium on Usable Privacy and Security (SOUPS 2011)

The Call for Papers for SOUPS 2011 is now out. It is my pleasure to be on the program committee again.

The symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, discussion sessions, and in-depth sessions (workshops and tutorials). This year SOUPS will be held in Pittsburgh, PA.

Papers are due March 11, 2011.

Remembering Andreas Pfitzmann

Kim Cameron has posted a remembrance of Andreas Pfitzmann, a shining light in the field of security and privacy research. Andreas was a professor at the Technische Universität Dresden and I had the privilege of visiting with him during a PETS conference in 2003.

Andreas was a gracious host and avid hiker and, like Cameron, I will always value his contribution of a clear terminology for the often confusing world of anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management.