<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Andrew Patrick &#187; Security &amp; privacy</title>
	<atom:link href="http://www.andrewpatrick.ca/category/security-and-privacy/feed" rel="self" type="application/rss+xml" />
	<link>http://www.andrewpatrick.ca</link>
	<description></description>
	<lastBuildDate>Wed, 02 Jun 2010 16:25:54 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security skills in demand</title>
		<link>http://www.andrewpatrick.ca/security-and-privacy/security-skills-in-demand</link>
		<comments>http://www.andrewpatrick.ca/security-and-privacy/security-skills-in-demand#comments</comments>
		<pubDate>Fri, 14 May 2010 15:05:42 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security & privacy]]></category>

		<guid isPermaLink="false">http://www.andrewpatrick.ca/?p=919</guid>
		<description><![CDATA[Employers are looking for specific skills when hiring security professionals, and these mirror the most common issues and threats seen today.
So what do employers in the federal and private sectors want in a security pro today? The most in-demand qualifications basically mirror the types of attacks, breaches, and threats these organizations face today, as well [...]]]></description>
			<content:encoded><![CDATA[<p><img alt="" src="/wp-content/uploads/1074118_hand_and_key.jpg" title="key" class="alignright" width="56" height="100" />Employers are <a href="http://www.darkreading.com/vulnerability_management/security/government/showArticle.jhtml?articleID=224701863&#038;cid=RSSfeed">looking for specific skills</a> when hiring security professionals, and these mirror the most common issues and threats seen today.</p>
<blockquote><p>So what do employers in the federal and private sectors want in a security pro today? The most in-demand qualifications basically mirror the types of attacks, breaches, and threats these organizations face today, as well as the regulations that help dictate their defenses: They&#8217;re looking for experience in incident-handling and response, compliance, risk management, business-side acumen, security clearance for sensitive government work, and leadership. </p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewpatrick.ca/security-and-privacy/security-skills-in-demand/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researchers hack car computer systems</title>
		<link>http://www.andrewpatrick.ca/security-and-privacy/car-hacking</link>
		<comments>http://www.andrewpatrick.ca/security-and-privacy/car-hacking#comments</comments>
		<pubDate>Fri, 14 May 2010 15:00:28 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security & privacy]]></category>

		<guid isPermaLink="false">http://www.andrewpatrick.ca/?p=916</guid>
		<description><![CDATA[Researchers will be presenting a paper at the IEEE security conference in Oakland next week that demonstrates various attacks against the computer systems in modern cars. These attacks allow someone to control a variety of systems, including the brakes, and even erase all evidence of the attacks. We know a lot about building safety-critical [...]]]></description>
			<content:encoded><![CDATA[<p><img alt="" src="/wp-content/uploads/760290_car_wreck.jpg" title="car crash" class="alignright" width="88" height="100" />Researchers will be presenting a paper at the IEEE security conference in Oakland next week that demonstrates various attacks against the computer systems in modern cars. These attacks allow someone to control a variety of systems, including the brakes, and even erase all evidence of the attacks. We know a lot about building safety-critical systems, but we seem to also be good at ignoring the lessons.</p>
<blockquote><p>Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car’s two internal subnets. </p></blockquote>
<p>The paper is available <a href="http://www.autosec.org/pubs/cars-oakland2010.pdf">here</a>.</p>
<p>Media coverage can be read <a href="http://www.networkworld.com/news/2010/051410-car-hackers-can-kill-brakes.html">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewpatrick.ca/security-and-privacy/car-hacking/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Denial-of-Phone While Draining Accounts</title>
		<link>http://www.andrewpatrick.ca/security-and-privacy/denial-of-phone-while-draining-accounts</link>
		<comments>http://www.andrewpatrick.ca/security-and-privacy/denial-of-phone-while-draining-accounts#comments</comments>
		<pubDate>Thu, 13 May 2010 17:25:53 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security & privacy]]></category>

		<guid isPermaLink="false">http://www.andrewpatrick.ca/?p=910</guid>
		<description><![CDATA[Here is an interesting attack method: launch a denial-of-phone attack to prevent communication with a bank while draining the accounts. Apparently, fake VoIP accounts were set up to phone the victim repeatedly while the bad guys transferred thousands of dollars out of the accounts. This is an example of a cross-over attack using different types of [...]]]></description>
			<content:encoded><![CDATA[<p><img src='http://www.andrewpatrick.ca/wp-content/uploads/324629_antique_red_rotary_phone_1.jpg' alt='telephone' />Here is an interesting attack method: launch a denial-of-phone attack to prevent communication with a bank while draining the accounts. Apparently, fake VoIP accounts were set up to phone the victim repeatedly while the bad guys transferred thousands of dollars out of the accounts. This is an example of a cross-over attack using different types of technologies to perform the fraud.</p>
<blockquote><p><em>The FBI says the calls were a diversionary tactic, meant to tie up Thousand’s line so that Ameritrade couldn’t reach him to authenticate the money transfer requests.</em></p></blockquote>
<p>via <a href="http://www.wired.com/threatlevel/2010/05/telephony-dos/">Thieves Flood Victim’s Phone With Calls to Loot Bank Accounts | Threat Level | Wired.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewpatrick.ca/security-and-privacy/denial-of-phone-while-draining-accounts/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fake Bomb Detectors</title>
		<link>http://www.andrewpatrick.ca/security-and-privacy/fake-bomb-detectors</link>
		<comments>http://www.andrewpatrick.ca/security-and-privacy/fake-bomb-detectors#comments</comments>
		<pubDate>Sat, 23 Jan 2010 15:41:01 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security & privacy]]></category>
		<category><![CDATA[Skepticism & beliefs]]></category>

		<guid isPermaLink="false">http://www.andrewpatrick.ca/?p=901</guid>
		<description><![CDATA[A military supplier has been making lots of money selling dowsing-like devices to troops in Iraq that are supposed to detect explosives and other nasty materials. The devices come equipped with different programming cards to customize the substances they search for.
There has been speculation that the devices are fake and the programming cards don&#8217;t do [...]]]></description>
			<content:encoded><![CDATA[<p><img alt="" src="/wp-content/uploads/627728_biz_card.jpg" title="card" class="alignright" width="100" height="75" />A military supplier has been making lots of money selling dowsing-like devices to troops in Iraq that are supposed to detect explosives and other nasty materials. The devices come equipped with different programming cards to customize the substances they search for.</p>
<p>There has been speculation that the devices are fake and the programming cards don&#8217;t do anything. Now comes <a href="http://www.lightbluetouchpaper.org/2010/01/22/placebo-bomb-detectors/">an analysis</a> of the cards by careful disassembly, and the results are predictable&#8230;</p>
<blockquote><p>There is no way in which this device could be programmed to distinguish the many different substances that the ADE651 manufacturer claimed it could, not to mention that any useful interaction with such an LC circuit would require a transmitter antenna, a power source, and lots of other components that the ADE651 appears to lack.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewpatrick.ca/security-and-privacy/fake-bomb-detectors/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Funding available for privacy research in Canada</title>
		<link>http://www.andrewpatrick.ca/security-and-privacy/funding-for-privacy-research</link>
		<comments>http://www.andrewpatrick.ca/security-and-privacy/funding-for-privacy-research#comments</comments>
		<pubDate>Thu, 21 Jan 2010 15:37:21 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security & privacy]]></category>

		<guid isPermaLink="false">http://www.andrewpatrick.ca/?p=898</guid>
		<description><![CDATA[My new employer, The Office of the Privacy Commissioner of Canada, is again calling for research and public education proposals for its contributions programs.
Research into the privacy implications of information technologies is one of the four priority areas for funding support under this year&#8217;s program.  Emerging information technologies can threaten the privacy of Canadians [...]]]></description>
			<content:encoded><![CDATA[<p><img alt="" src="/wp-content/uploads/button-research-eng.jpg" title="office graphic" class="alignright" width="150" height="61" />My new employer, The Office of the Privacy Commissioner of Canada, is again calling for research and public education proposals for its contributions programs.</p>
<p>Research into the privacy implications of information technologies is one of the four priority areas for funding support under this year&#8217;s program.  Emerging information technologies can threaten the privacy of Canadians or enhance it – and sometimes both simultaneously.  For that reason, the Office is especially interested in receiving funding applications from researchers examining, from a scientific or technical standpoint, the impact of information technologies on privacy.</p>
<p>Not-for-profit organizations, including education institutions, industry and trade associations, consumer, voluntary and advocacy organizations are all eligible under the program. Up to $50,000 is available for successful projects. The deadline for submitting applications is February 26, 2010.  </p>
<p>More information is available at: </p>
<p><a href="http://www.priv.gc.ca/resource/cp/p_index_e.cfm">http://www.priv.gc.ca/resource/cp/p_index_e.cfm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewpatrick.ca/security-and-privacy/funding-for-privacy-research/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Phishing Attacks Rarely Work, But Still Worth Millions</title>
		<link>http://www.andrewpatrick.ca/security-and-privacy/phishing-attacks-worth-millions</link>
		<comments>http://www.andrewpatrick.ca/security-and-privacy/phishing-attacks-worth-millions#comments</comments>
		<pubDate>Tue, 08 Dec 2009 06:23:19 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security & privacy]]></category>

		<guid isPermaLink="false">http://www.andrewpatrick.ca/?p=879</guid>
		<description><![CDATA[A new report from Trusteer has shown that phishing attacks are rarely successful, but still worth millions of dollars to the attackers.
Trusteer makes a browser plugin called Rapport which is given away for free to customers of certain banks (including some Canadian banks). The plugin monitors for phishing attacks and can detect when someone is [...]]]></description>
			<content:encoded><![CDATA[<p>A new report from Trusteer has shown that phishing attacks are rarely successful, but still worth millions of dollars to the attackers.</p>
<p><img alt="" src="/wp-content/uploads/922688_fishing_lure.jpg" title="lure" class="alignleft" width="100" height="74" /><a href="http://www.trusteer.com/">Trusteer</a> makes a browser plugin called Rapport which is given away for free to customers of certain banks (including some Canadian banks). The plugin monitors for phishing attacks and can detect when someone is submitting login information to a false banking site. Rapport has been installed on about 3 million computers in Europe and North America, and data collected by the plugin provides a valuable look into the damage caused by phishing attacks.</p>
<p>In <a href="http://www.trusteer.com/sites/default/files/Phishing-Statistics-Dec-2009-FIN.pdf">the recent study</a>, Trusteer monitored the data from the Rapport plugin during a three-month period, and in that time it analyzed phishing attacks against 10 large banks in the US and Europe. The key findings were:</p>
<ul>
<li>each bank was targeted by an average of 16 phishing attacks per week (or about 832 attacks per year) </li>
<li>out of every million bank customers, about 12 (0.00125%) are lured into visiting each false web site that was studied. This is a very low success rate, but&#8230;</li>
<li>given that a bank experiences many phishing attacks in a year, about 1.04% of its customers were lured to one of the false web sites each year</li>
<li>once people were lured to a false web site, about 50% of the time they entered and submitted their login information</li>
<li>doing the math, this means that about 0.47% of a bank's customers revealed their login information to criminals each year</li>
<li>if the losses from stolen login information total $2,000 per case, then a bank with a million customers lost about $9.4 million per year</li>
<li>&#8230;and that money is going to criminals</li>
</ul>
<p>Whoever said that crime does not pay did not try phishing.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewpatrick.ca/security-and-privacy/phishing-attacks-worth-millions/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Swapping fingerprints to fool immigration</title>
		<link>http://www.andrewpatrick.ca/security-and-privacy/switching-fingerprint</link>
		<comments>http://www.andrewpatrick.ca/security-and-privacy/switching-fingerprint#comments</comments>
		<pubDate>Tue, 08 Dec 2009 05:01:18 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security & privacy]]></category>

		<guid isPermaLink="false">http://www.andrewpatrick.ca/?p=874</guid>
		<description><![CDATA[A Chinese woman managed to enter Japan illegally by having plastic surgery to alter her fingerprints, thus fooling immigration controls, police claim.
This is a case of a woman who underwent surgery to alter her fingerprints in order to get past Japanese immigration procedures. Apparently, the measures worked and she was only found out when arrested [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>A Chinese woman managed to enter Japan illegally by having plastic surgery to alter her fingerprints, thus fooling immigration controls, police claim.</p></blockquote>
<p><img alt="" src="/wp-content/uploads/935144_ten.jpg" title="fingers" class="alignright" width="100" height="67" /><a href="http://news.bbc.co.uk/2/hi/asia-pacific/8400222.stm">This is a case</a> of a woman who underwent surgery to alter her fingerprints in order to get past Japanese immigration procedures. Apparently, the measures worked and she was only found out when arrested on an unrelated charge.</p>
<p>The surgery switched the fingerprints of the thumbs and index fingers between the two hands, presumably to allow the person to present the original or modified fingerprint when given the option of which hand to present to a scanner. </p>
<p>It makes me wonder if fingerprint transplants between people are also a viable threat. It is also not clear how 10-print systems that record fingerprints from all the fingers, such as those now used by US immigration, would handle such finger swapping.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewpatrick.ca/security-and-privacy/switching-fingerprint/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Launch of NetSafetyGuide.com</title>
		<link>http://www.andrewpatrick.ca/security-and-privacy/netsafetyguide-com</link>
		<comments>http://www.andrewpatrick.ca/security-and-privacy/netsafetyguide-com#comments</comments>
		<pubDate>Fri, 06 Nov 2009 15:17:49 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Security & privacy]]></category>

		<guid isPermaLink="false">http://www.andrewpatrick.ca/?p=851</guid>
		<description><![CDATA[Today I am launching NetSafetyGuide.com, an ad-supported site offering practical, up-to-date news and tips about Internet safety and security.
I believe that there is very little down-to-earth, practical information available for individuals and small businesses who want to stay secure on the Internet, but don&#8217;t know how to do it. My intention with this site is [...]]]></description>
			<content:encoded><![CDATA[<p><img alt="" src="/wp-content/uploads/568474_e-sign.jpg" title="internet metaphore" class="alignright" width="100" />Today I am launching <a href="http://netsafetyguide.com">NetSafetyGuide.com</a>, an ad-supported site offering practical, up-to-date news and tips about Internet safety and security.</p>
<p>I believe that there is very little down-to-earth, practical information available for individuals and small businesses who want to stay secure on the Internet, but don&#8217;t know how to do it. My intention with this site is to provide current, direct advice and news that people will find useful.</p>
<p>Drop by and check it out.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewpatrick.ca/security-and-privacy/netsafetyguide-com/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encryption Without Administrator Privileges?</title>
		<link>http://www.andrewpatrick.ca/security-and-privacy/encryption-without-admin-privileges</link>
		<comments>http://www.andrewpatrick.ca/security-and-privacy/encryption-without-admin-privileges#comments</comments>
		<pubDate>Thu, 22 Oct 2009 15:51:26 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security & privacy]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[FreeOTFE]]></category>
		<category><![CDATA[IronKey]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[TrueCrypt]]></category>

		<guid isPermaLink="false">http://www.andrewpatrick.ca/?p=836</guid>
		<description><![CDATA[I am working on building an encryption solution for novice Windows users who do not have administrator privileges on the machines they use. Giving the users admin access is not an option because of the environment they work in.
I have explored a couple of different technologies and I would like to hear what other people [...]]]></description>
			<content:encoded><![CDATA[<p><img alt="" src="/wp-content/uploads/865988_lock_it_4.jpg" title="lock and key" class="alignright" width="200" />I am working on building an encryption solution for novice Windows users who do not have administrator privileges on the machines they use. Giving the users admin access is not an option because of the environment they work in.</p>
<p>I have explored a couple of different technologies and I would like to hear what other people have done. Do you know of any good technologies for this problem?</p>
<p>The encryption solution would primarily be used for safely storing files on USB flash drives that are carried between work locations, but it might also be used for safe storage on laptop and office computers.</p>
<p>I am a big fan of <a href="http://www.truecrypt.org/">TrueCrypt</a> and have had a lot of success creating encrypted containers on USB drives. But TrueCrypt requires an admin account to install and run the software, so these users can’t use it. It seems that most encryption solutions also require administrator privileges.</p>
<p>I have tried <a href="http://www.freeotfe.org/">FreeOTFE</a>, which offers a no-install version called FreeOTFE Explorer. This software can be copied to a USB drive and then run by a non-admin user. The user can create an encrypted container, mount it, and then drag files and folders into the container using an Explorer-like interface. So far, so good.</p>
<p>The problem with FreeOTFE Explorer is that the users cannot work with the files within the secure container. They can’t, for example, double click on a .doc file in the Explorer-like window and launch Word to edit the file. The only thing they can do with files in the secure container is extract them to an unsecure disk.</p>
<p>This means that a workflow using FreeOTFE Explorer would have to be something like:</p>
<ul>
<li>open the container</li>
<li>extract the file to an unsecure disk</li>
<li>edit and save the file</li>
<li>copy the file back to the encrypted container, using an overwrite option</li>
<li>remove the copy on the unsecure disk</li>
</ul>
<p>This is overly cumbersome and likely to lead to insecurities if the unsecure disk is not kept clean. I would really like these novice users to be able to work with files in the same way they are used to on unsecure disks.</p>
<p>The other option I have looked at is encrypted USB flash drives. Some drives, such as the ones from <a href="http://www.ironkey.com">IronKey</a>, have hardware encryption technology that can be used without administrator privileges. I don’t own one of these but, as far as I can tell, their operation should be transparent and users should be able to click on their files to open applications in the usual way.</p>
<p>IronKey drives, and other similar hardware encryption drives, are expensive, with prices being 4-5 times that of a normal USB drive. However, they may be the best solution to my problem, at least for securing files on USB drives. They would not provide a solution for secure storage on laptop hard drives or desktop computers.</p>
<p><em>Do you know of any other encryption solutions for users without administrator privileges? Please post a comment below.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewpatrick.ca/security-and-privacy/encryption-without-admin-privileges/feed</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Location-Based Services and Your Privacy</title>
		<link>http://www.andrewpatrick.ca/security-and-privacy/location-privacy</link>
		<comments>http://www.andrewpatrick.ca/security-and-privacy/location-privacy#comments</comments>
		<pubDate>Mon, 19 Oct 2009 14:21:23 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security & privacy]]></category>

		<guid isPermaLink="false">http://www.andrewpatrick.ca/?p=811</guid>
		<description><![CDATA[Location-based technology (LBT) refers to equipment and methods for determining the geographic location of a device, such as a mobile phone. The technology is used to provide location-based services (LBS) that use the geographic information to customize a service in some way. A common example is a Geographic Positioning System (GPS) navigation device in a [...]]]></description>
			<content:encoded><![CDATA[<p><img alt="" src="/wp-content/uploads/369936_washington_dc_on_the_map_1.jpg" title="map with pointer" class="alignright" width="200" />Location-based technology (LBT) refers to equipment and methods for determining the geographic location of a device, such as a mobile phone. The technology is used to provide location-based services (LBS) that use the geographic information to customize a service in some way. A common example is a Geographic Positioning System (GPS) navigation device in a car that displays a user’s current location on a map and directions to a desired destination. Location-based technology is also appearing in consumer devices such as mobile phones and portable computers. Mobile location-based services provide information or entertainment that changes depending on the location of the device. A specialized location-based service for mobile phones is enhanced 911, where location information is passed from the telephone provider to the 911 call centre during an emergency call. Canadian mobile telephone providers are supposed to complete deployment of enhanced 911 services by Feb. 2010, and this requirement is helping to drive the availability of location-based technologies in telephone networks and mobile phones.</p>
<p>Location-based technology and services are becoming popular very fast. A recent Gartner report predicts that the number of LBT users will double in 2009 to 96 million people worldwide. Revenue from LBS is also expected to at least double to a worldwide total of 2.2 billion (U.S.) dollars. The importance of location-based services for mobile phones is illustrated by the recent purchase of Navteq (the leading digital mapping company) by Nokia (the leading mobile phone company). </p>
<p>Location-based technology relies on geographic data provided by some kind of infrastructure. For mobile phones, location information can be obtained from the cellular infrastructure. By measuring which cellular antennas are closest to a mobile phone, and knowing where those antennas are located, a mobile telephone provider can use triangulation to calculate a moderately accurate location. Many modern mobile phones are also being equipped with GPS capabilities. By receiving data from a collection of orbiting satellites, GPS devices are able to calculate location information to a high level of accuracy. Also, by tracking the location information over time, GPS devices can determine the speed and direction of travel.</p>
<p>Location information can also be obtained from local infrastructures. Information about nearby Wi-Fi or Bluetooth networks can be used to calculate approximate geographic locations. For example, while Apple’s iPhone uses GPS technology to provide accurate location information, the iPod Touch uses Wi-Fi information to calculate approximate locations. This type of local service is important indoors where GPS and cellular services may not work properly.</p>
<p><img alt="" src="/wp-content/uploads/1022488_heavy_traffic.jpg" title="traffic" class="alignleft" width="224" height="300" />Location-based technology is being used in a number of application areas. Mapping and navigation has already been discussed. Real-time traffic and weather information that is sensitive to the current location and planned route can also be provided. LBT can also be used for commerce applications, such as providing information about the closest stores or restaurants. Advertisements can also be sent to a user’s mobile phone based on their current location. Purchases could also be completed using location-based technology and a form of electronic payment – a customer would point their phone at the desired object and then authorize electronic payment. Automatic tollbooth systems that rely on low-power transmitters attached to vehicles are an example of this kind of location-based transaction.</p>
<p>Location-based technology can also be used for monitoring and tracking applications. Employees carrying mobile phones or vehicles in a corporate fleet can be tracked. Location-based tracking is already common for monitoring the movements of people under house arrest or other judicial restrictions. The same technology could be used to track children or senior citizens.</p>
<p>Although location-based services can be very valuable for the user, there are significant privacy implications. Location information is personal and private, and inappropriate use of the information can have significant negative consequences. Knowing that someone is out of town, for example, may be an invitation for criminals to rob their home. Being able to track a person’s movements may provide an opportunity for stalking. Because of these concerns, proper safeguards must be in place to protect any location information that is collected.</p>
<p>The most fundamental privacy issue is ownership and control of the location information. The current model is that, although it is the customer who owns the mobile phone, the location information is owned and controlled by the telephone company. The location information is in effect sold back to the customer embedded in some kind of service. The customer then becomes subject to any agreements and terms of service that they have arranged with the telephone company, and their partners. If a customer is not happy with the service or any privacy policies involved, they may have few options. This is especially true in places where the choice of telephone companies is limited.</p>
<p>Another important issue for location-based services in mobile phones is consent to gather and use the information. Cellular-based location information can be collected and used by the network operator without the customer’s knowledge or consent. Also, GPS devices embedded in mobile phones are often enabled by default and, although it may be possible to turn them off, controlling the devices can be difficult. Moreover, the services enabled by the location devices can be intrusive and unwanted. For example, location-sensitive advertisements that are pushed to mobile phones and automatically displayed would raise issues of consent.</p>
<p>Limiting the use of location information is also a concern. A mobile telephone provider and its customers will need to reach an agreement about how the location information is used, to whom it will be disclosed, and how long it will be retained. Location information may be particularly important in legal cases where establishing a person’s location at a specific time is crucial to a case. Canadian lawmakers are currently discussing new lawful access rules and the privacy of location information records should be included in that debate.</p>
<p>As mentioned previously, location information can be used to monitor and control individuals and activities. Knowing where someone is at all times can be used as a method of controlling his or her life. Location information can also be used to trigger a remote control, such as disabling a device if it is moved beyond some boundary. Understanding the personal and social implications of these powers will be important as location-based technologies continue to develop.</p>
<p>The privacy implications of location-based services have not gone unnoticed by the mobile telephone providers. In 2008, CTIA – The International Association for Wireless Telecommunications published a set of best practices and guidelines for location-based services. These guidelines emphasized two privacy principles that should be adopted by all providers of location-based services: user notice and consent.</p>
<p>A number of alternative technologies and approaches are possible when considering location-based services on mobile phones. For example, the accuracy of the location information can be artificially decreased as a means to provide some level of privacy. Instead of a service provider or application knowing the exact address of a customer’s current location, knowing the general neighbourhood or city may be enough to provide a valuable service while protecting privacy. Changing the level of accuracy based on the service provider involved, the type of service, or the end-user of the location information can be a powerful technique. For example, a customer may want to let a family-tracking service know their exact location while a work-related application would only get information about their general area (e.g., what city).</p>
<p><img alt="" src="/wp-content/uploads/339627_new_york.jpg" title="crowd" class="alignright" width="200" />Anonymity techniques can also be useful for increasing the privacy of location-based services. The technology can be configured such that a provider of location-based services gets information about a customer’s location without getting any identifying information. Thus, the service could provide directions to the nearest banking machine without knowing who the customer is. Aggregation techniques can also be used so location data is always grouped and the location of a group can be determined but not the location of individuals. This could be used, for example, in traffic alerting situations that rely on the locations and speeds of drivers on the highways. An operator of such a service does not need detailed identity, speed, and location information of each individual driver, just the aggregate information from a group near one another.</p>
<p>The range of location-based services that could emerge in the future is limited only by our imaginations. One use we are likely to see in the near future is digital coupons, where stores that are nearby send coupons to mobile phones. Obviously, issues about consent, intrusiveness, and privacy protections will be important in this application. Imagine receiving a graphic digital coupon as you pass a sex shop on a downtown street and then lending your phone to your children or spouse.</p>
<p>Location-based services will also be married with social networking applications, such as Facebook and MySpace. Such a service allows a customer to know if anyone in his or her social network is nearby geographically. One of the first instances of such a service is Google Latitude, and Google is already starting to wrestle with the privacy implications of their service. Currently, Google promises to never share location information with third parties without explicit permission. They also support privacy controls where the only people who can view location information are those explicitly included on a friends list. Google is also supporting an option to only share location information at the resolution of a city.</p>
<p>Location-based services can also be used to construct augmented reality systems. Here information about the local surroundings is combined with actual information to create a hybrid real/artificial display. For example, a user might wear a special pair of glasses that they look through to see the real world. At the same time, a computer system could detect their current location and overlay information about what they are looking at. For example, they might see historical information when looking at a national monument, or biographic information when looking at a statue. Such a service might also include real-time information, such as news stories about a protest that is currently taking place in a public park. The amount of detail provided by the augmented reality system and any records of what the customers look at will raise important privacy concerns.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewpatrick.ca/security-and-privacy/location-privacy/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
