Archive for 'Security & privacy'
International Conference on Trust and Trustworthy Computing
TRUST 2011 is scheduled for June and the Call for Papers is out. I am on the program committee for the socio-economic strand and papers are due February 15, 2011.
TRUST 2011 is an international conference on the technical and socio-economic aspects of trustworthy infrastructures. It provides an excellent interdisciplinary forum for researchers, practitioners, and decision makers to explore new ideas and discuss experiences in building, designing, using and understanding trustworthy computing systems.
Posted: November 3rd, 2010 under Events, Human nature, Security & privacy, Usability.
Symposium on Usable Privacy and Security (SOUPS 2011)
The Call for Papers for SOUPS 2011 is now out. It is my pleasure to be on the program committee again.
The symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, discussion sessions, and in-depth sessions (workshops and tutorials). This year SOUPS will be held in Pittsburgh, PA.
Papers are due March 11, 2011.
Posted: November 3rd, 2010 under Events, Security & privacy, Usability.
Remembering Andreas Pfitzmann
Kim Cameron has posted a remembrance of Andreas Pfitzmann, a shining light in the field of security and privacy research. Andreas was a professor at the Technische Universität Dresden and I had the privilege of visiting with him during a PETS conference in 2003.
Andreas was a gracious host and avid hiker and, like Cameron, I will always value his contribution of a clear terminology for the often confusing world of anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management.
Posted: October 6th, 2010 under Security & privacy.
Using technology to be cruel
What Rutgers reveals is, yet again, that new technologies can facilitate new and more creative ways of being cruel to each other.
Steve Schultze has made some interesting comments about the recent suicide of a Rutgers student after an embarrassing video of him was posted on the Internet. Reacting to media coverage that took the position that it is not the technology but human nature that led to this tragedy, Schultze argues that technology is a facilitator that sometimes brings out the worst in human nature. He observes that technology often lets people do things they would never do in the real, face-to-face world, and that we ignore this at our peril.
Posted: October 4th, 2010 under Human nature, Security & privacy.
Bank fraud mules

Authorities in the US have arrested more than 80 “mules” involved in large scale bank fraud. Although the masterminds are still at large, and probably in Eastern Europe, these arrests show the massive size and success of the fraud operation. Cyber crime has become a virtual economy.
The Zeus banking Trojan enabled hackers to secretly monitor the victims’ computer activity, enabling them to obtain bank account numbers, passwords, and authentication information as the victim typed them into the infected computer, the FBI said.
The scheme relied on individuals known as “money mules” in the United States to actually steal money, the FBI said. Bharara said those arrested consisted almost entirely of mules and four people who managed them.
…
“The hacking rings we see today take on a more organized approach, similar to a drug cartel or a cyber-mafia,” Bar Yosef says. “There is a hierarchy with employees that have a distinct role in the scheme — the researcher looking for different ways to infect machines, the botnet farmer operating the bots, the botnet dealer renting the bots, and the actual ‘consumer’ who monetizes on the virtual goods received by the bot.
via More Than 80 Arrested In Alleged Zeus Banking Scam – computer crime/Attacks – DarkReading.
Posted: October 1st, 2010 under Security & privacy.
How Android apps use personal information
Android applications are supposed to get permission from the user before they gain access to personal information, such as location. But what happens once the permission is given?
A study reported by Network World looked at 30 apps to see where and when personal information was used, and found some worrisome results.
A recent test of prototype security code for Android phones found that 15 of 30 free Android Market applications sent users’ private information to remote advertising servers, without the users being aware of what was being sent or to whom. In some cases, the user’s location data was sent as often as every 30 seconds.
Posted: September 30th, 2010 under Security & privacy.
The Internet: all encrypted, all the time?
Can the Internet be encrypted by default?
With the current debates about lawful intercept and increasing numbers of man-in-the-middle attacks, maybe the Internet should finally be made secure by default.
Encryption is currently used sparingly, mostly when connecting to e-commerce and financial services over the web. Here the https protocol is used and traffic between the user’s web browser and the server is protected from eavesdropping using SSL. The problems with this scheme are legendary, mostly associated with requiring users to notice when encryption is on and off, and knowing how to interpret certificate information and error messages.
But could encryption be turned on all the time, automatically?
Google has recently made https the default for Gmail, demonstrating that encryption can be scaled to millions of users. What about scaling it to the entire Internet?
Tcpcrypt is an extension to the TCP protocol designed to make encryption the default. It is backward compatible with traditional TCP, falling back to plain TCP when the other end does not support it, so it can protect old applications that have no encryption of their own. The paper reports substantially higher connection-setup rates on the server than SSL, because the expensive public-key operation is pushed to the client. One caveat: tcpcrypt on its own is opportunistic encryption, which defeats passive eavesdropping but not an active man-in-the-middle; stopping the latter still requires the application to authenticate the tcpcrypt session (for example, by signing the session ID), which is where the usability problems of certificates come back in.
You can read more about tcpcrypt in a recent technical paper, on a tcpcrypt community web site, and on Wikipedia.
Posted: September 30th, 2010 under Security & privacy.
CFP: Workshop on Ethics in Computer Security Research
The 2nd Workshop on Ethics in Computer Security Research is calling for papers. The workshop will take place March 4, 2011 on the beautiful island of St. Lucia as part of the Financial Cryptography and Data Security conference.
I attended the workshop last year and it was very interesting. Papers are due October 15, 2010.
This workshop solicits submissions describing or suggesting ethical and responsible conduct in computer security research. While we focus on setting standards and sharing prior experiences and experiments in computer security research, successful or not, we tap into research behavior in network security, computer security, applied cryptography, privacy, anonymity, and security economics.
Posted: September 23rd, 2010 under Events, Security & privacy.
Economic Reasons for Security Failures: Ross Anderson
A good, brief article on economics and security failures by Ross Anderson contains some great quotes…
The discipline of security economics teaches us that large systems often fail because incentives are poorly aligned; if someone guards a system while someone else bears the cost of failure, then failure is likely.
…
As one of my students put it, “All the party invitations in Cambridge come through Facebook. If you don’t use Facebook you don’t get to any parties, so you’ll never meet any girls, you won’t have any kids and your genes will die out.”
Posted: September 23rd, 2010 under Security & privacy.
Google adds two-factor authentication
Google is introducing two-factor authentication to its Google Apps products. This means that in order to access the enterprise services (mail, documents, etc.) the user must both know their password and supply a one-time verification code. That code is sent to the user's mobile phone, or generated by an authenticator application on a smartphone.
The approach is not novel, and it does not provide 100% security: a one-time code can still be phished and relayed in real time, and it does nothing against malware such as the Zeus Trojan that already sits on the user's machine. But it is notable because of Google's size and influence. Having such a large player adopt stronger authentication can only help to speed adoption by other organizations, and that is a good thing.
By doing this now, and previously making https the default in Gmail, Google is demonstrating that better security can be done on a large scale, with general users.
Posted: September 21st, 2010 under Security & privacy.