The Office of the Privacy Commissioner of Canada is calling for proposals for cutting-edge privacy research and public education projects in Canada. The application deadline is March 14, 2011.

The Office is interested in receiving research proposals focusing on four priority areas:

1) identity integrity and protection,

2) information technology,

3) genetic privacy, and

4) public safety.

However, the Office will continue to accept research proposals on issues that fall outside these areas.

As well, the Office invites proposals to fund public education and regional outreach initiatives that aim to inform Canadians about their privacy rights and how they may better protect their personal information.

All proposals will be evaluated on the basis of merit by OPC officials, and the maximum amount that can be awarded for each research or public education project is $50,000.  (A maximum of $100,000 can be awarded per organization.)

Not-for-profit organizations, including education institutions and industry and trade associations, are eligible, and this includes consumer, voluntary and advocacy organizations.

Ars Technica has an interesting article describing in detail how the group Anonymous was able to penetrate and embarrass the security firm HBGary and the rootkit.com site.

This was not a particularly advanced attack, but rather one that focused on known weaknesses, bad practices, and social engineering of people who should know better.

Most frustrating for HBGary must be the knowledge that they know what they did wrong, and they were perfectly aware of best practices; they just didn’t actually use them. Everybody knows you don’t use easy-to-crack passwords, but some employees did. Everybody knows you don’t re-use passwords, but some of them did. Everybody knows that you should patch servers to keep them free of known security flaws, but they didn’t.

Recently, the Gawker family of web sites suffered a data breach where millions of password records were stolen and many of the passwords were cracked and published. This incident revealed, once again, that many people are using very weak passwords, but this article also discusses other important lessons.

A key lesson from the attack is that any large password collector must have a plan for responding to a compromised password file — Gawker’s technical inability to force password updates or even email their users is inexcusable. Still, these measures can’t contain the damage. The biggest missed angle on this story is that it’s not just a Gawker hack, accounts on thousands of websites can be compromised as many users use the same email/password combination everywhere.

This is an interesting article on how security procedures in Israel are very different from those used in North America. In Israel the focus is on the person — asking questions and looking in their eyes. In North America the focus is on stuff — that they might be carrying or concealing. Interesting differences…

Despite facing dozens of potential threats each day, the security set-up at Israel’s largest hub, Tel Aviv’s Ben Gurion Airport, has not been breached since 2002, when a passenger mistakenly carried a handgun onto a flight. How do they manage that?

“The first thing you do is to look at who is coming into your airport,” said Sela.

Sometimes, the computer repair man is your biggest enemy. Not only can the technicians access any private, unprotected information on your system, but they can use that information against you. This story describes an elaborate scheme of psychological exploitation to commit a very large fraud.

According to police, the pair were able to convince Davidson that the virus was in fact a symptom of a much larger plot in which he was being menaced by government intelligence agencies, foreign nationals and even priests associated with Catholic organisation, Opus Dei.

So convinced was the victim he is said to have agreed to pay the pair $160,000 per month for 24-hour protection against the fictitious threats, payments which continued until recently.

Kim Cameron has posted a remembrance of Andreas Pfitzmann, a shining light in the field of security and privacy research. Andreas was a professor at the Technische Universität Dresden and I had the privilege of visiting with him during a PETS conference in 2003.

Andreas was a gracious host and avid hiker and, like Cameron, I will always value his contribution of a clear terminology for the often confusing world of anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management.