Security & privacy

Iris patterns related to personality?

This is an important news item out of Sweden.

Researchers have conducted a study looking at certain structural patterns in the iris and self-report personality characteristics. Prior research has shown that genetic differences may influence both brain and iris development, so a correlation between iris appearance and behavior is possible. Although the correlations found in this study were small, they do appear to be consistent and specifically related to some iris characteristics but not others. An analysis of effect size showed that the personality differences were “much larger than, for example, women’s tendency to be more emotional than men.”

The implication for iris-based authentication mechanisms is interesting. If iris characteristics are possibly related to personality, then privacy concerns about who gets to capture, examine, and store iris images become more important. What might a government agency or an insurance company do with information that someone possesses personality characteristics (and perhaps genetic markers) related to approachability or impulsiveness?

How irises ‘reveal personalities’

The team, led by Dr Matt Larsson, a behavioural scientist, said: “These findings support the notion that people with different iris configurations tend to develop along different trajectories in regards to personality.” “Differences in the iris can be used as a biomarker that reflects differences between people.”

The article is available at ScienceDirect.


A safe password form mode for browsers?

Would it be possible to create a safe mode for browsers that prevented users from submitting anything that might be a password into unsafe forms? Has anybody done this already?

Consider the following two rules inserted into a web browser:

1. if we are presented any https page without a verified certificate, don’t display the page

2. if there is a form on any non-https page with anything that might be a password entry field, don’t display the page. (Password input fields would be identified by any NAME parameter related to passwords, and by the TYPE=PASSWORD attribute.)

Instead of just providing warnings, completely refuse to display the page with a message saying that the page is unsafe.

We might use these rules in browser configurations that are given to children and naive Internet users.

Would this be effective in preventing the disclosure of passwords to false or unsafe web sites (e.g., phishing)? Sure, it would not be perfect because spoof sites could use nonsense field names and avoid the PASSWORD attribute type, but would it be better?

Would too many legitimate sites be blocked?
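As an added example (not code from the original post), here is one way the two rules could be applied to a fetched page in JavaScript. It assumes the browser hands over the page URL, the raw HTML, and the result of its own certificate verification as a boolean; the password-related name pattern, the attribute parser, and the decision to count password-like inputs outside a `<form>` as well are my assumptions, not anything the post specifies.

```javascript
// Added example, not code from the original post: a page-level check that
// applies the two proposed "safe password form mode" rules.
// Assumptions: the browser supplies the page URL, the raw HTML, and whether
// its own TLS certificate verification succeeded (passed in as a boolean;
// certificate checking itself is not re-implemented here).

// Heuristic for "any NAME parameter related to passwords". Constructed for
// this example; it also matches names such as "passport", a false positive
// of the kind the post anticipates.
const PASSWORD_NAME_RE = /pass(word|wd|phrase|code)?|pwd|secret|^pin$/i;

// Parse the attribute text of one tag into a lower-cased name -> value map.
// Handles double-quoted, single-quoted, unquoted and bare (valueless) attributes.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([A-Za-z_:][\w:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Collect every <input> element on the page as an attribute map.
function findInputs(html) {
  const inputs = [];
  const re = /<input\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    inputs.push(parseAttributes(m[1]));
  }
  return inputs;
}

// Rule 2's field test: TYPE=PASSWORD, or a NAME/ID that looks password-related.
function isPasswordField(attrs) {
  if ((attrs.type || "").toLowerCase() === "password") return true;
  return PASSWORD_NAME_RE.test(attrs.name || "") || PASSWORD_NAME_RE.test(attrs.id || "");
}

// Decide whether to display the page. Returns { block, rule, fields }, where
// rule is 1 or 2 for the rule that fired and 0 when the page may be shown.
function evaluatePage({ url, html, certificateVerified }) {
  const scheme = new URL(url).protocol;
  if (scheme === "https:") {
    // Rule 1: an https page whose certificate did not verify is not shown at all.
    if (!certificateVerified) return { block: true, rule: 1, fields: [] };
    return { block: false, rule: 0, fields: [] };
  }
  // Rule 2: on a non-https page, any password-like field blocks the page.
  // Inputs outside a <form> are counted too (an assumption beyond the post's
  // wording), since script can submit them just as easily as a form can.
  const fields = findInputs(html)
    .filter(isPasswordField)
    .map((a) => a.name || a.id || "(unnamed)");
  if (fields.length > 0) return { block: true, rule: 2, fields };
  return { block: false, rule: 0, fields: [] };
}

// Constructed sample page for a stand-alone run: a plain-http login form.
const SAMPLE_PAGE = {
  url: "http://example.com/login",
  html: '<form action="/login"><input type="text" name="user"><input type="password" name="pass"></form>',
  certificateVerified: true,
};
console.log(evaluatePage(SAMPLE_PAGE)); // blocks under rule 2, reporting field "pass"
```

The name heuristic is where the post's last question bites: a legitimate site with an `http` form field called `passport` or `compass` would be blocked too, so anyone trying this would want to log which fields triggered rule 2 and tune the pattern against real sites before handing the configuration to children or novice users.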


Commentary on new usable security research: The Emperor is biased

I have recently posted a long commentary on some new research by Stuart Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer. Their paper, titled The Emperor’s New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies, has been receiving a lot of attention because it shows that people ignore new security indicators being used by banks to prevent phishing attacks.

I think there are serious problems with the methodology in this research caused by a failure to understand the psychology of research participation. As a result, I think the results are biased in the direction of providing over-estimates of the real-world rates at which these security indicators will be ignored. My motivation in this commentary is to discuss the issues associated with this kind of research methodology, so that we can all do better research.

There are at least three well-known psychological phenomena related to participation in research studies that are important here: demand characteristics, task focus, and obedience to authority. In this essay I review these phenomena, explain how each one could have biased the results, and provide concrete suggestions for improving this, and similar, research.

Please have a look at the essay at http://www.andrewpatrick.ca/essays/commentary-on-research-on-new-security-indicators/ and provide comments there.

What was once secure… How the cost of duplication changes everything

Here is another example of a security device that is becoming more insecure. In this case it is holograms that are attached to credit cards, money, and products to prove their authenticity. In recent years, duplicating holograms has become cost effective.

Fake Holograms a 3-D Crime Wave

If you have a credit card or just bought a copy of Windows Vista, you’re familiar with security holograms — those sparkly bits of film that vouch for the validity of everything from driver’s licenses to software and sports league items. It turns out, they aren’t as secure as they are sparkly. Experts say the number of counterfeit holograms affixed to equally counterfeit merchandise has tripled in the past three years, as the technology to make them has spread. Today, crafting a convincing duplicate of a security hologram has never been easier or more profitable.


… but biometrics are not secret!

This article discusses deploying bank ATMs in rural India where access is controlled by fingerprint biometrics alone. As has been demonstrated many times, biometrics like fingerprints are not secret, and they can easily be copied, stolen, and reproduced. The challenge of doing authentication with an illiterate population is daunting, but biometrics alone are not the solution.

Wired News: Thumb-Print Banking Takes India

The increase will mean that just about every rural village and outpost will have access to the world’s financial backbone and, if the pilot program is successful, fingerprint identification could become standard, even for private bank transactions.

“Many banks here are keen on this idea of doing away with ATM cards,” said Sunil Udupa, CEO of AGS Infotech, the company supplying the first batch of ATMs to the five districts in India. “Whether it is practically possible is a very different question, but the interest is huge.”


Good review of security threats for homes and small businesses

This is a good review of the top security threats, and prevention methods, that are appropriate for home users and small businesses.

Small Business Primer on Network Security Threats

This article will introduce you to ten of the biggest and most dangerous threats to network security, in an effort to make everyone more aware of the security problems facing networks today.


Are passwords getting better?

There is an interesting article on password characteristics by Bruce Schneier on Wired News:

“How good are the passwords people are choosing to protect their computers and online accounts?

It’s a hard question to answer because data is scarce. But recently, a colleague sent me some spoils from a MySpace phishing attack: 34,000 actual user names and passwords…

…passwords are getting better. I’m impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.”

Wired News: MySpace Passwords Aren’t So Dumb


Protecting yourself from identity theft

Here is some practical advice on protecting yourself from identity theft.

Twelve Ways to protect yourself from Identity Theft

Every year thousands of Canadians are victims of identity theft. Although the number of identity theft victims is relatively small, the financial impact to an individual whose identity is stolen can be profound. In this article, Digital Home examines what identity theft is, how it happens, suggests twelve ways you can protect yourself from it, and finally what steps to take if you think you are a victim.

National firewall: Canadian ISPs to block Internet sites

There is an important story today about plans to block access to hundreds of child pornography sites on a national scale. There is an interesting discussion happening at Michael Geist’s blog:

Michael Geist – Project Cleanfeed Canada

[One side] I do think that blocking hundreds of child porn sites will provide some measure of protection for the overwhelming majority of the population who are not seeking to access such content yet may inadvertently come across it. That is a clear societal harm and this has the potential to help address it.

[Another side] It seems that the use-case here is quite muddled. Is this really about stopping people from *inadvertently* seeing bad content? That’s a pretty narrow goal for such a sweeping program. Is this a real social ill? Does it really happen all that often in the course of web-browsing?

Security, fraud, and a return to cash

A few of us were talking last night about recent security problems with using debit and credit cards, and I was predicting a return to cash. Here is a recent article detailing the experiences in the UK.

Britons are Europe’s biggest victims of card fraud

Britain is the fraud capital of Europe, with almost 20 per cent of the population having been a victim of electronic card fraud.

as a result of card fraud, 33 per cent of Europeans said the experience had made them favour cash over electronic payment

almost a third of card fraud victims are never reimbursed for their loss by their card provider, despite claims to the contrary by banks

It’s incredible how many people across Britain have fallen victim to card fraudsters and unsurprising that so many victims favour a return to cash

consumers were not being “told the full story”.