Security & privacy

The not-so-secure UK ultra-secure passport

Here is a description of the security risks associated with the UK’s new RFID-enabled passports.

Cracked it!

The Home Office insists that UK passports are secure and among the best in the world, but not everyone agrees. Last week, an EU-funded body entitled the Future of Identity in the Information Society (Fidis) issued a declaration on machine-readable travel documents such as RFID-chipped passports and ID cards. It said the technology was “poorly conceived” and added: “European governments have effectively forced citizens to adopt new … documents which dramatically decrease their security and privacy and increase risk of identity theft.”


PIPEDA privacy law under review

Canada’s national privacy law is the Personal Information Protection and Electronic Documents Act (PIPEDA). That law is about to be reviewed and here is an article by Michael Geist on possible improvements.

Hearings Offer Chance to Fix Holes in Privacy Law

With privacy breaches and identity theft concerns popping up regularly, Canadians can ill-afford to wait another five years for meaningful privacy protections. While few observers expect privacy law reform to emerge as a top legislative priority, the PIPEDA review presents an excellent opportunity to build the foundation for future change.


Human error the top security worry?

Security group ranks human error as top security worry

Paller’s organization compiles an annual report on the top Internet security targets. This year “human vulnerabilities” will make their first appearance on a list that is typically made up of software products like Internet Explorer, databases, and file sharing applications. That’s because the human factor is being exploited in a growing number of targeted attacks as more and more online criminals come online in Eastern Europe and Asia, Paller said.

[T]he U.S. Military Academy at West Point [studied] a group of 512 cadets, selected at random for a test called the Carronade. The cadets were sent a bogus email that looked like it came from a fictional colonel named Robert Melville, who claimed to be with the academy’s Office of the Commandant (the real Robert Melville helped invent a short-range naval cannon called the Carronade nearly 250 years ago).

“There was a problem with your last grade report,” Melville wrote, before telling the cadets to click on a Web page and “follow the instructions to make sure your information is correct.”

More than 80 percent of the cadets clicked on the link, according to a report on the experiment.

Worse still, even after hours of computer security instruction, 90 percent of freshmen cadets still clicked on the link.


The power, and threat, of data mining “public” behavior

Here is an interesting article from The Register on data mining and how it can be used for commercial and government purposes.

“I have nothing to hide” – or the Sainsbury’s Lesson

How frightened would you be if you were secretly planning to get pregnant, without telling your husband, and discovered that someone had written to him telling him about it? Or, put the other way, how would you feel if you discovered your wife was pregnant only when someone dropped you a letter?


Surveillance system spots violent behaviour, poorly

New Scientist Tech

Behavior profiling is an interesting area with a lot of potential, but there are a lot of problems.

This article describes a system that automatically monitors surveillance cameras and attempts to infer the patterns of behavior seen in the footage. The striking thing is the accuracy claim:

“The system works quite accurately,” says Park. Tests were carried out on six different pairs of people performing a total of 54 different staged interactions including hugging, punching, kicking and shaking hands. On average, the system was 80% accurate at identifying these activities correctly.

Imagine all the false alarms as hundreds or thousands of interactions are monitored throughout the day. What will be done when, 20% of the time, the system raises an alarm about behaviour it has misread? Is this any better than the human monitoring or social controls that are already in place?


Spam, spam, and double-spam

Recently, someone (or some bot, according to this article) has decided to use my domain name for sending spam. This means that when that spam is rejected, the rejection notices come back to me! This has greatly increased the amount of spam that I am receiving.

It turns out that I am not alone.

Bot nets likely behind jump in spam


Estimates of the magnitude of the increase in junk e-mail vary, but experts agree that an uncommon surge in spam is occurring. On the low side, Symantec, the owner of SecurityFocus, has found that average spam volume has increased almost 30 percent for its 35,000 clients in the last two months. Others have seen much more significant jumps: Spam black list maintainer Total Quality Management Cubed has seen a 450 percent increase in spam in two months, and the amount of spam filtered out every week by security software maker Sunbelt Software has more than tripled compared to six months ago.

While bulk e-mailers have, in the past, sent unwanted messages from a single server, increasingly the spam emanates from networks of compromised PCs, known as bot nets. The level of junk e-mail has increased almost in lock step with the number of compromised systems used for spam, said David Hart, the administrator for Total Quality Management.


Want to do security research? Want to get arrested?

In a strange twist, a researcher who has published a simple, well-known demonstration of the huge flaws in airline security screenings is now being threatened with arrest.

Congressman Ed Markey Wants Security Researcher Arrested

Congressman Edward Markey (D-Mass.) wants the federal government to arrest security researcher Christopher Soghoian for creating the Northwest Airline Boarding Pass Generator, a site which lets anyone create a facsimile of a Northwest Airlines boarding pass. Soghoian hoped to spur Congress to look closely at the nation’s aviation security policies, which he calls “security theater.”

Instead, Markey, a member of the House Homeland Security committee, wants the site shut down and Soghoian arrested.

“The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane,” Markey said in a statement. “There are enough loopholes at the backdoor of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane.”



Biometric scans served up with school meals

Here is an interesting example of a biometric application, this time based on palm vein scanning.


While biometric security systems are often criticized for their privacy implications, one of the motivations of this program was to protect students who receive meal subsidies. Instead of having to show special cards or tickets to get their free meal, they can use the biometric device like all the other kids.

Another “feature” is that the system is designed to monitor what the children eat and provide advice on their diet choices. It will be interesting to see how that feature is accepted, and how it is used or misused.

Scotsman.com News – Sci-Tech – Biometric scans served up with school meals

PUPILS at a Scots primary school have become the first in the world to pay for their lunches by having their palms scanned rather than by handing over cash.

Biometric technology which allows them to be identified through their hands’ unique vein patterns has been introduced at Todholm Primary in Paisley.

It means no more lost dinner money – and protects the identity of pupils who are entitled to free school meals.

The system identifies children with food allergies and encourages pupils to eat a balanced diet by providing a read-out of what they choose during the week.


Schneier on Security: What is a Hacker?

An interesting article by Bruce Schneier on the definition of a “hacker”…

Schneier on Security: What is a Hacker?

A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.
