Security & privacy

Funding available for privacy research and education in Canada

The Office of the Privacy Commissioner of Canada is calling for proposals for cutting-edge privacy research and public education projects in Canada. The application deadline is March 14, 2011.

The Office is interested in receiving research proposals focusing on four priority areas:

private1) identity integrity and protection,

2) information technology,

3) genetic privacy, and

4) public safety.

However, the Office will continue to accept research proposals on issues that fall outside these areas.

As well, the Office invites proposals to fund public education and regional outreach initiatives that aim to inform Canadians about their privacy rights and how they may better protect their personal information.

All proposals will be evaluated on the basis of merit by OPC officials, and the maximum amount that can be awarded for each research or public education project is $50,000.  (A maximum of $100,000 can be awarded per organization.)

Not-for-profit organizations, including education institutions and industry and trade associations, are eligible, and this includes consumer, voluntary and advocacy organizations.

Funding available for privacy research and education in Canada Read More »

Anatomy of a successful online attack

maskArs Technica has an interesting article describing in detail how the group Anonymous was able to penetrate and embarrass the security firm HBGary and the rootkit.com site.

This was not a particularly advanced attack, but rather one that focused on known weaknesses, bad practices, and social engineering of people who should know better.

Most frustrating for HBGary must be the knowledge that they know what they did wrong, and they were perfectly aware of best practices; they just didn’t actually use them. Everybody knows you don’t use easy-to-crack passwords, but some employees did. Everybody knows you don’t re-use passwords, but some of them did. Everybody knows that you should patch servers to keep them free of known security flaws, but they didn’t.

Anatomy of a successful online attack Read More »

Lessons from the Gawker password leak

lock and keyRecently, the Gawker family of web sites suffered a data breach where millions of password records were stolen and many of the passwords were cracked and published. This incident revealed, once again, that many people are using very weak passwords, but this article also discusses other important lessons.

A key lesson from the attack is that any large password collector must have a plan for responding to a compromised password file — Gawker’s technical inability to force password updates or even email their users is inexcusable. Still, these measures can’t contain the damage. The biggest missed angle on this story is that it’s not just a Gawker hack, accounts on thousands of websites can be compromised as many users use the same email/password combination everywhere.

Lessons from the Gawker password leak Read More »

The TSA and the Stanford Prison Experiment

Airport securityWatching this video (and the associated description) of psychological abuse of a passenger by TSA officials in a US airport reminds me of watching video from the infamous Stanford Prison Experiment.

In that experiment, conducted in 1971 in the basement of the Stanford Psychology building, normal, healthy students were randomly assigned to the roles of prisoners and guards in a mock prison. Over the course of six days, the “guards” developed extremely authoritarian, abuse behavior towards the “prisoners”, and subjected some of the “prisoners” to torture. Philip Zimbardo, the head of the study, reflected later on the results:

The situation won; humanity lost. Out the window went the moral upbringings of these young men, as well as their middle-class civility. Power ruled, and unrestrained power became an aphrodisiac. Power without surveillance by higher authorities was a poisoned chalice that transformed character in unpredictable directions. I believe that most of us tend to be fascinated with evil not because of its consequences but because evil is a demonstration of power and domination over others.

It seems to me that the actions of the TSA could be described in the same way. Without oversight, power has taken the place of rationality and domination seems to be the goal.

The TSA and the Stanford Prison Experiment Read More »

Airport security in Israel and North America: Focus on the person not the stuff

This is an interesting article on how security procedures in Israel are very different from those used in North America. In Israel the focus is on the person — asking questions and looking in their eyes. In North America the focus is on stuff — that they might be carrying or concealing. Interesting differences…

Despite facing dozens of potential threats each day, the security set-up at Israel’s largest hub, Tel Aviv’s Ben Gurion Airport, has not been breached since 2002, when a passenger mistakenly carried a handgun onto a flight. How do they manage that?

“The first thing you do is to look at who is coming into your airport,” said Sela.

Airport security in Israel and North America: Focus on the person not the stuff Read More »

Very expensive computer repairs

priestSometimes, the computer repair man is your biggest enemy. Not only can the technicians access any private, unprotected information on your system, but they can use that information against you. This story describes an elaborate scheme of psychological exploitation to commit a very large fraud.

According to police, the pair were able to convince Davidson that the virus was in fact a symptom of a much larger plot in which he was being menaced by government intelligence agencies, foreign nationals and even priests associated with Catholic organisation, Opus Dei.

So convinced was the victim he is said to have agreed to pay the pair $160,000 per month for 24-hour protection against the fictitious threats, payments which continued until recently.

Very expensive computer repairs Read More »

Remembering Andreas Pfitzmann

Kim Cameron has posted a remembrance of Andreas Pfitzmann, a shining light in the field of security and privacy research. Andreas was a professor at the Technische Universität Dresden and I had the privilege of visiting with him during a PETS conference in 2003.

Andreas was a gracious host and avid hiker and, like Cameron, I will always value his contribution of a clear terminology for the often confusing world of anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management.

Remembering Andreas Pfitzmann Read More »

Using technology to be cruel

What Rutgers reveals is, yet again, that new technologies can facilitate new and more creative ways of being cruel to each other.

Steve Schultze has made some interesting comments about the recent suicide by a Rutgers student after an embarrassing video was posted on the Internet. Reacting to a media treatment that took the position that it is not the technology that led to this problem, it is us (human nature), Schultze argues that technology is a facilitator that sometimes brings out the worst of human nature. He observes that technology can often allow people to do things that they would never do in the real, face-to-face world, and we ignore this at our peril.

Using technology to be cruel Read More »

Bank fraud mules

mule

Authorities in the US have arrested more than 80 “mules” involved in large scale bank fraud. Although the masterminds are still at large, and probably in Eastern Europe, these arrests show the massive size and success of the fraud operation. Cyber crime has become a virtual economy.

The Zeus banking Trojan enabled hackers to secretly monitor the victims’ computer activity, enabling them to obtain bank account numbers, passwords, and authentication information as the victim typed them into the infected computer, the FBI said.

The scheme relied on individuals known as “money mules” in the United States to actually steal money, the FBI said. Bharara said those arrested consisted almost entirely of mules and four people who managed them.

“The hacking rings we see today take on a more organized approach, similar to a drug cartel or a cyber-mafia,” Bar Yosef says. “There is a hierarchy with employees that have a distinct role in the scheme — the researcher looking for different ways to infect machines, the botnet farmer operating the bots, the botnet dealer renting the bots, and the actual ‘consumer’ who monetizes on the virtual goods received by the bot.

via More Than 80 Arrested In Alleged Zeus Banking Scam – computer crime/Attacks – DarkReading.

Bank fraud mules Read More »

How Android apps use personal information

Android applications are supposed to get permission from the user before they gain access to personal information, such as location. But what happens once the permission is given?

This study from Network World looked at 30 apps to see where and when personal information was used, and found some worrisome results.

A recent test of prototype security code for Android phones found that 15 of 30 free Android Market applications sent users’ private information to remote advertising servers, without the users being aware of what was being sent or to whom. In some cases, the user’s location data was sent as often as every 30 seconds.

How Android apps use personal information Read More »