Category Archives: Security & privacy

Lessons from the Gawker password leak

Recently, the Gawker family of web sites suffered a data breach in which millions of password records were stolen, and many of the passwords were cracked and published. This incident revealed, once again, that many people are using very weak passwords, but this article also discusses other important lessons.

A key lesson from the attack is that any large password collector must have a plan for responding to a compromised password file — Gawker’s technical inability to force password updates or even email their users is inexcusable. Still, these measures can’t contain the damage. The biggest missed angle on this story is that it’s not just a Gawker hack: accounts on thousands of websites can be compromised, because many users use the same email/password combination everywhere.
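Two of the lessons above translate directly into how a site stores credentials: records should be slow to crack offline even after the file leaks, and the operator needs a switch that invalidates every stored password at once so that reused credentials cannot simply be replayed. The following is an added example written for this post, not code from Gawker or from the original article; the class and method names (UserStore, verify_login, invalidate_all) and the generation-counter scheme are this example's own assumptions.

```python
"""
Added example: password storage that survives a leaked credential file and
lets the operator force a site-wide reset.

  1. Each record uses a random per-user salt and a deliberately slow KDF
     (PBKDF2-HMAC-SHA256 from the standard library) rather than a bare hash,
     so a stolen file cannot be cracked cheaply in bulk.
  2. The store carries a "credential generation" counter. Bumping it marks
     every existing record as burned: a correct password still does not grant
     access until the user sets a new one through the reset flow.

UserStore / Record / verify_login / invalidate_all are names invented here.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

KDF_ITERATIONS = 600_000   # tune so one verification costs tens of ms on your hardware
SALT_BYTES = 16


@dataclass
class Record:
    salt: bytes
    digest: bytes
    iterations: int        # stored per record so the cost can be raised later
    generation: int        # credential generation this hash was created under


@dataclass
class UserStore:
    current_generation: int = 1
    records: dict = field(default_factory=dict)

    def _derive(self, password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def set_password(self, user: str, password: str) -> None:
        """Create or replace a credential under the current generation."""
        salt = os.urandom(SALT_BYTES)
        digest = self._derive(password, salt, KDF_ITERATIONS)
        self.records[user] = Record(salt, digest, KDF_ITERATIONS, self.current_generation)

    def verify_login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad', or 'reset_required'."""
        rec = self.records.get(user)
        if rec is None:
            return "bad"
        candidate = self._derive(password, rec.salt, rec.iterations)
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(candidate, rec.digest):
            return "bad"
        if rec.generation < self.current_generation:
            # Right password, but the hash predates the breach response: the
            # record is considered compromised and must be replaced, not reused.
            return "reset_required"
        return "ok"

    def invalidate_all(self) -> None:
        """Breach response: every stored credential must be changed before use."""
        self.current_generation += 1


def demo() -> list:
    """Walk through the breach-response flow and return the observed outcomes."""
    store = UserStore()
    store.set_password("alice", "correct horse battery")   # constructed sample users
    store.set_password("bob", "correct horse battery")     # same password, different salt
    out = [
        store.records["alice"].digest != store.records["bob"].digest,  # salts work
        store.verify_login("alice", "correct horse battery"),          # 'ok'
        store.verify_login("alice", "wrong"),                          # 'bad'
    ]
    store.invalidate_all()                                             # the file leaked
    out.append(store.verify_login("alice", "correct horse battery"))   # 'reset_required'
    store.set_password("alice", "new passphrase")                      # user completes reset
    out.append(store.verify_login("alice", "new passphrase"))          # 'ok'
    out.append(store.verify_login("alice", "correct horse battery"))   # 'bad'
    return out


if __name__ == "__main__":
    print(demo())
```

In production the "reset_required" result would trigger the emailed reset link the post says Gawker could not send; the point of storing the generation per record is that the operator can flip one counter and know that no pre-breach hash is ever accepted again.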

The TSA and the Stanford Prison Experiment

Watching this video (and the associated description) of psychological abuse of a passenger by TSA officials in a US airport reminds me of watching video from the infamous Stanford Prison Experiment.

In that experiment, conducted in 1971 in the basement of the Stanford Psychology building, normal, healthy students were randomly assigned to the roles of prisoners and guards in a mock prison. Over the course of six days, the “guards” developed extremely authoritarian, abusive behavior towards the “prisoners”, and subjected some of the “prisoners” to torture. Philip Zimbardo, the head of the study, reflected later on the results:

The situation won; humanity lost. Out the window went the moral upbringings of these young men, as well as their middle-class civility. Power ruled, and unrestrained power became an aphrodisiac. Power without surveillance by higher authorities was a poisoned chalice that transformed character in unpredictable directions. I believe that most of us tend to be fascinated with evil not because of its consequences but because evil is a demonstration of power and domination over others.

It seems to me that the actions of the TSA could be described in the same way. Without oversight, power has taken the place of rationality and domination seems to be the goal.

Airport security in Israel and North America: Focus on the person not the stuff

This is an interesting article on how security procedures in Israel are very different from those used in North America. In Israel the focus is on the person — asking questions and looking in their eyes. In North America the focus is on stuff — that they might be carrying or concealing. Interesting differences…

Despite facing dozens of potential threats each day, the security set-up at Israel’s largest hub, Tel Aviv’s Ben Gurion Airport, has not been breached since 2002, when a passenger mistakenly carried a handgun onto a flight. How do they manage that?

“The first thing you do is to look at who is coming into your airport,” said Sela.

Very expensive computer repairs

Sometimes, the computer repair man is your biggest enemy. Not only can the technicians access any private, unprotected information on your system, but they can use that information against you. This story describes an elaborate scheme of psychological exploitation to commit a very large fraud.

According to police, the pair were able to convince Davidson that the virus was in fact a symptom of a much larger plot in which he was being menaced by government intelligence agencies, foreign nationals and even priests associated with Catholic organisation, Opus Dei.

So convinced was the victim he is said to have agreed to pay the pair $160,000 per month for 24-hour protection against the fictitious threats, payments which continued until recently.

Remembering Andreas Pfitzmann

Kim Cameron has posted a remembrance of Andreas Pfitzmann, a shining light in the field of security and privacy research. Andreas was a professor at the Technische Universität Dresden and I had the privilege of visiting with him during a PETS conference in 2003.

Andreas was a gracious host and avid hiker and, like Cameron, I will always value his contribution of a clear terminology for the often confusing world of anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management.

Using technology to be cruel

What Rutgers reveals is, yet again, that new technologies can facilitate new and more creative ways of being cruel to each other.

Steve Schultze has made some interesting comments about the recent suicide by a Rutgers student after an embarrassing video was posted on the Internet. Reacting to a media treatment that took the position that it is not the technology that led to this problem, it is us (human nature), Schultze argues that technology is a facilitator that sometimes brings out the worst of human nature. He observes that technology can often allow people to do things that they would never do in the real, face-to-face world, and we ignore this at our peril.

Bank fraud mules

Authorities in the US have arrested more than 80 “mules” involved in large-scale bank fraud. Although the masterminds are still at large, and probably in Eastern Europe, these arrests show the massive size and success of the fraud operation. Cyber crime has become a virtual economy.

The Zeus banking Trojan enabled hackers to secretly monitor the victims’ computer activity, enabling them to obtain bank account numbers, passwords, and authentication information as the victim typed them into the infected computer, the FBI said.

The scheme relied on individuals known as “money mules” in the United States to actually steal money, the FBI said. Bharara said those arrested consisted almost entirely of mules and four people who managed them.

“The hacking rings we see today take on a more organized approach, similar to a drug cartel or a cyber-mafia,” Bar Yosef says. “There is a hierarchy with employees that have a distinct role in the scheme — the researcher looking for different ways to infect machines, the botnet farmer operating the bots, the botnet dealer renting the bots, and the actual ‘consumer’ who monetizes on the virtual goods received by the bot.”

via More Than 80 Arrested In Alleged Zeus Banking Scam – computer crime/Attacks – DarkReading.

How Android apps use personal information

Android applications are supposed to get permission from the user before they gain access to personal information, such as location. But what happens once the permission is given?

This study from Network World looked at 30 apps to see where and when personal information was used, and found some worrisome results.

A recent test of prototype security code for Android phones found that 15 of 30 free Android Market applications sent users’ private information to remote advertising servers, without the users being aware of what was being sent or to whom. In some cases, the user’s location data was sent as often as every 30 seconds.

The Internet: all encrypted, all the time?

Can the Internet be encrypted by default?

With the current debates about lawful intercept and increasing numbers of man-in-the-middle attacks, maybe the Internet should finally be made secure by default.

Encryption is currently used sparingly, mostly when connecting to e-commerce and financial services over the web. Here the https protocol is used and traffic between the user’s web browser and the server is protected from eavesdropping using SSL. The problems with this scheme are legendary, mostly associated with requiring users to notice when encryption is on and off, and knowing how to interpret certificate information and error messages.

But could encryption be turned on all the time, automatically?

Google has recently made https the default for Gmail, demonstrating that encryption can be scaled to millions of users. What about scaling it to the entire Internet?

Tcpcrypt is an extension to the TCP protocol designed to make encryption the default. It is backward compatible with traditional TCP, and it would protect old applications that don’t have encryption. And it works faster than the SSL we rely on today.

You can read more about tcpcrypt in a recent technical paper, on a tcpcrypt community web site, and on Wikipedia.

Economic Reasons for Security Failures: Ross Anderson

A good, brief article on economics and security failures by Ross Anderson contains some great quotes…

The discipline of security economics teaches us that large systems often fail because incentives are poorly aligned; if someone guards a system while someone else bears the cost of failure, then failure is likely.

As one of my students put it, “All the party invitations in Cambridge come through Facebook. If you don’t use Facebook you don’t get to any parties, so you’ll never meet any girls, you won’t have any kids and your genes will die out.”