Security & privacy

Here is an article from The Globe and Mail on Canada’s new lawful access bills. The federal and provincial privacy commissioners are raising concerns about the privacy impacts of the proposed legislation, which would require service providers to install surveillance equipment and allow police unprecedented powers to gather information.

These proposed laws should be getting more attention on Canada before it is too late.

Planned Internet, wireless surveillance laws worry watchdogs

Canada’s federal and provincial privacy watchdogs are expressing concern about two proposed laws that would give authorities much greater surveillance powers over Internet and wireless communications.

…

In June, the Conservative government introduced two bills – the Investigative Powers for the 21st Century Act and the Technical Assistance for Law Enforcement in the 21st Century Act – that would give police sweeping new powers to collect information about Canadian Internet users without a warrant, and activate tracking devices in their cellphones and cars, among other things.

“Canadians put a high value on the privacy, confidentiality and security of their personal communications and our courts have also accorded a high expectation of privacy to such communications,” Ms. Stoddart said in a statement Thursday.

Here is an article from NetworkWorld claiming that an online travel agency in Australia has improved their sales completion rate by deploying Extended Validation (EV) certificates. Our research, on the other hand, shows that users typically do not even look at the area of the browser where certificate information is shown (we used an eye tracker), and have a great deal of difficulty understanding the information if they do look. We also find that the introduction of EV certificates makes the usability worse and security decisions harder. This seems like a thinly veiled advertisement for VeriSign’s products. Buyer beware.

Online travel takes off with EV SSL security

“Since implementing VeriSign’s EV SSL Certificates, our online sales have really taken off. We have experienced greater conversion rates, a reduced rate of booking abandonment and a noticeable drop in customer concerns relating to security issues,” Lynch said.

It turns out that it is fairly easy to “create” DNA evidence to match anyone that you wish, so it is possible to plant evidence and frame a person. Standard DNA tests used in forensic labs are not able to detect such forgeries. This is another example of the need to carefully examine the science behind the forensic techniques that we use in criminal cases.

DNA evidence can be faked

In a release announcing the discovery, the company said, “standard molecular biology techniques, such as polymerase chain reaction (PCR), molecular cloning, and more recently available whole genome amplification, enable anyone with basic equipment and limited know-how to synthesize unlimited amounts of artificial (in vitro) DNA with any desired profile.”

 

Here is a report of a gang, apparently in Eastern Europe, who are infecting machines with special keyloggers that send back real-time records of bank transactions. This allows the criminals to conduct fraud at the same time as the user does their legitimate banking. These attacks make one-time password devices, such as the SecurID system, useless. In the online security game, the bad guys are winning…
How Hackers Snatch Real-Time Security ID Numbers

If you computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can’t see.

“What everybody thought was a very secure identification method, these guys found a low-tech means to get around it,” said Joe Stewart, the director of malware research for SecureWorks, a software company. “They don’t break the encryption; they just log in at the same time you do.”

I gave a keynote talk this week at the ISSNet workshop on “Ecological validity in studies of security and human behaviour” Here is the Abstract…

It is becoming increasingly clear that studies of the effectiveness of information security solutions must take into account the human factor — the behaviour of the users of the systems. Conducting research on human behaviour is hard, however, and it is often difficult to witness authentic behaviour in a laboratory environment. Ecological validity refers to the extent to which the results of a test or experiment can be applied to the real-life of the people being studied. Using a series of case studies from research on security-related behaviours, Dr. Patrick will lead a discussion about the nature of validity in research, the issues surrounding ecological validity, and research techniques that can be used to increase the validity of security studies.

And here are the slides with notes PDF (5.7 MB).

In the latest round of the Canadian net neutrality fight, a number of Internet service providers have formally applied to have a Canadian Radio‐television and Telecommunications Commission (CRTC) decision overthrown. This decision allowed Bell Canada to continue to throttle the speed of certain Internet traffic, most notably peer-to-peer (P2P) traffic used by applications such as Bittorrent. One of the notable aspects of the issue is that Bell is not only throttling its own customers, but also the customers of alternative Internet providers who lease Bell’s DSL infrastructure.

A group that includes the Consumer’s Association of Canada, the Canadian Association of Internet Providers (CAIP), and a group of independent Internet providers have filed a lengthy document that outlines what they claim are major errors of fact and law in the previous decision.

One of the main points in the filing is that while the CRTC ruled that Bell could continue to throttle certain kinds of Internet traffic, on the same day they opened a new proceeding examining the same issues raised in the throttling case. The suggestion is that the CRTC clearly felt they did not have enough information about these issues, and yet they decided in Bell’s favour regardless. The applicants suggest that this was a wrong decision and, in fact, more information has become available as a result of the new proceeding that provides further light on the throttling issue. They want the throttle decision to be reversed until a full examination can be conducted.

Further points raised by the applicants include:

(1) a failure by Bell to show that P2P applications were causing undue congestion on the networks, or that the throttling they were using was a necessary solution if there was a problem,

(2) that CRTC erred in believing Bell when it said it did not examine the content of Internet packets when it made a throttling decision,

(3) that by examining the content of Internet traffic, Bell is going beyond its role as a neutral common carrier,

(4) that there is no other method available to Bell to manage their network traffic,

(5) that the CRTC only considered the impact on Bell’s and alternative Internet provider’s customers and not on the providers and consumers of content services that rely on P2P protocols (and other protocols, such as encrypted virtual private networks, being throttled as a side effect),

(6) that the CRTC failed to adequately consider the privacy and freedom of expression considerations of its decision.

These points, and others raised in the application, are very interesting and important. There are fundamental issues at stake here, including fair business practices, content control, privacy protection, and freedom to choose service providers. Canadians should be following this issue closely.

Copies of the application and a discussion forum on the issue can be found at

http://www.dslreports.com/forum/remark,22421119

This is an interesting video showing how ATM fraud can be done. In one sequence a “card skimmer” and camera is added to the front of an ATM machine. In another sequence distraction is used to steal a customer’s bank card.

Many people don’t realize how easy it is to get scammed when using these machines, and what to look for when trying to be safe.

Cash Machine Hustle on truTV.com Video

A con artist’s hi-tech gadget or simple distraction at the ATM can leave you with insufficient funds.

Watch more people get scammed on the streets of Manhattan as they lose their money, possessions and even identity–on The Real Hustle.