Security & privacy

Concerns about Canadian lawful access bills

Here is an article from The Globe and Mail on Canada’s new lawful access bills. The federal and provincial privacy commissioners are raising concerns about the privacy impacts of the proposed legislation, which would require service providers to install surveillance equipment and allow police unprecedented powers to gather information.

These proposed laws should be getting more attention in Canada before it is too late.

Planned Internet, wireless surveillance laws worry watchdogs

Canada’s federal and provincial privacy watchdogs are expressing concern about two proposed laws that would give authorities much greater surveillance powers over Internet and wireless communications.

In June, the Conservative government introduced two bills – the Investigative Powers for the 21st Century Act and the Technical Assistance for Law Enforcement in the 21st Century Act – that would give police sweeping new powers to collect information about Canadian Internet users without a warrant, and activate tracking devices in their cellphones and cars, among other things.

“Canadians put a high value on the privacy, confidentiality and security of their personal communications and our courts have also accorded a high expectation of privacy to such communications,” Ms. Stoddart said in a statement Thursday.


Do EV SSL certificates really increase online sales?
Here is an article from NetworkWorld claiming that an online travel agency in Australia has improved its sales completion rate by deploying Extended Validation (EV) certificates. Our research, on the other hand, shows that users typically do not even look at the area of the browser where certificate information is shown (we used an eye tracker), and have a great deal of difficulty understanding the information if they do look. We also find that the introduction of EV certificates makes usability worse and security decisions harder. This seems like a thinly veiled advertisement for VeriSign’s products. Buyer beware.

Online travel takes off with EV SSL security

“Since implementing VeriSign’s EV SSL Certificates, our online sales have really taken off. We have experienced greater conversion rates, a reduced rate of booking abandonment and a noticeable drop in customer concerns relating to security issues,” Lynch said.


DNA evidence is not fool-proof

It turns out that it is fairly easy to “create” DNA evidence to match anyone you wish, so it is possible to plant evidence and frame a person. The standard DNA tests used in forensic labs are not able to detect such forgeries. This is another example of the need to carefully examine the science behind the forensic techniques we use in criminal cases.

DNA evidence can be faked

In a release announcing the discovery, the company said, “standard molecular biology techniques, such as polymerase chain reaction (PCR), molecular cloning, and more recently available whole genome amplification, enable anyone with basic equipment and limited know-how to synthesize unlimited amounts of artificial (in vitro) DNA with any desired profile.”


Real-time keylogging to defeat one-time passwords

Here is a report of a gang, apparently in Eastern Europe, who are infecting machines with special keyloggers that send back real-time records of bank transactions. This allows the criminals to conduct fraud at the same time as the user does their legitimate banking. These attacks make one-time password devices, such as the SecurID system, useless. In the online security game, the bad guys are winning…

How Hackers Snatch Real-Time Security ID Numbers

If your computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can’t see.

“What everybody thought was a very secure identification method, these guys found a low-tech means to get around it,” said Joe Stewart, the director of malware research for SecureWorks, a software company. “They don’t break the encryption; they just log in at the same time you do.”


Lessons in social engineering

Here is an interesting article from Network World. Brian Brushwood describes four simple techniques that can be used to get people to do what you want: (1) confidence and control; (2) give something away; (3) use humor; (4) make a request and give a reason.

Mind Games: How Social Engineers Win Your Confidence

Social engineering and mind games expert Brian Brushwood has not come by his knowledge in the traditional manner of school or business training. Brushwood is the host of the Internet video series Scam School, a show he describes as dedicated to social engineering in the bar and on the street.

In addition to his passion for teaching people about social engineering cons, Brushwood is also a touring magician who frequently performs on college campuses and has appeared on the Tonight Show. He first became interested in social engineering years ago as a means to enhance his performance and pull off secret moves successfully. Brushwood said his understanding and use of the term social engineering goes beyond the security industry perception.


Symposium on Usable Privacy and Security (SOUPS 2009)

SOUPS 2009 is underway in lovely Southern California. Google is hosting the conference this year.

SOUPS is the major conference in the field defined by the intersection of usability and security. The conference includes two tutorials, which took place yesterday, 15 technical research papers, a panel, break-out discussion sessions, and a keynote address.

Check out the conference program at the web site:

SOUPS – Symposium On Usable Privacy and Security


Ecological validity in studies of security and human behaviour

I gave a keynote talk this week at the ISSNet workshop on “Ecological validity in studies of security and human behaviour.” Here is the abstract…

It is becoming increasingly clear that studies of the effectiveness of information security solutions must take into account the human factor — the behaviour of the users of the systems. Conducting research on human behaviour is hard, however, and it is often difficult to witness authentic behaviour in a laboratory environment. Ecological validity refers to the extent to which the results of a test or experiment can be applied to the real-life of the people being studied. Using a series of case studies from research on security-related behaviours, Dr. Patrick will lead a discussion about the nature of validity in research, the issues surrounding ecological validity, and research techniques that can be used to increase the validity of security studies.

And here are the slides with notes (PDF, 5.7 MB).


Security & Human Behaviour Workshop

I recently attended the Security & Human Behaviour Workshop in Boston. I made a brief presentation about usability and biometrics. Other presentations were about human decision making, trust, security interfaces, terror, crowd behaviour, etc. This was a great workshop that brought together some really interesting people.

Some blogs covering the conference are available:

Bruce Schneier
Ross Anderson
Adam Shostack

And audio recordings are also being provided by Matt Blaze. Audio of my presentation can be heard at the beginning of Session 3 (mp3).


Latest round of Canadian net neutrality fight

In the latest round of the Canadian net neutrality fight, a number of Internet service providers have formally applied to have a Canadian Radio-television and Telecommunications Commission (CRTC) decision overturned. This decision allowed Bell Canada to continue to throttle the speed of certain Internet traffic, most notably peer-to-peer (P2P) traffic used by applications such as BitTorrent. One of the notable aspects of the issue is that Bell is not only throttling its own customers, but also the customers of alternative Internet providers who lease Bell’s DSL infrastructure.

A group that includes the Consumers’ Association of Canada, the Canadian Association of Internet Providers (CAIP), and a group of independent Internet providers has filed a lengthy document that outlines what they claim are major errors of fact and law in the previous decision.

One of the main points in the filing is that while the CRTC ruled that Bell could continue to throttle certain kinds of Internet traffic, on the same day it opened a new proceeding examining the same issues raised in the throttling case. The suggestion is that the CRTC clearly felt it did not have enough information about these issues, and yet it decided in Bell’s favour regardless. The applicants suggest that this was a wrong decision and, in fact, more information has become available as a result of the new proceeding that sheds further light on the throttling issue. They want the throttling decision to be reversed until a full examination can be conducted.

Further points raised by the applicants include:

(1) a failure by Bell to show that P2P applications were causing undue congestion on the networks, or that the throttling it was using was a necessary solution if there was a problem,

(2) that the CRTC erred in believing Bell when it said it did not examine the content of Internet packets when it made a throttling decision,

(3) that by examining the content of Internet traffic, Bell is going beyond its role as a neutral common carrier,

(4) that there is no other method available to Bell to manage their network traffic,

(5) that the CRTC only considered the impact on Bell’s and alternative Internet providers’ customers, and not on the providers and consumers of content services that rely on P2P protocols (and on other protocols, such as encrypted virtual private networks, that are being throttled as a side effect),

(6) that the CRTC failed to adequately consider the privacy and freedom of expression considerations of its decision.

These points, and others raised in the application, are very interesting and important. There are fundamental issues at stake here, including fair business practices, content control, privacy protection, and freedom to choose service providers. Canadians should be following this issue closely.

Copies of the application and a discussion forum on the issue can be found at:

http://www.dslreports.com/forum/remark,22421119


Video of ATM fraud methods

This is an interesting video showing how ATM fraud can be done. In one sequence a “card skimmer” and a camera are added to the front of an ATM. In another sequence, distraction is used to steal a customer’s bank card.

Many people don’t realize how easy it is to get scammed when using these machines, or what to look for in order to stay safe.

Cash Machine Hustle on truTV.com Video

A con artist’s hi-tech gadget or simple distraction at the ATM can leave you with insufficient funds.

Watch more people get scammed on the streets of Manhattan as they lose their money, possessions and even identity–on The Real Hustle.
