Security & privacy

Here is a report from Australia of an opinion survey about using passwords for authentication. Just over 200 people were surveyed and about half of them felt that their password could be guessed. Moreover, personal information that is often used to confirm an identity (such as the infamous “mother’s maiden name” question) were felt to be unsafe by 67% of the participants. Perhaps of most interest, 75% of the people said they would be prepared to deal with more complex authentication procedures if it increased security.

Consumers Lack Faith In the Security of Passwords

Australian consumers are becoming increasingly concerned about issues of security and the methods organisations use to verify their identity, according to a new study by Sydney-based research company, callcentres.net.

The 2009 Salmat VeCommerce Identity Verification Study highlights consumers’ fears that traditional PINs and passwords do not provide adequate protection of their personal information, with 67 per cent of consumers reporting that they believe their security details are at risk.

Just over half (51 per cent) felt that someone else may be able to accurately guess their password, PIN or security details for interactions over the phone, while 59 per cent said they believe someone else may actually know these details.

This article from researchers at the University of Notre Dame discusses some of the limitations of iris biometric systems. Pupil dilation, for example, is found to affect the accuracy of iris recognition, especially if the amount of dilation is different at enrollment than at verification. Wearing contact lenses, especially cosmetic lenses designed to change the color and appearance of the eye, can also decrease recognition rates. The researchers also find that the false rejection rate increases over the four-year time span they have tested.

This is important because iris-based systems are often considered the most accurate and stable forms of biometric identification. Clearly, more research into the limitations is needed.

Toward the next generation of iris biometrics science

Many factors complicate the use of iris biometrics, such as differences in pupil dilation, the presence of contact lenses, and the eye’s natural aging.

There is a new report out of the National Academies in the US on forensic science methods, including identification technologies based on fingerprints, DNA, etc.

The report suggests, not for the first time, that many of the methods used in forensic science have never undergone rigorous scientific testing, and that standards for methodology and accuracy are lacking.

Due to the heavy use of forensic identification in the legal system, there seems to be a serious reluctance to do any kind of research on the accuracy of the methods and results. We should be doing the opposite and making sure that these methods are thoroughly questioned and tested. This report calls for a new National Institute for Forensic Science to do that testing.

‘Badly Fragmented’ Forensic Science System Needs Overhaul; Evidence to Support Reliability of Many Techniques is Lacking

A congressionally mandated report from the National Research Council finds serious deficiencies in the nation’s forensic science system and calls for major reforms and new research. Rigorous and mandatory certification programs for forensic scientists are currently lacking, the report says, as are strong standards and protocols for analyzing and reporting on evidence. And there is a dearth of peer-reviewed, published studies establishing the scientific bases and reliability of many forensic methods. Moreover, many forensic science labs are underfunded, understaffed, and have no effective oversight.

Forensic evidence is often offered in criminal prosecutions and civil litigation to support conclusions about individualization — in other words, to “match” a piece of evidence to a particular person, weapon, or other source. But with the exception of nuclear DNA analysis, the report says, no forensic method has been rigorously shown able to consistently, and with a high degree of certainty, demonstrate a connection between evidence and a specific individual or source. Non-DNA forensic disciplines have important roles, but many need substantial research to validate basic premises and techniques, assess limitations, and discern the sources and magnitude of error, said the committee that wrote the report. Even methods that are too imprecise to identify a specific individual can provide valuable information and help narrow the range of possible suspects or sources.

When thinking about replacing or strengthening traditional passwords, one alternative is to add a hardware device that proves the users are in possession of a token. RSA has done this for years with their SecurID product, but people with multiple accounts have to carry multiple SecurID tokens. Now VeriSign has come out with an iPhone application that does the same thing, and already supports three different account types. Is this the solution to adding “something you have” to the authentication process, without requiring that people “have” too many things? Will the application be secure, or just another attack vector for the bad guys?

What’s the Password? Only Your iPhone Knows

As of Tuesday, you can now download an iPhone application that will generate a password for your AOL, eBay and PayPal accounts. It’s optional and free to consumers, but if you sign up, no one can get in your account without your user ID, your password and the six-digit number generated by your phone.

Do you know who Alan Turing is? Mathematician, cryptanalyst, and perhaps the father of modern computing. His work is widely considered to be responsible for shortening WWII by at least two years.

His code breaking machines, long before the days of modern computers, allowed the Allies to decrypt and analyze German communications, even though the Germans were using the “unbreakable” Enigma machines. It is easy to forget just how impressive and important this work was.

In this story one of the code breaking machines, a 6-foot tall electrical and mechanical “computer”, has been reproduced. I think this is a fitting tribute.

Code breaking machine that shortened the Second World War by two years

The rows of silver dials and tangle of scarlet wires look more like a telephone exchange.

But this is the inside of the Turing Bombe, the part-electronic, part-mechanical code-breaking machine and forerunner of the modern computer, which cracked 3,000 messages a day sent on Nazi Enigma machines during the Second World War.

There were 210 such bookcase-like Bombes that gave Britain advance warning of Hitler’s plans and shortened the conflict by two years.

Restaurants are often the source of stolen credit card information. The waiter takes your card when you pay and swipes it twice; once in the legitimate machine and once in a surprisingly small skimming machine that can be carried in a pocket. The waiter can make good money for each card that they swipe, and the result is that bad guys gather all the card information and make fake cards. It is good to see some of these people getting caught, but I think it is far more common than this one case represents.

Washington D.C. Restaurants Become Credit Card Cloning Hot Spots

With unobserved access to diner’s credit cards, restaurant wait staff have long been the source of a steady stream of stolen magstripe data. It takes only a second to swipe a customer’s card through a tiny skimming device purchasable over the internet, which is easily concealed in pocket or apron.

Here is an article on data storage that quotes Anil Somayaji from Carleton University. As he says, the answer to the question depends on what you are protecting against. It the case of protecting confidentiality, the article fails to mention the importance of encryption.

I am becoming a big fan of encrypted containers on laptop hard drives and USB keys. This gives me confidentiality and integrity for my important files. If you have not tried this, check out TrueCrypt.

The safest place to store your data

Given the conflicting information, what is the safest place to store your data?

“It all depends on what you define as safe,” says Anil Somayaji, an associate professor at Carleton University who specializes in computer security.

Typically, people consider three things, he says:

1. Confidentiality: Making sure your private information stays private.
2. Integrity: Making sure your data isn’t damaged.
3. Availability: Making sure your data isn’t lost.

In a related article, FEMA is moving to protect data on its laptops.

Thanks to flyinghamster for the tweats.

The NRC has decided to make some program changes, and that includes canceling my program on Information Security, a program on Software Engineering, and a third one on Acoustics. They are also making significant changes to the science and technical library (CISTI).

So, this means that some of Canada’s top experts in these fields are now looking for new positions.

In the Information Security area, we have 8 people who are experts in conducing R&D in a variety of areas, including:

• agent technologies
• biometrics
• cryptographic key management
• data mining
• human-computer interaction
• privacy protection and compliance
• risk analysis and visualization
• secure software
• security protocols
• security systems
• social networks and work flow analysis
• trust management
• usable security
• web crawling
• web services and e-services

If you know of anyone interested in advanced R&D in these areas, please let me know.