Security & privacy

Face recognition in laptops easily spoofed


Not surprisingly, researchers have demonstrated that the face recognition systems being included in some new laptops can be easily fooled. Anyone relying on this form of biometric authentication should reconsider.

Researchers Hack Faces In Biometric Facial Authentication Systems – DarkReading

A Vietnamese researcher will demonstrate at Black Hat DC next week how he and his colleagues were able to easily spoof and bypass biometric systems that authenticate users by scanning their faces.

The researchers cracked the biometric authentication embedded in Lenovo, Asus, and Toshiba laptops by spoofing the biometric systems with everything from a photo of the authorized user to brute-force hacking using fake facial images.


Privacy settings on Facebook that you should know about


Here is a nice article reviewing 10 different privacy settings on Facebook that you should be thinking about. Some of them are obvious, while others are a bit more obscure (e.g., who can see when you are tagged in photos uploaded by other people). Every Facebooker should have a look.

10 Privacy Settings Every Facebook User Should Know

Every day I receive an email from somebody about how their account was hacked, how a friend tagged them in a photo and they want a way to avoid it, as well as a number of other complications related to their privacy on Facebook. Over the weekend one individual contacted me to let me know that he would be removing me as a friend from Facebook because he was “going to make a shift with my Facebook use – going to just mostly family stuff.”

Perhaps he was tired of receiving my status updates or perhaps he didn’t want me to view photos from his personal life. Whatever the reason for ending our Facebook friendship, I figured that many people would benefit from a thorough overview on how to protect your privacy on Facebook. Below is a step by step process for protecting your privacy.


Focus group research from Microsoft on attitudes towards privacy online

Photo by Mikey G Ottawa

As part of Data Privacy Day, Microsoft has released the findings of focus group research it has been doing on attitudes towards online privacy. The key findings are that people are concerned about privacy, but don’t understand the risks and don’t know what to do about them.

Microsoft has produced a short video of the focus group research.

Data Privacy Day – Focus Group Findings

These findings are leading us to consider whether industry, government and nongovernmental organizations are doing enough to educate consumers about protecting their personal information online. Members of industry should also evaluate whether we place too much responsibility on consumers and put greater emphasis on alleviating the burdens related to making informed privacy decisions. The Internet is evolving at a breakneck pace, and the privacy practices that worked for people yesterday may not apply tomorrow.


Today is data privacy day


Today is data privacy day. Somehow I missed it. Check out this story and the links to events happening around the world.

Data Privacy Day 2009

On January 28, 2009, the United States, Canada, and 27 European countries will celebrate Data Privacy Day together for the second time.

Designed to raise awareness and generate discussion about data privacy practices and rights, Data Privacy Day activities in the United States have included privacy professionals, corporations, government officials and representatives, academics, and students across the country.

One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues.


Security predictions from Unisys

Photo by Kevin Labianco

Here is an article about security predictions for 2009 from Unisys, a large solutions provider. What is interesting are the predictions about biometrics-at-a-distance and the emphasis on “the human factor” in security solutions.

Customer convenience key to future IT security

The roll-out of identity verification solutions that capture iris and facial images from a distance to speed up security checkpoints, for a better customer experience, where large numbers of people move through a bottleneck such as immigration control.

Organisations will shift from securing systems to securing information to take into account the ‘human factor’.

Until recently organisations and their auditors considered that strong network and system security was adequate protection for company and consumer information. High-capacity miniature storage devices such as USB sticks are now commonly available and are capable of storing entire databases, customers’ personal details, or sensitive commercial data. As a result, many organisations have had the security of their data compromised — both intentionally and accidentally — in spite of strong system security.


New Research Report: Browser Interfaces and SSL Certificates

david.nikonvscanon

Jennifer Sobey, Paul Van Oorschot, and I have recently reported on some work-in-progress research on web browser interfaces for SSL certificates. The report can be downloaded at

http://www.scs.carleton.ca/research/tech_reports/index.php?Abstract=tr-09-02_0023&Year=2009

Here is a summary…

Browser Interfaces and EV-SSL Certificates: Confusion, Inconsistencies and HCI Challenges

by J. Sobey, P.C. Van Oorschot, and A. S. Patrick

The introduction of Extended Validation (EV) SSL certificates has caused web browser manufacturers to take a new look at how they design their interfaces for conveying certificate information. In turn, we take a thorough look at the choices they have made. Our observation is that the changes being made significantly increase the confusion surrounding SSL certificates rather than increasing trust. We perform a systematic walkthrough involving dialogues and interfaces related to site identity, certificates, and SSL encryption; raise questions concerning the inconsistencies in their implementations; and highlight the confusion between identity and confidentiality. Prior to carrying out a full user study, we aim to define the problem clearly and to explore some possible alternatives. We suggest some improvements in terms of both mental models and interface design and emphasize the importance of consistency across browsers for appropriate user interaction with these certificate interfaces.
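The confusion between identity and confidentiality that the report highlights is easy to make concrete. The Go program below is an example added here; it is not from the report and not a browser's code. It generates self-signed certificates for a hypothetical host example.test (the subjects, including the organisation name Example Corp, are constructed for the demonstration), runs four TLS handshakes over loopback TCP, and records separately what the client side can actually conclude afterwards: whether the channel is encrypted, whether the certificate chained to a trusted root (here, the root is the pinned leaf itself, an assumption standing in for a real CA), and whether an organisation name, the field EV certificates add, was present at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome keeps apart two facts a site-identity indicator tends to blur.
type Outcome struct {
	Scenario         string
	Encrypted        bool   // TLS handshake completed (confidentiality)
	IdentityVerified bool   // leaf chained to a trusted root (identity)
	Organization     string // O= in the presented leaf, the EV-style "who" field
	Err              error
}

// must panics on setup errors; the setup is not what the example demonstrates.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSelfSignedCert builds a throwaway self-signed cert for the hypothetical host example.test.
func newSelfSignedCert(subject pkix.Name) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      subject, // constructed subject, see RunScenarios
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one in-process TLS handshake over loopback TCP and records what the client learned.
func handshake(scenario string, cert tls.Certificate, trusted, skipVerify bool) Outcome {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	conn := must(ln.Accept()) // on loopback the connect completes before Accept
	defer raw.Close()
	defer conn.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	serverDone := make(chan error, 1)
	go func() { serverDone <- tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake() }()
	roots := x509.NewCertPool() // empty pool: nothing is trusted unless this leaf is pinned
	if trusted {
		roots.AddCert(cert.Leaf)
	}
	cli := tls.Client(raw, &tls.Config{
		ServerName:         "example.test",
		RootCAs:            roots,
		InsecureSkipVerify: skipVerify, // what "proceed anyway" on a warning page amounts to
	})
	out := Outcome{Scenario: scenario, Err: cli.Handshake()}
	<-serverDone // let the server finish or fail before the sockets are closed
	st := cli.ConnectionState()
	out.Encrypted = st.HandshakeComplete
	out.IdentityVerified = len(st.VerifiedChains) > 0
	if len(st.PeerCertificates) > 0 && len(st.PeerCertificates[0].Subject.Organization) > 0 {
		out.Organization = st.PeerCertificates[0].Subject.Organization[0]
	}
	return out
}

// RunScenarios contrasts a DV-style subject (CN only) with an EV-style one under different trust settings.
func RunScenarios() []Outcome {
	dv := newSelfSignedCert(pkix.Name{CommonName: "example.test"})
	ev := newSelfSignedCert(pkix.Name{CommonName: "example.test",
		Organization: []string{"Example Corp"}, Country: []string{"CA"}}) // constructed identity
	return []Outcome{
		handshake("EV-style subject, untrusted, warning clicked through", ev, false, true),
		handshake("EV-style subject, untrusted, verification on", ev, false, false),
		handshake("DV-style subject, trusted", dv, true, false),
		handshake("EV-style subject, trusted", ev, true, false),
	}
}

func main() {
	for _, o := range RunScenarios() {
		fmt.Printf("%-52s encrypted=%-5t identity=%-5t org=%q err=%v\n", o.Scenario, o.Encrypted, o.IdentityVerified, o.Organization, o.Err)
	}
}
```

The first scenario is the trap: the session is encrypted and the leaf carries an organisation name, yet nothing about the peer's identity has been verified, so an interface that lights up a lock or displays the O= field on that basis is showing confidentiality as if it were identity. The trusted DV case is the mirror image: identity is verified, but only as a domain name, and there is no organisation to display. A site-identity UI has to present those three facts separately, which is what the walkthrough above finds browsers failing to do consistently.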


Biometric border control system fooled by tape-on fingerprints

Craig Axxie

Here is a report of a woman who was apparently able to enter Japan illegally using a fake passport and fake fingerprints taped to her fingers. She got through the automatic biometric scanning system that has been installed at many Japanese airports.

S. Korean woman ‘tricked’ airport fingerprint scan

A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday.


Maybe users are the weakest link?


When it comes to security, the old saying is that users are the weakest link in the security chain. Some people were starting to question this, however, given the prevalence of software vulnerabilities. More and more infections, it seemed, were being caused by exploits of common programs, such as web browsers, and not by anything the users did. Well, the Trend Micro data quoted below suggests that infections through exploits of software vulnerabilities are comparatively rare (5% of those tracked). Far more common are infections where people are duped into downloading something from the Internet or into opening email attachments.

We really have to understand and modify user behavior to improve the security situation.

The headline below is misleading: it is not the visiting of web sites that is the problem, it is the accepting of downloads offered during that visit.

Malware most often spread by visiting malicious Web sites

From Jan. 1 to Nov. 25, the top 100 attack programs infected 53% of their victims by duping them into downloading something from the Internet. An additional 12% of the infections tracked globally were caused by users opening e-mail attachments.

Just 5% of the infections were related to an exploit of a software vulnerability, said Trend’s analysis.


Truth Serum

Photo by Nick Atkins Photography

Scientific American reports that India is using “truth serum” to interrogate people associated with the recent terrorist attacks. Truth serum has a long history, and there is no evidence that it is effective or that it reliably produces the truth.

What is truth serum?

The idea of a “truth serum” has never been widely accepted. Although there have been waves of enthusiasm for the idea of a drug that can extract information reliably, there has been even more skepticism. Ever since the 1920s, many judges, psychiatrists, and scientists have rejected the idea that there is a drug that can get memories out intact. They have claimed, instead, that it makes people feel like talking, but it also puts them in a state of extreme suggestibility: people will pick up on cues about what questioners want to hear and repeat that back. This is one of the reasons that statements made under the influence of these drugs have never, as far as I know, been accepted in an American court.


Identity theft getting sophisticated

Identity theft gangs are growing in sophistication, and the amount of money involved is increasing rapidly. This story from NetworkWorld describes a very sophisticated gang of ID thieves. These criminals combined information from a variety of sources, both online and offline, with traditional fraud tactics (e.g., social engineering). Their targets were home equity lines of credit, which often carry very high limits.

Feds nab more members of alleged identity theft gang

Federal authorities say they have taken another step toward busting a multinational identity theft ring that is alleged to have used stolen personal data to withdraw millions of dollars from home equity line-of-credit accounts at dozens of financial institutions in the U.S., including some of the country’s largest banks.

Four individuals were arrested last week in connection with the alleged scheme, which has resulted in more than $2.5 million being stolen from the affected financial institutions, according to law enforcement officials. Another $4 million worth of attempted withdrawals by the gang were unsuccessful, the U.S. attorney’s office in New Jersey said in announcing the arrests last Wednesday.
