Recently, the Electronic Frontier Foundation (EFF) and the International Secure Systems Lab (iSec Lab) have publicized methods of de-anonymization. The EFF released a tool to demonstrate de-anonymization via browser fingerprinting, while an iSec Lab paper featured in Heise Security discusses the authors’ attempts to use browser history and the unique properties of social networks to identify individuals. The threats to user privacy continue to grow more evident and sophisticated.
I have a confession to make. I sometimes leave my company-issued laptop in my car when I run errands between work and home. My laptop bag, particularly after I have stuffed it with papers, lunchbox, laptop, cords and other detritus, feels like a sack of bricks on my shoulder. When running into the supermarket with my environmentally friendly cloth shopping bag, the last thing I want is an extra 50 pounds to carry around. Or let’s say I am going into a restaurant for a relaxing dinner. Do I carry my laptop with me or leave it in the car? Remember, if I bring it with me, I have to carry it to the restroom as well.
Just over a year ago, I was invited to join ongoing discussions with retired Lt. General Harry Raduege, Scott Charney and Representatives Langevin and McCaul, as well as other industry, academia, and government representatives who were engaged in an impassioned debate. The topic? Cybersecurity strategy and direction for the next President. How would we advise the incoming President about protecting and securing our country’s information systems?
Formulated within the Center for Strategic and International Studies (CSIS), we discussed the evolving online threats, how our current approaches and technologies stack up against these threats, and how these factors – and others – impact the online world in ways that affect U.S. critical infrastructure and our way of life. In late December 2008, we completed a report of our recommendations, and shortly after that the Comprehensive Cyber Security 60-day review was completed.
National Data Privacy Day is celebrated annually on January 28th in the United States, Canada, and a few European countries, with a focus on educating computer users about the protection of personally identifiable information on the World Wide Web. As we move towards a world where a significant portion of one’s daily life involves interaction with the World Wide Web, the National Data Privacy Day aims to bring about an increased awareness among users about protection of their online rights, methods to control personally identifiable information online, and regulations currently in place to that effect. The focus revolves around end-user education, even in scenarios where the technology used to ensure end-user privacy may not be adequate due to implementation flaws. An example of such an unfortunate scenario was recently demonstrated by researchers at the University of Cambridge, United Kingdom (UK). The researchers published a paper that describes implementation flaws in the 3D Secure (3DS) protocol, used for authentication verification when Visa- or MasterCard-based credit card transactions are performed (Verified by Visa/MasterCard SecureCode). The paper suggests that the approach to securing credit card transactions is liability driven, rather than security driven, ultimately resulting in a protocol implementation that is not end-user friendly.
Who gets mail? We all do.
Mail arrives from a variety of public sector sources, such as the court system inviting you to jury duty or the county assessor providing you with the annual assessment and tax bill. You may also receive credit card statements and personal correspondence in your mailbox. Perhaps your medical service provider or insurer mails you an explanation of benefits. Merchants send you opportunities to appreciate their services. Similarly, we all have e-mail addresses; some of us have more than one. Our use of these addresses may be identical to that of our physical mailbox. Sadly, the mail, both physical and electronic, is also used by the criminal world to perpetrate fraud.
Ask yourself this question: When mail is processed, arrives or is dispatched, where and how does this occur? Simple enough? Let’s discuss.