Archive for the ‘Consumer Information Protection’ Category
February 19, 2012
Layer8 / Network World
The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently difficult: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus, unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.
[T]he agency’s Active Authentication program looks to develop what DARPA calls “novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software-based biometrics.”
Posted in Application Security, Authentication, Consumer Information Protection | Leave a Comment »
November 21, 2011
ENISA’s Report
The top risk for individuals utilising life-logging devices and scenarios is the threat to privacy that accompanies using them. Loss of control over this data might result in individuals being subjected to financial fraud, or unauthorised access might result in reputational harm or discrimination and exclusion. This risk is compounded by the nature of life-logging in that, apart from the privacy threat to individuals coming from commercial entities and governmental agencies, there is also a threat of deliberate or accidental data collection about one person by other individuals.
Dependency on the availability of certain devices or services is also increasing the risks for individuals, as the mobile devices, sensors or services become more attractive targets for attackers. In this direction, the link between tangible and intangible assets is particularly important, as we can also see in Future Internet scenarios; a related risk is the loss of autonomy.
Finally, we should consider risks such as psychological damage, related to discrimination, exclusion, harassment, cyberstalking, child grooming, the feeling of being continuously under surveillance (paranoid behaviour), pressures related to work performance, peering into other people’s lives, etc.
Posted in Consumer Information Protection, Risk Management, Social Engineering / Phishing, Tech and Laws | Leave a Comment »
September 13, 2011
Peter Svensson / USA Today
The problem with that black magnetic stripe on the back of your credit card is that it’s about as secure as writing your account information on a postcard: everything is in the clear and can be copied. Card fraud, and the measures taken to prevent it, costs U.S. merchants, banks and consumers billions each year.
The smart cards can’t be copied, which greatly reduces the potential for fraud. Smart cards with built-in chips are the equivalent of a safe: they can hide information so it can only be unlocked with the right key. Because the important information is hidden, the cards can’t be replicated.
Posted in Authentication, Communication, Consumer Information Protection, Cryptography | 1 Comment »
August 25, 2011
John Cox / Network World
Dubbed Tamper-evident pairing, or TEP, the technique is based on understanding how man-in-the-middle attacks tamper with wireless messages, and then detects and in some cases blocks the tampering. The researchers suggest that TEP could have detected the reported but still unconfirmed cellular man-in-the-middle attack that unfolded at the Defcon conference earlier this month in Las Vegas.
Posted in Communication, Consumer Information Protection, Threat Management | Leave a Comment »
August 14, 2011
Mathew J. Schwartz / InformationWeek
Visa announced that it’s putting its muscle behind the adoption of “chip and PIN” capabilities in U.S. credit cards, which require in-person purchasers to input a PIN code into a point-of-sale machine before the card can be used. Also known as EMV–for Europay, MasterCard, and Visa, referring to their global standard for integrated circuit chips built into cards–the U.S. chip will include contactless chip technology, laying the groundwork for greater adoption of mobile payments using near-field communications (NFC).
Posted in Authentication, Consumer Information Protection, PCI | Leave a Comment »
June 26, 2011
How does a hacker group get dissolved?
But in this shadowy world of claims, boasts and posturing, nothing is quite what it seems. It may have been other members of the hacker “community” – disgruntled with the antics of LulzSec – who forced the group into retreat. A document posted online in the last 24 hours purports to be a history of LulzSec, complete with full details on its leaders.
……
But even if LulzSec has gone offline, its members and other hackers trying to make a name for themselves may soon pop up elsewhere. And the other question is whether we should take any publicity-hungry group like this too seriously. The real damage is more likely being done by criminal groups who wouldn’t dream of boasting of their exploits on Twitter or anywhere else.
Posted in Application Security, Consumer Information Protection, DDoS, Threat Management | Leave a Comment »
May 31, 2011
@The Invisible Things Lab’s blog by Joanna Rutkowska
One doesn’t need to be especially smart or security conscious to realize how much this might be a threat to security and privacy. How much easier would it be to attack somebody’s laptop if I knew precisely in which hotel and when he or she is planning to stay? How much more expensive would my health and life insurance be, if they could get a look at my health and fitness progress? Etc.
But we’re willing to sacrifice our privacy and security in exchange for ease of syncing and sharing of our data. We decide to trust The Cloud. What specifically does that mean?
Posted in Cloud Computing, Consumer Information Protection, Cryptography, Privacy | Leave a Comment »
February 15, 2011
As mobile devices start to store more and more of their owners’ personal data (location, search, and shopping data), this is becoming a real threat to users.
To give users better tools to protect their personal data, the ACLU of Northern California, the ACLU of Washington, and the Tor Project have organized the 2011 Privacy Developer Challenge to develop apps for mobile devices that can educate users about mobile privacy and give them the ability to demand control of their own personal information, without loss of functionality. The winning apps will be released under an open source license.
Goal: ….demonstrate the possibility that apps for mobile devices can actually enhance the privacy of users. By doing so, we hope not only to generate technology that is useful today, but also to encourage developers and companies to adopt the “privacy by design” mindset so that future devices and technologies will be designed with privacy in mind from the start.
Posted in Application Security, Consumer Information Protection, Privacy, Secure Coding | Leave a Comment »
January 27, 2011
This is the most simple, honest, and practical answer to the question “how can I protect my privacy?” – divulge less information about yourself on the web and other platforms!
…in many cases, there’s no need for someone verifying your credentials to know everything about you. A bouncer at a nightclub needs to know that you’re 21, not your name or home address. A county database may only require proof that you’re a local resident, not your phone number or e-mail address.
Old rivals Microsoft and IBM are developing a solution to this problem using a system called ABC4Trust.
Attribute-based Credentials (ABC) allow a holder to reveal just the minimal information required by the application, without giving away full identity information. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-protecting digital society.
One likely application for the ABC system: electronic identity cards issued by national governments. Microsoft has already demonstrated a system that can verify that someone is at least 18 years old and resides in Berlin, without disclosing an actual birthdate.
Posted in Communication, Consumer Information Protection, Policy and Governance, Privacy | 1 Comment »
January 25, 2011
Four researchers took a fairly large sample (1400) of iPhone apps and tested them in a testbed environment. Their test results are quite interesting.
First, the good news:
Only a small number blatantly compromised privacy: 36 accessed the device’s location without first informing the user; another five mined data from the user’s address book without permission.
That is just 3% of the total population. Now the bad news:
…more than half of the iPhone applications studied collected the device ID—a 40-digit hexadecimal number identifying a particular phone. More than 750 of the apps studied used some sort of tracking technology. In about 200 cases, the developer created a way to track a device’s identifier code; the other apps used this functionality from an advertising or tracking software library.
I agree that these are likely not malicious apps, but as the article says, the identifier code “…would give you a lot of information on the user, including—most of the time—their real name”, so device ID tracking will be an interesting debate in the coming months as the FTC’s Privacy Report gets finalized and published.
Posted in Application Security, Consumer Information Protection, Privacy, Secure Coding | 1 Comment »
January 21, 2011
Is it too early (/or late) to talk about privacy and security risks and issues emerging from emerging technologies?
With a cell phone hologram, a user would be able to walk next to a hologram of a friend, or a worker could project an enlarged 3D image of a product needing repair to walk inside it and detect problems, Bloom said. “The repair person could go inside the device instead of looking it up in a manual,”
Posted in Consumer Information Protection, Cybersecurity, Infrastructure Security, Privacy | Leave a Comment »
January 11, 2011
FAQs (PDF) to clarify understanding of the legal framework in force in the EU with regard to transfers of personal data processed in the EU/EEA (European Union/European Economic Area) to third countries.
Answers to these FAQs have been prepared by the Data Protection Unit of the Directorate-General for Justice, Freedom and Security with a view to assisting EU/EEA entities, and more particularly SMEs, in understanding the EU legal framework applicable to transfers of personal data processed in the EU (and the EEA) to “third countries” (i.e. countries that are not members of the EU or the EEA).
Posted in Consumer Information Protection, Privacy, Report / Paper, Tech and Laws | Leave a Comment »
January 10, 2011
The moment I read the article’s subject, the first thing that came to my mind was a National CyberID…but Declan probably read my mind and added this in the first few paragraphs -
We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.
So, what is it? It is an expansion of the “National Strategy for Trusted Identities” program that the administration introduced back in June 2010.
Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.).
Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.
Posted in Authentication, Consumer Information Protection, Privacy, Senate or House Bill | 1 Comment »
January 9, 2011
Following its tradition, MITRE’s Common Weakness Enumeration (CWE) [jointly with the SANS Institute] created a list of 2010’s Top 25 Most Dangerous Software Errors.
The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped.
……
The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses.
Posted in Application Security, Consumer Information Protection, Secure Coding | Leave a Comment »
January 5, 2011
Howard Schmidt discusses the guiding principles that lie behind White House Internet policymaking: deterrence, resilience, privacy and partnerships.
The concept of privacy must evolve to a point that the information necessary for an online transaction is minimized and available for the shortest amount of time to validate the transaction and then vanish.
Posted in Consumer Information Protection, Policy and Governance, Privacy | Leave a Comment »
December 27, 2010
The Federal Trade Commission (FTC) issued a preliminary staff report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. It’s available for public comments. FTC will accept any comments on the report until January 31, 2011.
To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices.” Such protections include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy. Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including assigning personnel to oversee privacy issues, training employees, and conducting privacy reviews for new products and services.
Posted in Consumer Information Protection, Laws and Regulations, Report / Paper | 1 Comment »
December 27, 2010
After Heartland’s breach back in January 2009, Heartland’s CEO has been a strong advocate for industry adoption of end-to-end encryption. End-to-end encryption still remains a future dream, but to assist merchants, the PCI Council has issued “guidance” for encrypting cardholder data and sensitive authentication data during transmission.
According to PCI, “Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance” is written for the merchant perspective but is applicable to any payment industry stakeholder, including merchants, payment processors, acquirers, service providers, assessors, and solution vendors.
The purpose of this document is to help payment industry stakeholders in critically evaluating whether point-to-point encryption solutions may simplify PCI DSS compliance for their environment. The scope of this document relates only to transmitted cardholder or sensitive authentication data, and the impact on PCI DSS scope for a P2PE solution that encrypts this transmitted data.
Posted in Consumer Information Protection, Cryptography, PCI, Report / Paper | Leave a Comment »
November 7, 2010
Dan, one of the great writers on security topics, authored an article on Cybersecurity and National Policy (published in Harvard’s National Security Journal). A little old (April 2010), but an interesting read….
Those with either an engineering or management background are aware that one cannot optimize everything at once — that requirements are balanced by constraints. I am not aware of another domain where this is as true as it is in cybersecurity and the question of a policy response to cyber insecurity at the national level. In engineering, this is said as “Fast, Cheap, Reliable: Choose Two”. In the public policy arena, we must first remember the definition of a free country: a place where that which is not forbidden is permitted. As we consider the pursuit of cybersecurity, we will return to that idea time and time again; I believe that we are now faced with “Freedom, Security, Convenience: Choose Two”.
Posted in Consumer Information Protection, Cybersecurity | Leave a Comment »