ISIS lab alumnus Mike Aiello will be on CBS National News at 6pm on Sunday, April 6th, talking about RFID security. Mike runs DIFRWear, a company that makes RFID-blocking apparel.
Archive for the 'Privacy' Category
This is a short rant prompted by another student’s observation that Yelp actually asks for your Gmail password as part of their signup process…
Have you encountered a website that asks for the username and password to your e-mail provider? I’m talking about this:
Here is a set of interesting references regarding Breach Laws in the United States. I especially like the interactive map that CSO Magazine made, but I can see where having a textual list might be more useful.
This might be good information for any of the students taking Information Security Management this semester to include in their work.
Many media companies are paying big money to try to stop file sharing of copyrighted material. While the material in question is being shared illegally, many of the techniques these companies employ affect everyone by generating a great deal of additional Internet traffic. In this presentation I present research into some new techniques currently being used to attack BitTorrent swarms and the prevalence of these attacks.
Q: What do you think of outsourced backup solutions? Are they secure? Would you use one? I want to backup my data but I’m not sure I can trust an outsourced backup provider.
If you were the administrator or developer of a service that requires users to supply credentials, can you picture the amount of data you would receive if you:
- Use an e-mail address as the username.
- Place tight restrictions on password creation (a decent minimum length, a requirement for letters plus digits).
- Log unsuccessful logins and password changes, including the submitted password.
I’m sure you can see where I’m going with this. If the service is popular, users will first try their other common passwords, working through the entire mental list of every password they generally use (which most likely does not match the one they came up with to register with the site). The service ends up collecting credentials for other services the users are members of, and a few Google searches of their e-mail addresses, or just the user-name part of the address, will reveal most of those services.
I am going on the basis that most people (or at least the ones I’ve spoken to) believe that data such as failed authentication attempts, changed passwords, and removed accounts is erased from existence after the event. But in today’s world of virtually limitless storage and easy logging mechanisms, why wouldn’t administrators log everything that goes through their systems?
I have never heard of such a harvest vector and was thinking of ways to protect against it. Using a password manager like PassSafe can reduce failed attempts and randomly generate a fresh password for each site, but careful attention has to be paid to keeping that database secure. Whichever method you use, the goal is not to supply data to a third (or second) party that has no need to know it.
I think one of the biggest problems for privacy is dumpster diving. Sure enough, you are supposed to run paper through a cross-cut shredder before you throw it out, but… have you ever received those address stickers from (who are they?) the Solon Cancer Society, or others? (I am all for supporting the development of a cure for cancer, but let’s stick to the moral of the story here, shall we?) Have you ever tried running those address labels through a cross-cut shredder? That’s right, the sticky labels will jam up your shredder until it smokes to death.
What I think would be a useful public policy is to mandate that junk mailers put all personal information on a single, easily identifiable sheet (I would go as far as to suggest fading ink that disappears after a certain date, but I am not going to go that far today), so that it is easy for us, the general public, to destroy our private information, which they gathered without our permission in the first place. Why can’t SFS/ISIS send a letter to our State Senators about this? Isn’t it worth it?