Archive for the 'Privacy' Category

RFID security — mark your calendars!

ISIS lab alumnus Mike Aiello will be on CBS National News at 6pm on Sunday, April 6th, talking about RFID security. Mike runs DIFRWear, a company that makes RFID-blocking apparel.

We promise we won’t store your password

This is a short rant prompted by another student’s observation that Yelp actually asks for your Gmail password as part of their signup process…

Have you encountered a website that asks for the username and password to your e-mail provider? I’m talking about this:

[Image: Facebook asking for my Gmail password]

Continue reading ‘We promise we won’t store your password’

Breach Law Charts

Here is a set of interesting references regarding Breach Laws in the United States. I especially like the interactive map that CSO Magazine made, but I can see where having a textual list might be more useful :-).

Breach Laws Charts (updated)

This might be good information for any of the students taking Information Security Management this semester to include in their work. 

Attacks on BitTorrent

Many media companies are paying big money to try to stop file sharing of copyrighted material. While the material in question is being shared illegally, many of the techniques these companies employ affect everyone by generating a great deal of additional internet traffic. In this presentation I present research into some new techniques currently being used to attack BitTorrent swarms and the prevalence of these attacks.

BitTorrent Presentation

Q&A with ISIS: Outsourced Backup

Q: What do you think of outsourced backup solutions? Are they secure? Would you use one? I want to backup my data but I’m not sure I can trust an outsourced backup provider.

Continue reading ‘Q&A with ISIS: Outsourced Backup’

Harvesting credentials from a subscriber base

If you were the administrator/developer of a service that requires users to supply credentials, can you picture the amount of data you would receive if you:

  1. Use an e-mail address as the username.
  2. Place tight restrictions on password creation (a decent minimum length, a requirement for letters plus digits).
  3. Log unsuccessful logins and password changes.

I’m sure you can see where I’m going with this: if the service is popular, users who cannot remember the password they registered with will try their other common passwords first, running through their entire mental list of the passwords they generally use (which most likely do not match the one they came up with for this site). The service thereby collects credentials for the other services the users are members of, and a few Google searches of their e-mail addresses, or just the user-name part of the address, will reveal most of those services.

I am going on the basis that most people (or the ones I’ve spoken to) believe that data like failed authentication attempts, changed passwords, and removed accounts are erased from existence after the event. But in today’s world of virtually limitless storage and easy logging mechanisms, why wouldn’t administrators log everything that goes through their systems?

I have never heard of such a harvest vector and was thinking of ways to protect against it. Using a password manager like PassSafe can reduce failed attempts and randomly generate a fresh password for each site, but careful attention has to be paid to keeping that database secure. Whichever method you use, the goal is not to supply data to a third (or second) party that has no need to know it.
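To make the harvest vector concrete from the service side, here is an added example (not code from this post or from any real service) contrasting a login handler that records the submitted password on failure with one that records only that a failure happened. The class and function names (AuthService, login_naive, login_safe, log_leaks_secret, demo), the in-memory audit log and the sample passwords are all constructed for this illustration; the stored credential is a salted PBKDF2 hash, so the only password-derived value the safe variant ever keeps is that hash.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Set, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the only password-derived value worth storing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class AuthService:
    """Hypothetical in-memory service: e-mail as username, hashed passwords, an audit log."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}  # email -> (salt, hash)
        self.audit_log: List[dict] = []

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email] = (salt, hash_password(password, salt))

    def _verify(self, email: str, password: str) -> bool:
        entry = self.users.get(email)
        if entry is None:
            # Unknown account: still pay the hashing cost so timing does not
            # reveal which e-mail addresses are registered.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, hash_password(password, salt))

    def login_naive(self, email: str, password: str) -> bool:
        """The harvesting pattern the post describes: failed attempts are logged verbatim."""
        ok = self._verify(email, password)
        if not ok:
            self.audit_log.append({"event": "login_failed", "user": email,
                                   "ts": time.time(), "submitted": password})
        return ok

    def login_safe(self, email: str, password: str) -> bool:
        """Same verification, but the log records only the outcome, never the input."""
        ok = self._verify(email, password)
        self.audit_log.append({"event": "login_ok" if ok else "login_failed",
                               "user": email, "ts": time.time()})
        return ok

    def failed_attempts(self, email: str) -> int:
        """Counts failures per account; enough for lockout or rate limiting."""
        return sum(1 for r in self.audit_log
                   if r["user"] == email and r["event"] == "login_failed")


def log_leaks_secret(log: List[dict], secrets: Set[str]) -> bool:
    """True if any of the given secret strings appears as a value in any log record."""
    return any(isinstance(v, str) and v in secrets
               for record in log for v in record.values())


def demo() -> dict:
    # Constructed sample: a user who forgets this site's password and tries
    # two passwords she reuses elsewhere before remembering the right one.
    email = "alice@example.com"
    site_password = "site-only-9Q"
    reused_elsewhere = ["bankpass123", "work2008"]

    naive = AuthService()
    naive.register(email, site_password)
    for guess in reused_elsewhere:
        naive.login_naive(email, guess)

    safe = AuthService()
    safe.register(email, site_password)
    for guess in reused_elsewhere:
        safe.login_safe(email, guess)

    return {
        "naive_leaks": log_leaks_secret(naive.audit_log, set(reused_elsewhere)),
        "safe_leaks": log_leaks_secret(safe.audit_log, set(reused_elsewhere)),
        "safe_failed_count": safe.failed_attempts(email),
        "safe_login_ok": safe.login_safe(email, site_password),
        "unknown_user_rejected": not safe.login_safe("nobody@example.com", "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the safe log still supports everything an operator legitimately needs from failed-login records (per-account counts, timestamps, lockout decisions) while containing nothing that could be matched against the user's accounts elsewhere; the same rule applies to password-change events, which should record that a change occurred and never the old or new value.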

Solving Privacy in the Information Age, Part 2

(edit: I have been known to be crazy in the past; this may have been one of those times)

This is the 2nd part in a multipart series on Privacy. Part 1 is here.

In Part 2 of my series on Privacy, I’ll talk about an issue that’s just a tad bit scary to me. Without introducing it just yet, let’s take a look at some of the current issues with identity theft and what Mike’s solution in the last article solves and what it doesn’t.

Continue reading ‘Solving Privacy in the Information Age, Part 2’

Proposed Privacy Act (for Junk Mailer)

I think one of the biggest problems for privacy is dumpster diving. Sure enough, you are supposed to run paper through a cross-cut shredder before you throw it out, but have you ever received those address stickers from (who are they again?) the Solon Cancer Society or others? (I am all for supporting the development of a cure for cancer, but let’s stick to the moral of the story here, shall we?) Have you ever tried running those address labels through a cross-cut shredder? That’s right, the sticky labels will jam up your shredder until it smokes to death.

What I think would be a useful public policy is to require junk mailers to put all personal information on a single, easily identifiable sheet (I would go as far as to suggest fading ink that disappears after a certain date, but I am not going to go that far today) so that it is easy for us, the general public, to destroy our private information, which they gathered without our permission in the first place. Why can’t SFS/ISIS send a letter to our State Senators about this? Isn’t it worth it?

Solving Privacy in the Information Age, Part 1

(edit: I have been known to be crazy in the past; this may have been one of those times)

Nitesh recently gave a presentation on his concern that the privacy of our personal information, and of the data we generate on the web (Google searches, for example), is not being adequately protected, and on the small amount of time he has been spending researching technical innovations that could help redress this deficiency.

If you are in that small minority of people who know who data brokers are, who know how private investigators are able to perform their jobs, or who know the exact wording of, and loopholes in, the laws supposedly protecting our privacy, then you are no doubt worried that the abstract feeling you call “privacy” may have been left behind in the 20th century, never to return. If you’re one of the people in our ISIS lab like Nitesh, you’re probably dying to come up with a brilliant solution that will solve this problem, like every other problem you come across and conquer.

But is it possible to use technology to do away with an entire industry, or to recall the personal information already spread widely through companies’ databases?

Continue reading ‘Solving Privacy in the Information Age, Part 1’