Archive for the ‘privacy and security’ Category

Here’s Looking at You: How Personal Health Information Is Being Tracked and Used

August 22, 2014

Here’s Looking at You: How Personal Health Information Is Being Tracked and Used
Source: California HealthCare Foundation
From press release:

Every day, in the course of using cell phones, credit cards, search engines, websites, and medical devices, we leave digital “footprints.” Aggregated and analyzed, these data flows, which occur with and without our knowledge, have the potential to paint a detailed health profile of individuals, as well as to describe whole communities based on location, health conditions, or other factors.

The proliferation of extremely large databases of health information challenges regulators’ and society’s ability to ensure individuals’ data rights and privacy. This report provides an overview of some of the emerging issues related to consumer-generated health data. It is based on numerous interviews with technology and health care experts, several of whom offer strategies for protecting privacy in the future.


XRay: Enhancing the Web’s Transparency with Differential Correlation

August 21, 2014

XRay: Enhancing the Web’s Transparency with Differential Correlation (PDF)
Source: Columbia University

Today’s Web services – such as Google, Amazon, and Facebook – leverage user data for varied purposes, including personalizing recommendations, targeting advertisements, and adjusting prices. At present, users have little insight into how their data is being used. Hence, they cannot make informed choices about the services they choose.

To increase transparency, we developed XRay, the first fine-grained, robust, and scalable personal data tracking system for the Web. XRay predicts which data in an arbitrary Web account (such as emails, searches, or viewed products) is being used to target which outputs (such as ads, recommended products, or prices). XRay’s core functions are service agnostic and easy to instantiate for new services, and they can track data within and across services. To make predictions independent of the audited service, XRay relies on the following insight: by comparing outputs from different accounts with similar, but not identical, subsets of data, one can pinpoint targeting through correlation. We show both theoretically, and through experiments on Gmail, Amazon, and YouTube, that XRay achieves high precision and recall by correlating data from a surprisingly small number of extra accounts.

See: New Tool Makes Online Personal Data More Transparent
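The differential-correlation insight in the abstract above, as a toy simulation added here (not the XRay authors' code): shadow accounts hold similar but not identical subsets of inputs, a constructed service targets ads on hidden keywords, and the auditor scores each (input, output) pair by how much the input's presence shifts the output's frequency across accounts. All inputs, ad names and the targeting rule are constructed.

```python
from itertools import combinations

# Constructed inputs an audited account might hold (e.g. email subjects).
INPUTS = ["vacation to Bali", "mortgage refinance", "marathon training", "new puppy"]

# Constructed, hidden targeting rule of the simulated service. The auditor
# never reads this table; it only observes service_outputs().
_TARGETING = {"ad:travel": "vacation to Bali", "ad:loans": "mortgage refinance"}

def service_outputs(account_inputs):
    """Simulated service: an ad appears iff its trigger is in the account;
    'ad:generic' is untargeted and shown to every account."""
    shown = {"ad:generic"}
    for ad, trigger in _TARGETING.items():
        if trigger in account_inputs:
            shown.add(ad)
    return shown

def shadow_accounts(inputs, size):
    """Shadow accounts holding every `size`-element subset of the inputs:
    similar but not identical data, as the XRay insight requires."""
    return [frozenset(c) for c in combinations(inputs, size)]

def correlation_scores(accounts, observe):
    """Return {output: {input: score}}, where score is how often the output
    appears in accounts holding the input minus how often it appears in
    accounts lacking it. Near +1 means the input explains the output."""
    observed = {acc: observe(acc) for acc in accounts}
    outputs = set().union(*observed.values())
    inputs = set().union(*accounts)
    scores = {out: {} for out in outputs}
    for out in outputs:
        for inp in inputs:
            with_inp = [a for a in accounts if inp in a]
            without = [a for a in accounts if inp not in a]
            if not with_inp or not without:
                continue  # input is in every or no account: no contrast to measure
            p_with = sum(out in observed[a] for a in with_inp) / len(with_inp)
            p_without = sum(out in observed[a] for a in without) / len(without)
            scores[out][inp] = p_with - p_without
    return scores

def explain(scores, threshold=0.8):
    """Map each output to the input that best explains it, or None when no
    input clears the threshold (an untargeted output)."""
    result = {}
    for out, per_input in scores.items():
        best = max(per_input, key=per_input.get)
        result[out] = best if per_input[best] >= threshold else None
    return result

if __name__ == "__main__":
    print(explain(correlation_scores(shadow_accounts(INPUTS, 2), service_outputs)))
```

With four inputs and six two-item shadow accounts, both targeted ads are attributed to their trigger and the generic ad to nothing, which is the "surprisingly small number of extra accounts" point in miniature.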

AU — Access to and retention of internet ‘metadata’

August 21, 2014

Access to and retention of internet ‘metadata’
Source: Parliamentary Library of Australia

On 5 August 2014, the Government announced its intention to update Australia’s telecommunication interception laws. This is part of broader efforts to enhance powers available to security agencies ‘to combat home-grown terrorism and Australians who participate in terrorist activities overseas’. This includes developing a mandatory ‘metadata’ retention system.

Whilst having a period of mandatory metadata retention would be new, the collection of metadata by telecommunications companies and government access to it is not new and is governed by the Telecommunications (Interception and Access) Act 1979 (TIA). Whilst the need for such a scheme was linked to combating terrorism, it is worth noting that Australian and European experience suggests that the most common law enforcement use of metadata will be in non-terrorism criminal cases.

EU — Security of the Internet, including e-Government, cloud computing and social networks

August 21, 2014

Security of the Internet, including e-Government, cloud computing and social networks
Source: European Parliamentary Research Service

As we become increasingly dependent on the internet for all aspects of our lives, how can Europe on the web work best while ensuring that everyone can trust online services?

STOA has examined the latest technological advances with regard to the internet and information technologies in Europe. STOA is the Science and Technology Options Assessment body, which provides independent scientific advice to the European Parliament.

Technology could help foster a European civil society and political sphere, particularly if the European institutions widened their e-participation efforts. This was the conclusion of the 2011 STOA study on ‘E-public, e-participation and e-voting in Europe’. The study did not currently recommend e-voting. However, technology could start addressing the perceived ‘democratic deficit’ in the European Union. The European institutions could broaden e-participation, involving citizens more in the legislative process and creating an ‘e-public’, a European political sphere, perhaps a basis for a shared sense of European citizenship.

DHS OIG — Implementation Status of the Enhanced Cybersecurity Services Program

August 20, 2014

Implementation Status of the Enhanced Cybersecurity Services Program (PDF)
Source: U.S. Department of Homeland Security, Office of Inspector General

The National Protection Programs Directorate (NPPD) is primarily responsible for fulfilling the DHS national, non-law enforcement cybersecurity missions. Within NPPD, the Office of Cybersecurity and Communications is responsible for the implementation of the Enhanced Cybersecurity Services program. Our overall objective was to determine the effectiveness of the Enhanced Cybersecurity Services program to disseminate cyber threat and technical information with the critical infrastructure sectors through commercial service providers.

NPPD has made progress in expanding the Enhanced Cybersecurity Services program. For example, as of May 2014, 40 critical infrastructure entities participate in the program. Additionally, 22 companies have signed memorandums of agreement to join the program. Further, NPPD has established the procedures and guidance required to carry out key tasks and operational aspects of the program, including an in-depth security validation and accreditation process. NPPD has also addressed the privacy risk associated with the program by developing a Privacy Impact Assessment. Finally, NPPD has engaged sector-specific agencies and government furnished information providers to expand the program, and has developed program reporting and metric capabilities to monitor the program.

Although NPPD has made progress, the Enhanced Cybersecurity Services program has been slow to expand because of limited outreach and resources. In addition, cyber threat information sharing relies on NPPD’s manual reviews and analysis, which has led to inconsistent cyber threat indicator quality.

Internet of Things Research Study

August 20, 2014

Internet of Things Research Study (PDF)
Source: Hewlett Packard (HP)

Suddenly, everything from refrigerators to sprinkler systems is wired and interconnected, and while these devices have made life easier, they’ve also created new attack vectors for hackers. These devices are now collectively called the Internet of Things (IoT). IoT devices are poised to become more pervasive in our lives than mobile phones and will have access to the most sensitive personal data such as social security numbers and banking information. As the number of connected IoT devices constantly increases, security concerns are also exponentially multiplied. A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business. In light of the importance of what IoT devices have access to, it’s important to understand their security risk.

Significant Security Deficiencies in NOAA’s Information Systems Create Risks in Its National Critical Mission

August 15, 2014

Significant Security Deficiencies in NOAA’s Information Systems Create Risks in Its National Critical Mission
Source: U.S. Department of Commerce, Office of Inspector General
From Abstract (PDF):

Information systems connected to NESDIS’ critical satellite ground support systems increase the risk of cyber attacks. The Polar-orbiting Operational Environmental Satellites’ (POES’) and Geostationary Operational Environmental Satellites’ (GOES’) mission-critical satellite ground support systems have interconnections with systems where the flow of information is not restricted, which could provide a cyber attacker with access to these critical assets.

NESDIS’ inconsistent implementation of mobile device protections increases the likelihood of a malware infection. In our review of selected Windows components on four NESDIS systems, we found that (a) unauthorized mobile devices had been connected to POES, GOES, and Environmental Satellite Processing Center (ESPC), and (b) GOES and ESPC did not consistently ensure that Microsoft Windows’ AutoRun feature was disabled.

Improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous. We found that 28 of 60 (47 percent) of the independent assessments of security controls have deficiencies and may not have provided NOAA’s authorizing official with an accurate implementation status of the system’s security controls.
