Archive for the ‘privacy and security’ Category

Internet of Things: FTC staff report and a new publication for businesses

January 27, 2015

Source: Federal Trade Commission

We’ve all been talking about the Internet of Things – the ability of everyday objects to connect to the Internet to send and receive data. (We wouldn’t be surprised if our devices are talking about it, too.) A just-released FTC Staff Report recaps what we learned at our November 2013 workshop on the subject and discusses four ongoing initiatives to address the consumer protection implications. There’s also a new nuts-and-bolts publication, Careful Connections: Building Security in the Internet of Things, for businesses developing the next generation of connected devices.

What kind of products are part of the Internet of Things? It’s the bracelet that shares with friends how far you walked in a day, the home automation system that switches the lights on as you turn onto your street, and maybe that under-wraps innovation your company is working on right now.

The scope of the industry is vast. Six years ago, the number of connected devices surpassed the number of people and the total now tops 25 billion worldwide. Experts estimate that by the end of the decade, that figure will bump to 50 billion. And it’s no wonder, given the potential benefits to consumers.

But businesses should think about the potential for risk, too. Protecting against unauthorized access to consumers’ personal information – something companies have been dealing with for decades now – is just one consideration. The Internet of Things poses new challenges, too. For example, if a consumer can use a device to lock the front door remotely, could a weak spot in the system let a burglar unlock it? The success of the industry depends, in part, on whether it can earn consumer confidence.

Phishing in Smooth Waters: The State of Banking Certificates in the US

January 26, 2015

Source: Social Science Research Network

A critical component of the solution to online masquerade attacks, in which criminals create false web pages to obtain financial information, is the hierarchy of public key certificates. Masquerade attacks include phishing, pharming, and man-in-the-middle attacks. Public key certificates ideally authenticate the website to the person, before the person authenticates to the website. Public key certificates are typically issued by certificate authorities (CAs).

Banks are the most common target of phishing attacks, so we implemented an empirical study of certificates for depository institutions insured by the Federal Deposit Insurance Corporation (FDIC) and compared them to general-purpose, non-banking certificates. Our study of websites of FDIC-insured banks found that the current configuration fails to support website authentication. The most common failure is an absence of certificates, meaning that a false certificate would be the only valid-named certificate for that institution. Certificates with incorrect names, incorrectly structured certificates, and shared certificates all plague online banking. The vast majority of banks, especially smaller banks, apparently lack the expertise, support, or incentive to implement certificates correctly.

We document the current state of bank certificates. We compare these with general-purpose certificates (e.g., the top one million websites). We survey the various proposals for the certificate market writ large, including pinning and notaries. We identify how those fit and fail to fit the unique problem of banking certificates. We close with policy and technical recommendations to alter the use of certificates so that these can be a valid basis for consumer trust.

EU — Mass Surveillance – Part 1: Risks and opportunities raised by the current generation of network services and applications

January 22, 2015

Mass Surveillance – Part 1: Risks and opportunities raised by the current generation of network services and applications
Source: European Parliament

This document identifies the risks of data breaches for users of publicly available Internet services such as email, social networks and cloud computing, and the possible impacts for them and the European Information Society. It presents the latest technology advances that allow the analysis of user data and their metadata on a mass scale for surveillance purposes. It identifies technological and organisational measures, and the key stakeholders, for reducing the risks identified. Finally, the study proposes possible policy options in support of the risk reduction measures identified by the study.

See also: Mass Surveillance – Part 2: Technology foresight, options for longer term security and privacy improvements
See also: Mass Surveillance of IT users? (European Parliamentary Research Service)

New Report Says No Technological Replacement Exists for Bulk Data Collection; Software Can Enhance Targeted Collection and Automate Control of Data Usage to Protect Privacy

January 16, 2015

Source: National Research Council

No software-based technique can fully replace the bulk collection of signals intelligence, but methods can be developed to more effectively conduct targeted collection and to control the usage of collected data, says a new report from the National Research Council. Automated systems for isolating collected data, restricting queries that can be made against those data, and auditing usage of the data can help to enforce privacy protections and allay some civil liberty concerns, the unclassified report says.

The study was a result of an activity called for in Presidential Policy Directive 28, issued by President Obama in January 2014, to evaluate U.S. signals intelligence practices. The directive instructed the Office of the Director of National Intelligence to produce a report within one year “assessing the feasibility of creating software that would allow the intelligence community more easily to conduct targeted information acquisition rather than bulk collection.” ODNI asked the Research Council — the operating arm of the National Academy of Sciences and National Academy of Engineering — to conduct a study, which began in June 2014, to assist in preparing a response to the President. Over the ensuing months, a committee of experts appointed by the Research Council produced the report.

Final Report of the Rendition, Detention, and Interrogation Network Agency Accountability Board (Central Intelligence Agency)

January 16, 2015

Final Report of the Rendition, Detention, and Interrogation Network Agency Accountability Board (Central Intelligence Agency) (PDF)
Source: Central Intelligence Agency
From AllGov.com:

In what amounts to the fox announcing it did nothing wrong while guarding the hen house, the Central Intelligence Agency (CIA) has concluded its own people were not at fault for spying on a Senate investigation of the CIA’s torture program from last decade.

During a lengthy probe of the CIA’s controversial program, the Senate Intelligence Committee reviewed CIA files with the agency’s permission. However, in the course of the Senate committee’s work, several CIA officials searched the files being used by Senate staffers.

The controversy prompted the CIA’s top man, John Brennan, to organize a panel to determine whether his agency had acted improperly.

Brennan stacked the five-member panel with three senior CIA officers.

CRS — Cybersecurity Issues and Challenges: In Brief (December 16, 2014)

January 14, 2015

Cybersecurity Issues and Challenges: In Brief (PDF)
Source: Congressional Research Service (via Federation of American Scientists)

The information and communications technology (ICT) industry has evolved greatly over the last half century. The technology is ubiquitous and increasingly integral to almost every facet of modern society. ICT devices and components are generally interdependent, and disruption of one may affect many others. Over the past several years, experts and policy makers have expressed increasing concerns about protecting ICT systems from cyberattacks, which many experts expect to increase in frequency and severity over the next several years.

The act of protecting ICT systems and their contents has come to be known as cybersecurity. A broad and arguably somewhat fuzzy concept, cybersecurity can be a useful term but tends to defy precise definition. It is also sometimes inappropriately conflated with other concepts such as privacy, information sharing, intelligence gathering, and surveillance. However, cybersecurity can be an important tool in protecting privacy and preventing unauthorized surveillance, and information sharing and intelligence gathering can be useful tools for effecting cybersecurity.

See also: The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress (December 15, 2014)

CRS — Cyber Operations in DOD Policy and Plans: Issues for Congress (January 5, 2015)

January 13, 2015

Cyber Operations in DOD Policy and Plans: Issues for Congress (PDF)
Source: Congressional Research Service (via Federation of American Scientists)

Cyberspace is defined by the Department of Defense as a global domain consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Attacks in cyberspace have seemingly been on the rise in recent years with a variety of participating actors and methods. As the United States has grown more reliant on information technology and networked critical infrastructure components, many questions arise about whether the nation is properly organized to defend its digital strategic assets. Cyberspace integrates the operation of critical infrastructures, as well as commerce, government, and national security. Because cyberspace transcends geographic boundaries, much of it is outside the reach of U.S. control and influence.