Rina Steenkamp - Privacy and technology
A position paper issued by CASPIAN, EPIC and Privacy Rights Clearinghouse.
I. Introduction:
"As organizations and individuals committed to the protection of privacy and civil liberties, we have come together to issue this statement on the use of RFID in schools for the tracking and monitoring of students, teachers, and staff. In the following pages, we describe RFID technology, define the risks associated with its use, and discuss potential public policy approaches to mitigate the issues raised."
CASPIAN, EPIC and Privacy Rights Clearinghouse: Position paper on the use of RFID in schools (PDF)
Epic.org: EPIC supports moratorium on RFID student tracking (12/08/21)
An article by Dan Goodin.
From the introduction to the article:
"The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker."
Dan Goodin: Why passwords have never been weaker - and crackers have never been stronger (Ars Technica)
Errata Security: The deal with passwords (12/08/21)
Errata Security: Common misconceptions of password cracking (12/08/22)
A survey by The Corporate Board Member/FTI Consulting.
From 'Cyber strategy and IT risk':
"[...] it comes as no surprise that this year, more than half (55%) of general counsel rated data security as a major concern and 48% of directors feel likewise. Interestingly, this level of concern has nearly doubled in the last four years: In 2008, only 25% of directors and 23% of GCs noted data security as an area of high concern. How are companies coping with this challenge? The survey asked general counsel to rate how well their board was managing cyber/IT risk, and while the majority of GCs gave a positive response to the question, one-third (33%) believe their board is not effective at managing cyber risk-noteworthy as being one of the least-effective ratings among 13 risk management areas surveyed."
The Corporate Board Member/FTI Consulting: Legal risks on the radar (PDF)
Inside Privacy: Data security top concern of directors, GCs (12/08/20)
A paper by Alan Berger, Case Brown, Carolyn Kousky, and Richard Zeckhauser.
From '1. Introduction':
"This chapter focuses on the shortcomings of individuals making risk-related decisions, whether choosing for themselves or as agents for others or for institutions, including the institution of society at large. Individuals often fail to incorporate in their decision making the five elements we identified as critical for rational decisions."
Alan Berger, Case Brown, Carolyn Kousky, and Richard Zeckhauser: The five neglects - risks gone amiss (PDF)
Homeland Security Watch: Near-misses, mitigation, and resilience (12/08/16)
Schneier on Security: Five "neglects" in risk management (12/08/22)
Recommendations of the National Institute of Standards and Technology (NIST).
Abstract:
"Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications."
National Institute of Standards and Technology (NIST): Computer security incident handling guide (PDF)
Security.nl: NIST guidelines for handling computer incidents (12/08/10)
NIST: Updated NIST guide is a how-to for dealing with computer security incidents (12/08/08)
A publication by the Federal Trade Commission (FTC).
From paragraphs 12-14:
"Although the precise language has changed over time, Facebook's Central Privacy Page and Profile Privacy Page have, in many instances, stated that the Profile Privacy Settings allow users to 'control who can see' their profile information, by specifying who can access it, e.g., 'Only Friends' or 'Friends of Friends.' [...] Similarly, although the precise interface has changed over time, Facebook's Profile Privacy Settings have continued to specify that users can restrict access to their profile information to the audience the user selects, e.g., 'Only Friends,' 'Friends of Friends.' [...] None of the pages described in Paragraphs 10-13 have disclosed that a user's choice to restrict profile information to 'Only Friends' or 'Friends of Friends' would be ineffective as to certain third parties. Despite this fact, in many instances, Facebook has made profile information that a user chose to restrict to 'Only Friends' or 'Friends of Friends' accessible to any Platform Applications that the user’s Friends have used (hereinafter 'Friends’ Apps'). Information shared with such Friends' Apps has included, among other things, a user’s birthday, hometown, activities, interests, status updates, marital status, education (e.g., schools attended), place of employment, photos, and videos."
Federal Trade Commission (FTC): [Privacy charges against Facebook] (PDF)
The Guardian: Facebook accused of deceiving developers over security (12/08/13)
A paper by Pedro C. Pinto, Patrick Thiran and Martin Vetterli.
From the abstract:
"How can we localize the source of diffusion in a complex network? Due to the tremendous size of many real networks — such as the Internet or the human social graph — it is usually infeasible to observe the state of all nodes in a network. We show that it is fundamentally possible to estimate the location of the source from measurements collected by sparsely-placed observers."
Pedro C. Pinto, Patrick Thiran and Martin Vetterli: Locating the source of diffusion in large-scale networks (PDF)
Swissinfo: Swiss develop algorithm to trace virus sources (12/08/10)
CSO: Swiss scientists develop algorithm to sniff out the source of malware and spam attacks (12/08/13)
Security.nl: New algorithm traces the origin of virus outbreaks (12/08/13)
A publication from the European Association for Visual Data Security, by Brian Honan.
From 'The incomplete approach to data security':
"One core area of data security which is often overlooked is the very real possibility of a visual data security breach – the potential for sensitive, personal information and data to be seen, captured and utilised by unauthorised individuals. These risks are present wherever data is displayed on screen – whether that’s inside or outside the office – and on any device, from smartphones to tablets and from laptops to desktops."
Brian Honan: Visual data security white paper (PDF)
DCS: More than half of employees fail to protect their data despite admitting that they are able to spy on the confidential information of others (12/08/03)
Security.nl: Half of employees vulnerable to shoulder surfing (12/08/13)
A document by the Council of the European Union.
From the front page of the document:
"Further to the invitation by the Presidency (CM 2338/12) delegations have sent in written comments on Chapters I and II of the proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The comments received are set out hereafter."
Council of the European Union: Proposal for a [General Data Protection Regulation - written comments on chapters I and II] (PDF)
Data Protector: "Exit that draft Regulation, pursued by an ungovernable crowd"
HawkTalk: Pssssst! Want to know what the UK or any other Member State thinks about the Data Protection Regulation?
Out-law.com: UK submits concerns over proposed data protection reforms
An article by Mat Honan.
From the article:
"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook. In many ways, this was all my fault. [...] But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices."
Mat Honan: How Apple and Amazon security flaws led to my epic hacking (Wired)
AG: Apple and Amazon fix the problem behind the 'Wired' scandal
The Guardian: Apple and Amazon patch security flaws exposed by hack heard around the world
Schneier on Security: Yet another risk of storing everything in the cloud
Talking Identity: The epic hacking of Mat Honan and our identity challenge
Tweakers.net: Amazon also failed in social engineering attack
Tweakers.net: Amazon adjusts privacy policy after social engineering attack
WebWereld: Amazon and Apple tighten reset policy after hack
Wired: Amazon quietly closes security hole after journalist's devastating hack
Wired: After epic hack, Apple suspends over-the-phone AppleID password resets
A consultation document by the [UK] Department for Business Innovation and Skills.
From the Foreword:
"Throughout the world a shift is already occurring towards a different approach to personal data, which recognises the value of data to the consumer as well as to business. New models and applications are appearing all the time. As the Government’s complementary work on transparency and opening up of public data shows, if a truly useful dataset is made available, there is no shortage of innovators able to devise new uses for it or people eager to make use of new applications. There is evidence of encouraging progress, but there is much more to do. The Government wants to unlock the huge potential that the midata programme has revealed and give the UK the chance to be at the forefront of this emerging market. We have therefore decided to consult on taking powers to give consumers the right to access their data in portable, machine-readable form. In the digital age this will provide the foundation for applications and services that will benefit business and consumers alike."
[UK] Department for Business Innovation and Skills: [Consultation on legislating to give consumers access to data in an electronic, machine readable form] (PDF)
BIS: Midata 2012 review and consultation
Inside Privacy: UK government launches consultation on new data portability requirement
A publication by Sophos.
From 'The A-Z of computer and data security threats':
"Whether you’re an IT professional, use a computer at work, or just browse the Internet, this book is for you. We explain the facts about threats to your computers and to your data in simple, easy-to-understand language."
Sophos: Threatsaurus - The A-Z of computer and data security threats (PDF linked from this page)
SecuriTeam Blogs: Sophos Threatsaurus
A report by the Federal Communications Commission (FCC).
From the Executive Summary:
"Technological innovations, notably over the past decade, facilitate the collection of substantial amounts of personally identifiable data about virtually anyone who accesses information online. The rapid pace of change in both technology and business models is fueling an active and growing debate in the United States and around the world about the appropriate use of that data. The following report focuses on one part of the discussion: Location-based services ('LBS'), mobile services that combine information about a user's physical location with online connectivity and are transforming the way Americans work and play. [...] The promise of LBS, however, comes with challenges and concerns. Because mobile devices have the ability - and often the technical requirement - to regularly transmit their location to a network, they also enable the creation of a precise record of a user's locations over time. This can result in the creation of a very accurate and highly personal user profile, which raises questions of how, when and by whom this information can and should be used."
Federal Communications Commission (FCC): Location-based services - An overview of opportunities and other considerations (PDF)
HL: Parties divided over FCC involvement in mobile privacy
A technical expert report on collecting robust evidence of copyright infringement through peer-to-peer filesharing, by Dr Richard Clayton.
From the Foreword:
"This report, written by Dr Richard Clayton, outlines how copyright owners can collect robust evidence of copyright infringement through peer-to-peer filesharing. [...] When it comes to taking action against people accused of infringement, the standards of evidence are critical. The Digital Economy Act 2010 requires that the Initial Obligations Code makes provisions on the 'means of obtaining evidence' and the 'standard of evidence' for copyright owners who want to lodge 'copyright infringement reports' against consumers with their Internet Service Provider (ISP)."
Dr Richard Clayton: Online traceability - Who did that? (PDF)
Consumer Focus: Online traceability - Who did that? - Technical expert report on collecting robust evidence of copyright infringement through peer-to-peer filesharing
Light Blue Touchpaper: Online traceability - Who did that?
A report by McAfee.
From 'Prime target: the energy grid':
"The problem is that the very thing that makes the grid smart—the ability of myriad embedded systems to communicate with each other, often using a combination of legacy and proprietary equipment alongside more modern solutions—has created a duality where communications over serial, wired and wireless Ethernet, cellular, and dial-up modems being used with a combination of common TCP/IP and proprietary protocols. This has expanded the attack surface, making it vulnerable to cyberthreats. Open systems invite hacking. More malware was detected on computer networks in 2011 than in all previous years combined, with critical infrastructure being a prime target."
McAfee: Smarter protection for the smart grid (PDF)
McAfee: In the dark - crucial industries confront cyberattacks
Security.nl: "Extortion the biggest threat to energy companies"