The risk of geo-tagging

Once more, a new technology introduces threats to privacy. FRIEDLAND Gerald and SOMMER Robin, in their paper “Cybercasing the Joint: On the Privacy Implications of Geo-Tagging”, clearly highlight the new risks.

Many high-end phones, such as iPhones, come with GPS. Undoubtedly, GPS is a great feature. Once you have used it, you cannot live without it. Nevertheless, the combination of GPS and camera is a problem. Currently, all such devices embed a geo-tag, i.e. the precise location, in the metadata of pictures shot by the camera. And many such pictures end up on Flickr, Facebook and Craigslist. This metadata can be easily extracted with standard tools.

In other words, if you publish on the Internet a picture of your house taken with your iPhone, it will be extremely easy for anybody to locate you, for instance using Google Street View. The paper presents a very illustrative example.

Of course, you can disable geo-tagging. But (1) you must be aware of the threat, and then (2) find out how to disable it. The solution should be that manufacturers make this feature opt-in, i.e. disabled by default. This is very unlikely, because manufacturers ship devices with new features ready to work.

If you have a mobile phone with GPS, think about it. Personally, I know what I would do.

Where Do Security Policies Come From?

In a paper presented at the 6th Symposium on Usable Privacy and Security, DINEI Florencio and CORMAC Herley, Microsoft Research, examined the password policies of 75 Internet sites. The type of websites ranged from very popular sites/services such as Facebook or Paypal to more confidential ones such as governmental agencies.

They evaluated the strength of the enforced policy with the equation N·log2(C), where N is the minimum size of the password and C is the cardinality of the allowed character set. Obviously, this equation is not a perfect evaluation of the constraints because it does not take into account constraints such as mandatory use of digits or special characters. Nevertheless, the result is simple (and perhaps not too surprising):

The size of the site, the number of user accounts, the value of the resources protected, and the frequency of non-strength related attacks all correlate very poorly with the strength required by the site.

In other words, the sites with the most constraining policies are not necessarily the sites that are most at risk. For instance, Gmail or Paypal do not have strong constraints. Most often, the sites with the most constraining policies have no incentive to attract numerous visits or have a captive “audience”. The constraints were more driven by the need to attract visitors than by security itself.

It is the usual trade-off between security and usability. Facebook, which is paid by advertising, needs frequent visitors. An overly complex password policy may put off many users and thus make the site less attractive.
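To see how much the N·log2(C) measure described above misses by ignoring composition rules, the following added example (not from the paper) counts exactly how many passwords of length N contain at least one character from every mandatory class. The class sizes, in particular 32 special characters, are assumptions.

```python
import math
from itertools import combinations

# Character classes with their sizes (assumption: 32 printable ASCII symbols).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}

def policy_bits(n, c):
    """The measure quoted above: N * log2(C)."""
    return n * math.log2(c)

def exact_bits(n, classes, required=()):
    """log2 of the number of length-n passwords over all `classes` that contain
    at least one character from each class named in `required`."""
    total = sum(classes.values())
    count = 0
    # Inclusion-exclusion: subtract passwords missing one required class,
    # add back those missing two, and so on.
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            left = total - sum(classes[name] for name in missing)
            count += (-1) ** k * left ** n
    if count == 0:
        raise ValueError("no password of this length satisfies the policy")
    return math.log2(count)

def gap_bits(n, classes, required):
    """How many bits N*log2(C) overstates once composition rules apply."""
    return policy_bits(n, sum(classes.values())) - exact_bits(n, classes, required)

if __name__ == "__main__":
    for n in (6, 8, 12):
        print(n, round(policy_bits(n, 94), 2), round(gap_bits(n, CLASSES, list(CLASSES)), 2))
```

With all four classes mandatory, the exact figure at N = 8 is roughly one bit below N·log2(C), and the gap shrinks as N grows: mandatory classes remove candidate passwords rather than add any.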

The authors argue that there is most probably no need for a strong password policy, because strategies to defeat online brute-force attacks should be deterrent enough. They cite Twitter, which recently banned the 370 most common passwords. According to them, strong passwords are most probably only useful when an attacker gains access to the hashed password files. (Remember the use of rainbow tables.)

Their view on the trade-off between usability and security is interesting.

When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.

I will let you savor this statement. Any reactions?

The paper is available here.

I publish, I think

Je publie, je réfléchis (I publish, I think) is the name of a French Internet site that aims to raise awareness among people (mainly a young audience) of the risks of publishing things on the Net. It is designed by the CNIL (French authority for IT and liberty).

It provides ten good recommendations before publishing, such as:

  • Ask yourself if you would do the same in “real” life
  • Read the terms and conditions of social web sites. This is probably the least realistic one. It is a tough job. Did you do it yourself when, for instance, joining LinkedIn? I confess that I did not
  • Don’t publish content that may harm the reputation of somebody else
  • Use a pseudonym that you communicate only to your close friends…

Interestingly, the site is linked to a serious game that describes a realistic scenario and gives some hints to avoid the problems. If you have youngsters, send them to this site.

Unfortunately, the site is only in French. Does somebody know an equivalent site in English?

Thanks to OH for pointing me to the site.

Updated on 3 Dec 14: The site is no longer online.

Airport, laptop and computers

After my last trip (I hate volcanoes) I noticed a funny point. For several trips now, I have been carrying with me a very small computer that hosts many demonstrations. This is in addition to the laptop. At airport screening, I systematically take the laptop out of the briefcase and put it on the belt for the X-ray. I always forget to do the same with the small computer. Guess what? Never, in any country, was I asked to take the tiny computer out of my luggage and place it on the belt.

Obviously, this surprised me. Personal brainstorm… Why are laptops screened out of the luggage? Not to check if they carry a bomb. Within or outside the briefcase, it would change nothing on the X-ray. Then why? Next time, watch the monitor. Electronic equipment is rather impenetrable. You may not see what is lying beneath this equipment, for instance a weapon or a bomb. Laptops have a rather large footprint and thus may hide weapons.

But why did the officers not check my computer? Its physical footprint is a small square that may hide a small gun or a knife. Why no check? I guess that the officers have been trained to look for laptops, i.e. a given form factor within a range of sizes. My small computer does not fit inside this category, and thus passes through.

Lesson: Educate the people about the rationales behind a security measure. Only then may they apply the security rule intelligently.

Maybe somebody has a better (and less distressing) explanation.

Facebook – Another breach in the wall

This is the title of a presentation that George Petre gave recently at the MIT spam conference. George is the head of the Threat Intelligence Team of anti-virus company BitDefender.

His team experimented with the use of social networks as a spam vector. And the results are impressive (frightening?). Social networks are great for spam.

One of the side results of the study is the evaluation of user acceptance of new “friends”. They created three types of profiles. The first one had the minimal allowed details (without picture), the second one had a picture and some more details and the third one was extremely complete.

Just one hour after starting to add people to each profile, we managed 23 connections with the 1st profile, 47 with the 2nd profile and 53 with the 3rd profile.

Amazing! You do not even need to be a social engineer.

And of course, once you are a friend, people have a natural tendency to trust you and accept any of your proposed links.

The full paper is available here. If you are worried about social networks, read this paper and you will be even more worried. The remedy seems simple: accept as friends only people that you know and trust. Unfortunately, this is contrary to the drive to have a high score of friends.

Do people care about privacy? Blippy

Privacy is a hot topic. Many people fight to preserve our privacy. On the other side, many people build services that destroy this privacy. In my opinion, social networks are among the natural predators of privacy.

I came across a new site: Blippy. First, I thought it was a joke. But no, it is real. And some serious reviewers (such as TechCrunch) appreciated it.

Blippy proposes to display every purchase you make with one credit card. It provides the details of the transaction: when, where, how much and the details of the purchase. The objective is that people discuss your purchases with you, such as asking for an evaluation or tips, or giving advice.

Where is the problem? Social engineering! Tell me what you buy, and I will have a far better knowledge of who you are, a rough estimate of your income… If you purchase travel tickets, I will know when you will not be at home… Are people who subscribe to this site aware of this risk?

Of course, the site has a section about privacy. It is worth reading!

Would you enroll on such sites?

Privacy notices as “Nutrition” Label

Reading privacy notices on online sites is a difficult task. Currently, they are displayed in lengthy textual pages with legal mumbo jumbo. How many brave people try to complete this unpleasant reading? I suppose that, except for privacy lawyers, almost nobody.

As a consequence, people give up their privacy and accept the privacy rules without knowing what they are.

Under the lead of Cranor Lorrie, a team of researchers from Carnegie Mellon proposes, in a paper to be presented at CHI10, an interesting approach: let’s display the privacy policy in a way similar to nutrition labels.

We are now all familiar with nutrition labels that allow you to have a look at carbs, proteins… (at least if you are concerned about your figure and/or health). They propose a table whose rows indicate the potentially collected data whereas each column defines the potential use. Each cell uses one of five color codes: will use, opt in, opt out, will likely not use, will not use.

They compared different forms of policy displays. Guess what? The standardized privacy label won.

This proposal is clearly progress. Now, a more worrying question: how many people would choose their social network depending on the privacy policy? How many people would not join the latest buzz hot need-to-be social network due to privacy issues? I’m afraid not so many.

Nevertheless, people would have at least the possibility to choose. This would be better than the current situation.