TRANSCRIPT
The Security Professionals Conference
Washington DC April, 2005
Regaining User Trust in Cyberspace Is it Already Too Late?
Copyright Greg Sprague, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Greg Sprague
UNB and NRC IIT
Project Manager, Privacy, Security & Trust
[email protected] (506) 444-0492
Outline
1. Background
2. Privacy, Security & Trust (PST)
3. Today’s Headlines: PST in the News
4. User Impact
5. Understanding Trust
6. Regaining Trust
7. Tomorrow’s Headlines
8. Conclusion
Map of New Brunswick
• UNB was founded by Loyalists in 1785.
http://www.q1labs.com
NRC IIT e-Business and UNB
e-Government, e-Health, e-Learning, e-Commerce
PST Team – Research Gaps
NRC Presence Across Canada
Herzberg Institute of Astrophysics (Victoria, Penticton)
Institute for Fuel Cell Innovation (Vancouver)
Centre for Surface Transportation Technology (Vancouver)
National Institute of Nanotechnology (Edmonton)
Plant Biotechnology Institute (Saskatoon)
Institute for Biodiagnostics (Winnipeg, Calgary)
Biotechnology Research Institute (Montréal)
Industrial Materials Institute (Boucherville)
Aluminum Technologies Centre (Ville Saguenay)
Aerospace Manufacturing Technologies Centre (Montreal)
Integrated Manufacturing Technologies Institute (London)
Institute for Biological Sciences (Ottawa)
Institute for Aerospace Research (Ottawa)
Institute for Chemical Process and Environmental Technology (Ottawa)
Institute for Information Technology (Ottawa, Gatineau)
Institute for Microstructural Sciences (Ottawa)
Institute for National Measurement Standards (Ottawa)
Institute for Research in Construction (Ottawa)
Steacie Institute for Molecular Sciences (Ottawa, Chalk River)
Canadian Hydraulics Centre (Ottawa)
Centre for Surface Transportation Technology (Ottawa)
Regional Innovation Centre (Ottawa)
Institute for Information Technology
Institute for Marine Biosciences (Halifax)
Institute for Biodiagnostics (Halifax)
Institute for Marine Dynamics (St. John's)
Institute for Nutrisciences and Health (Charlottetown)
• Fuel Cell Innovation
• Plant Biotechnology
• Nanotechnology
• Aerospace
• Marine Biosciences
NRC IIT Making Headlines
Alzheimers
Louvre
Academy Awards
Space Shuttle -NASA
Nouse
Outline
1. Background
2. Privacy, Security & Trust (PST)
3. Today’s Headlines: PST in the News
4. User Impact
5. Understanding Trust
6. Regaining Trust
7. Tomorrow’s Headlines
8. Conclusion
Source: Common Sense Guide for Senior Managers, Internet Security Alliance, http://www.isalliance.org
Easy, low risk, hard to trace
What are Hackers After?
• Attention, curiosity, mischief
• Fame, peer recognition
• Your data
• Your computer
• Your network connection
• Your company (IP, competitive advantage)
• Your identity
• Revenge
• Political support
• Your money (organized crime)
Impact of Information Compromises
• Loss of customers
• Violation of customer privacy
• Identity theft
• Damaged reputation
• Loss of market share, market confidence
• Financial and productivity loss (theft, fraud, downtime, interruption of service, rework)
• Promulgation of false, deceptive, misleading info
• Loss of partners, suppliers, staff
• Inadvertent disclosure
• Legal action, regulatory non-compliance
• Loss of life (health)
• Inability to recover, stay in business
• Research
• Inability to participate, publish; early release
• Loss of Trust
Security
• Security addresses the various components of an information system that safeguard the data and associated infrastructure from unauthorized activity.
• Network security relates to organizational control over network information and resources.
Viruses Worms Denial of Service Attacks
Privacy
• Privacy concerns the operational policies, procedures and regulations implemented within an information system to prevent unauthorized use of, access to, or release of personal information held in any format.
• Network privacy relates to organizational norms that permit individuals to have control over their own personal information.
PHISHING ID Theft SPAM
Trust
• Trust represents a subjective measure of confidence in the reliability and integrity of a service provider in terms of the provider's commitment and ability to complete an interaction in accordance with the expectations of those who use or otherwise rely upon that service.
• Network trust cannot be guaranteed but its likelihood is increased when those responsible for an information system adequately safeguard individual privacy and security interests and deliver the service in a manner that is reasonably transparent to the user.
Social Engineering
Wal-Mart pushes RFID tracking tags
By Richard Shim, CNET News.com
June 6, 2003, 4:23 AM PT
URL: http://zdnet.com.com/2100-1103-1013890.html
Inventory management technology that uses wireless signals to track products from the factory to store shelves is set to win a major new ally next week: Wal-Mart.
Wal-Mart cancels 'smart shelf' trial
By Alorie Gilbert and Richard Shim, Staff Writer, CNET News.com
July 9, 2003, 4:00 AM PT
Wal-Mart Stores has unexpectedly canceled testing for an experimental wireless inventory control system, ending one of the first and most closely watched efforts to bring controversial radio frequency identification technology to store shelves in the United States.
RFID Chips Are Here
By Scott Granneman
Posted: 27/06/2003 at 13:17 GMT
Right now, you can buy a hammer, a pair of jeans, or a razor blade with anonymity. With RFID tags, that may be a thing of the past. Some manufacturers are planning to tag just the packaging, but others will also tag their products. There is no law requiring a label indicating that an RFID chip is in a product. Once you buy your RFID-tagged jeans at The Gap with RFID-tagged money, walk out of the store wearing RFID-tagged shoes, and get into your car with its RFID-tagged tires, you could be tracked anywhere you travel. Bar codes are usually scanned at the store, but not after purchase. But RFID transponders are, in many cases, forever part of the product, and designed to respond when they receive a signal. Imagine everything you own is "numbered, identified, catalogued, and tracked." Anonymity and privacy? Gone in a hailstorm of invisible communication, betrayed by your very property.
IT Infrastructure Pyramid
• E-Government
• E-Learning
• E-Health
• E-Commerce
• Privacy, Security, Trust
• Traditional IT Infrastructure
– Networks (wired and wireless), switches, servers, software, desktops, staff
Soft Stuff is Hard
The challenge is that the Internet was designed for sharing information. We did not anticipate “bad guys” adopting and adapting these technologies for questionable and illegal purposes.
The world needs a huge research effort to re-engineer our information and communications technologies, to make our infrastructure more private, secure and trustworthy. This work is essential if we are to realize the potential benefits of advanced applications of ICT in areas such as eHealth, eBusiness and eLearning.
Example: a health care application
Secure – prevent hackers changing info
Private – prevent disclosure of personal, sensitive info
But trust? How to get doctors, nurses, pharmacists, patients at home to actually trust the systems enough to use it?
Trust represents the subjective, soft, human side of the equation. Most technology project failures are attributable to inadequate attention to the human side. So you can see that this reengineering effort requires more than technologists.
Privacy, Trust, Security – contributing disciplines:
• Arts
• Law
• Business Administration
• Science
• Engineering
• Health Sciences
• Computer Science
PST*Net
Critical Infrastructure
Intrusion Detection
Ambient Intelligence
Lawful Surveillance
Developing systems people will trust and use…
Outline
1. Background
2. Privacy, Security & Trust (PST)
3. Today’s Headlines: PST in the News
4. User Impact
5. Understanding Trust
6. Regaining Trust
7. Tomorrow’s Headlines
8. Conclusion
Stolen UC Berkeley laptop exposes personal data of nearly 100,000
San Francisco Chronicle Tuesday, March 29, 2005 By MICHAEL LIEDTKE, AP Business Writer
A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.
Universities have accounted for 28 percent of the 50 security breaches of personal information recorded by California since 2003, said Joanne McNabb, the chief of the state's Office of Privacy Protection. That's more than any other group, including financial institutions, which have accounted for 26 percent of the breaches affecting Californians.
The risks of identity theft have risen in recent years as technological advances make it easier for businesses, schools and other organizations to create vast databases containing Social Security numbers, credit card account numbers and other personal information.
More University Computer Breaches
(16 March 2005) California State University, Chico has informed more than 59,000 people that the security of their personal information may have been compromised due to an attack on the school's servers.
The information included the names and Social Security numbers of current, former and prospective students as well as current and former faculty and staff. Those affected were notified through email and the postal service. The university says it will stop using Social Security Numbers as identifiers.
A Boston College computer used for fund-raising purposes was broken into, but school officials say no personal data were stolen; they still plan to notify the 120,000 alumni whose information may have been compromised. Boston College spokesman Jack Dunn says the school will no longer use Social Security numbers as identifiers.
Computer Stolen from Nevada DMV Contains Motorist Data
(11 March 2005)
Thieves broke into a Nevada Department of Motor Vehicles office and stole a computer that contains personal data belonging to more than 8,900 licensed Nevada drivers. The information includes names, birthdates, Social Security numbers, photographs and signatures.
The Nevada DMV initially said the data was encrypted, but DMV chief Ginny Lewis said the company that makes the state's digital driver's licenses told her the data was not encrypted.
All Nevada DMV licensing stations have been ordered to remove personal information from computers; the department plans to send letters to the people whose data is on the stolen computer.
ONLINE BRIDE SCAM
A Russian man who netted $300,000 by faking emails from prospective brides to unsuspecting foreigners was caught by Moscow police but received only a one-year suspended sentence. Yury Lazarev, 34, an English translator from the Urals, employed women to write flowery, romantic messages signed with real names picked off web dating sites.
The photographs of seductive women that accompanied the text caught the attention of some 3000 men from New Zealand, Australia, Canada, the United States and other countries. Once a prospective victim got interested and wanted to meet his potential fiancé, the fictitious woman would ask for financial help in paying for visas and airline tickets.
(The Age, 11 Nov 2004)
Paris Hilton's Sidekick Hacked
The Register, By Lucy Sherriff
Published Monday 21st February 2005 11:32 GMT
Paris Hilton's address book, famously kept on a T-Mobile Sidekick, has been popping up all over the internet after someone managed to figure out her password.
The Drudge Report says that it has confirmed the authenticity of many of the numbers, presumably a polite way of saying they've been crank calling Anna Kournikova and Lindsay Lohan all weekend. The FBI has reportedly opened an investigation.
Files exposed to the world also include Paris' travel habits, airline and hotel preferences, along with her private notes.
While Paris must by now be used to being overexposed online, many of the people in her little black book were less than pleased with the leak. According to the Drudge Report, one starlet said "I gave her my number after we met in Miami, I did not know she f**king kept it on her cellphone!"
Reality TV star Victoria Gotti told New York Daily News that she had received over 100 phone calls in two hours. "It's driving me insane," she said.
ChoicePoint execs sold stock before leak revealed
• Harry R. Webber, Associated Press, Feb. 26, 2005 12:00 AM
• ATLANTA - ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show.
ChoicePoint's stock has dropped about 10 percent since last week when the company announced that criminals had duped it into allowing them access to its massive database.
Bank Loses Tapes of Records of 1.2 Million With Visa Cards
February 26, 2005, The New York Times, by SAUL HANSELL
Bank of America said yesterday that it had lost computer backup tapes containing personal information about 1.2 million federal employees, including some senators, with Visa charge cards issued by the bank.
A spokeswoman for Bank of America, Alexandra Trower, said the bank did not believe that the information had been stolen or had fallen into the hands of people using it to commit fraud. There has been no suspicious activity on any of the affected accounts, she said.
FEDERAL AGENCIES GET FAILING GRADES ON CYBERSECURITY
(Washington Post 16 Feb 2005)
At least half of all federal agencies received a grade of "D" or worse on the House Government Reform Committee's annual cyber-security report card. Agencies that received failing marks include the departments of Agriculture, Commerce, Energy, Health and Human Services, Housing and Urban Development, and Veterans Affairs.
A grade of "D" was awarded to the departments of Defense and Treasury, as well as the National Aeronautics and Space Administration and the Small Business Administration.
Committee Chairman Tom Davis (R-VA) was encouraged by the fact that the scores of the 10 agencies, as poor as they were, have actually improved since last year, but he warned they must still do better: "I hope it won't take some kind of major cyber-attack to wake everybody up."
Feds 'vulnerable' to cyber-attacks: AG
February 16, 2005
By MARIA McCLINTOCK -- Sun Media
OTTAWA -- Security within the federal government's computer systems is so lax that sensitive information about Canadians is at risk of falling into the hands of hackers, according to a new report from Auditor General Sheila Fraser. "The government is vulnerable to attacks ... it's surprising because I think IT security is increasingly becoming an issue in the broad public but I get the sense that it's not getting the attention that it should be within government," she said yesterday.
Fraser called on the feds to take computer security more seriously but stopped short yesterday of issuing a warning to Canadians about using the 130 online services offered by the federal government.
"There are weaknesses that are serious in the system, but it is not my job here today to start saying to all Canadians 'stop doing business with government electronically,' and I would certainly hope that that's not the way this is interpreted," said Fraser.
J.K. ROWLING DENOUNCES INTERNET FRAUDSTERS
J.K. Rowling, author of the mega-popular Harry Potter series, is warning fans to beware of Internet "phishing" scams claiming to sell electronic copies of her latest book, "Harry Potter and the Half-Blood Prince."
"The only genuine copies of Harry Potter remain the authorized traditional book or audio tapes/CDs distributed through my publishers," says Rowling, and her copyright lawyer, Neil Blair, notes that Rowling has never granted licenses for electronic versions of her books.
"Please, please protect yourselves, your computers and your credit cards and do not fall for these scams," says Rowling. Police say they suspect organized crime gangs in Eastern Europe are behind the fraudulent e-mail offers.
(Reuters/Washington Post 2 Feb 2005)
Same Old Story
SANS NewsBites March 23, 2005 Vol. 7, Num. 12
Editor's Note (Pescatore): Any day of any week you can publish a study that says "Company / Agency X Employees Vulnerable to Social Engineering."
Cave-person Og fell for the old Pleistocene Shiny Rock swap scam and today people are still falling for the Nigerian Banking scam.
Exclusive from PC World
Top Five Online Scams
Thu Mar 10, 3:00 AM ET Dan Tynan
1. Auction Fraud
2. Phishing Scams
3. Nigerian 419 Letter
4. Postal Forwarding/Reshipping Scam
5. "Congratulations, You've Won an Xbox IPod, plasma TV, etc."
Outline
1. Background
2. Privacy, Security & Trust (PST)
3. Today’s Headlines: PST in the News
4. User Impact
5. Understanding Trust
6. Regaining Trust
7. Tomorrow’s Headlines
8. Conclusion
Fears of Identity Theft Chill Holiday Shoppers
TRUSTe and TNS, Christmas 2004
• 58% of consumers surveyed may reduce online shopping this year due to fear of identity theft and other privacy concerns. Up from 49% last year.
• Concerns
– ID Theft (52%)
– Fear of Credit Card Theft (44%)
– Spyware downloads (44%)
– Receiving SPAM after purchasing from a Web site (42%)
Study suggests online banking is tapped out
ITBusiness.ca 2/1/2005 Sarah Lysecki
Between 2000 and 2003, the proportion of Canadians who were banking online doubled from 14 to 33 per cent in 2003 compared with only two per cent in 1997, said Rhonda Grunier, a vice-president at TNS, which has been tracking online banking since 1997.
“It had been growing at such a fast pace it would be difficult to maintain that,” said Grunier. “We’ll still see growth but it’s going to be at a much slower pace.”
One of the main reasons behind this plateau in online banking among non-users is concern about Internet security, Grunier said.
“We find consistently about a third of them say they’re concerned about online security so they would be hesitant to bank online because of that,” she said.
However, Christopher Musto, vice-president of research at Watchfire Corp., said a big concern among banks is that consumers are starting not to trust online banking and because of that are less willing to try it.
Internet Fraud Scares Off Seniors
Elderly people have so much to gain from the internet, but they are being scared off by internet fraud and fake emails, according to a man who has introduced scores of older local people to the web. Recently a 75-year-old Port Macquarie woman was caught by an email scam. Emails purporting to be from Citibank and SunTrust asked the recipient to confirm their banking credit card and banking details.
She replied to an email and three withdrawals totaling $9000 were made from her account in a three-hour period, according to police.
http://www.crime-research.org/news/17.11.2004/796/
Concern about ID theft growing in Canada: Survey
TORONTO — Computing Canada, March 11, 2005, Vol. 31 No. 3
Four in five Canadians think identity theft is a serious problem in Canada and that concern is growing as the number of people with personal experience with the crime increases, according to a new telephone poll conducted for Intersections Inc. and Carlson Marketing Group Canada Ltd. by Ipsos-Reid.
The survey, called the Identity Theft Index Canada (ITIC), found that one in four Canadians reported that they have been, or someone they personally know has been, a victim of identity theft. Among those who have been a victim or personally know someone who has been a victim of identity theft, 70 per cent said the identity theft resulted in unauthorized credit card purchases, the most frequent, but least costly form of identity theft fraud for consumers.
However, significant percentages of these respondents reported more serious frauds, including takeover of existing credit card accounts (43 per cent), the opening of new credit card accounts (36 per cent) or new loans (22 per cent), unauthorized bank account access (42 per cent) and the use of the victims' personal information in other types of frauds, such as to obtain government benefits or medical care (24 per cent).
Signs that User Trust is Rapidly Eroding
• Pornographic spam = rape?
• Computer free zone
• Patches = 42
CYBERSECURITY LARGELY IGNORED BY INDIVIDUAL USERS
A new study by America Online and the National Cyber Security Alliance indicates that about 80% of home PCs are infected with spyware, but most users aren't even aware of it. And while 85% of users had installed antivirus software, two-thirds of those had not updated it in the past week. In addition, about 20% had an active virus on their machines and two-thirds did not have a firewall installed.
AOL chief trust officer Tatiana Gau says the results highlight just how vulnerable the average online user is to malicious hackers. "No consumer would walk down the street waving a stack of cash or leave their wallet sitting in a public place, but far too many are doing the exact same thing online. Without basic protections like antivirus, spyware and firewall software, consumers are leaving their personal and financial information at risk." (CNet News.com 24 Oct 2004)
Giving Up Passwords For Pens
“In February 2004, I attended a conference at which Kevin Mitnick, renowned reformed hacker, spoke. He referenced a survey where nine in ten office workers at London's Waterloo Station gave away their computer password for a cheap pen - up from 65 per cent the previous year.
What makes the above story even more astounding is that the survey was carried out at an InfoSec conference where people ought to know better. Simply astounding.”
Eric van Wiltenburg, University of Victoria
Outline
1. Background
2. Privacy, Security & Trust (PST)
3. Today’s Headlines: PST in the News
4. User Impact
5. Understanding Trust
6. Regaining Trust
7. Tomorrow’s Headlines
8. Conclusion
Layers of Trust
Dispositional - The basic disposition of a person to be trusting or not (and how trusting).
Learned - A person’s general tendency to trust, or not to trust, as a result of experience.
Situational - A person’s trusting judgment in a specific situation.
Stephen Marsh and Andrew S. Patrick, National Research Council of Canada
Pamela Briggs, University of Northumbria, UK
Implement Trust Design Guidelines: Marsh et al
1. Ensure good ease of use.
2. Use attractive design.
3. Create a professional image—avoiding spelling mistakes and other simple errors.
4. Don’t mix advertising and content—avoid sales pitches and banner adverts.
5. Convey a ‘real world’ look and feel, for example with the use of high quality photographs of real places and people.
6. Maximize the consistency, familiarity, or predictability of an interaction both in terms of process and visually.
7. Include seals of approval such as TRUSTe.
8. Provide explanations, justifying the advice or information given.
Response time
Reliability
Trust Design Guidelines: Marsh et al
9. Include independent peer evaluation such as references from past and current users and independent message boards.
10. Provide clearly stated security and privacy statements, and also rights to compensation and returns.
11. Include alternative views, including good links to independent sites within the same business area.
12. Include background information such as indicators of expertise and patterns of past performance.
13. Clearly assign responsibilities (to the vendor and the customer).
14. Ensure that communication remains open and responsive and offer order tracking or alternative means of getting in touch.
15. Offer a personalized service which takes account of each client’s needs and preferences and reflects their social identity.
Principles of Trust
• Trust is earned over time
• Trust can be monitored by governments but not established by them
• Trust is an aggregation of many people’s experiences
• Trust can be lost in an instant
• Trust extends through the value chain
The Economic Value of Trust
Fan, Mathur, Shah
Outlook Journal, October 2003
Practical Steps
• Plan your trusted services
• Understand trust in your customer base
• Make your policy clear
• Become part of a trusted value chain
• Be trustworthy internally
• Engage relevant government bodies
• Start now
Outline
1. Background
2. Privacy, Security & Trust (PST)
3. Today’s Headlines: PST in the News
4. User Impact
5. Understanding Trust
6. Regaining Trust
7. Tomorrow’s Headlines
8. Conclusion
Value Systems
• Change value systems
– Open values of Internet
– Hackers should not be glorified
• Compare to surface paper mail
– Physical security is minimal
– Law: serious offence
– Culture: divorce
• Value systems can change
– Alcohol: One for the road
• Lex – what the law actually says, rules
• Jus – accepted practice, mind set
Re-visit criminal code
• Fraud is technology neutral
– Beware overly specific legislation
• White collar crime
– Cyber stalking, ID theft
– Preparatory activities
   • Collecting and trading ID info
   • Writing spyware (conspiracy if paid)
   • Having multiple ID cards
• PIPEDA in Canada
– Anonymous
– Not criminal
– Notification not required (unlike California)
Recognize Global Nature of the Challenge
• Bank inspector vs Nigerian scam
– Social engineering
– Opportunity for your church
• On line vs. door to door
– Easier to contact vulnerable individuals
– Huge pool, don’t need a high take-up rate
– Low cost
– Time minimal
– Low risk of being caught (run out of town)
– Low penalty if caught
– Easy to move on
• Phishing site average life time 6 days
• Trade sanctions
Address Shortage of Qualified People
• Sys Admins
• Network Admins
• Security Officers
• Privacy Officers
• Developers
• Auditors, Lawyers
• Law Enforcement Officers
• Researchers
Certification
User Victimization and Education Issues
• SARS – not value laden, caught in a hospital
• AIDS – value laden, victim blaming
• Rape victims
– What were you wearing?
• Computer Virus victims
– Signature up to date? OS patched?
• Security Professionals – help change mind set
– Cyber crime is not cute, neat
– Report Incidents
• Risk-aware consumers can take remedial action
– When to use a post card vs. registered mail
• Class action suits against vendors?
http://survey.mailfrontier.com/survey/quiztest.html
http://www.scrolllock.nl/passport
“Welcome to the World Passport Record Bureau web site - where you can search our online database. We have over 6 Billion Passports currently on file, absolutely FREE!
Under the recent International Passport Act (INPA - enacted on Nov 2, 2003), every country in the world is required to make available to the public a digitized copy of each and every valid passport issued, in their respective country.”
Good Privacy is Good Business
“Privacy should be viewed as a business issue, not a compliance issue”
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner
Province of Ontario
www.ipc.on.ca
The Golden Rules: Fair Information Practices
• Why are you asking?
– Collection; purpose specification
• How will the information be used?
– Primary purpose; use limitation
• Any secondary uses?
– Notice and consent; prohibition against unauthorized disclosure
• Who will be able to see my information?
– Restricted access from unauthorized third parties
www.ipc.on.ca
Security is not technology: CEO
By: Tom Venetis, ComputerWorld Canada (18 Mar 2005)
Security is about protecting a company’s brand and trustworthiness amongst consumers and business partners, and once security people begin to understand that, it will be easier to justify their continued existence and budgets.
Mary Kirwan, CEO of Toronto-based Headfry Inc., said security is intimately tied to the brand value and the perception customers have of a company. Security protects a company’s brand value by imparting to customers the idea that the company is trustworthy enough to do business with.
“A brand is a promise to the customer,” Kirwan added. “If you have customer’s private data, the promise you make to them is that you will do no harm to that data. If you handle data badly, it will affect your brand and the value of your company.”
Citi Identity Theft
• Gold Kelly Winner: Fallon for Citigroup Inc. “Citi Identity Theft” By using four consecutive right-hand magazine pages for maximum impact, Citigroup sought to generate consumer interest and increase credit card applications. The result – the campaign is credited with getting nearly 10,000 applications and more than 2,100 new accounts. The Fallon team included: David Lubars, Creative Director; Steve Driggs and John Matejczyk, Group Creative Directors; Steve Sage, Art Director; John Matejczyk, Copywriter; and Stephanie Rau, Photographer.
• “… if your identity is stolen, we’ll help you get your life back. You’ll get an Identity Theft Specialist who will things when you wouldn’t know where to start. From calling credit bureaus with you on the line to helping with police reports.”
Citi Identity Theft Tool Kit
Should you become a victim of identity theft, our team of Identity Theft Specialists will provide you with personal support and assistance. The links below will allow you to download documentation and information that will put you on the path to restoring your credit. Citi® Identity Theft Solutions is a free service for Citi card members — because you can't put a price on your identity.
• Security Affidavit
• Identity Theft Worksheet
• Identity Theft: What You Need to Know
Canadians winning the spam battle, says poll
By: Vanessa Ho, ITWorld Canada (23 Mar 2005)
A recent Ipsos-Reid poll suggests that Canadians are winning the battle against spam. The results of the survey revealed that 49 per cent of the average 177 e-mails Canadians received per week in 2004 were spam. The poll surveyed 2,000 participants either online or via telephone interviews. That may not seem like a resounding victory, but it is significant progress when one considers that in 2003, junk mail or spam accounted for 68 per cent of the average 197 e-mails received weekly.
Ipsos-Reid attributed the drop to new laws such as Canada’s Personal Information Protection and Electronics Document Act (PIPEDA) and the proliferation of spam-filtering software.
IDENTITY THEFT SUSPECTS CAUGHT IN STING OPERATION
Washington Post 28 Oct 2004
"Operation Firewall" -- an international law enforcement dragnet conducted by the U.S. Secret Service, the Justice and Homeland Security departments, the Royal Canadian Mounted Police, Europol and local police departments -- has led to the arrest of 28 individuals on suspicion of operating Web sites created to steal, sell and forge credit cards and ID documents.
The suspects are thought to have bought or sold about 1.7 million stolen information and counterfeit documents such as credit cards, driver's licenses, birth certificates and foreign and domestic passports. A MasterCard security executive familiar with the operations says, "We're talking about an international network that has new sites popping up all the time. These aren't high-tech individuals. All it takes is a computer, a little bit of knowledge, and these guys can do a lot of damage."
Microsoft info-cards
• NEW YORK (CNN/Money) March 28, 2005- The new versions of Windows operating system and the Internet Explorer Web browser from Microsoft will put a new emphasis on security for Web users, according to a published report.
The Wall Street Journal reported Monday that the next version of Windows, code-named Longhorn, will introduce a feature known as "Info-cards," that let computer users have more control over disclosure of information about themselves to businesses or others online. The paper also said that Internet Explorer 7 will provide more alerts to users about attempts to steal personal information over the Internet. "The way you earn customer trust is to put control of information in customers' hands," Peter Cullen, Microsoft's chief privacy strategist, told the paper. "It's more than just protecting information, it's providing them with the tools to make their own choices."
Virus Attacks Mobiles Via Bluetooth
The Register by John Oates
Published Tuesday 15th June 2004 12:07 GMT
Some useful citizen has written a virus which targets mobile phones running the Symbian operating system. Anti-virus groups received the worm from its authors but it is not yet "in the wild".
The Cabir worm is the first network worm for mobile phones, according to Kaspersky Labs. It was written by 29a, a group of virus writers which specialises in proof-of-concept viruses - they made the first viruses for .NET and for Win64.
WiFi users feel the sting of 'evil twins'
Hackers setting up near hot spots trick wireless PC users into revealing data
By JERRY LANGTON Special to The Globe and Mail
Thursday, March 31, 2005 Updated at 8:22 AM EST
Cheryl was suckered by a wireless hacker. ''I feel like such an idiot,'' says the IT technologist for a London-based banking company, who refused to let her surname be published. ''Considering what happened and what I do for a living, I just can't let people know that I was fooled like this.''
Working on her laptop in a park near her office, Cheryl thought she was logging onto the Internet using a public WiFi access point. From what happened next, she believes she inadvertently exposed herself to criminals bent on identity theft, despite the fact that she's something of a technology security expert and the would-be thieves were using a very simple trick.
"I noticed the log-on was slightly different, but thought nothing of it," she said. "It wasn't until they asked for my credit card number that I noticed something was up."
• Municipal administration
• Mobile – police, fire, recreation, engineering, etc.
• Regional – police
• Community Dark Fiber plus Commodity Internet
• Dedicated Dark Fiber
• Point to Point Wireless
• WiFi
SPITTING MAD AT SPAM
Spam over Internet telephony, known as SPIT, will become commonplace as more people make phone calls over the Internet.
Internet researcher Michael Osterman warns that Web-based phone systems attacked by spam will "trash voice-mail systems," and explains: "You can easily delete 100 spam text messages. But try to weed through a voice-mail system filled with 100 unsolicited pitches. That's a pain."
Spam is already appearing frequently on instant messages, cell phones, and blogs, and one executive of an Internet service provider admits: "As everything gets connected, there are more ways to spam consumers. Spam is everywhere."
(USA Today 9 Nov 2004)
Scammers Snag Money on Net Phones
Story location: http://www.wired.com/news/privacy/0,1848,66954,00.html
12:36 PM Mar. 20, 2005 PT
Internet phone services have drawn millions of users looking for rock-bottom rates. Now they're attracting identity thieves who want to turn stolen credit cards into cash.
Some internet phone services allow scam artists to make it appear that they are calling from another phone number -- a useful trick that enables them to drain credit accounts and pose as banks or other trusted authorities, online fraud experts say.
U.S. approves implanted chip for patients
CBC news Wed, 13 Oct 2004 19:16:01 EDT
WASHINGTON - An implantable device that gets under the skin and allows doctors to access a patient's medical history has been approved by regulators in the U.S.
In Mexico, the attorney general's office uses the chip to allow workers to gain access to high security areas. Medical ethicists point to potential privacy concerns, such as if an employer requires workers to be implanted. Others wonder about hackers cracking the encryption system.
- chronic health problems
- complicated medical records, such as patients who visit many specialists
- Alzheimer's and other cognitive diseases
Drivecam Video Systems
• Car crashes kill 24 teenagers per day in US
• Ambulance fleet – driving improved
– Under rear view mirror
– Videos sent to parents
– Seatbelt use up, risk taking down
– ? Spying? Parents don’t want to be seen to be spying
– Precious, fragile relationship between parents, kids
– Violate trust, unfair
– But if insurance cost breaks are available……???
– www.devicecam
Lexus cars potentially vulnerable to virus?
Posted Jan 26, 2005, 11:45 AM ET by Donald Melanson
Related entries: Transportation, Wireless
http://www.engadget.com/entry/1234000760029037
Here’s another Technology Gone Wild story to scare you. Russian anti-virus research firm Kaspersky Lab says you can now add cars to the growing list of things that can be infected with a computer virus. It’s not clear whether or not this has ever actually happened, but apparently someone asked Kaspersky Lab if they knew “how to cure a virus, which ‘infected the onboard computers of automobiles Lexus LX470, LS430, Landcruiser 100 via a cell phone,’” and they conjecture that a virus could potentially use Bluetooth to jump from a Symbian-powered cellphone to the navigation system of certain Lexus models.
Hackers Strike at 'Soft Target' SMEs
Online criminals are increasingly concentrating on "soft target" small and medium-sized firms, the Financial Services Authority (FSA) has warned. The organization investigated 18 financial firms as part of a review of security and found that, while the large financial institutions had made progress with online security, smaller firms were falling behind. http://www.vnunet.com/news/1159408
Phishing Without a Lure
New York Times March 31, 2005
Phishers are ramping up their use of instant-messaging services instead of e-mail to trick people into revealing personal information, according to a new report.
DNS cache poisoning is an alternative technique that redirects users to illegitimate Web sites without any lure at all.
Some security companies have dubbed DNS cache poisoning as “pharming” and have been warning customers against it.
We are facing a loss of trust due to:
• SPAM
• Pornography
• ID Theft
• Viruses
• Worms
• Denial of Service
• Spoofing
• Phishing
• Spyware
• The latest scam or vulnerability exploit
We must not allow trust to erode further. The battle is too important to lose.
• Today’s PST problems are non-trivial.
• The number and types of networked devices will grow rapidly.
• New technologies will bring new problems.
• Need to re-think our business models and re-invent our technology.
• Review our social and legal systems.
• The issues and challenges go beyond technology.
• We need multi-disciplinary research.
• Blaming the user (especially at home) doesn’t help.
• We need a better understanding of privacy, security and trust.
The Internet and the e-Economy: Building Trust and Confidence Online
Draft Discussion Paper, February 23, 2005, Industry Canada
“Improving trust and confidence is essential if the enormous potential of the Internet as a platform for the e-economy is to be realized.”
Canada’s Third Annual Conference on Privacy, Security and Trust Research
October 12-14, 2005
The Fairmont AlgonquinSt. Andrews, New Brunswick, Canada
Following on the success of the PST2003 workshop in Montréal and the PST2004 conference in Fredericton, PST2005 will bring together researchers, practitioners and policy makers in the areas of Privacy, Security and Trust to share ideas and thoughts in a unique and inspiring sea-side setting.
Questions?
Discussion?
• What is your experience?
• What trends are you seeing?
• Is the picture as bleak as I fear?