In the News

A New System Preserves the Right to Privacy in Internet Searches
Plataforma SINC (11/05/09)

Researchers from Rovira i Virgili University, Autonoma of Barcelona, and Oberta of Catalonia have developed a system that protects the privacy of Internet search engine users through a new computer protocol. "It is a model based on cryptographic tools, which distort the profile of users when they use search engines on Internet in such a way that their privacy is preserved," says Rovira i Virgili University's Alexandre Viejo. The researchers note that there are systems that provide anonymous navigation, but say their system provides a significant improvement in response time over anonymous systems, though it still delays searches slightly. The new protocol has already been tested in both closed research center intranets and on the Internet, and the results have made the researchers optimistic about a global implementation model. The researchers are currently working on the development of a final user version, and believe that it will soon be easy to integrate the system into the major platforms and browsers.

Thwarting Cyber Criminal
Norwegian University of Science and Technology (10/30/09)

Researchers at the Norwegian University of Science and Technology (NTNU) say they have developed a digital signature system that is 17,000 times faster than current systems used for verification and 10,000 times faster in providing a digital signature. They say the new system, MQQ, was developed as a way to address the biggest pitfalls in current data security systems. Existing systems, when used with smart card applications or at credit card payment terminals, are often slow, do not protect against quantum computing attacks, and have not been optimized for parallel processing. MQQ was developed using a trapdoor function, which is generated by quasigroup string transformations based on multivariate quadratic quasigroups. The researchers say that MQQ's security is enhanced by a signing speed that is 10,000 times faster than corresponding RSA and elliptic curve digital signatures. The researchers also say that MQQ is one of the first algorithms specially designed for parallel processing, which allows the system to benefit from the recent trends in multicore parallel processing. "Due to the nature of its design, MQQ is secure against quantum computing attacks," says NTNU professor Danilo Gligoroski. He says MQQ also has been found to be secure against all known multivariate quadratic attack methods.

Vulnerability Seen in Amazon's Cloud-Computing
Technology Review (10/23/09) Talbot, David

A new study by researchers from the Massachusetts Institute of Technology (MIT) and the University of California, San Diego (UCSD) suggests that leading cloud-computing services may be vulnerable to eavesdropping and malicious attacks. The study found that it may be possible for attackers to accurately map where a target's data is physically located within the cloud and use various strategies to collect data. MIT postdoctoral researcher Eran Tromer says the vulnerabilities uncovered in the study, which only tested Amazon.com's Elastic Compute Cloud (EC2) service, are likely present in current virtualization technology and will affect other cloud providers. The attack used in the study involves first determining which physical servers a victim is using within a cloud, implanting a virus on those servers, and then attacking the victim. The researchers demonstrated that once the malicious virtual machine is on the target's server, the malware can carefully monitor how access to resources fluctuates, potentially allowing the attacker to glimpse sensitive information about the victim. The attack capitalizes on the fact that virtual machines still have IP addresses visible to anyone within the cloud. The researchers found that nearby addresses often share the same physical hardware within the cloud, so an attacker can set up numerous virtual machines, look at their IP addresses, and determine which ones share a server with the target. It may even be possible to detect the victim's passwords using a keystroke attack, Tromer says. Amazon's Kay Kinton says that Amazon has deployed safeguards that prevent attackers from using the techniques described in the study.

To Protect Your Privacy, Hand Over Your Data
New Scientist (10/22/09) Venkatraman, Vijaysree

A new proposal from the Massachusetts Institute of Technology's (MIT's) Human Dynamics Laboratory suggests that digital identities would be more secure if they were based on data collected from "reality mining," which studies how people behave using the digital data produced by computerized activities. MIT researcher Alex Pentland says that researchers and corporations have already realized the potential for reality mining, and argues that if people were to gain control over their own personal data mines they could use that information to prove who they are or inform smart recommendation systems. Pentland believes that allowing access to that data is safer than relying on key-like codes and numbers, which can be stolen or faked. He proposes creating a central body--supported by cell phone networks, banks, and the government--that would manage a data identity system. Banks could provide pieces of data to a third party running a check on a person's identity, and individuals could use their own data for services such as apps on a smartphone. Pentland says such a system would be far more powerful than existing recommender systems. He has been working to alleviate concerns over using personal data as an identification system, and has gotten the Harvard Law Lab and the World Economic Forum to develop and support the idea. He says 70 other industry partners have expressed interest and will be asked to test a design for the system.

Seeking Privacy in the Clouds
Duke University News & Communications (10/13/09) Basgall, Monte

Duke University professor Landon Cox recently received a three-year, $498,000 U.S. National Science Foundation grant to research alternatives for providing social networking services that do not concentrate all user information in a single place. Cox believes creating a peer-to-peer architecture to spread the information out would make individual data harder to steal or exploit. "The basic idea is that users would control and store their own information and then share it directly with their friends instead of it being mediated through a site like Facebook," he says. In a report for ACM's Workshop for Online Social Networks, Cox proposed three possible options. In each option, users would load personal information into a virtual individual server (VIS), which could be hosted on the user's computer or be distributed within redundant clouds of servers. One of the options is called hybrid decentralization, which would keep VISs on desktops when possible, but switch to the cloud distribution option when individual computers go offline. "Users can try to put their information in clouds of servers, which are going to be highly available but expensive," Cox says. "Or they could try to store it on their own machines, which would be cheap but subject to service interruptions."

Household Robots Do Not Protect Users' Security and Privacy, Researchers Say
UW News (10/08/09) Hickey, Hannah

A new University of Washington (UW) study has found that domestic robots present security and privacy risks for their owners. The researchers examined three household robots on the market as of October 2008, two of which can be controlled online. The researchers discovered that all three robots could be located using their wireless networks, their audio and video data could be interrupted or even stolen online, they did not always warn people that someone was accessing them, and they did not always alert nearby people to their presence. Moreover, the researchers found that in some cases a robot could be manipulated to hurt its owner or its owner's property. "In the future people may have multiple robots in the home that are much more capable and sophisticated," says UW doctoral student Tamara Denning. "Security and privacy risks with future household robots will likely be more severe, which is why we need to start addressing robot security and privacy today." The researchers say the solution could be as simple as encrypting wireless networks or removing the robots' Internet access. "People know to look for small parts in children's toys, or look for lead paint," says study co-author Cynthia Matuszek. "For products that combine more advanced technology and wireless capabilities, people should look at whether it protects privacy and security."

Prototype Security Software Blocks DDoS Attacks
Network World (10/05/09) Greene, Tim

Auburn University researchers have developed a software filter that protects computers against distributed denial-of-service (DDoS) attacks without bogging down the computer's CPU and memory. The identity-based privacy-protected access control filter (IPCAF) also wards against session hijacking, dictionary attacks, and man-in-the-middle attacks. Instead of warding against IP addresses, which can be faked by hijackers, IPCAF sends a user ID and password to computer users and the Web site they are attempting to access. Then the two parties create fake IDs and values for each packet so that each one is double-checked. Computers check the value in each packet and choose whether to accept it or not. Only then are more memory and CPU resources used to deal with them. The researchers say that IPCAF also is useful because it does not rely on separate and expensive applications that bog down memory. Instead it uses servers and client machines without affecting computer use. IPCAF uses hash-based message authentication code to create the value it will use to confirm every single packet, which saves CPU power, says Auburn's Chwan-Hwa "John" Wu. When testing IPCAF, Wu found that the computer network was only stalled by 30 nanoseconds during an attack through a 10Gbps connection. "For humans, there is no difference," he says. Meanwhile, security teams can possibly track the source of the original attack.
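The sketch below illustrates the kind of cheap per-packet check the item describes: a keyed value verified before any further memory or CPU is spent on a packet. It is an added example, not code from the Auburn researchers or from IPCAF itself; the packet layout, key derivation, window size and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumed sizes and layout (not taken from IPCAF): pseudo-ID, counter, tag.
ID_LEN, TAG_LEN, WINDOW = 8, 16, 4
HEADER = struct.Struct(f"!{ID_LEN}sQ{TAG_LEN}s")


def derive_key(user_id: str, password: str, salt: bytes) -> bytes:
    """Both ends derive the same key from the issued user ID and password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               salt + user_id.encode(), 100_000)


def pseudo_id(key: bytes, counter: int) -> bytes:
    """One-time identifier for packet number `counter` (the 'fake ID')."""
    msg = b"id" + struct.pack("!Q", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:ID_LEN]


def packet_tag(key: bytes, pid: bytes, counter: int, payload: bytes) -> bytes:
    """HMAC value that binds the pseudo-ID, counter and payload together."""
    msg = b"tag" + pid + struct.pack("!Q", counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_packet(key: bytes, counter: int, payload: bytes) -> bytes:
    pid = pseudo_id(key, counter)
    return HEADER.pack(pid, counter, packet_tag(key, pid, counter, payload)) + payload


class PacketFilter:
    """Drops packets before any per-connection work is done for them."""

    def __init__(self):
        self._expected = {}  # upcoming pseudo-ID -> (key, counter)
        self.stats = {"accepted": 0, "unknown_id": 0, "bad_tag": 0, "malformed": 0}

    def register(self, key: bytes, start: int = 0) -> None:
        for c in range(start, start + WINDOW):
            self._expected[pseudo_id(key, c)] = (key, c)

    def check(self, packet: bytes):
        """Return the payload if the packet is authentic and fresh, else None."""
        if len(packet) < HEADER.size:
            self.stats["malformed"] += 1
            return None
        pid, counter, tag = HEADER.unpack_from(packet)
        payload = packet[HEADER.size:]
        # Step 1: a dictionary lookup. Flood traffic with guessed IDs stops
        # here without a single hash being computed.
        entry = self._expected.get(pid)
        if entry is None or entry[1] != counter:
            self.stats["unknown_id"] += 1
            return None
        key = entry[0]
        # Step 2: one HMAC, compared in constant time.
        if not hmac.compare_digest(tag, packet_tag(key, pid, counter, payload)):
            self.stats["bad_tag"] += 1
            return None
        # Accept: retire this and older IDs (blocks replay), then slide the
        # window forward so a few lost packets do not desynchronise the peers.
        for old_pid, (k, c) in list(self._expected.items()):
            if k == key and c <= counter:
                del self._expected[old_pid]
        for c in range(counter + 1, counter + 1 + WINDOW):
            self._expected[pseudo_id(key, c)] = (key, c)
        self.stats["accepted"] += 1
        return payload


def demo():
    """Run constructed packets through the filter and return the outcomes."""
    salt = b"constructed-salt"
    key = derive_key("alice", "correct horse", salt)
    wrong = derive_key("alice", "wrong guess", salt)
    flt = PacketFilter()
    flt.register(key)
    good = build_packet(key, 0, b"GET /index.html")
    results = {
        "good": flt.check(good),
        "replay": flt.check(good),
        "spoofed": flt.check(build_packet(wrong, 1, b"GET /admin")),
        "tampered": flt.check(build_packet(key, 1, b"GET /a")[:-1] + b"b"),
        "skipped": flt.check(build_packet(key, 3, b"POST /form")),
    }
    return results, flt.stats


if __name__ == "__main__":
    print(demo())
```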


UK's Centre for Cyber-Security Opens at Queen's
Queen's University Belfast (09/23/09) McElroy, Lisa

The Centre for Secure Information Technologies (CSIT) recently opened at Queen's University Belfast. CSIT will create 80 new positions and serve as the United Kingdom's primary center for the development of technology to fight malicious cyberattacks. The research conducted at CSIT will help prevent Internet crime and protect the security and trustworthiness of electronically stored information. CSIT is one of the first Innovation and Knowledge Centers established in the U.K. The center is backed by funding from the Engineering and Physical Sciences Research Council and the Technology Strategy Board, and more than 20 organizations have committed to supporting CSIT's work over the next five years. CSIT will unite research specialists from fields including data encryption, network security systems, wireless-enabled security systems, and intelligent video analysis. CSIT principal investigator professor John McCanny believes the new center will become globally recognized thanks to the breadth and depth of its technological capabilities, and because it represents a new international paradigm for innovation.


Controlling the Language of Security
Science Centric (09/19/09)

A security policy specification that guarantees the reliability and availability of home networks has been developed by computer scientists at Kyungpook National University and the Electronics and Telecommunications Research Institute in Korea. "Whenever a new access to the home network is found, it should be able to authenticate and authorize it and enforce the security policy based on rules set by the home administrator," the researchers say. The researchers developed the Home security Description Language (xHDL), which includes the necessary notation for consistently describing and specifying the security policy, and ultimately securing a home network. XHDL consists of a combining-rule element, authentication element, user element, object element, object-group element, role element, and rule elements. Each term could be used to run a browser-based control center. The domestic administrator would have simple control options for allowing access to the home network for specific devices and for controlling the packets of information that pass through the gateway to and from the Internet. XHDL would protect home networks from cyberattacks and ensure that they are available for use.


Surveillance Software Solves Security Snag
University of Adelaide (09/14/09) Gibson, Candace

University of Adelaide researchers have developed software that eliminates the need for security personnel at large public venues to search for suspicious activity among hundreds of different video screens. The program streamlines the information gathered from thousands of cameras and channels it into a single sensor. The researchers say the program helps prevent data overload in the surveillance network and saves workers time and effort. The software, developed at Adelaide's Australian Centre for Visual Technologies, is being commercialized by Snap Network Video Surveillance. When security personnel find suspicious activity, they can "perform virtual walkthroughs to investigate without risking their personal safety," says Snap co-founder Henry Detmold. He says that because the program makes automatic connections between thousands of security cameras, one security operator can simply "follow people throughout the whole network, in real time." Fellow Snap co-founder and Adelaide professor Anton van den Hengel says the software can be used for arenas as large as airports and the 2012 London Olympics. Adelaide researchers will continue to develop the software with universities in Australia and New Zealand.

Project 'Gaydar'
Boston Globe (09/20/09) Johnson, Carolyn Y.

Two students at the Massachusetts Institute of Technology (MIT) sought to determine whether online social network users were unknowingly revealing sensitive details through their virtual interaction with others, and they discovered through analysis of Facebook data that they could predict a person's sexual orientation just by looking at that person's online friends. MIT students Carter Jernigan and Behram Mistree used a program that studied the gender and sexuality of a person's friends and predicted homosexuality or heterosexuality through statistical analysis. "That pulls the rug out from a whole policy and technology perspective that the point is to give you control over your information--because you don't have control over your information," says MIT professor Hal Abelson. Project Gaydar, as Jernigan and Mistree call it, is an example of the rapidly accelerating field of social network analysis, in which the connections between people are examined to see what information can be extrapolated. The project taps the principle of homophily, which posits that similar people tend to group together. The method has demonstrated practicality in the identification of gay men, as opposed to gay women or bisexuals. The Electronic Frontier Foundation's Kevin Bankston says this discovery shows the risk that people run in participating in social networks. "Even if you don't affirmatively post revealing information, simply publishing your friends' list may reveal sensitive information about you, or it may lead people to make assumptions about you that are incorrect," he warns.

EU Funding 'Orwellian' Artificial Intelligence Plan to Monitor Public for 'Abnormal Behaviour'
Telegraph.co.uk (09/19/09) Johnston, Ian

The European Union-funded Project Indect is developing software that monitors and processes information collected from Web sites, discussion forums, file servers, peer-to-peer networks, and individual computers in an effort to automatically detect threats, abnormal behavior, or violence. The project involves researchers from more than 10 European countries and is part of the EU's effort to expand its role in fighting crime and terrorism and managing migration. Project Indect, which started earlier this year, is developing a platform for the registration and exchange of operational data, multimedia content, intelligent processing of information, and automatic detection of threats. Researchers in York University's computer science department say their goal is to develop "computational linguistic techniques for information gathering and learning from the Web." Another EU project, Automatic Detection of Abnormal Behavior and Threats in crowded Spaces (Adabts), aims to develop models of suspicious behavior so that closed-circuit TV and other surveillance methods can be upgraded to automatically detect suspicious behavior. The Adabts system would track individuals in a crowd and analyze their body movements and the pitch of their voice. Adabts project coordinator Jorgen Ahlberg, of the Swedish Defense Research Agency, says the system will make it easier for security personnel to spot problems. However, Open Europe analyst Stephen Booth says the projects sound "Orwellian" and raise serious questions about individual liberty and rights. "These projects would involve a huge invasion of privacy and citizens need to ask themselves whether the EU should be spending their taxes on them," Booth says.

Stimulus Funds to Further Cyber Security Research
Penn State Live (09/08/09) Spinelle, Jenna

The American Recovery and Reinvestment Act of 2009 will fund a project designed to protect the privacy and security of business information systems and data centers from cyberattacks. More than $1 million will be awarded over three years to Pennsylvania State University researcher Peng Liu, George Mason University researcher Sushil Jajodia, and Western Illinois University researcher Meng Yu. The researchers hope to accelerate customer and supplier services and to ensure secure business information. They will attempt to combine four areas of data security--redundancy, detection and analysis of microscopic intrusion, automatic response, and diversity-driven protection. The researchers say the project could lead to stronger security measures in the business world, increased efficiency in customer and supplier service, and improved data protection in the wake of cyberattacks. "This grant will enable us to take a big stride forward towards building self-protecting and trustworthy information systems and data sets," Liu says. "This project will 'stand on the shoulders' of our recent research achievements in trusted recovery, self-healing information systems, and intrusion-tolerant computing."

Adding Trust to Wikipedia, and Beyond
Technology Review (09/04/09) Naone, Erica

WikiTrust, developed by University of California, Santa Cruz (UCSC) researchers, helps users evaluate information published on Wikipedia by automatically assigning a reliability color code to the text, based on the reliability of the author and accuracy of the content. WikiTrust algorithms determine these factors by examining how well received the author's contributions have been within the community, including how quickly an author's contributions are revised or reverted and the reputation of people who interact with the author. UCSC professor Luca de Alfaro says WikiTrust makes it harder to change information without anyone noticing, and makes it easier to analyze the reliability of information on a page. WikiTrust researchers are working on a version that features a full analysis of all edits made to the English-language version of Wikipedia. The principles behind the WikiTrust algorithms could be used on any site with collaboratively created content, de Alfaro says. Similarly, the World Wide Web Consortium recently released the Protocol for Web Description Resources (POWDER), which aims to create a common language for building trust online. Using POWDER's specifications, a Web site can make claims about where information comes from and how it can be used. POWDER is designed to integrate with third-party authentication servers and to be machine-readable. Web users could install a POWDER plug-in that will look for claims made through POWDER on any given page, automatically check authentication, and inform other users of the result.

Researchers Find a New Way to Attack the Cloud
IDG News Service (09/03/09) McMillan, Robert

Researchers at the University of California, San Diego (UCSD) and the Massachusetts Institute of Technology (MIT) have found security holes in Amazon's EC2 cloud-computing service. The researchers were able to execute basic versions of side-channel attacks, in which a hacker looks at indirect information related to the computer to determine what is taking place on the machine. The researchers succeeded in pinpointing the physical servers used by programs running on the EC2 cloud, and then extracted small amounts of data from those programs. Previous research has demonstrated vulnerability to side-channel attacks. In 2001, University of California, Berkeley researchers were able to extract password information from an encrypted SSH data stream by performing a statistical analysis of how keystrokes generated traffic on the network. By looking at the computer's memory cache, the UCSD and MIT researchers were able to obtain basic information about when other users on the same machine were using a keyboard to perform tasks such as accessing the computer using an SSH terminal. The researchers say that measuring the time between keystrokes enables them to determine what is being typed on the machine. To perform this attack, the researchers had to determine which EC2 machine was running the program they wanted to target, a difficult challenge as cloud computing is supposed to hide this information. However, by performing an analysis of DNS traffic and using a network-monitoring tool, the researchers developed a technique that could provide a 40 percent chance of placing their attack code on the same server as their target. Security experts say that side-channel techniques could lead to more serious problems for cloud computing.


Privacy Plug-In Fakes Out Facebook
Technology Review (09/09/09) Lemos, Robert

University of Waterloo, Ontario researchers have developed FaceCloak, a browser plug-in that shields social network users' private data from both malicious users and social network providers. Waterloo professor Urs Hengartner says the plug-in replaces sensitive information in a user's profile with news feeds and meaningless text that can only be unscrambled by trusted friends and contacts. Carnegie Mellon University (CMU) professor Alessandro Acquisti says most users are unaware of the privacy implications of posting personal information on social networking sites such as Facebook and MySpace. In 2005, Acquisti and fellow CMU researcher Ralph Gross found that almost 80 percent of Facebook users revealed their birthday and the majority provided public access to their real-world address, which could provide enough information to commit identity theft. Acquisti says users have recently started changing their access options to protect their information more carefully, but social network providers have not been good at protecting user privacy because monetizing personal information could result in millions of dollars in revenue. FaceCloak allows users to designate what information should be encrypted and made available only to friends. The user receives a secret access key and sends two other keys to friends. The keys are used to access the real information, which is stored on a separate server. Similar tools are being developed by other academic teams, including a Cornell University plug-in called None of Your Business that encrypts profile information so it can be read only by a small group of friends.

Online Social Networks Leak Personal Information to Third-Party Tracking Sites
Worcester Polytechnic Institute (08/24/09) Dorsey, Michael

A Worcester Polytechnic Institute (WPI) study by professor Craig Wills found that the practices of many popular social networking sites can make personal information shared by users on their pages available to companies that track Web user browsing habits. The study, presented at the Workshop on Online Social Networks, part of ACM's recent SIGCOMM 2009 conference, described the method that tracking sites could use to directly link browsing habits to specific individuals. Wills says users are given a unique identifier when they sign up with a social networking site, and when social networking sites pass information to tracking sites about user activities, they often include the identifier, giving the tracking site a profile of Web browsing activities and the ability to link that profile to a user's personal information. Wills says this is a particularly troubling practice for two reasons. "First, users put a lot of information about themselves on social networking sites. Second, a lot of that information can be seen by other users, by default." A unique identifier could give a tracking site access to a user's name, physical address, email address, gender, birth date, education, and employment information. Wills says he does not know what, if anything, tracking sites do with unique identifiers given to them by social networking sites, and while the Web sites provide users with tools to protect themselves, the best way to prevent privacy leaks would be for social networking sites to stop making unique identifiers visible.
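A site operator or privacy reviewer can check captured browser traffic for the kind of leak described above. The following is an added example, not part of the WPI study: the record format, the `.example` host names, the sample identifier and the assumption that the identifier travels in the request URL or the Referer header are all constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample of requests a browser made while viewing a profile page.
SAMPLE_REQUESTS = [
    {"url": "https://social.example/profile.php?id=1234567890"},
    {"url": "https://ads.tracker.example/pixel.gif",
     "referer": "https://social.example/profile.php?id=1234567890",
     "cookie": "tid=abc123"},
    {"url": "https://cdn.static.example/lib.js",
     "referer": "https://social.example/home"},
    {"url": "https://stats.metrics.example/collect?page="
            "https%3A%2F%2Fsocial.example%2Fprofile.php%3Fid%3D1234567890&v=2"},
    {"url": "https://ads.tracker.example/sync?uid=12345678901",
     "referer": "https://social.example/home",
     "cookie": "tid=abc123"},
]


def site_of(host: str) -> str:
    """Naive registrable domain: the last two labels.

    Assumption for this sketch; a production audit would consult the
    Public Suffix List instead.
    """
    return ".".join(host.lower().split(".")[-2:])


def tokens(text: str) -> set:
    """Split a URL or header value into alphanumeric tokens.

    The value is percent-decoded twice so identifiers nested inside an
    encoded URL parameter are still found. Matching whole tokens avoids
    flagging longer numbers that merely contain the identifier.
    """
    return set(re.split(r"[^A-Za-z0-9]+", unquote(unquote(text))))


def find_id_leaks(records, first_party: str, user_id: str):
    """Return (host, where, has_cookie) for third-party requests exposing user_id.

    `where` names the field carrying the identifier ("url", "referer" or
    "url+referer"). `has_cookie` is True when the same request also carried
    a cookie for the third party, which is what lets that party join the
    identifier to an existing browsing profile.
    """
    findings = []
    for rec in records:
        host = urlsplit(rec["url"]).hostname or ""
        if site_of(host) == first_party:
            continue  # first-party traffic is expected to carry the identifier
        fields = (("url", rec["url"]), ("referer", rec.get("referer", "")))
        where = [name for name, value in fields if user_id in tokens(value)]
        if where:
            findings.append((host, "+".join(where), "cookie" in rec))
    return findings


if __name__ == "__main__":
    for finding in find_id_leaks(SAMPLE_REQUESTS, "social.example", "1234567890"):
        print(finding)
```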


ACM Bulletin Service
USACM Cautions Federal Government on Web Tracking, August 25, 2009

In response to the U.S. government’s reexamination of its current ban on cookie technology, USACM, ACM’s U.S. Public Policy Committee, recently submitted comments on using web tracking technologies. Cookies, an example of web tracking technologies, are bits of code that can be deposited on your computer to help the web site you are visiting remember things about you. USACM acknowledged that cookies can significantly improve citizens’ interactions with government websites and promote civic engagement. USACM’s comments also cited the challenges of using Personally Identifiable Information (PII) for web tracking, or when financial records or medical data are involved or exposed through careless collection.

Among the USACM recommendations are:

  • Minimizing the collection of PII
  • Incorporating proper website design and access controls
  • Limiting web tracking technologies to HTTP cookies until users can track and manage it on their computers

Additional details and commentary are available at: http://usacm.acm.org/usacm/PDF/USACM_Web_Tracking_Comments_Final.pdf


Web Tools Help Protect Human Rights Activists
Reuters (08/19/09) Finkle, Jim

A new generation of Internet privacy tools is being developed to prevent governments from gathering data, such as where users access the Internet from. One tool, called Tor, scrambles information before sending it over the Web, hiding the user's location. Tor can bypass firewalls, which makes it a popular tool among activists in countries such as China and Iran. Tor connects users to a second PC that links to a third computer, which does not know the location of the first machine, making it impossible to trace the identity of the person accessing the Web. "Tor is a tunnel," says Tor Foundation executive director Andrew Lewman. "What you send into it comes out the other end, untouched." The U.S. government has contributed $250,000 of the $343,000 in income the foundation reported in 2007. Tor enables surfers to bypass Internet censorship software, whether it is implemented by a government or a company aiming to keep workers off of sites such as Facebook while at work. It also can protect against identity theft and deletes all Web session information after closing a browser. Tor was used to coordinate demonstrations following the disputed presidential election in Iran, and has been used in China and Iran to enable citizens to access Gmail, Twitter, and other communication sites when blocked by their governments. The adoption of Tor has been hurt by its speed, as not all users allow traffic to flow through their computers, which makes the service slower than regular Web browsing. A similar technology is Freegate, which was developed by the banned Falun Gong movement in China.


Microsoft Team Traces Malicious Users
Technology Review (08/13/09) Lemos, Robert

In a paper that will be presented at ACM SIGCOMM 2009, which takes place Aug. 17-21 in Barcelona, Spain, Microsoft researchers will demonstrate HostTracker, software that removes the anonymity from malicious Internet activity. The researchers were able to identify the machines responsible for anonymous attacks, even when the host's IP address rapidly changed. The researchers say HostTracker could lead to better defenses against online attacks and spam campaigns. For example, security firms could create a clearer picture of which Internet hosts should be blocked from sending traffic to their clients, and cybercriminals would have a more difficult time disguising their activities as legitimate communications. The researchers analyzed a month's worth of data collected from a large email service provider to attempt to determine users responsible for sending spam. Tracking the origins of a message involved reconstructing relationships between account IDs and the hosts used to connect to the email service. The researchers grouped all the IDs accessed from different hosts over a certain time period, and the HostTracker software searched through this data to resolve any conflicts. The researchers also developed a way to automatically blacklist traffic from an IP address if HostTracker determines that the host at that address has been compromised. HostTracker was able to block malicious traffic with an error rate of 5 percent, and using additional information to identify good-user behavior reduced the error rate to less than 1 percent.

U.S. Web-Tracking Plan Stirs Privacy Fears
Washington Post (08/11/09) P. A2; Hsu, Spencer S.; Kang, Cecilia

The White House is proposing to soften a long-existing prohibition on tracking how users peruse U.S. government Web sites with cookies and other methods, inciting suspicion among privacy advocates. The U.S. Office of Management and Budget (OMB) has proposed replacing a ban on using cookies and other technologies on government sites with new standards. Supporters of the proposal say social networking and other services have transformed the way users share knowledge, and White House officials say those services can be used to enhance transparency and public participation in the government. Some privacy advocates say the change represents a fundamental and inexplicable shift in federal policy. The American Civil Liberties Union's Michael Macleod-Ball says the proposal could "allow the mass collection of personal information of every user of a federal government Web site." Even those in favor of revising the policy question whether the Obama administration is pursuing these changes at the behest of private companies, as the sector's clout in Washington has expanded significantly. The Electronic Frontier Foundation and the Electronic Privacy Information Center cite the language of a February contract with Google, in which a government agency specifically exempted the company so that it could access Google's YouTube site. Electronic Frontier Foundation legal advocate Cindy Cohn calls the agreement troubling. "It appears that these companies are forcing the government to lower the privacy protections that the government had promised the American people," Cohn says. "The government should be requiring companies to raise the level of privacy protection if they want government contracts."


    New Epidemic Fears: Hackers
    The Wall Street Journal (08/04/09) P. A6; Worthen, Ben

    Under the economic stimulus bill and other U.S. federal government proposals, hospitals and doctors' offices that invest in electronic records systems may receive compensation from part of a $29 billion fund. However, such systems can be vulnerable to security breaches. Last year health organizations publicly disclosed 97 data breaches, up from 64 in 2007, including lost laptops with patient data on them, misconfigured Web sites that accidentally disclosed confidential information, insider theft, and outside hackers breaking into a network. Because most healthcare organizations keep patients' names, Social Security numbers, dates of birth, and payment information such as insurance and credit cards, criminals often target these places for identity theft. "Healthcare is a treasure trove of personally identifiable information," says Secure Works researcher Don Jackson. The U.S. Federal Trade Commission says medical fraud is involved in about 5 percent of all identity theft. Smaller practices can become easier targets, as they rarely have a technology professional or security specialists, and often lack a security plan or proper tools. The government plans to release guidelines over the next year, as part of the stimulus bill, to illustrate a secure information system, but critics warn that data encryption and other security functions are worthless if they are not correctly used. "If you take a digital system and implement it in a sloppy way, it doesn't matter how good the system is," says World Privacy Forum executive director Pam Dixon. "You're going to introduce risk."


    Trust But Verify: Security Risks Abound in the IT Supply Chain
    Government Computer News (07/17/09)

    There are substantial national security issues associated with the use of information technology (IT) products delivered via the global supply chain, including theft of intellectual property, logic bombs and self-modifying code, deliberately concealed back doors and features for unsanctioned remote access, and risks from bogus or counterfeit products. Three years ago, ACM published a study identifying the national security risks posed by the U.S. government's use of foreign software, and the leading risk was that non-understanding of code pedigree could permit belligerent nations, terrorists, and others to undermine or sabotage software used in critical government systems. Yet the problem also applies to hardware and potential risks caused by counterfeit products or foreign computer chips and microprocessors, as well as the activities of domestic miscreants. The complexity of the IT supply chain means no clear demarcation between software and hardware pedigree from source to government system. In January 2008, the White House issued a Homeland Security Presidential Directive calling for a national priority and plan for anti-cyberthreat action, and one of the directive's initiatives is designed to address IT supply chain risks. The National Institute of Standards and Technology has identified several sub-program areas to tackle, including criteria for identifying federal government systems and networks that need augmented efforts to ensure supply chain risk management, lifecycle processes and standards, acquisition policy and legal analysis, and a process for sharing vendor threat analyses across the federal government. Meanwhile, U.S. Customs and Border Protection's Customs-Trade Partnership Against Terrorism (C-TPAT) has shown considerable progress in its goal to protect the trade industry from terrorists and offer incentives and benefits to private-sector firms that meet or surpass C-TPAT supply chain security criteria and best practices.


    SENATE INTRODUCES BILL RESEMBLING REAL ID
    ACM Washington Update, Vol. 13.6 (July 14, 2009)

    After several states passed legislation preventing them from implementing the REAL ID Act, it appeared that REAL ID would not be fully implemented.  It was even considered possible in some quarters that the law might be repealed and replaced with the rulemaking process that was in progress when REAL ID was passed in 2005.  However, a bill was recently introduced in the Senate that would repeal REAL ID and replace it with an ID system that has many of the same problems as REAL ID.  S.1261 was introduced by Senator Akaka, who has tried to repeal REAL ID in the past.
    You can read the bill here

    http://thomas.loc.gov/cgi-bin/query/z?c111:S.1261:

    There have been changes in the cost structure of the bill, and there will no longer be a national electronic system linking the various state databases. However, there will be a pilot project for just such a system, allowing the possibility of a national data exchange once the pilot has been successfully demonstrated. There is some language in the bill that acknowledges the importance of privacy protections, which should be applauded, as such language rarely makes it into legislation. However, very few of the good changes that came about after the 2007 public comment period on REAL ID regulations remain in the bill. For instance, it is possible under the current legislation for RFID chips to be used in a PASS ID. These chips can be scanned remotely without the knowledge of the ID holder. Here's a link to our comments from that time.

    http://www.acm.org/usacm/PDF/USACM_REAL_ID_Comments_FINAL.pdf

    A review of the bill suggests that most of USACM's comments could be applied to the new legislation, and that the new program - called PASS ID - will not provide the increased security proponents claim it does.  Additionally, PASS ID falls into that same trap of  a so-called 'gold standard' identity document that REAL ID does. Such a 'gold standard' identity document looks nice, until it gets cracked.  At that point, the kinds of mischief that can happen make the whole system not worth the trouble.  Something that tough to crack is unfortunately really hard to restore.  Identity theft under cover of a REAL ID will be harder to recover from than it currently is today.



    IBM Security Software Masks Confidential Info
    Network World (07/09/09) Cooney, Michael

    IBM researchers have developed Masking Gateway for Enterprises (MAGEN), software that uses optical character recognition and screen scraping technology to identify and conceal confidential information. IBM says MAGEN can prevent data leakage and allow for data sharing while protecting sensitive business data. MAGEN works at the screen level by "catching" the information before it reaches the screen, analyzing the content, and masking sensitive details that should be hidden from the potential viewer. The system treats the information as a picture, uses optical character recognition to identify confidential sections, and places a data "mask" over those details, without copying, changing, or processing the data. IBM says customers can set masking rules that can be defined per screen structure or per application. MAGEN does not change the software program or data, but rather filters information before it reaches the screen. The software also does not force companies to create modified copies of electronic records to mask, scramble, or eliminate data. IBM says MAGEN could be used for healthcare firms that outsource customer service and claims processing functions to a third party, enabling customer service representatives to access patient records while protecting private medical information.


    EU Lays Out Plans for the 'Internet of Things'
    VNUNet (06/18/09) Bailey, Dave

    The European Commission (EC) has developed a 14-point action plan to address some of the problems that could develop when everyday objects such as food packaging and prescription drug containers are equipped with radio frequency identification (RFID) tags as part of an effort to create an "Internet of things." Such a network could have a number of benefits, including the ability of food packaging to record temperatures along a supply chain or warn patients when they are taking two prescription drugs that are incompatible with one another. However, a number of problems could begin appearing when the use of RFID technology increases, including issues with governance, privacy, and data protection. The EC says the action plan will address these issues and help Europeans benefit from the development of an Internet of things. Meanwhile, the EC is planning to gather a representative group of stakeholders in Europe to monitor the development of the Internet of things. However, the network's development could be hampered by the fact that Internet Protocol version 6 (IPv6) has yet to be introduced. The EC says IPv6 is necessary for dealing with the large number of IP addresses that will be created by putting RFID tags on everyday objects.


    E-Mail Surveillance Renews Concerns in Congress
    New York Times (06/16/09) Risen, James; Lichtblau, Eric

    A National Security Agency (NSA) operation involving surveillance of American residents' communications, especially domestic emails, is fueling debate in the U.S. Congress about its legal and logistical ramifications, with current and former officials calling such monitoring much broader than previously admitted. Emails have been a particularly thorny issue for the NSA because of technological problems in drawing a distinction between messages by U.S. citizens and foreigners. Several former intelligence officials note that email traffic from all over the world is frequently channeled through U.S.-based Internet service providers, and when the NSA monitors a foreign email address, it does not know when the person using that address will send messages to someone inside the United States. A representative of national intelligence director Dennis C. Blair says that due to the complicated nature of surveillance and the need to comply with the rules of the Foreign Intelligence Surveillance Court and "other relevant laws and procedures, technical or inadvertent errors can occur." Agency advocates say the process of collecting millions of electronic messages by computer inevitably leads to the examination of innocent emails. Such messages are supposed to be filtered out, but critics say the NSA is not doing a good enough job in this area. An anonymous former NSA analyst verifies that the agency used a secret database that archived foreign and domestic emails and enabled analysts to read large volumes of messages to and from U.S. citizens, provided they fell within certain parameters and the citizens were not explicitly targeted in the queries. Officials acknowledge that the massive over-collection of U.S. citizens' communications can lead to a substantial number of privacy infringements, which has raised alarms in both the Foreign Intelligence Surveillance Court and Congress.


    Semantic Web Set for Critical Mass
    InfoWorld (06/16/09) Krill, Paul

    The Semantic Web is finally approaching critical mass, said World Wide Web Consortium (W3C) officials at a recent technical conference. W3C technology and society technical director Ralph Swick said the Semantic Web is starting to see commercial developments. The W3C has jurisdiction over critical Semantic Web technologies, including the Resource Description Framework (RDF) for representing information on the Web, the Web Ontology Language to allow information in documents to be processed by applications, and SPARQL for querying RDF data. The Semantic Web could be used for a variety of purposes, including building better mashups or publishing social networking data, according to W3C Semantic Web activity lead Ivan Herman. He said Semantic Web technologies could allow information to be accessed and linked, including data in medical databases, geographical information, and government data. Thomson Reuters' Thomas Tague urged technology developers to create tools that use the Semantic Web and semantic data. Monetization of the Semantic Web could come from adding semantic capabilities to social sites, improving opportunities for advertising performance, and semantic search, Tague said.


    Privacy May Be a Victim in Cyberdefense Plan
    New York Times (06/13/09) P. A1; Shanker, Thom; Sanger, David E.

    The U.S. Obama administration's cyberdefense strategy includes the formation of a new Pentagon cybercommand that critics warn may end up compromising personal privacy in order to fulfill its objective to monitor the myriad daily assaults on U.S. security systems. Pentagon and military officials say there is no way to effectively run computer operations without penetrating networks within the United States, where the military is banned from operating, or traveling electronic pathways through countries that are not themselves U.S. targets. Officials say the interception and analysis of some email messages may be necessary to guard against computer viruses or potential terrorist action, and supporters say the procedure could eventually be accepted as a digital version of customs inspections. Maren Leed with the bipartisan Center for Strategic and International Studies says there needs to be a broad debate "about what constitutes an intrusion that violates privacy and, at the other extreme, what is an intrusion that may be acceptable in the face of an act of war." U.S. Gen. James E. Cartwright with the Joint Chiefs of Staff admitted in a recent speech that the military's legal establishment of an early warning system for cyberattacks remains an unresolved issue. Leed notes that although the U.S. Defense Department and related intelligence agencies are the only organizations capable of cyberattack protection, they are not the best-equipped entities to assume such duties "from a civil liberties perspective." The expectation is that the new cybercommand will be helmed by a four-star general who also will direct the National Security Agency in an effort to heal the rift between the spy agency and the military over who has authority to conduct offensive operations.


    Social Networks Keep Privacy in the Closet
    Technology Review (06/11/09) Naone, Erica

    Social networks are being encouraged to downplay the privacy settings they build because of the tension between the desire to have users share as much personal information as possible and the need to protect that information and restrict how it is shared between users and outside their own borders. Privacy rights groups and activists are pressuring the networks to embed tools for users to control their information, but the networks also have an interest to keep privacy out of users' minds, according to research that will be presented at the Eighth Workshop on the Economics of Information Security. "Their goal is to create a very free-flowing environment where everybody is constantly sharing everything and seeing all this data on other people," says University of Cambridge researcher Joseph Bonneau. "The best way to achieve that is to not bring up the concept of privacy." The researchers studied 45 social-networking sites and determined that more popular sites did better with privacy overall because they face greater pressure to shield user data and also have more resources to address the problem. Bonneau says the disclosure of all sites' privacy practices could help put pressure on major sites to enhance the protection of users' information. Another researcher, Soren Preibusch, speculates that standardizing privacy settings could help users understand and control their information. University of Texas at Austin professor Vitaly Shmatikov is concerned that social networks will exacerbate the situation if they start focusing less on drawing new users and more on reaping profits from the ones they have.


    ADVISORY BOARD URGES UPDATES TO NATION'S PRIVACY POLICY
    ACM Washington Update, June 4, 2009

    Since the Privacy Act of 1974, little, if any, government-wide guidance has been given on privacy policies. Individual agencies have been responsible for the privacy of their own data, with widely varying results. Given the absence of guidance and significant technological changes, the Information Security and Privacy Advisory Board (ISPAB) released a report to the Director of the Office of Management and Budget (OMB) on the need to update privacy policies. The ISPAB is a federal advisory body that provides guidance to federal agencies in the areas of information security and policy.

    Some of the report's recommendations include amending the Privacy Act and the E-Government Act of 2002, improving government leadership on privacy, and making other changes to privacy policies such as updating federal cookie policy and publicly reporting the use of Social Security Numbers.

    More details on the recommendations can be explored in the report:
      http://csrc.nist.gov/groups/SMA/ispab/documents/correspondence/ispab-report-may2009.pdf


    Is the Hacking Threat to National Security Overblown?
    Wired News (06/03/09) Singel, Ryan

    U.S. President Obama recently made cybersecurity a national priority, but at the ACM's Computers, Freedom, and Privacy Conference, Threat Level editor Kevin Poulsen asked whether hacking and cyberattacks are an actual threat to the United States or simply the latest exaggerated threat to national security. Former Bush administration cybersecurity czar Amit Yoran says that hacking is absolutely a national security threat, and cites stories about the denial-of-service attacks against Estonia, attacks against government contractor Booz Allen Hamilton, and the recently reported breach of defense contractor computers that gave the attackers access to information on the Joint Strike Fighter. Poulsen says the threat of cyberterrorism is "preposterous," pointing out the long-standing threat that hackers would attack the power grid, which has never happened, and arguing that calling such potential attacks national security threats means that information about any possibility of defeated attacks is unnecessarily classified. "If we can't publicly share info that the attackers already have--since it's about them--then we are doing far more harm than good," says Poulsen, who argues that classification makes it impossible for the security community to, as a whole, prepare defenses for such attacks. Furthermore, Poulsen points out that the Joint Strike Fighter attack involved only unclassified information. However, security expert Bruce Schneier says there will be cyberattacks that affect the real world, though the current threat is exaggerated. "Passive defenses alone are not sufficient," says National Research Council cyberattack expert Herb Lin. "You have to impose costs on an attacker and maybe the only way to do that is a cyberattack yourself."


    Study: Web Trackers Systematically Compromise Users' Privacy
    Dark Reading (06/03/09) Wilson, Tim

    A University of California, Berkeley study found that Web users may be tracked by dozens of sources on a visit to a single site. Within a single month, the researchers found 100 monitoring agents on the site blogspot.com. Although many of the trackers used on blogging sites are low-level monitors used by bloggers to see who is reading their posts, major companies also are tracking a significant amount of Web traffic, according to the report. The researchers found five trackers operated by Google, including Analytics, DoubleClick, AdSense, FriendConnect, and Widgets. "Among the top 100 Websites this project focused on, Google Analytics appeared on 81 of them," according to the report. "When combined with the other trackers it operates, Google can track 47 of the top 50 Web sites, and 92 of the top 100 Web sites." The researchers note that even if Web users know that their online activities are being tracked, they have no way of knowing how that data is being used. The report says that 36 percent of the Web sites in the study openly acknowledge the presence of third-party tracking, but each of the sites also states that the data-collection practices of the third parties are outside the coverage of the site's privacy policy. "Based on our experience, it appears that users have no practical way of knowing with whom their data will be shared," the researchers report. The researchers note that many large companies have hundreds or even thousands of affiliates, sometimes in completely different industries, and occasionally in foreign countries.


    INTERNET PRIVACY BILL ON DRAWING BOARD FOR THIS CONGRESS
    ACM Washington Update, Vol. 13.3 (April 3, 2009)

    Representative Rick Boucher (D-VA) is the new Chair of the Subcommittee on Communications, Technology and the Internet of the House Energy and Commerce Committee. While telecommunications issues will be a big concern for Rep. Boucher, he is thinking about Internet privacy.  In an interview with the New York Times, Boucher expressed concern over the issue, stating, "Internet users should be able to know what information is collected about them and have the opportunity to opt out."

    Rep. Boucher is working with subcommittee Republicans on a bill that could standardize opt-out capacity and data collection disclosure for web sites. Rep. Boucher is also interested in requiring websites to obtain permission from users before using their information in certain practices - known as opt-in. In other words, if a website were to institute deep packet inspection or other data collection practices and sell that information, it must get the explicit permission of the users it collects information from.

    While this is an encouraging development, the Energy and Commerce Committee has crafted privacy bills before that have languished in legislative limbo. With a new committee chair, Congressman Waxman, this might change. 



    SECRETARY OF HOMELAND SECURITY PUTS REAL ID ON BACK BURNER
    ACM Washington Update, Vol. 13.3 (April 3, 2009)

    The new Secretary of Homeland Security, Janet Napolitano, indicated in late March that there were many flaws and problems with the REAL ID law, which is intended to provide for more secure forms of identification. USACM submitted comments back in 2007 outlining our concerns with the program, which would not be as secure or reliable as desired or needed. Several states expressed their objections to REAL ID through legislation, including the State of Arizona and its then-Governor, Janet Napolitano. So the new perspective on REAL ID is not completely unexpected.

    Secretary Napolitano is part of a working group coordinated by the National Governors Association to examine possible legislative and/or regulatory changes to REAL ID. Given the privacy and security concerns, as well as the steep price tag states will face under the current program, the status quo with REAL ID seems unlikely. Some states are working on forms of an enhanced drivers license (Washington state has started issuing them) geared toward frequent border crossers, but it’s unclear whether they would be cheaper, more secure, or provide better privacy than REAL ID.


    Future Shock: The PC of 2019
    Computerworld (03/16/09) Pratt, Mary K.

    The personal computer (PC) is expected to advance in both intelligence and form factor over the next 10 years, evolving into a merger of computing devices and peripherals that can help carry out "the higher cognitive tasks of what people do to get their jobs done," says Intel research director Andrew Chien. The laptop form factor is expected to transition from the current book-like configuration to more diverse paradigms dictated by function, says Dan Siewiorek with Carnegie Mellon University's Human-Computer Interaction Institute. BT Group executive Wen Xiao forecasts that smallness and ubiquity will be key characteristics of tomorrow's PC, while access control and communications, rather than computing, will be its primary applications. He says the push toward greater PC mobility will be hastened by virtualization and cloud computing. Xiao predicts that "the computing [and] data-storage functions will all be virtualized--device-independent, location-independent data and applications stored somewhere in the cloud, and on-demand software applications." He also envisions users becoming responsible for supplying their own computing devices while the corporate information technology department would establish a secure enterprise cloud and oversee the access and authentication of individual users. Physical flexibility is another PC advance that experts are anticipating, with innovations that include foldable, rollable, stretchy screens, and material programmed to change shape according to user needs. Xiao believes physical keyboards, mice, and monitors may be phased out in favor of projected controls and displays, perhaps even holograms. Among the technologies expected to replace wires in the PC is magnetic-induction charging. Xiao says the need for data input will be significantly reduced thanks to advancements in the Semantic Web and artificial intelligence.


    Berners-Lee: Semantic Web Will Have Privacy Built-In
    ZDNet UK (03/12/09) Espiner, Tom

    World Wide Web Consortium director Sir Tim Berners-Lee says the Semantic Web will improve online privacy protection by allowing Internet users to control who can access their data. Researchers have warned that the combination of personal information and a semantic Web could lead to privacy problems, including increased data mining. However, Berners-Lee says that teams working on the Semantic Web project are working to ensure that privacy principles are built into the Semantic Web's architecture. "The Semantic Web project is developing systems which will answer where data came from and where it's going to--the system will be architectured for a set of appropriate uses," he says. Berners-Lee also says the Semantic Web will be based on the principle that people who make a Web request for information held by third parties, such as a company or a government agency, will be able to see all the data those organizations will keep on them. The Semantic Web project will include accountable data-mining components, which enable people to know who is mining data on them, and it is exploring making the Web adhere to privacy preferences set by the users.


    Many See Privacy on Web as Big Issue, Survey Says
    New York Times (03/16/09) P. B5; Clifford, Stephanie

    More than 90 percent of U.S. citizens polled in a recent TRUSTe survey said that online privacy is a "really" or "somewhat" important issue, and just 28 percent said they were comfortable with advertisers using behavioral targeting; more than half of respondents said they were not. More than 75 percent of respondents agreed that the Internet is not well regulated, and said that naive users are at risk. In February, the U.S. Federal Trade Commission (FTC) revised its suggestions for behavioral targeting rules for the advertising industry, including that Web sites should disclose when they are participating in behavioral advertising and ask users for permission to use their browsing history. FTC commissioner Jon Leibowitz warns that intervention will be needed if the industry does not respond to the new suggested regulations. "Put simply, this could be the last clear chance to show that self-regulation can--and will--effectively protect consumers' privacy," Leibowitz says. More than half of the respondents in the survey said the government should be "wholly" or "very" responsible for protecting individuals' online privacy, although 75 percent of respondents also said that people should be wholly or very responsible for protecting their own privacy.

    NIST Suggests Areas for Further Security Metrics Research
    Government Computer News (03/09/09) Jackson, William

    Scientists at the National Institute of Standards and Technology's (NIST's) Computer Security Division have identified several areas that need to be researched to spur the creation of useful security metrics. One key area is the creation of formal models of security measurement and metrics. NIST scientists say the absence of these models and other formalisms has made it difficult to create security metrics that are useful in practice. Another area that needs to be researched is historical data collection and analysis. The scientists say that predictive estimates of the security of software components and applications that are being examined should be able to be derived from historical data collected about the characteristics of similar types of software and the vulnerabilities those applications experienced. The scientists observe that insights into security metrics could be gained by using analytical techniques on historical data in order to identify trends and correlations, discover unexpected relationships, and uncover other predictive interactions. Finally, the scientists say the development of computing components that are designed for measurement would be a significant step toward developing effective security metrics.


    USACM Policy Brief

    USACM Policy Recommendations on Privacy

    Current computing technologies enable the collection, exchange, analysis, and use of personal information on a scale unprecedented in the history of civilization. Despite the intended benefits of using these technologies, there are also significant concerns about their potential for negative impact on personal privacy. Well-publicized instances of personal data exposures and misuse have demonstrated some of the challenges in the adequate protection of privacy. Personal data -- including copies of video, audio, and other surveillance -- needs to be collected, stored, and managed appropriately throughout every stage of its use by all involved parties. Protecting privacy, however, requires more than simply ensuring effective information security. The U.S. Public Policy Committee of the Association for Computing Machinery (USACM) advocates a proactive approach to privacy policy by both government and private sector organizations. We urge public and private policy makers to embrace the following recommendations when developing systems that make use of personal information.


    How to Share Without Spilling the Beans
    Technology Review (03/02/09) Naone, Erica

    A new protocol designed to allow organizations to share important information without compromising privacy through the use of smart cards was recently unveiled by Bar-Ilan University professor Andrew Yehuda Lindell. The protocol's usage involves the first party's creation of a key with which both parties could encrypt their data. The key would be stored on a secure smart card to be given to the second party. Both parties would employ the key to encrypt their respective databases, and then the first party would send his or her encrypted database to the second party, who can see what information both parties have in common. In addition, the second party would only have a restricted window of time to use the secret key on the smart card because the first party deletes it remotely using a special messaging protocol. University of Haifa professor Benny Pinkas says that Lindell's system demands far fewer computing resources to shield private information. However, RSA Laboratories chief scientist Ari Juels says that because the smart card serves as a trusted third party, finding a manufacturer that both organizations trust completely could be problematic. "Assuming that a smart card is secure against an individual or modestly funded organization may be reasonable, but not that it's secure against a highly resourced one, like a national-intelligence agency," he notes. Lindell says that in the event the chip is compromised, high-end smart cards can be designed to self destruct.
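The exchange described above can be sketched as follows. This is an added illustration, not Lindell's protocol or code: HMAC-SHA256 stands in for the card's keyed encryption, and the `SmartCard` class, its `revoke()` method, and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class CardRevoked(Exception):
    """Raised when the card is used after the first party deleted the key."""


def normalize(record: str) -> bytes:
    # Both sides must canonicalize identically or equal records will not match.
    return record.strip().casefold().encode("utf-8")


class SmartCard:
    """Hypothetical model of the card: the key can be used but never exported."""

    def __init__(self, key: bytes):
        self.__key = key

    def tag(self, record: str) -> bytes:
        if self.__key is None:
            raise CardRevoked("key was deleted by the first party")
        return hmac.new(self.__key, normalize(record), hashlib.sha256).digest()

    def revoke(self) -> None:
        # Models the remote deletion that closes the second party's window.
        self.__key = None


def first_party_prepare(records):
    """Create the key, tag the first party's database, and load the card."""
    key = secrets.token_bytes(32)
    tags = {hmac.new(key, normalize(r), hashlib.sha256).digest() for r in records}
    return SmartCard(key), tags


def second_party_intersect(card, first_party_tags, own_records):
    """Tag own records through the card; keep those also in the first party's set."""
    common = set()
    for record in own_records:
        if card.tag(record) in first_party_tags:
            common.add(normalize(record).decode("utf-8"))
    return sorted(common)


# Constructed sample data (not from the article).
FIRST_PARTY_DB = ["alice@example.com", "bob@example.com", "carol@example.com"]
SECOND_PARTY_DB = ["Bob@Example.com ", "dave@example.com", "carol@example.com"]


def run_exchange():
    card, tags = first_party_prepare(FIRST_PARTY_DB)
    common = second_party_intersect(card, tags, SECOND_PARTY_DB)
    card.revoke()
    try:
        # After revocation the second party holds only opaque tags and
        # can no longer test further values against them.
        card.tag("alice@example.com")
        usable_after_revoke = True
    except CardRevoked:
        usable_after_revoke = False
    return common, tags, usable_after_revoke


if __name__ == "__main__":
    common, tags, usable = run_exchange()
    print("records in common:", common)
    print("card usable after revoke:", usable)
```

While the key is live, the card holder can tag any value and test it against the received set, which is why the length of the usage window and the card's tamper resistance carry the protocol's privacy guarantee.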


    Computerized Mobile Health Support System
    Fraunhofer-Gesellschaft (02/09)

    Researchers at Germany's Fraunhofer Institute for Integrated Circuits (IIS) have developed intelligent medical sensor devices designed to monitor the health of patients in their homes. The SomnoSENS system is a small box that is attached to the body during sleep to observe vital functions. Four adhesive electrodes record an electrocardiogram (ECG), while a finger clip measures the patient's blood oxygen level and pulse rate. Breathing is monitored using a nasal clip and expandable belts fitted around the upper torso, while a movement sensor in the device monitors the patient's body position and records how much the patient moves. Fraunhofer's Herbert Siegert says the small size of the device, and attaching the device to the body, enables it to be worn without hindering sleep comfort. The device records and stores data and transmits the data to a base station using a Bluetooth wireless interface. Physicians can then evaluate the data to make a diagnosis. Another device, the SYSvital telemonitoring system, is a small, lightweight device worn on a patient's body that records their heart rate using a three-channel ECG to identify minimum and maximum heart rates and arterial fibrillation, and also records movement. SYSvital enables physicians to evaluate a patient's heart rate in connection with physical activity. Meanwhile, the ActiSENS device is used to determine how active patients are. Siegert says ActiSENS measures a person's activity level throughout the day, helping the user reach the daily activity level that will keep them in shape.


    Sensors Help Keep the Elderly Safe, and at Home
    New York Times (02/13/09) P. A1; Leland, John

    Sensors and other monitoring technologies offer senior citizens more freedom to live independently and at less risk within the home. Motion sensors, medication reminder systems linked to mobile phones, pill compliance detectors, and wireless devices that transmit data on blood pressure and other physiological indicators are just some of the tools being used. These systems can be less costly than assisted living and nursing home care. One objective of personal health monitoring is to spur people to enhance their health by changing their behavior with the knowledge that they are being observed. However, the technologies are largely untested and are not usually covered by the government or private insurance plans. Moreover, there is the danger that the technologies could substitute for one-on-one interaction between seniors and their physicians, nurses, and relatives. "It's not that we need new technologies," says Dr. Jeffrey Kaye with the Oregon Health and Science University. "We need to use what we have more creatively." Monitoring technologies can gather terabytes of data, and researchers are working on ways of analyzing that information to help the well-being of users. For example, Kaye is working with Intel on a program that analyzes the motion data of seniors for patterns that would point to the onset of dementia well before it could be diagnosed with cognitive tests.


    P2P Networks Rife With Sensitive Health Care Data, Researcher Warns
    Computerworld (01/30/09) Vijayan, Jaikumar

    Sensitive medical data is easily available through peer-to-peer (P2P) file-sharing networks, reveals a study by researchers at Dartmouth College. During the study, the researchers used search terms related to the top 10 publicly traded U.S. healthcare organizations to see if they could find medical data on P2P networks such as Gnutella, FastTrack, Aries, and e-Donkey. Dartmouth professor Eric Johnson says the searches yielded a plethora of information from healthcare companies, suppliers, and patients. For example, Johnson says he was able to find a 1,718-page document containing Social Security numbers, dates of birth, insurance information, treatment codes, and other sensitive data belonging to roughly 9,000 patients at a medical testing laboratory. Johnson and the other researchers were able to obtain the information because employees at healthcare providers installed P2P networks on their computers, which allow users to download and share music and videos from shared folders but also can allow users to obtain other types of files if care is not taken to control which folders users have access to. Johnson says the study underscores the need for hospitals and other healthcare providers to be aware of the dangers of inadvertent data leakage as well as the need to put improved controls in place to monitor, detect, and stop them.


    RFID's Security Problem
    Technology Review (02/09) Vol. 112, No. 1, P. 72; Naone, Erica

    New U.S. passport cards and driver's licenses issued by Washington and New York state are designed to enable U.S. citizens to cross international borders more efficiently through the use of radio frequency identification (RFID) tags containing identity data that can be scanned by readers. But RFID technology has generated controversy because of its potential for privacy infringement, and studies of the new cards indicate that they can be exploited by ID thieves as well as by governments for the purpose of tracking people. Both the federal passport cards and the Washington driver's licenses boast electronic product code (EPC) tags that earned a passing grade from the U.S. Homeland Security Department, and which are inexpensive as well as capable of being read from an unusually long way off. Researchers from the University of Washington and RSA Laboratories see the latter capability as a means to facilitate invasive tracking, and also perceive a privacy issue in the tags' ability to store a unique number. The researchers also conclude that border security would be threatened by unauthorized reading, since the cards' ID numbers can be easily retrieved and therefore easily counterfeited. In addition, the Washington cards' EPC tags can be disabled by a "kill" command that is supposed to come from authorized users, and the state's failure to set the PIN on the cards it distributed means that anyone with RFID readers can set it themselves and issue kill orders. Some of the weaknesses in the federal passport cards and the Washington licenses are not apparent in New York's enhanced driver's licenses, which contain chips with serial numbers to guard against counterfeiting. Their memory banks are locked to shield them against unauthorized use of commands, but the New York licenses also raise the same privacy concerns the other cards do.


    Student Open Source Software Brings Personal Finance to the iPhone
    Rensselaer Polytechnic Institute (02/03/09) DeMarco, Gabrielle

    Rensselaer Polytechnic Institute computer science students Amit Kumar and Devin Ross, part of the Rensselaer Center for Open Software, have developed Vault, open-source software for Apple's iPhone that enables users to log, track, and manage their personal spending. "People are always carrying their phone everywhere already," Ross says. "We saw the potential to centralize a task that many people could use daily." Categories such as groceries have been programmed into Vault, but users will be able to add categories for other expenses. The software logs the transaction and modifies the user's account balance. Kumar and Ross have designed Vault to use the global positioning system to find the closest bank branch and to allow users to link to the bank's Web site or place a call to the bank. Users do not log their personal account information into the software.


    Networked Embedded System Middleware Speeds Up the Development of Innovative Systems
    Fraunhofer Institute (01/20/09) Deeg, Alex

    The Fraunhofer Institutes for Applied Information Technology and Secure Information Technology have developed context-aware middleware that is designed to help in the manufacturing of intelligent environments. The institutes' Hydra project developed a Networked Embedded System Middleware for Heterogeneous Physical Devices that will help manufacturers and system integrators in combining and connecting devices that can work together in cost-effective and flexible solutions. "A main issue in the Hydra project is networking a broad range of heterogeneous devices," says project coordinator Markus Eisenhauer. "The middleware makes it easy for developers to integrate additional devices and sensors into a distributed infrastructure. And it helps them take care of privacy and security requirements." The Hydra middleware supports several operating systems and programming languages, and can be used in a broad range of applications. To improve security, the middleware minimizes information exchange and the mechanisms needed for secure communication. To demonstrate its use, the researchers created a small model building equipped with sensors that send short messages to alert users to a technical defect. The model includes a situation in which a sensor detects humidity inside the house's heating system, alerts inhabitants by calling a mobile phone, and places an emergency repair request with a service company.