Facebook recently introduced some interesting functionality that’s being touted as an “opt-in security feature.” When I first heard that they were incorporating one-time passwords (OTP), I figured it was probably a pretty good idea. In theory, OTP is straightforward to implement and can offer substantial benefits when done correctly. However, once you learn how Facebook expects people to request the one-time passwords (via mobile SMS), a potentially negative side effect becomes apparent. Passwords are often the first line of defense an attacker encounters. But in this case, OTPs actually undermine the benefit of the original password by creating a temporary token that can be used in its place, which means the account is only as well protected as the phone number that receives the SMS. This creates a security tradeoff, whereby the benefit of a secret password is sacrificed[…]

So you’ve been hearing lately about how some Android applications are going rogue, being used to steal users’ data and infiltrate their phones, then sitting idly by only to wreak havoc when the user least expects it (ok, so maybe I exaggerated a little there). But there has been a lot of buzz lately about certain apps not playing by the rules, or including certain calls to leech user information. A lot of this buzz has been spun as backlash against Google for allowing these types of applications to exist (instead of having some asininely draconian filtering process like some ‘other’ phone provider).

A colleague lent me his most recent copy of IEEE’s Computer magazine. Inside was an article entitled A Web 2.0 Model for Patient-Centered Health Informatics Applications (IEEE membership required to read). Some possible benefits of their proposed approach were listed, including: Run deeper analytics across physician groups and facilities, which can include relevant patient data… Provide a wide community of health professionals with feedback on the use and effectiveness of protocols… Share similar and alternative protocols and their analyses across many medical facilities and individual providers… Anyone want to guess what’s completely missing from their approach? You guessed it: any mention of security. The commonly misunderstood (and frequently misspelled) HIPAA makes it pretty clear that the privacy and confidentiality of personal[…]

A beta of HTTPS Everywhere was released today. It’s a collaborative project between the Tor Project and the EFF. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that point back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting requests to those sites so that they go over HTTPS, which also catches the stray HTTP links on pages that were otherwise served encrypted. It’s good to see a project like this, especially after giants like Google have finally stepped up and started offering more secure search features in their search engine. It’s only in beta so far, but it does look very promising. One area to[…]
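To make the request-rewriting idea concrete, here is an added illustration (not HTTPS Everywhere’s own code, and not its ruleset format): a small rewriter that upgrades plain-HTTP requests to HTTPS only for hosts an operator has listed as supporting it, with per-rule exclusions for paths known to break over HTTPS. The hosts, rules and sample requests are constructed for this example; the point it demonstrates is that the rewrite has to be driven by a curated list, because blindly upgrading every URL would break sites that do not serve HTTPS at all.

```javascript
// Added example, not part of the original post or the HTTPS Everywhere project.
// Each rule: host patterns the operator has verified serve HTTPS, a regex
// "from" with its replacement "to", and exclusions for paths to leave alone.
// All hosts below are assumptions made up for the example.
const RULES = [
  {
    name: "example.com (assumed to serve HTTPS on the same host)",
    hosts: [/^(www\.)?example\.com$/],
    from: /^http:\/\/(www\.)?example\.com\//,
    to: "https://$1example.com/", // "$1" keeps an optional "www." prefix
    exclusions: [/^http:\/\/www\.example\.com\/legacy\//], // assumed HTTP-only path
  },
  {
    name: "example.net (assumed to serve HTTPS only on secure.example.net)",
    hosts: [/^example\.net$/],
    from: /^http:\/\/example\.net\//,
    to: "https://secure.example.net/",
    exclusions: [],
  },
];

// Rewrite one request URL. Returns the (possibly unchanged) URL plus a
// reason, so a caller can log why a request was or was not upgraded.
function rewriteToHttps(urlString, rules = RULES) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { url: urlString, rewritten: false, reason: "unparseable URL" };
  }
  // Only plain http:// is a candidate; https:// and other schemes pass through.
  if (url.protocol !== "http:") {
    return { url: urlString, rewritten: false, reason: "not plain http" };
  }
  for (const rule of rules) {
    if (!rule.hosts.some((h) => h.test(url.hostname))) continue;
    // A host can match while a specific path is excluded (known to break over HTTPS).
    if (rule.exclusions.some((x) => x.test(urlString))) {
      return { url: urlString, rewritten: false, reason: `excluded by rule: ${rule.name}` };
    }
    const out = urlString.replace(rule.from, rule.to);
    if (out !== urlString) {
      return { url: out, rewritten: true, reason: `rule: ${rule.name}` };
    }
  }
  // Unknown host: leave it alone rather than guess that HTTPS will work.
  return { url: urlString, rewritten: false, reason: "no rule for host" };
}

// Apply the rewriter to a batch of requests, e.g. the URLs a page is about
// to fetch, including HTTP links that an otherwise-HTTPS page points back to.
function rewriteAll(urls, rules = RULES) {
  return urls.map((u) => ({ original: u, ...rewriteToHttps(u, rules) }));
}

// Constructed sample traffic (assumptions, not captured from any real site).
const SAMPLE_REQUESTS = [
  "http://www.example.com/login?next=/inbox",   // upgraded on the same host
  "http://example.com/",                         // upgraded, no "www." prefix
  "http://www.example.com/legacy/widget.js",     // excluded path, left as-is
  "http://example.net/api/v1/items",             // upgraded onto a different host
  "http://no-tls.example.org/",                  // unknown host, left as-is
  "https://www.example.com/already-secure",      // already HTTPS, untouched
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of rewriteAll(SAMPLE_REQUESTS)) {
    console.log(`${r.rewritten ? "UPGRADED" : "kept    "} ${r.original} -> ${r.url} (${r.reason})`);
  }
}
```

The exclusion list is the part worth copying: a site that mostly works over HTTPS often has a handful of paths (old widgets, payment callbacks, mixed-content scripts) that do not, and a rewriter without a way to carve those out will be turned off by users the first time it breaks something.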

In celebration of Facebook’s recent privacy control revamp, I present a very informative tutorial video from the Electronic Frontier Foundation that gives a brief rundown of the changes, the highs, and the lows. This might also be something beneficial to share with friends or relatives on Facebook who may not be in-the-know about the increased focus on privacy control in social networking and social media. Enjoy:

Lately, Google has been apologizing for mistakenly collecting data from unprotected Wi-Fi networks with the fleet of vans the company sent out for its StreetView service. Some have pointed out that, by leaving their wireless networks unprotected, companies had no reasonable expectation that their data would not be collected somehow. And so we have another example of what can happen when data and communications are left unprotected: you’re even susceptible to accidental disclosure of information. What other accidents might occur? One thing that comes to mind is accidental loss of bandwidth. Someone who doesn’t know any better might turn on their laptop and find that they have Internet access. What they didn’t realize is that they automatically connected to[…]