Tuesday, April 13, 2010

Keeping Medical Data Private

Researchers at Vanderbilt University have developed an algorithm that simultaneously protects privacy of patients while allowing medical records to be used for research on the genetics of disease.

The new method, published online April 12 in the Proceedings of the National Academy of Sciences, simply disguises parts of the medical history data that are not relevant to a geneticist’s specific research question using an algorithm that looks through health records and makes some aspects of them more general.
“We’re hoping that it’s a game-changer,” says Bradley Malin, a biomedical informatics specialist from Vanderbilt University in Nashville who helped develop the method. The problem is, it's not all that difficult to follow a specific set of codes backward and identify a person, says Malin.

See articles in Science News and MIT's Technology Review.

Monday, April 12, 2010

Loose Clicks Sink Ships

Since it is possible to analyze audio recordings of keystrokes, computer scientists have been able to reconstruct accurate transcripts of what is being typed, including passwords. By contrast with more sophisticated types of espionage, it is very easy to do. All that is needed is a cheap microphone and a desktop computer.

While past attempts at writing software to decipher the recorded keyboard sounds have only been at most 80% successful, Doug Tygar and colleagues at the University of California, Berkeley have developed software that achieves 96% accuracy. The software can decode anything, including scrambled ten-character passwords.

Dr. Tygar suggests simply turning up the radio to thwart these auditory invasions. However, since background noise will be ultimately overcome with more sophisticated recording, Tygar recommends that typed passwords be phased out, to be replaced with biometric checks or multiple types of authorization that combine a password with silent verification (e.g., clicking on a pre-selected image in an array of images).

See full article in The Economist.

Friday, April 09, 2010

"How Lenders Overlook the Warning Signs of ID Theft"

Brad Stone's NY Times Blog entry "How Lenders Overlook the Warning Signs of ID Theft" discusses Chris Hoofnagle's paper "Internalizing Identity Theft. The abstract for that paper says:

"Why has identity theft remained so prevalent, in light of the development of ever more sophisticated fraud detection tools? Identity theft remains at 2003 levels – 9.9 million Americans fell victim to the crime in 2009."

"One faction explains the identity theft as a problem of a lack of control over personal information. Another argues conversely that identity theft may be caused by a lack of access to personal information by credit grantors. This article presents data from a small sample of identity theft victims to explore a different dimension of the crime, one that suggests alternative interventions."

"Drawing upon victim and impostor data now accessible because of updates to the Fair Credit Reporting Act, the data show that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem does not necessarily lie in control nor in more availability of personal information, but rather in the risk tolerances of credit grantors. An analysis of incentives in credit granting elucidates the problem: identity theft remains so prevalent because it is less costly to tolerate fraud. Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts."

Stone's article gives an overview of how lenders approved credit applications, "one victim found four of six fraudulent applications submitted in her name contained the wrong address; two contained the wrong phone number and one the wrong date of birth."

Stone's article was also picked up by Slashdot

Thursday, April 01, 2010

'MULE' Prototype Uses Location for Authentication

Researchers at CMU (Carnegie Mellon University) have constructed a location-based encryption model for protecting data in lost or stolen laptops with little or no user interaction or IT administrative overhead.

The so-named Mobile User Location Specific Encryption (MULE) method encrypts only sensitive files on a user's laptop.

In a paper entitled Mobile User Location-specific Encryption (MULE): Using Your Office as Your Password researchers say
Our goal is to remove user effort associated with encryption technology while achieving the same or better security comparedto traditional password-based approaches. For example, with MULE, a user can securely store encrypted copies of bank records and tax returns on a laptop, and automatically gain access when opening those files in the home office, CMU CyLab technical director Adrian Perrig and CMU graduate student Ahren Studer write in their paper on MULE. "After a thief steals the laptop, the only way to recover the files is to break into the user's home."

See Tech Center: Insider Threat article in Dark Reading .