21
Privacy and the internet : differences in perspectives
Janz, Linda, University of Lethbridge. Faculty of Arts and Science January 1997
This study examined results of a World Wide Web survey that used the framework of domain theory of moral development to examine attitudes of Internet users assuming perspectives of victims, aggressors and bystanders toward privacy issues. The effect of a monetary incentive was tested on two perspectives; effects of three moderating variables, employment status, newsgroup/mailing list membership and culture, were also tested. In the process of examining interactions, an evaluation determined if changes in attitudes indicated movement along a morality continuum. Results show that victims are more concerned than aggressors, and bystanders take a moralizing stance regardless of domain. Results of the monetary incentive test suggest that privacy is for sale. Employed respondents are more concerned than non-employed respondents; membership has little effect. Effects of culture do not support the hypotheses. Implications are that moral judgements are a function of perspective and domain, allowing flexibility along a morality continuum due to situational deviations. / xii, 112 leaves ; 28 cm.

22
Token-based Graphical Password Authentication
Gyorffy, John Unknown Date
No description available.

23
A Security Analysis of Wireless Smart Home Technologies
Hansson, Niclas, Lantz, Alexander, Fischerström, Ludvig January 2015
The use of electronics connected to local networks and the Internet is growing all the time. Nowadays you can control your electronics in your house even when away from home, which opens up for potential security threats. The purpose of this report is to point out the potential risks with connecting home electronics to the Internet and to shed light on what security mechanisms are needed in these kinds of systems. This report contains a theoretical part in which relevant material has been summarized. This material includes the smart home solution Tellstick Net and the wireless technologies ZigBee and Z-Wave, which are commonly used in home automation. The Tellstick Net system was mapped out and a risk analysis with attack trees was performed. After the analysis of the system, the implementation of two potential security threats was attempted. The two attempted attacks were replay attack and cross-site request forgery. The replay attack was unsuccessful due to the way the system communicates and keeps connections alive. However, the cross-site request forgery was discovered to be successful in some cases. It depended on if the browser of the target supported cross-origin resource sharing, as that property protects against cross-site request forgery. Finally, the report discusses what impact the found security deficiencies have, what they entail and how they reflect on the need for security in smart technologies for the home.

24
Token-based Graphical Password Authentication
Gyorffy, John 11 1900
Given that phishing is an ever increasing problem, a better authentication system than the current alphanumeric system is needed. Because of the large number of current authentication systems that use alphanumeric passwords, a new solution should be compatible with these systems. We propose a system that uses a graphical password deployed from a Trojan and virus resistant embedded device as a possible solution. The graphical password would require the user to choose a family photo sized to 441x331 pixels. Using this image, a novel, image hash provides an input into a cryptosystem on the embedded device that subsequently returns an encryption key or text password. The graphical password requires the user to click five to eight points on the image. From these click-points, the embedded device stretches the graphical password input to a 32-character, random, unique alphanumeric password or a 256-bit AES key. Each embedded device and image are unique components in the graphical password system. Additionally, one graphical password can generate many 32-character unique, alphanumeric passwords using its embedded device which eliminates the need for the user to memorize many passwords. / Computer Engineering

25
Securing the 'Internet of Things' : decentralised security for wireless networks of embedded systems
King-Lacroix, Justin January 2016
The phrase 'Internet of Things' refers to the pervasive instrumentation of physical objects with sensors and actuators, and the connection of those sensors and actuators to the Internet. These sensors and actuators are generally based on similar hardware as, and have similar capabilities to, wireless sensor network nodes. However, they operate in a completely different network environment: wireless sensor network nodes all generally belong to a single entity, whereas Internet of Things endpoints can belong to different, even competing, ones. This difference has profound implications for the design of security mechanisms in these environments. Wireless sensor network security is generally focused on defence against attack by external parties. On the Internet of Things, such an insider/outsider distinction is impossible; every entity is both an endpoint for legitimate communications, and a possible source of attack. We argue that under such conditions, the centralised models that underpin current networking standards and protocols for embedded systems are simply not appropriate, because they require such an insider/outsider distinction. This thesis serves as an exposition in the design of decentralised security mechanisms, applied both to applications, which must perform access control, and networks, which must guarantee communications security. It contains three main contributions. The first is a threat model for Internet of Things networks. The second is BottleCap, a capability-based access control module, and an exemplar of decentralised security architecture at the application layer. The third is StarfishNet, a network-layer protocol for Internet of Things wireless networks, and a similar exemplar of decentralised security architecture at the network layer. Both are evaluated with microbenchmarks on prototype implementations; StarfishNet's association protocol is additionally validated using formal verification in the protocol verification tool Tamarin.

26
Security for e-commerce with specific reference to SAP
Wentzel, Jan Johannes 06 December 2011
M.Comm. / Poorly controlled E-Commerce vulnerabilities expose organisations to fraud that can result in major financial losses and embarrassment. Also, fraud can be committed while the perpetrator remains anonymous. It is therefore important that the auditor understand the security relating to SAP's E-Commerce solutions. This short dissertation will focus on the security features relating to E-Commerce with specific reference to SAP. The results of this investigation will be used to develop a model, which may be used to assist auditors to identify and evaluate the security controls in a typical E-Commerce environment as well as those present in a SAP R/3 environment.

27
Enforcing Privacy on the Internet.
Lategan, Frans Adriaan 02 June 2008
Privacy of information is becoming more and more important as we start trusting unknown computers, servers and organisations with more and more of our personal information. We distribute our private information on an ever-increasing number of computers daily, and we effectively give target organisations carte blanche to do what they want with our private information once they have collected it. We have only their privacy policy as a possible safeguard against misuse of our private information. Thus far, no reliable and practical method to enforce privacy has been discovered. In this thesis we look at ways to enforce the privacy of information. In order to do this, we first present a classification of private information based on the purpose it is acquired for. This will then enable us to tailor protection methods in such a way that the purpose the information is acquired for can still be fulfilled. We propose three distinct methods to protect such information. The first method, that of nondisclosure, is where private information is required not for the contents, but as input to verify calculations. We shall present an encryption method to protect private information where the private information consists of a set of numeric values S on which some function G has to be applied and the result = G(S) has to be supplied to a target organisation. The calculation of the result must be verifiable by the target organisation, without disclosing S. The second method, that of retaining control is a method by which we can grant limited access to our private information, and thus enforce the terms of privacy policies. The final method we present is a conceptual method to extend P3P in order to add more flexibility to the decision on whether or not a given item of private information will be supplied to a target organisation by using the Chinese Wall security policy. 
This will enable a user to not only define rules as to which items of private information he would disclose, but also to define what collection of private information any given organisation would be able to build about him. / Olivier, M.S., Prof.

28
An investigation into tools and protocols for commercial audio web-site creation
Ndinga, S'busiso Simon January 2000
This thesis presents a feasibility study of a Web-based digital music library and purchasing system. It investigates the current status of the enabling technologies for developing such a system. An analysis of various Internet audio codecs, streaming audio protocols, Internet credit card payment security methods, and ways for accessing remote Web databases is presented. The objective of the analysis is to determine the viability and the economic benefits of using these technologies when developing systems that facilitate music distribution over the Internet. A prototype of a distributed digital music library and purchasing system named WAPS (for Web-based Audio Purchasing System) was developed and implemented in the Java programming language. In this thesis both the physical and the logical component elements of WAPS are explored in depth so as to provide an insight into the inherent problems of creating such a system, as well as the overriding benefits derived from the creation of such a system.

29
Phishing Warden: Enhancing Content-Triggered Trust Negotiation to Prevent Phishing Attacks
Henshaw, James Presley 01 June 2005
Phishing attacks are spam e-mails that attempt to fool recipients into divulging their identifying information by posing as a message from a well known company and using that company's branding and logos. It is estimated that phishing attacks have cost bank and credit card customers $1.2 billion in the U.S. in 2003. Previous work, content-triggered trust negotiation (CTTN), filters Internet traffic for sensitive data, and prevents a user from disclosing sensitive information to an un-trusted server. However, existing CTTN implementations are vulnerable to client-side scripts that obfuscate any data the client's browser sends to the web server in order to bypass CTTN's filter. To increase the security of CTTN, this thesis introduces Phishing Warden, a browser-plug-in that filters content before client-side scripts can execute, thereby preventing the scripts from obfuscating data in order to bypass the filter. Phishing Warden negotiates the release of sensitive data through web forms via the AutoFill button. After Phishing Warden determines the web server is trustworthy of the requested information, the sensitive data is automatically inserted into the form, indirectly informing the user that Phishing Warden trusts the server with this information. Besides potentially obfuscating data, scripts in Internet browsers can exploit security vulnerabilities which allow malicious scripts to potentially take over the computer, or deceive the user with a fake toolbar [31]. In addition to preventing data obfuscation by client-side scripts, Phishing Warden also allows a user to customize script control with the push of a button, letting the user decide which websites to trust enough to run scripts. Phishing Warden extends CTTN to remember past sites deemed trustworthy by the user.

30
Secure Identification in Social Wireless Networks
Nawaz, Omer January 2011
The applications based on social networking have brought revolution towards social life and are continuously gaining popularity among the Internet users. Due to the advanced computational resources offered by the innovative hardware and nominal subscriber charges of network operators, most of the online social networks are transforming into the mobile domain by offering exciting applications and games exclusively designed for users on the go. Moreover, the mobile devices are considered more personal as compared to their desktop rivals, so there is a tendency among the mobile users to store sensitive data like contacts, passwords, bank account details, updated calendar entries with key dates and personal notes on their devices. The Project Social Wireless Network Secure Identification (SWIN) is carried out at Swedish Institute of Computer Science (SICS) to explore the practicality of providing the secure mobile social networking portal with advanced security features to tackle potential security threats by extending the existing methods with more innovative security technologies. In addition to the extensive background study and the determination of marketable use-cases with their corresponding security requirements, this thesis proposes a secure identification design to satisfy the security dimensions for both online and offline peers. We have implemented an initial prototype using PHP Socket and OpenSSL library to simulate the secure identification procedure based on the proposed design. The design is in compliance with 3GPP’s Generic Authentication Architecture (GAA) and our implementation has demonstrated the flexibility of the solution to be applied independently for the applications requiring secure identification. Finally, the thesis provides strong foundation for the advanced implementation on mobile platform in future.