Categories
Presentations

Opportunities and Choices: Digital Student Records and Privacy

I was recently invited by the Groningen Declaration Network to join a panel discussing privacy issues around the exchange of digital student records. Like the discussion, this summary is a collaborative effort by the panel team. Two main use cases were discussed during the meeting: transferring records between education institutions when students apply to or […]

Categories
Articles

Legitimate Interests and Federated Access Management

I only wish the Article 29 Working Party had published their Opinion on Legitimate Interests several years ago, as it could have saved us a lot of discussion in the federated access management community. Any organisation that processes personal data needs to  have a legal justification for this; in access management that applies both to […]

Categories
Articles

Reducing the Impact of Privacy Breaches

At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy […]

Categories
Articles

Security Debt

Martin McKeay’s presentation at Networkshop warned us of the risk of spiralling “security debt”. Testing for, and exploiting, well-known vulnerabilities in networked systems now requires little or no technical expertise as point-and-click testing tools are freely available. The best known of these led Josh Corman to propose “HDMoore’s law“, that the capabilities of the Metasploit […]

Categories
Articles

Passive DNS: improving security and privacy

[Updated with further information and suggestions provided by CSIRTs: thanks!] One incident response tool that seems to be growing in value is passive DNS monitoring, described in Florian Weimer’s original paper.  As described in the references at the bottom of this post, patterns of activity in the Domain Name System – when names change, move […]

Categories
Articles

Information Security Updates at Networkshop

A strong common (and unplanned, honest!) theme emerged from the information security session at Networkshop yesterday: that information security, or information risk, is ultimately the responsibility of individual users. Only they can decide which documents it is safe to read on a train, which phone calls they can make in a public place. The role […]