Research, and particularly the on-line collaborative research referred to as e-science, creates a new challenge for federated access management systems. In teaching, the authoritative statement whether an individual is entitled to access an on-line resource comes from their home organisation: are they a member of that course? are they covered by that institutional licence? Thus […]
Categories
Cleaning up after Botnets
One of the challenges in finding an appropriate legal framework for incident response is that for many types of incident you don’t know in advance what information you are likely to receive. Rogier Spoor of SURFnet discussed one of the most common situations – cleaning up after a botnet infection – at the TERENA Networking […]
Categories
Making Best Use of Big Data
A thought-provoking talk at the TERENA Networking Conference by Barry Smyth of the Insight Centre for Data Analytics suggested both the possibilities and the problems of big data, and some of the decisions that society needs to make soon about how we do, and do not, use it to maximise benefits and minimise harms. A […]
A number of people have asked me what the recent European Court judgment in the Google “right to be forgotten” case means; here’s why I have been answering that I don’t know! The case concerned a fifteen-year old article in a Spanish newspaper about a named individual who had got into financial difficulties. The individual, […]
I was recently invited by the Groningen Declaration Network to join a panel discussing privacy issues around the exchange of digital student records. Like the discussion, this summary is a collaborative effort by the panel team. Two main use cases were discussed during the meeting: transferring records between education institutions when students apply to or […]
I only wish the Article 29 Working Party had published their Opinion on Legitimate Interests several years ago, as it could have saved us a lot of discussion in the federated access management community. Any organisation that processes personal data needs to have a legal justification for this; in access management that applies both to […]
Categories
Reducing the Impact of Privacy Breaches
At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected. Requirements to notify privacy […]
Categories
Security Debt
Martin McKeay’s presentation at Networkshop warned us of the risk of spiralling “security debt”. Testing for, and exploiting, well-known vulnerabilities in networked systems now requires little or no technical expertise as point-and-click testing tools are freely available. The best known of these led Josh Corman to propose “HDMoore’s law“, that the capabilities of the Metasploit […]
[Updated with further information and suggestions provided by CSIRTs: thanks!] One incident response tool that seems to be growing in value is passive DNS monitoring, described in Florian Weimer’s original paper. As described in the references at the bottom of this post, patterns of activity in the Domain Name System – when names change, move […]
A strong common (and unplanned, honest!) theme emerged from the information security session at Networkshop yesterday: that information security, or information risk, is ultimately the responsibility of individual users. Only they can decide which documents it is safe to read on a train, which phone calls they can make in a public place. The role […]