Andrew Patrick

Brain scan lie detection excluded from court

Andrew — Wed, 02 Jun 2010 16:25:54 +0000

Wired Science is reported that a Tennessee court has thrown out lie detection “evidence” from brain scans because it was unscientific. The defendant had offered the scans as proof that he was not lying about defrauding the government over Medicare payments.

The defense tried to use brain scans of the defendant to prove its client had not intentionally defrauded the government. In a 39-page opinion, Judge Tu Pham provided both a rebuke of this kind of fMRI evidence now, and a roadmap for how future defendants may be able to satisfy the Daubert standard, which governs the admissibility of scientific evidence.

It is particularly important to note that the company actually violated their own protocols during the scan. After two tests produced different results, the testing was repeated a third time until the desire result was obtained.

“Dr. Semrau risked nothing in having the testing performed, and Dr. Laken himself testified that had the results not been favorable to Dr. Semrau, they would have never been released,” Pham noted.

Further, the company expert was unwilling to say if the defendant was lying or telling the truth on any specific question, but instead whether the person was “more overall” telling the truth.

Tips for effective lying

Andrew — Fri, 14 May 2010 15:26:54 +0000

Lying is hard, but some people are particularly good at it. Psychology Today offers 10 tips for effective lying.

…human beings have an innate skill at dishonesty. And with good reason: being able to manipulate the expectations of those around us is a key survival trait for social animals like ourselves. Indeed, a 1999 study by psychologist Robert Feldman at the University of Massachusetts showed that the most popular kids were also the most effective liars.

Security skills in demand

Andrew — Fri, 14 May 2010 15:05:42 +0000

Employers are looking for specific skills when hiring security professionals, and these mirror the most common issues are threats seen today.

So what do employers in the federal and private sectors want in a security pro today? The most in-demand qualifications basically mirror the types of attacks, breaches, and threats these organizations face today, as well as the regulations that help dictate their defenses: They’re looking for experience in incident-handling and response, compliance, risk management, business-side acumen, security clearance for sensitive government work, and leadership.

Researchers hack car computer systems

Andrew — Fri, 14 May 2010 15:00:28 +0000

Researchers will be presenting a paper at the IEEE security conference in Oakland next week that demonstrates various attacks against the computer systems in modern cars. These attacks allow someone to control a variety of systems, including the breaks, and even erase all evidence of the attacks. We know a lot about building safety critical systems, but we seem to also be good at ignoring the lessons.

Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car’s two internal subnets.

The paper is available here.

Media coverage can be read here.

Denial-of-Phone While Draining Accounts

Andrew — Thu, 13 May 2010 17:25:53 +0000

Here is an interesting attack method: launch a denial-of-phone attack to prevent communication with a bank while draining the accounts. Apparently, fake VoIP accounts were setup to phone the victim repeatedly while the bad guys transferred thousands of dollars out of the accounts. This is an example of a cross-over attack using different types of technologies to perform the fraud.

The FBI says the calls were a diversionary tactic, meant to tie up Thousand’s line so that Ameritrade couldn’t reach him to authenticate the money transfer requests.

via Mind Hacks: fMRI lie detection and the Wonder Woman problem.

Fake Bomb Detectors

Andrew — Sat, 23 Jan 2010 15:41:01 +0000

A military supplier has been making lots of money selling dowsing-like devices to troops in Iraq that are supposed to detect explosives and other nasty materials. They devices come equipped with different programming cards to customize the substances they search for.

There has been speculation that the devices are fake and the programming cards don’t do anything. Now comes an analysis of the cards by careful dis-assembly, and the results are predictable…

There is no way in which this device could be programmed to distinguish the many different substances that the ADE651 manufacturer claimed it could, not to mention that any useful interaction with such an LC circuit would require a transmitter antenna, a power source, and lots of other components that the ADE651 appears to lack.

Funding available for privacy research in Canada

Andrew — Thu, 21 Jan 2010 15:37:21 +0000

My new employer, The Office of the Privacy Commissioner of Canada, is again calling for research and public education proposals for its contributions programs.

Research into the privacy implications of information technologies is one of the four priority areas for funding support under this year’s program. Emerging information technologies can threaten the privacy of Canadians or enhance it – and sometimes both simultaneously. For that reason, the Office is especially interested in receiving funding applications from researchers examining, from a scientific or technical standpoint, the impact of information technologies on privacy.

Not-for-profit organizations, including education institutions, industry and trade associations, consumer, voluntary and advocacy organizations are all eligible under the program. Up to $50,000 is available for successful projects. The deadline for submitting applications is February 26, 2010.

More information is available at:

http://www.priv.gc.ca/resource/cp/p_index_e.cfm

Using Psychology to Control Traffic

Andrew — Mon, 11 Jan 2010 19:33:10 +0000

You have probably seen a variety of “traffic calming measures” when you drive down roads. These range from speed bumps to pavement markings to deliberate narrowing of the roads.

Here is an article reporting results from pavement markings designed to produce an optical illusion that makes it appear that you are driving faster than you actually are. The markings are being used at the approach to a corner with a bad accident record, and they seem to we working quite well.

Traffic calming results

Phishing Attacks Rarely Work, But Still Worth Millions

Andrew — Tue, 08 Dec 2009 06:23:19 +0000

A new report from Trusteer has shown that phishing attacks are rarely successful, but still worth millions of dollars to the attackers.

Trusteer makes a browser plugin called Rapport which is given away for free to customers of certain banks (including some Canadian banks). The plugin monitors for phishing attacks and can detect when someone is submitting login information to a false banking site. Rapport has been installed on about 3 million computers in Europe and North America, and data collected by the plugin provides a valuable look into the damage caused by phishing attacks.

In the recent study, Trusteer monitored the data from the Rapport plugin during a three month period, and in that time it analyzed phishing attacks against 10 large banks in the US and Europe. The key findings were:

each bank was targeted by an average of 16 phishing attacks per week (or about 832 attacks per year)
out of every million bank customers, about 12 (0.00125%) are lured into visiting each false web site that was studied. This is a very low success rate, but…
given that a bank experiences many phishing attacks in a year, about 1.04% of it customers were lured to one of the false web sites each year
once people were lured to a false web site, about 50% of the time they entered and submitted their login information
doing the math, this means that about 0.47% of a banks customers revealed their login information to criminals each year
if the losses from stolen login information total $2,000 per case, then a bank with a million customers lost about $9.4 million per year
…and that money is going to criminals

Whoever said that crime does not pay did not try phishing.