Although security and privacy technologies are incorporated into every device and service, the complexity of these concepts confuses non-expert users. Prior research has shown that non-expert users ask strangers for advice about digital media use online. In this study, to clarify the security and privacy concerns of non-expert users in their daily lives, we investigated security- and privacy-related question posts on a Question-and-Answer (Q&A) site for non-expert users. We conducted a thematic analysis of 445 question posts. We identified seven themes among the questions and found that users asked about cyberattacks the most, followed by authentication and security software. We also found that there was a strong demand for answers, especially for questions related to privacy abuse and account/device management. Our findings provide key insights into what non-experts are struggling with when it comes to privacy and security and will help service providers and researchers make improvements to address these concerns.

This paper presents a practical side-channel attack that identifies the social web service account of a visitor to an attacker's website. Our attack leverages the widely adopted user-blocking mechanism, abusing its inherent property that certain pages return different web content depending on whether a user is blocked from another user. Our key insight is that an account prepared by an attacker can hold an attacker-controllable binary state of blocking/non-blocking with respect to an arbitrary user on the same service; provided that the user is logged in to the service, this state can be retrieved as one-bit data through the conventional cross-site timing attack when a user visits the attacker's website. We generalize and refer to such a property as visibility control, which we consider as the fundamental assumption of our attack. Building on this primitive, we show that an attacker with a set of controlled accounts can gain a complete and flexible control over the data leaked through the side channel. Using this mechanism, we show that it is possible to design and implement a robust, large-scale user identification attack on a wide variety of social web services. To verify the feasibility of our attack, we perform an extensive empirical study using 16 popular social web services and demonstrate that at least 12 of these are vulnerable to our attack. Vulnerable services include not only popular social networking sites such as Twitter and Facebook, but also other types of web services that provide social features, e.g., eBay and Xbox Live. We also demonstrate that the attack can achieve nearly 100% accuracy and can finish within a sufficiently short time in a practical setting. We discuss the fundamental principles, practical aspects, and limitations of the attack as well as possible defenses. We have successfully addressed this attack by collaborative working with service providers and browser vendors.

IDMs are getting more effective and secure with biometric recognition and more privacy-preserving with advanced cryptosystems. In order to meet privacy and security needs of an IDM, the cryptographic background should rely on reliable random number generation. In this study, a Biometric Random Number Generator (BRNG) is proposed which plays a crucial role in a typical cryptosystem. The proposed novel approach extracts the high-frequency information in biometric signal which is associated with uncertainty existing in nature of biometrics. This bio-uncertainty, utilized as an entropy source, may be caused by sensory noise, environmental changes, position of the biometric trait, accessories worn, etc. The filtered nondeterministic information is then utilized by a postprocessing technique to obtain a random number set fulfilling the NIST 800-22 statistical randomness criteria. The proposed technique presents random number sequences without need of an additional hardware.

There are many protocols proposed for protecting Radio Frequency Identification (RFID) system privacy and security. A number of these protocols are designed for protecting long-term security of RFID system using symmetric key or public key cryptosystem. Others are designed for protecting user anonymity and privacy. In practice, the use of RFID technology often has a short lifespan, such as commodity check out, supply chain management and so on. Furthermore, we know that designing a long-term security architecture to protect the security and privacy of RFID tags information requires a thorough consideration from many different aspects. However, any security enhancement on RFID technology will jack up its cost which may be detrimental to its widespread deployment. Due to the severe constraints of RFID tag resources (e.g., power source, computing power, communication bandwidth) and open air communication nature of RFID usage, it is a great challenge to secure a typical RFID system. For example, computational heavy public key and symmetric key cryptography algorithms (e.g., RSA and AES) may not be suitable or over-killed to protect RFID security or privacy. These factors motivate us to research an efficient and cost effective solution for RFID security and privacy protection. In this paper, we propose a new effective generic binary tree based key agreement protocol (called BKAP) and its variations, and show how it can be applied to secure the low cost and resource constraint RFID system. This BKAP is not a general purpose key agreement protocol rather it is a special purpose protocol to protect privacy, un-traceability and anonymity in a single RFID closed system domain.

This paper presents an overview of four on-going European research projects in the field of mobile and wireless communications leading to the next generations of wireless communications. The projects started in 2004. They investigate requirements and definition of access technology, network architecture, antennas and propagation, security, services, applications and socio-economic impact.

Multi-recast techniques make it possible for a voter to participate in a sequence of different designated votings by using only one ticket. In a multi-recastable ticket scheme for electronic voting, every voter of a group can obtain an m-castable ticket (m-ticket), and through the m-ticket, the voter can participate in a sequence of m different designated votings held in this group. The m-ticket contains all possible intentions of the voter in the sequence of votings, and in each of the m votings, a voter casts his vote by just making appropriate modifications to his m-ticket. The authority cannot produce both the opposite version of a vote cast by a voter in one voting and the succeeding uncast votes of the voter. Only one round of registration action is required for a voter to request an m-ticket from the authority. Moreover, the size of such an m-ticket is not larger than that of an ordinary vote. It turns out that the proposed scheme greatly reduces the network traffic between the voters and the authority during the registration stages in a sequence of different votings, for example, the proposed method reduces the communication traffic by almost 80% for a sequence of 5 votings and by nearly 90% for a sequence of 10 votings.