1 / 37

Privacy Security

COMP 381, 6 February. Privacy Security. “zone of inaccessibility” Edmund Byrne, 1998. Privacy. “The right to be alone” Warren and Brandeis, 1890. Views on Privacy. “All this secrecy is making life harder, more expensive, dangerous …” Peter Cochran, BT Research

devon
Download Presentation

Privacy Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COMP 381, 6 February PrivacySecurity

  2. “zone of inaccessibility” Edmund Byrne, 1998 Privacy “The right to be alone” Warren and Brandeis, 1890

  3. Views on Privacy • “All this secrecy is making life harder, more expensive, dangerous …” Peter Cochran, BT Research • “You have zero privacy anyway.” Scott McNealy, Sun • “By 2010, privacy will become a meaningless concept in western society” Gartner report

  4. Aspects of Privacy • Secrecy • Limiting dissemination of information • Anonymity • Protection from undesired attention • Solitude • Lack of proximity Ruth Gavison 1984

  5. Historical Basis of Privacy • Code of Hammurabi • 1760 BCE • crime to break a hole through the wall of another’s house • Justice of Peace Act • England 1361 • Peeping Toms and eavesdroppers

  6. Current Basis of Privacy • Universal Declaration of Human Rights • United Nations 1948 • Article 12 • European Convention on Human Rights • European Council 1950 • Article 8 • US Constitution: Bill of Rights • Evolution from property rights • Amendment IV

  7. Legal Realities of Privacy • Self-regulation approach in US, Japan • Comprehensive laws in Europe, Canada, Australia • European Union • Limits data collection • Requires comprehensive disclosures • Prohibits data export to unsafe countries • Or any country for some types of data

  8. Without Privacy • Extrinsic loss of freedom • Ability of others to control our behavior • Coercion or imposition of others’ wills • Intrinsic loss of freedom • Changes how we behave • “anticipatory conformity” • Autonomy requires privacy

  9. Aspects of Privacy • Transparency and Control: knowing what is being collected • Complex, hidden security policies • Anonymity • Security: Data breaches chronology • Theft • Hacking • Insecure transmissions

  10. Privacy and Identity • Identity • sense of self • distinct personality of an individual • an individual's comprehension of him or herself as a discrete, separate entity • What defines your identity?

  11. Privacy and Trust • Right of individuals to determine if, when, how, and to what extent data about themselves will be collected, stored, transmitted, used, and shared with others • Includes • right to browse the Internet or use applications without being tracked unless permission is granted in advanced • right to be left alone • True privacy implies invisibility • Without invisibility, we require trust

  12. Privacy and Trust • In order to trust others, need to know something about them • Privacy impedes • In order to build STRONGEST trust between two people, need to create a bond • Requires privacy

  13. Importance of Privacy • Privacy and relationships • How is it the digital world different? • Electronic alter ego • Identity convergence

  14. Everyone Agrees • Privacy is not absolute in society …why? • Willing to divulge SOME information in exchange for SOME economic or social benefit…. • BUT reasonable expectation about how it’s treated… • What is known about you?

  15. Controversy & Challenge • My right to informational privacy vs. others’ right to know vs. security • Does it have to be versus? • Is it really a zero-sum game?

  16. My rights • Shouldn’t I have a say? • Why should I care? • Decisions made about us • Effect if data are Incomplete? Erroneous? Sensitive?

  17. Privacy on the Web • The right to have information that you don’t expect to be available to others remain that way • On many sites, you give up your right to privacy • But there are also other more insidious ways • Google Dashboard

  18. Impediments to Privacy • Cookies (retention) • Web site discovered capturing cookies that it retained for 5 years • Sniffing, Snarfing, Snorting • Capturing packets as they pass through the network • Differ by how much info and what is done with it • Spyware • Phishing, etc • Surveillance (Google Street View) • Data collection and sharing • What we post (Geotagging)

  19. Technologies • privacy aware technologies (reactive) • non-privacy-related solutions that enable users to protect their privacy • Examples • password and file-access security programs • unsubscribe • encryption • access control • privacy enhancing technologies (proactive) • solutions that help consumers and companies protect their privacy, identity, data and actions • Examples • popup blockers • anonymizers • Internet history clearing tools • anti-spyware software

  20. P3P • Platform for Privacy Preference (P3P) • World Wide Web Consortium (W3C) project • Voluntary standard • Structures a web site’s policies in a machine readable format • Allows browsers to understand the policy and behave according to a user’s defined preferences

  21. Privacy and Wireless • “Wardriver” program: scans for broadcast SSIDs • broadcasting improves network access, but at a cost • once the program finds the SSID • obtains the IP address • obtains the MAC address • … • Lowe’s was penetrated this way • Stole credit card numbers

  22. CERT/CC Vulnerabilities

  23. Bad Code + Big Networks = Big Problems Geographic spread of Sapphire worm 30 minutes after release Source: http://www.caida.org • CodeRed worm (Summer 2001) • Infected 360,000 hosts in 10 hours (CRv2), and still going … • Sapphire/Slammer worm (Spring 2003) • 90% of Internet scanned in <10mins

  24. Consider • 1994: Vladimir Levin breaks into Citibank's network and transfers $10 million dollars into his accounts • Mid 90’s: Phonemasters • stole tens of thousands of phone card numbers • found private White House telephone lines • 1996: Tim Lloyd, disgruntled employee inserts time bomb that destroys all copies of Omega Engineering machining code. Estimated lost: $10 million.

  25. November 2, 1988 • Date of the first Internet worm • Launched by a Cornell CS graduate student, Robert Morris • Exploited several software vulnerabilities • A buffer overflow vulnerability in fingerd • The debug option of sendmail • Also exploited human tendency to choose passwords that can be guessed via an automated search

  26. IT Giveth, and IT Taketh Away • In the US, for example, two-thirds of productivity increases from 1990-2000 are attributed to the use of IT • At the same time, businesses are bleeding due to disruption in IT services Melissa virus: $1 billionin damages (Computer Economics) Lloyds of London put the estimate for Love Bug at$15billion3.9 million systems infected 30 days to clean up Code Red cost$1.2 billionin damagesand$740 millionto clean up from the360,000 infectedservers (Reuters) Slammer $1 billionin damages 1999 2000 2001 2003 Next: $ trillion shutdowns?

  27. Security “Gospel” • The Morris Internet worm of 1988 cost $98 million to clean up • The Melissa virus crashed email networks at 300 of the Fortune 500 companies • The Chernobyl virus destroyed up to a million PCs throughout Asia • The ExploreZip virus alone cost $7.6 billion to clean up

  28. Security Reality • The Morris Internet worm of 1988 cost $98under $1 million to clean up • The Melissa virus crashedscared executives into disconnecting email networks at 300 of the Fortune 500 companies • The Chernobyl virus destroyedcaused replacement of up to a million PCs throughout Asia • The ExploreZip virus alone could have cost $7.6 billion to clean up

  29. Malware is Becoming Increasingly Stealthy

  30. Basic Components of Security • Confidentiality • Keeping data and resources secret or hidden • Integrity • Ensuring authorized modifications • Refers to both data and origin integrity • Availability • Ensuring authorized access to data and resources when desired • Accountability • Ensuring that an entity’s action is traceable uniquely to that entity • Security assurance • Assurance that all four objectives are met

  31. Info Security 20 Years Ago • Physical security • Information was primarily on paper • Lock and key • Safe transmission • Administrative security • Control access to materials • Personnel screening • Auditing

  32. Information Security Today • Increasing system complexity • Digital information security importance • Competitive advantage • Protection of assets • Liability and responsibility • Financial losses • FBI estimates that an insider attack results in an average loss of $2.8 million • Estimates of annual losses: $5 billion - $45 billion (Why such a big range?) • Protection of critical infrastructures • Power grid • Air transportation • Government agencies • GAO report (03): “severe concerns” security mgmt & access control • Grade F for most of the agencies • Limkagesaccerbate

  33. Goals of Security • Prevention • Prevent someone from violating a security policy • Detection • Detect activities in violation of a security policy • Verify the efficacy of the prevention mechanism • Recovery • Stop attacks • Assess and repair damage • Ensure availability in presence of ongoing attack • Fix vulnerabilities to prevent future attacks • Deal with the attacker

  34. Human Issues • Outsiders and insiders • Which is the real threat? • Social engineering • How much should a company disclose about security? • Claim more or less security than exists

  35. Setting up a server to attract hackers Used by corporations as early warning system Used to attract spam to improve filters Used to attract viruses to improve detection http://www.honeypots.net/ Honeypots

  36. Identity Theft • “crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception” • Identity Theft is a Federal Offense • Crimes of Persuasion

  37. (Stop Internet Fraud and Identity Theft)

More Related