Security, Privacy Data Protection and Perspectives to Counter Cybercrime 04092008
"Security, Privacy Data Protection and Perspectives to Counter Cybercrime" was presented at the CodeGate 2008 security conference in Seoul, Korea, April 2008.
http://www.codegate.org/

Published in: Technology, News & Politics
Transcript of "Security, Privacy Data Protection and Perspectives to Counter Cybercrime 04092008"

1. Security, Privacy Data Protection, and Perspectives to Counter Cybercrime
   Gohsuke Takama, Meta Associates, Japan, gt@inter.net
   CodeGate Conference, April 2008, Seoul, Korea

2. outline:
   • introduction
   • security vs. privacy?
   • privacy today - revisited
   • state of cybercrime today
   • balance of powers
   • psychological layer security

3. about…
   • Gohsuke Takama
     – Privacy International (London, UK), advisory board member
       • http://www.privacyinternational.org/
     – Computer Professionals for Social Responsibility / Japan chapter, founding supporter
       • http://www.cpsr.org/
     – independent journalist for over 10 years
     – Meta Associates, founder & president
       • http://www.meta-associates.com/

4. introduction
   • some works of Privacy International
   • a report in June 2007: "A Race to the Bottom - Privacy Ranking of Internet Service Companies"
   • a study in Dec 2007: "Leading surveillance societies in the EU and the World 2007"

5. introduction
   • Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations.
   • PI is based in London, England, and has an office in Washington, D.C.
   • PI has over 50 members on its international advisory board, including MIT's Noam Chomsky and former member of the U.S. House of Representatives Bob Barr

6. "Privacy Ranking of Internet Service Companies"
   • Amazon, AOL, Apple, BBC, Bebo, eBay, Facebook, Friendster, Google, Hi5, Last.fm, LinkedIn, LiveJournal, Microsoft, Myspace, Orkut, Reunion.com, Skype, Wikipedia, Windows Live Space, Xanga, Yahoo!, YouTube

7. "Leading surveillance societies in the EU and the World 2007"

8. security vs. privacy

9. security vs. privacy
   • really?
   • false dichotomy?
   • balance?

10. Sep 11, 2001

11. some government's view
   • threat #1 = terrorists
   • threat #2…n = criminals, illegal immigrants, etc

12. some government's view
   • terrorists mingling among people
   • thus people need to be watched
   • people's movements need to be tracked
   • people's communications need to be monitored

13. more surveillance

14. more tracking

15. more tracking

16. more monitoring

17. more monitoring

18. some government's view
   • security = surveillance
   • privacy = barrier

19. some government's view
   [chart: security (0 to 100) plotted against privacy (0 to 100)]

20. centralization

21. panopticon?

22. data concentration

23. data concentration
   • is data secure?
   • is data accurate?
   • is operation efficient?

24. is data secure?…

25. is data secure?…

26. individual's view
   • how I live
   • how I work

27. privacy today - revisited
   • privacy in physical world
   • privacy in data world

28. physical world / data world

29. individual's view
   • how I live in physical world
   • how I work in physical world
   • how I live in data world
   • how I work in data world

30. likely decentralized economic activities

31. privacy today…
   • activities shifting to data world
   • more activity = more data trail
   • personally identifiable information (PII)
     = privacy data
   • privacy protection
     = personal security
     = privacy data protection

32. individual's view
   [chart: security (0 to 100) plotted against privacy (0 to 100)]

33. businesses' view

34. businesses' view
   • monitoring of… users, employees, traffic, activities
   • protection of… user data, employees' data, traffic, activities

35. businesses' view
   [chart: security (0 to 100) plotted against privacy (0 to 100)]

36. security vs. privacy

37. state of cybercrime
38. McAfee criminology report
   • a recent online banking study...
   • 2 million Americans = 5% of online banking customers
   • their accounts illegally accessed and robbed
   • average loss = $1,200
   • banking industry total losses > $2 billion

39. McAfee criminology report
   • one North American credit company reported...
   • in 2005
   • online fraud losses = $30 million
   • (all losses = $100 million)

40. McAfee criminology report
   • one FBI estimate in 2005...
   • in the USA
   • cost of cybercrime = $67 billion

41. McAfee criminology report
   • a Gartner Inc. survey…
   • identity theft-related fraud
   • in 12 months ending in mid 2006
   • approx 15 million Americans = victims
   • average loss = $3,257
   • (total losses > $48 billion?)

42. crime techniques
   • phishing
   • spear phishing
   • scam spam
   • virus
   • trojan
   • spyware
   • keylogger
   • rootkit
   • bot + botnet
   • XSRF
   • XSS
   • pharming
   • website spoofing
   • content altering
   • code injection
   • IP hijacking
   • rogue WiFi AP
   • sniffer

43. target
   • ordinary computer users
   • personally identifiable information
   • for identity theft
   • to illegally use credit cards
   • to illegally access bank accounts
   • to illegally access stock trading
   • to illegally access organizations' networks

44. value for crime
   • personally identifiable information (PII) = monetizable data

45. criminal's view
   [chart: profit (0 to 100) plotted against privacy (0 to 100)]

46. ENISA report

47. crime on web 2.0 ?
   • long tail
   • user data (PII) = core competence
   • the web as platform (for attack)
   • user as a contributor (of botnet, etc)
   • mash ups (web, malware, botnet, etc)
   • rich user experiences (of trouble)
   • distributed operation
   • loose connection among operatives
   • collective intelligence

48. [diagram: spoof/altered site, 1st line victims, 2nd line victims; other nodes: stock trading, banks, credit companies, organized crime, coders, lost/stolen data]

49. final victim
   • our economy
   • economy is held as hostage
   • one type of national security issue

50. security & profit vs. privacy

51. "security vs. privacy" or 'security & privacy'
   • security for whom?
   • misleading dichotomy
   • security & privacy are not opposite
52. security process & action matrix (rows: actor; columns: prevention / detection / response)
   • gov - law enforcement: prevention: law making, administer, promote; detection: investigate, surveillance, monitor; response: arrest, prosecute
   • individual: prevention: self defence, accustomed; detection: self awareness; response: self, call police?
   • business: prevention: rule making, org defence, manuals, appliances; detection: awareness, monitor; response: call police
   • criminal: prevention: spoof, deception; detection: 0 day, obfuscation; response: transborder, remote op

53. privacy data protection process & action matrix (rows: actor; columns: prevention / detection / response)
   • gov - law enforcement: prevention: law making, administer, promote; detection: survey, hearing, called in; response: investigate, give penalty, prosecute
   • individual: prevention: self, accustomed; detection: self, awareness; response: call service, call gov?
   • business: prevention: rule making, org defence, manuals, PIA, PET use; detection: awareness, monitor, called in; response: call police
   • criminal: prevention: spoof, deception; detection: 0 day, obfuscation; response: transborder, remote op

54. some acronyms…
   • PIA = Privacy Impact Assessment
   • PET = Privacy Enhancing Technology
   • ROI = Return On Investment

55. how they lure talents?

56. how they lure talents? (excerpt)
   • find target students on password posting sites, cracking tool sites, chat, etc (possible on online game sites)
   • offer easy low risk tasks with rewards
   • if successful, offer increased level tasks with higher rewards
   • once involved, blackmail the target into doing risky tasks
   • sometimes sponsor target students to get IT degrees at university (as a reward)

57. law enforcement's limit
   • international jurisdiction
   • can act only after the incident
   • limited operation & human resources

58. balance of powers: asymmetric?
   • attack side:
     – organized cybercrime
     – no compliance to the law
     – borderless adhoc alliances
     – long tail attack model
     – spontaneous action
     – operation low cost = high ROI
     – luring technically sophisticated youngsters
     – psychological attack approach effective
   • defence side:
     – gov, security industry
     – compliance to the law
     – limited by international jurisdiction
     – concentric defence
     – action after incidents
     – security often looked at as an anti-ROI cost
     – more security professionals needed
     – psychological defence possible?

59. remedies
   • need to make businesses understand…
     – security is for averting the risk
     – PII data is targeted
     – the size of damages (what if 5% of users attacked…)
   • guidance & aid for small & middle size businesses
     = over 90% of businesses are S&M size companies
     = attacks are long tail model

60. remedies
   • need to prevent technically talented youngsters from being lured by criminals (from the dark side)
   • rescue remedy to save lured youngsters from blackmail (& ransom?)
   [image credit: (c) Lucas Film]

61. remedies
   • need to increase the number of security professionals for defence
   • need to make security professional a glamorous job
     = cool
     = respected
     = high pay ( > US$200/hour…?)
62. psychological layer security

63. psychological layer security
   • still a theoretical idea
   • Bruce Schneier is also looking in a similar direction
   • Feb 2007 "The Psychology of Security"

64. layer approach
   • example: OSI model

65. a security layer model
   7  Psychological    cognition   } Human Factor
   6  Custom (Habit)   behavior    }
   5  Operation        rules       } Intangibles
   4  Content          data        }
   3  OS/Application   software    }
   2  Hardware                     } Tangibles
   1  Physical                     }

66. attacks vs. remedies (per layer)
   • Psychological: attacks: phishing, spear phish, scam, pharming; remedies: ?
   • Custom: attacks: spoof phishing spam, pharming, XSS, XSRF, ID spoof; remedies: accustomed best practice, awareness, digital signature, PKI
   • Operation: attacks: DoS, spam, sabotage, espionage, ransomware; remedies: filter, opsec procedure, policy, law enforcement
   • Content: attacks: sniffing, spam, spyware, alteration; remedies: encryption, filter, content-scan, host IDS
   • OS/Application: attacks: DoS, vuln exploit, 0day, rootkit, botnet; remedies: FW, network IDS, IPS, anti-virus, OS/app patch
   • Hardware: attacks: direct access, tampering, alteration; remedies: perimeter guard, anti-tampering, hard seal
   • Physical: attacks: lock pick, break in, vandalism; remedies: surveillance, perimeter alarm, armed guard

67. psychological attacks
   • exploit social interaction
   • exploit social protocols
   • exploit social norms
   • exploit social status of users

68. social interactors

69. prof. Lessig

70. what things regulate

71. extensive thought

72. elements

73. interactivity

74. motivation

75. ill-motivation

76. de-motivate

77. de-motivate
   • example

78. Atocha station, Madrid

79. Mar 11, 2004

80. Madrid demonstrators

81. deflect motivation
   • example

82. hack for cybercrime is lame
   [image: Borg, from Star Trek (c) Paramount Pictures]

83. hack for security is cool
   [image: Matrix Reloaded (c) Warner Bros. Pictures]

84. psychological layer security
   • passive defence:
     – user behavior modification
     – to increase user alertness
   • active defence:
     – to de-motivate adversary
     – to deflect direction of attacks
   • potential field to look at:
     – Cognitive Behavioral Therapy
     – Neuro Linguistic Programming

85. + direct attacks to users' mental state

86. + a concept example:
   • Psycho-acoustic Computer Virus
   • creates near-inaudible very low frequency sound (20-40Hz) by exploiting the sound synthesizer chip
   • such very low frequency sound is believed to create fear and a feeling of awe in hearers
   • the Nazis are believed to have used this sound technique at Nazi Party conventions

87. psychological attacks: how can we counter?
   • exploit social interaction
   • exploit social protocols
   • exploit social norms
   • exploit social status of users
   • exploit mental state of users

88. sources
   • A Race to the Bottom - Privacy Ranking of Internet Service Companies
     http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961
   • Leading surveillance societies in the EU and the World 2007
     http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559597
   • Map developed: http://english.freemap.jp/
   • What Our Top Spy Doesn't Get: Security and Privacy Aren't Opposites
     http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0124?currentPage=all&

89. sources
   • Our view on security vs. privacy: Bush uses scare tactics ... USATODAY
     http://blogs.usatoday.com/oped/2008/02/our-view-on-sec.html
   • MI5 seeks powers to trawl records in new terror hunt
     http://www.guardian.co.uk/uk/2008/mar/16/uksecurity.terrorism
   • Police announce London 2012 plans
     http://news.bbc.co.uk/sport2/hi/olympics/london_2012/7277918.stm
   • UK considers RFID tags for prisoners
     http://www.itweek.co.uk/vnunet/news/2207145/government-considers-rfid-tags

90. sources
   • Bush Administration's Warrantless Wiretapping Program
     http://www.washingtonpost.com/wp-dyn/content/article/2007/05/15/AR2007051500999.html
   • Mobile firms seek India govt meeting on BlackBerry
     http://www.reuters.com/article/ousiv/idUSBOM10000520080312?sp=true
   • UK MOD confirms loss of recruitment data
     http://www.mod.uk/DefenceInternet/DefenceNews/DefencePolicyAndBusiness/ModConfirmsLossOfRecruitmentData.htm
   • TSA_securitybreach_20080111092648
     http://oversight.house.gov/documents/20080111092648.pdf

91. sources
   • What Is Web 2.0
     http://oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html
   • Security, Economics, and the Internal Market
     http://www.enisa.europa.eu/doc/pdf/report_sec_econ_&_int_mark_20080131.pdf
   • Criminals 'target tech students'
     http://news.bbc.co.uk/2/hi/technology/6220416.stm
   • The Psychology of Security
     http://www.schneier.com/essay-155.html
   • Hackers Assault Epilepsy Patients via Computer
     http://www.wired.com/politics/security/news/2008/03/epilepsy

92. ?
   • ?