Security, Privacy Data Protection and Perspectives to Counter Cybercrime 04092008

Security, Privacy Data Protection, and Perspectives to Counter Cybercrime Gohsuke Takama Meta Associates, Japan gt@inter.net CodeGate Conference April 2008, Seoul, Korea

outline: • introduction • security vs. privacy? • privacy today - revisited • state of cybercrime today • balance of powers • psychological layer security

about… • Gohsuke Takama – Privacy International (London, UK), advisory board member • http://www.privacyinternational.org/ – Computer Professionals for Social Responsibility /Japan chapter, founding supporter • http://www.cpsr.org/ – independent journalist for over 10 years – Meta Associates, founder & president • http://www.meta-associates.com/

introduction • some works of Privacy International • a report in June 2007: quot;A Race to the Bottom - Privacy Ranking of Internet Service Companiesquot; • a study in Dec 2007: quot;Leading surveillance societies in the EU and the World 2007quot;

introduction • Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations. • PI is based in London, England, and has an office in Washington, D.C. • PI has over 50 members of international advisory board including MIT's Noam Chomsky and a former member of the U.S. House of Representatives Bob Barr

quot;Privacy Ranking of Internet Service Companiesquot; • Amazon, AOL, Apple, BBC, Bebo, eBay, Facebook, Friendster, Google, Hi5, Last.fm, LinkedIn, LiveJournal, Microsoft, Myspace, Orkut, Reunion.com, Skype, Wikipedia, Windows Live Space, Xanga, Yahoo!, YouTube

quot;Leading surveillance societies in the EU and the World 2007quot;

security vs. privacy

security vs. privacy • really? • false dichotomy? • balance?

Sep 11, 2001

some government's view • threat #1 = terrorists • threat #2…n = criminals, illegal immigrants, etc

some government's view • terrorists mingling among people • thus people need to be watched • people's movements need to be tracked • people's communications need to be monitored

more surveillance

more tracking

more monitoring

some government's view • security = surveillance • privacy = barrier

some government's view security 100 privacy 0 100

centralization

panopticon?

data concentration

data concentration • is data secure? • is data accurate? • is operation efficient?

is data secure?…

individual's view • how I live • how I work

privacy today - revisited • privacy in physical world • privacy in data world

physical world data world

individual's view • how I live in physical world • how I work in physical world • how I live in data world • how I work in data world

likely decentralized economic activities

privacy today… • activities shifting to data world • more activity = more data trail • personally identifiable information (PII) • = privacy data • privacy protection • = personal security • = privacy data protection

individual's view security 100 privacy 0 100

businesses' view

businesses' view • monitoring of… • protection of… • users • user data • employees • employees' data • traffic • traffic • activities • activities

businesses' view security 100 privacy 0 100

security vs. privacy

state of cybercrime

McAfee criminology report • a recent online banking study... • 2 million Americans = 5% of online banking customers • their accounts illegally accessed and robbed • average loss = $1,200 • banking industry total losses > $2 billion

McAfee criminology report • one North American credit company reported... • in 2005 • online fraud losses = $30 million • (all losses = $100 million)

McAfee criminology report • one FBI estimate in 2005... • in the USA • cost of cybercrime = $67 billion

McAfee criminology report • a Gartner Inc. survey… • identity theft-related fraud • in 12 months ending in mid 2006 • approx 15 million Americans = victims • average loss = $3,257 • (total losses > $48 billion?)

crime techniques • phishing • XSRF • spear phishing • XSS • scam spam • pharming • virus • website spoofing • trojan • content altering • spyware • code injection • keylogger • IP hijacking • rootkit • rogue WiFi AP • bot + botnet • sniffer

target • ordinary computer users • personally identifiable information • for identity theft • to illegally use credit cards • to illegally access bank accounts • to illegally access stock trading • to illegally access organizations' networks

value for crime • personally identifiable information (PII) = monetizable data

criminal's view profit 100 privacy 0 100

ENISA report

crime on web 2.0 ? • long tail • user data (PII) = core competence • the web as platform (for attack) • user as a contributor (of botnet, etc) • mash ups (web, malware, botnet, etc) • rich user experiences (of trouble) • distributed operation • loose connection among operatives • collective intelligence

spoof/altered site 1st line 2nd line victims victims stock trading organized crime coders banks credit companies lost/stolen data

final victim • our economy • economy is held as hostage • one type of national security issue

security & profit vs. privacy

quot;security vs. privacyquot; or 'security & privacy' • security for whom? • misleading dichotomy • security & privacy are not opposite

security process & action matrix prevention detection response law making investigate gov - law surveillance administer arrest enforcement monitor promote prosecute self self self defence individual accustomed awareness call police? rule making awareness org defence business manuals monitor call police appliances spoof 0 day transborder criminal deception obfuscation remote op

privacy data protection process & action matrix prevention detection response law making survey investigate gov - law administer hearing give penalty enforcement promote called in prosecute self self call service individual accustomed awareness call gov? rule making awareness org defence business manuals monitor call police PIA PET use called in spoof 0 day transborder criminal deception obfuscation remote op

some acronyms… • PIA = Privacy Impact Assessment • PET = Privacy Enhancing Technology • ROI = Return On Investment

how they lure talents?

how they lure talents? (excerpt) • find target students in password posting site, cracking tool sites, chat, etc (on online game sites possible) • offer easy low risk tasks with rewards • if successful, offer increased level tasks with higher rewards • once involved, blackmail target for forcing to do risky tasks • sometimes sponsor target students to get IT degrees in Univ. (as a reward)

law enforcement's limit • international jurisdiction • can act only after the incident • limited operation & human resources

balance of powers: asymmetric? • attack side: • defence side: organized cybercrime gov, security industry • no compliance to the • compliance to the law law • borderless adhoc • limit by international alliances jurisdiction • long tail attack model • concentric defence • spontaneous action • action after incidents • operation low cost = • security often looked high ROI as anti-ROI cost • luring technically • more security sophisticated youngsters professionals needed • psychological attack • psychological defence approach effective possible?

remedies • need to make businesses to understand… • security is for averting the risk • PII data is targeted • the size of damages (what if 5% of users attacked…) • guidance & aid for small & middle size businesses • = over 90% of businesses are S&M size companies • = attacks are long tail model

remedies • need to prevent technically talented youngsters going to be lured by criminals (from the dark side) • rescue remedy to save lured youngsters from blackmail (& ransom?) (c ) Lucas Film

remedies • need to increase number of security professionals for defence • need to make security professionals as a glamorous job • = cool • = respected • = high pay ( > US$200/hour…?)

psychological layer security

psychological layer security • still a theoretical idea • Bruce Schneier is also looking at similar direction • Feb 2007 quot;The Psychology of Securityquot;

layer approach • examle: OSI model

a security layer model 7 Psychological cognition Human Factor 6 Custom (Habit) behavior 5 Operation rules 4 Content data Intangibles 3 OS/Application software 2 Hardware Tangibles 1 Physical

attacks vs. remedies Psychological phishing, spear phish, ? scam, pharming Custom spoof phishing spam, accustomed best practice pharming, XSS, XSRF, , awareness, digital ID spoof signature, PKI Operation DoS, spam, sabotage, filter, opsec procedure, espionage, ransomware policy, law enforcement Content sniffing, spam, encryption, filter, spyware, alteration content-scan, host IDS OS/ DoS, vuln exploit, FW, network IDS, IPS, Application 0day, rootkit, botnet anti-virus, OS/app patch Hardware direct access, perimeter guard, anti- tampering, alteration tampering, hard seal Physical lock pick, break in, surveillance, perimeter vandalism alarm, armed guard

psychological attacks • exploit social interaction • exploit social protocols • exploit social norms • exploit social status of users

social interactors

prof. Lessig

what things regulate

extensive thought

elements

interactivity

motivation

ill-motivation

de-motivate

de-motivate • example

Atocha station, Madrid

Mar 11, 2004

Madrid demonstrators

deflect motivation • example

hack for cybercrime is lame Borg, from Startrek (c ) Paramount Pictures

hack for security is cool Matrix Reloaded, (c )Warner Bros. Pictures

psychological layer security • passive defence: • user behavior modification • to increase user alertness • active defence: • to de-motivate adversary • to deflect direction of attacks • potential field to look at: • Cognitive Behavioral Therapy • Neuro Linguistic Programming

+ direct attacks to users' mental state

+ a concept example: • Psycho-acoustic Computer Virus • creates near inaudible very low frequency sound (20-40Hz) by exploiting sound synthesizer chip • such very low frequency sound is believed to create fear and awed feeling in hearers • Nazi was believed as they used this sound technique for Nazi Party conventions

psychological attacks how can we counter? • exploit social interaction • exploit social protocols • exploit social norms • exploit social status of users • exploit mental state of users

sources • A Race to the Bottom - Privacy Ranking of Internet Service Companies • http://www.privacyinternational.org/article.shtml?cm d[347]=x-347-553961 • Leading surveillance societies in the EU and the World 2007 • http://www.privacyinternational.org/article.shtml?cm d[347]=x-347-559597 • Map developed: http://english.freemap.jp/ • What Our Top Spy Doesn't Get: Security and Privacy Aren't Opposites • http://www.wired.com/politics/security/commentary/se curitymatters/2008/01/securitymatters_0124?currentPa ge=all&amp;

sources • Our view on security vs. privacy_ Bush uses scare tactics ...USATODAY • http://blogs.usatoday.com/oped/2008/02/our-view-on- sec.html • MI5 seeks powers to trawl records in new terror hunt • http://www.guardian.co.uk/uk/2008/mar/16/uksecurity. terrorism • Police announce London 2012 plans • http://news.bbc.co.uk/sport2/hi/olympics/london_2012 /7277918.stm • UK considers RFID tags for prisoners • http://www.itweek.co.uk/vnunet/news/2207145/governme nt-considers-rfid-tags

sources • Bush Administration's Warrantless Wiretapping Program • http://www.washingtonpost.com/wp- dyn/content/article/2007/05/15/AR2007051500999.html • Mobile firms seek India govt meeting on BlackBerry • http://www.reuters.com/article/ousiv/idUSBOM10000520 080312?sp=true • UK MOD confirms loss of recruitment data • http://www.mod.uk/DefenceInternet/DefenceNews/Defenc ePolicyAndBusiness/ModConfirmsLossOfRecruitmentData. htm • TSA_securitybreach_20080111092648 • http://oversight.house.gov/documents/20080111092648. pdf

sources • What Is Web 2.0 • http://oreillynet.com/pub/a/oreilly/tim/news/2005/09 /30/what-is-web-20.html • Security, Economics, and the Internal Market • http://www.enisa.europa.eu/doc/pdf/report_sec_econ_& _int_mark_20080131.pdf • Criminals 'target tech students' • http://news.bbc.co.uk/2/hi/technology/6220416.stm • The Psychology of Security • http://www.schneier.com/essay-155.html • Hackers Assault Epilepsy Patients via Computer • http://www.wired.com/politics/security/news/2008/03/ epilepsy

? • ?

http://www.gohsuketakama.com	162
http://metamemos.typepad.com	78
http://gohsuketakama.com	44
http://www.slideshare.net	13
http://webcache.googleusercontent.com	4
http://translate.googleusercontent.com	3
http://213.8.145.171	1

Security, Privacy Data Protection and Perspectives to Counter Cybercrime 04092008

by Gohsuke Takama on Jun 01, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

7 Embeds 305

Statistics

Security, Privacy Data Protection and Perspectives to Counter Cybercrime 04092008 — Presentation Transcript