Security, Privacy Data Protection and Perspectives to Counter Cybercrime 04092008
"Security, Privacy Data Protection and Perspectives to Counter Cybercrime" was presented at the CodeGate 2008 security conference in Seoul, Korea, April 2008.
http://www.codegate.org/

Usage rights: CC Attribution License

Presentation Transcript

  • Security, Privacy Data Protection, and Perspectives to Counter Cybercrime
    Gohsuke Takama, Meta Associates, Japan, gt@inter.net
    CodeGate Conference, April 2008, Seoul, Korea
  • outline:
    • introduction
    • security vs. privacy?
    • privacy today - revisited
    • state of cybercrime today
    • balance of powers
    • psychological layer security
  • about…
    • Gohsuke Takama
      – Privacy International (London, UK), advisory board member: http://www.privacyinternational.org/
      – Computer Professionals for Social Responsibility / Japan chapter, founding supporter: http://www.cpsr.org/
      – independent journalist for over 10 years
      – Meta Associates, founder & president: http://www.meta-associates.com/
  • introduction
    • some works of Privacy International
      • a report in June 2007: "A Race to the Bottom - Privacy Ranking of Internet Service Companies"
      • a study in Dec 2007: "Leading surveillance societies in the EU and the World 2007"
  • introduction
    • Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations.
    • PI is based in London, England, and has an office in Washington, D.C.
    • PI has over 50 members on its international advisory board, including MIT's Noam Chomsky and former U.S. House of Representatives member Bob Barr
  • "Privacy Ranking of Internet Service Companies"
    • Amazon, AOL, Apple, BBC, Bebo, eBay, Facebook, Friendster, Google, Hi5, Last.fm, LinkedIn, LiveJournal, Microsoft, Myspace, Orkut, Reunion.com, Skype, Wikipedia, Windows Live Space, Xanga, Yahoo!, YouTube
  • "Leading surveillance societies in the EU and the World 2007"
  • security vs. privacy
  • security vs. privacy
    • really?
    • false dichotomy?
    • balance?
  • Sep 11, 2001
  • some government's view
    • threat #1 = terrorists
    • threat #2…n = criminals, illegal immigrants, etc
  • some government's view
    • terrorists mingling among people
    • thus people need to be watched
    • people's movements need to be tracked
    • people's communications need to be monitored
  • more surveillance
  • more tracking
  • more monitoring
  • some government's view
    • security = surveillance
    • privacy = barrier
  • some government's view (slider diagram: security vs. privacy on a 0 to 100 scale)
  • centralization
  • panopticon?
  • data concentration
  • data concentration
    • is data secure?
    • is data accurate?
    • is operation efficient?
  • is data secure?…
  • individual's view
    • how I live
    • how I work
  • privacy today - revisited
    • privacy in physical world
    • privacy in data world
  • physical world / data world
  • individual's view
    • how I live in physical world
    • how I work in physical world
    • how I live in data world
    • how I work in data world
  • likely decentralized economic activities
  • privacy today…
    • activities shifting to data world
    • more activity = more data trail
    • personally identifiable information (PII) = privacy data
    • privacy protection = personal security = privacy data protection
  • individual's view (slider diagram: security vs. privacy on a 0 to 100 scale)
  • businesses' view
  • businesses' view
    • monitoring of… users, user data, employees, employees' data, traffic, activities
    • protection of… users, user data, employees, employees' data, traffic, activities
  • businesses' view (slider diagram: security vs. privacy on a 0 to 100 scale)
  • security vs. privacy
  • state of cybercrime
  • McAfee criminology report
    • a recent online banking study...
      • 2 million Americans = 5% of online banking customers
      • their accounts illegally accessed and robbed
      • average loss = $1,200
      • banking industry total losses > $2 billion
  • McAfee criminology report
    • one North American credit company reported...
      • in 2005
      • online fraud losses = $30 million
      • (all losses = $100 million)
  • McAfee criminology report
    • one FBI estimate in 2005...
      • in the USA
      • cost of cybercrime = $67 billion
  • McAfee criminology report
    • a Gartner Inc. survey…
      • identity theft-related fraud
      • in 12 months ending in mid 2006
      • approx 15 million Americans = victims
      • average loss = $3,257
      • (total losses > $48 billion?)
  • crime techniques
    • phishing, spear phishing, scam spam, virus, trojan, spyware, keylogger, rootkit, bot + botnet
    • XSRF, XSS, pharming, website spoofing, content altering, code injection, IP hijacking, rogue WiFi AP, sniffer
  • target
    • ordinary computer users
    • personally identifiable information
      • for identity theft
      • to illegally use credit cards
      • to illegally access bank accounts
      • to illegally access stock trading
      • to illegally access organizations' networks
  • value for crime
    • personally identifiable information (PII) = monetizable data
  • criminal's view (slider diagram: profit vs. privacy on a 0 to 100 scale)
  • ENISA report
  • crime on web 2.0 ?
    • long tail
    • user data (PII) = core competence
    • the web as platform (for attack)
    • user as a contributor (of botnet, etc)
    • mash ups (web, malware, botnet, etc)
    • rich user experiences (of trouble)
    • distributed operation
    • loose connection among operatives
    • collective intelligence
  • (flow diagram; labels as they appear: spoof/altered site, 1st line victims, 2nd line victims, stock trading, organized crime, coders, banks, credit companies, lost/stolen data)
  • final victim
    • our economy
    • economy is held as hostage
    • one type of national security issue
  • security & profit vs. privacy
  • "security vs. privacy" or "security & privacy"
    • security for whom?
    • misleading dichotomy
    • security & privacy are not opposite
  • security process & action matrix (columns: prevention / detection / response)
    • gov - law enforcement: prevention: law making, administer, promote; detection: investigate, surveillance, monitor; response: arrest, prosecute
    • individual: prevention: self defence, accustomed; detection: self awareness; response: self, call police?
    • org / business: prevention: rule making, defence, manuals, appliances; detection: awareness, monitor; response: call police
    • criminal: spoof, deception (against prevention); 0 day, obfuscation (against detection); transborder, remote op (against response)
  • privacy data protection process & action matrix (columns: prevention / detection / response)
    • gov - law enforcement: prevention: law making, administer, promote; detection: survey, investigate, hearing, called in; response: give penalty, prosecute
    • individual: prevention: self, accustomed; detection: self awareness; response: call service, call gov?
    • org / business: prevention: rule making, defence, manuals, PIA, PET use; detection: awareness, monitor; response: call police, called in
    • criminal: spoof, deception (against prevention); 0 day, obfuscation (against detection); transborder, remote op (against response)
  • some acronyms…
    • PIA = Privacy Impact Assessment
    • PET = Privacy Enhancing Technology
    • ROI = Return On Investment
  • how they lure talents?
  • how they lure talents? (excerpt)
    • find target students on password posting sites, cracking tool sites, chat, etc (possibly also on online game sites)
    • offer easy, low risk tasks with rewards
    • if successful, offer higher level tasks with higher rewards
    • once involved, blackmail the target into doing risky tasks
    • sometimes sponsor target students to get IT degrees at university (as a reward)
  • law enforcement's limit
    • international jurisdiction
    • can act only after the incident
    • limited operation & human resources
  • balance of powers: asymmetric?
    • attack side: organized cybercrime
      • no compliance to the law
      • borderless adhoc alliances
      • long tail attack model
      • spontaneous action
      • operation low cost = high ROI
      • luring technically sophisticated youngsters
      • psychological attack approach effective
    • defence side: gov, security industry
      • compliance to the law
      • limited by international jurisdiction
      • concentric defence
      • action after incidents
      • security often looked at as anti-ROI cost
      • more security professionals needed
      • psychological defence possible?
  • remedies
    • need to make businesses understand…
      • security is for averting the risk
      • PII data is targeted
      • the size of damages (what if 5% of users are attacked…)
    • guidance & aid for small & middle size businesses
      • = over 90% of businesses are S&M size companies
      • = attacks follow a long tail model
  • remedies
    • need to prevent technically talented youngsters from being lured by criminals (from the dark side)
    • rescue remedy to save lured youngsters from blackmail (& ransom?)
    (image: (c) Lucasfilm)
  • remedies
    • need to increase the number of security professionals for defence
    • need to make security professional a glamorous job
      • = cool
      • = respected
      • = high pay ( > US$200/hour…?)
  • psychological layer security
  • psychological layer security
    • still a theoretical idea
    • Bruce Schneier is also looking in a similar direction
    • Feb 2007 "The Psychology of Security"
  • layer approach
    • example: OSI model
  • a security layer model
    • 7 Psychological (cognition): human factor
    • 6 Custom / Habit (behavior): human factor
    • 5 Operation (rules): intangibles
    • 4 Content (data): intangibles
    • 3 OS/Application (software): intangibles
    • 2 Hardware: tangibles
    • 1 Physical: tangibles
  • attacks vs. remedies (per layer: attacks / remedies)
    • Psychological: phishing, spear phish, scam, pharming / ?
    • Custom: spoof, phishing, spam, pharming, XSS, XSRF / accustomed best practice, awareness, digital ID, signature, PKI
    • Operation: DoS, spam, sabotage, espionage, ransomware / filter, opsec procedure, policy, law enforcement
    • Content: sniffing, spam, spyware, alteration / encryption, filter, content-scan, host IDS
    • OS/Application: DoS, vuln exploit, 0day, rootkit, botnet / FW, network IDS, IPS, anti-virus, OS/app patch
    • Hardware: direct access, tampering, alteration / perimeter guard, anti-tampering, hard seal
    • Physical: lock pick, break in, vandalism / surveillance, perimeter alarm, armed guard
  • psychological attacks
    • exploit social interaction
    • exploit social protocols
    • exploit social norms
    • exploit social status of users
  • social interactors
  • prof. Lessig
  • what things regulate
  • extensive thought
  • elements
  • interactivity
  • motivation
  • ill-motivation
  • de-motivate
  • de-motivate
    • example
  • Atocha station, Madrid
  • Mar 11, 2004
  • Madrid demonstrators
  • deflect motivation
    • example
  • hack for cybercrime is lame (image: Borg, from Star Trek, (c) Paramount Pictures)
  • hack for security is cool (image: Matrix Reloaded, (c) Warner Bros. Pictures)
  • psychological layer security
    • passive defence:
      • user behavior modification
      • to increase user alertness
    • active defence:
      • to de-motivate adversary
      • to deflect direction of attacks
    • potential fields to look at:
      • Cognitive Behavioral Therapy
      • Neuro Linguistic Programming
  • + direct attacks on users' mental state
  • + a concept example:
    • Psycho-acoustic Computer Virus
    • creates near-inaudible, very low frequency sound (20-40 Hz) by exploiting the sound synthesizer chip
    • such very low frequency sound is believed to create fear and a feeling of awe in hearers
    • the Nazis are believed to have used this sound technique at Nazi Party conventions
  • psychological attacks: how can we counter?
    • exploit social interaction
    • exploit social protocols
    • exploit social norms
    • exploit social status of users
    • exploit mental state of users
  • sources
    • A Race to the Bottom - Privacy Ranking of Internet Service Companies
      http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961
    • Leading surveillance societies in the EU and the World 2007
      http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559597
    • Map developed: http://english.freemap.jp/
    • What Our Top Spy Doesn't Get: Security and Privacy Aren't Opposites
      http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0124?currentPage=all&
  • sources
    • Our view on security vs. privacy: Bush uses scare tactics ... (USA Today)
      http://blogs.usatoday.com/oped/2008/02/our-view-on-sec.html
    • MI5 seeks powers to trawl records in new terror hunt
      http://www.guardian.co.uk/uk/2008/mar/16/uksecurity.terrorism
    • Police announce London 2012 plans
      http://news.bbc.co.uk/sport2/hi/olympics/london_2012/7277918.stm
    • UK considers RFID tags for prisoners
      http://www.itweek.co.uk/vnunet/news/2207145/government-considers-rfid-tags
  • sources
    • Bush Administration's Warrantless Wiretapping Program
      http://www.washingtonpost.com/wp-dyn/content/article/2007/05/15/AR2007051500999.html
    • Mobile firms seek India govt meeting on BlackBerry
      http://www.reuters.com/article/ousiv/idUSBOM10000520080312?sp=true
    • UK MOD confirms loss of recruitment data
      http://www.mod.uk/DefenceInternet/DefenceNews/DefencePolicyAndBusiness/ModConfirmsLossOfRecruitmentData.htm
    • TSA_securitybreach_20080111092648
      http://oversight.house.gov/documents/20080111092648.pdf
  • sources
    • What Is Web 2.0
      http://oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html
    • Security, Economics, and the Internal Market
      http://www.enisa.europa.eu/doc/pdf/report_sec_econ_&_int_mark_20080131.pdf
    • Criminals 'target tech students'
      http://news.bbc.co.uk/2/hi/technology/6220416.stm
    • The Psychology of Security
      http://www.schneier.com/essay-155.html
    • Hackers Assault Epilepsy Patients via Computer
      http://www.wired.com/politics/security/news/2008/03/epilepsy
  • ?