cscd 303 essential computer security winter 2014 lecture 14 – internet privacy reading: see links...
Post on 25-Dec-2015
216 Views
Preview:
TRANSCRIPT
CSCD 303Essential ComputerSecurityWinter 2014
Lecture 14 – Internet Privacy
Reading: See links - End of Slides
Overview
• Anonymity and Privacy Defined• Reasons to be Anonymous• Threats to Privacy• Solutions to maintaining privacy
Anonymous Defined
Anonymous1. Without any name acknowledged, as that
of author, contributor• An anonymous letter to the editor; an
anonymous donation.
2. Of unknown name; whose name is withheld
3. Lacking individuality, unique character, or distinction: an endless row of drab, anonymous houses.
A Few Good Reasons EFF
McIntyre v. Ohio Elections Comm’n 514 U.S. 334 (1995)
“Anonymity is a shield from the tyranny of the majority ... [that] exemplifies the purpose [of the First Amendment] to protect unpopular individuals from retaliation … at the hand of an intolerant society.”
A Few Good Reasons EFF
McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995)
“[A]n author’s decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment.”
A Few Good Reasons EFF
Doe v. 2theMart.com, 140 F. Supp. 2d 1088 (W.D. Wash. 2001)
“The right to speak anonymously extends to speech via the Internet. Internet anonymity facilitates the rich, diverse, and far ranging exchange of ideas.”
8
Applications of Anonymity
Privacy• Hide online transactions, Web browsing,
etc. from intrusive governments, marketers and archivists
Untraceable electronic mail• Corporate whistle-blowers• Political dissidents• Confidential business negotiations
Law enforcement and intelligence• Sting operations and honeypots• Secret communications on a public
network
9
Applications of Anonymity
Digital cash• Electronic currency with properties of
paper money (online purchases unlinkable to buyer’s identity)
Anonymous electronic voting Censorship-resistant publishing
10
Anonymity in terms of Internet Traffic Sender anonymity
• A particular message is not linkable to any sender and that to a particular sender, no message is linkable
Recipient anonymity• A particular message cannot be linked to
any recipient and that to a particular recipient, no message is linkable
Relationship anonymity• The sender and the recipient cannot be
identified as communicating with each other, even though each of them can be identified as participating in some communication
•A. Pfizmann and M. Waidner, Networks without User Observability. Computers & Security 6/2 (1987) 158-166
Anonymity in terms of Internet
Anonymity is the state of being not identifiable within set of subjects
You cannot be anonymous by yourself!Hide your activities among others’ similar activities
Unlinkability of action and identity For example, sender and his email are no more
related after observing communication than they were before
Unobservability (hard to achieve) Any item of interest (message, event, action) is
indistinguishable from any other item of interest
Attacks on Anonymity What could you do to identify a subject? Passive traffic analysis
Infer from network traffic who is talking to whom To hide your traffic, must carry other people’s traffic!
Active traffic analysis Inject packets or put a timing signature on packet
flow Compromise network nodes
Attacker may compromise some routersIt is not obvious which nodes have been compromised• Attacker may be passively logging traffic
Better not to trust any individual router• Assume that some fraction of routers are good, don’t know
which
13
One Solution, Randomized Routing
Hide message source by routing it randomly Popular technique: Crowds, Freenet, Onion routingRouters don’t know for sure if source of message is true sender or another router
14
Onion Routing
R R4
R1
R2
R
RR3
Bob
R
R
R
Sender chooses a random sequence of routers • Some routers are honest, some controlled by
attacker• Sender controls the length of the path
[Reed, Syverson, Goldschlag ’97]
Alice
Tor is an Onion Router
15
Tor was originally designed, implemented, and deployed as third-generation onion routing project of U.S. Naval Research Laboratory, – Primary purpose of protecting government
communications Tor is free tool that allows people to use the
internet anonymously
Tor is an Onion Router
16
Basically, Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world
How doe this help you achieve anonymity?
It prevents somebody watching your Internet connection from learning what sites you visit
It prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked
Tor anonymizes the origin of your traffic!
What is Tor?
17
IP address that appearsvia other browsers atthe same time
IP address that appearsvia other browsers atthe same time
IP address that appears via the Tor browser
IP address that appears via the Tor browser
What is under the hood?
18
Tor is based on Onion Routing, a technique for anonymous communication over a computer network.
http://en.wikipedia.org/wiki/Onion_routing
Steps• Messages are repeatedly
encrypted and then sent through several network nodes called onion routers
• Each onion router removes layer of encryption to uncover routing instructions, and sends message to the next router where this is repeated This prevents these intermediary nodes from knowing origin, destination, and contents of message
Onions
Who is using Tor?
19
Normal people (e.g. protect their browsing records)
Militaries (e.g. military field agents)
Journalists and their audiences (e.g. citizen journalists encouraging social change)Law enforcement officers (e.g. for online “undercover” operations)
Activists and Whilstblowers (e.g. avoid persecution while still raising a voice)
BloggersIT professionals (e.g. during development and operational testing, access internet resources while leaving security policies in place)
Privacy Settings
Program that configures on-line accounts for optimum privacy
Priveazy Lockdown is handy and reliable Firefox extension that helps you to tweak privacy and security settings for online accounts.
Priveazy Lockdown works with websites such as Google, Facebook, Twitter, Gmail, AOL, YouTube, Pandora, Amazon and eBay
Video on how to use the programhttp://www.frequency.com/video/priveazy-lockdo/
85402212
Removing Your Information
Remove your information from People Search databases
One handy page has access to many databases
http://abine.com/optouts.php Or, you can use their tool
More complete list of Data Brokershttps://www.privacyrights.org/online-information-
brokers-list
Get Private Email
Encypted, Private Email Use a secure email service for better
email privacyNo more Gmail for me !!!One page has links to multiple secure
emailers plus reviewshttp://thesimplecomputer.info/free-webmail-for-
better-privacy/
Secure VPN's to Hide IP Address
Can use VPN's to either encrypt your connections or use as a proxy to hide your IP address
Cyberghost is one VPN programhttp://cyberghostvpn.com/en/surf-anonym.html
Ordinary surfing, use SecurityKISS.• This program does store your IP address,
but this is only associated with the total amount of data sent tunneled through SecurityKISS
• No other personally identifiable information is logged
http://www.securitykiss.com/index.php
Privacy
Treating privacy as a separate subject than anonymity
In reality, they are linkedBeing anonymous is one way to
achieve a level of privacyBut, in reality, if corporations and
governments respected our right to privacy, we would not need to be anonymous ….
Privacy Defined
Privacy
1. The state of being private; retirement or seclusion
2. The state of being free from intrusion or disturbance in one's private life or affairs: the right to privacy; There is so much information about us online that personal privacy may be a thing of the past ...
3. Secrecy
Is Privacy a Fundamental Human Right? Can also ask what are Fundamental
Human Rights anyway? Human rights are rights inherent to all human
beings, whatever our nationality, place of residence, sex, national or ethnic origin, colour, religion, language, or any other status
We are all equally entitled to our human rights without discrimination
Fundamental Human Rights
There is a United Nations defined– Universal Declaration of Human Rights
The Universal Declaration of Human Rights, which was adopted by UN General Assembly on 10 December 1948, was result of experience of Second World War
End of that war, creation of United Nations, international community vowed never again to allow those atrocities to happen again
http://www.un.org/en/documents/udhr/
Back to Privacy
Article 12 of 1948 Universal Declaration of Human Rights, specifically protects territorial and communications privacy
Is there an explicit right to privacy in the United States?
Privacy in the United States
Not Really !!! The U. S. Constitution contains no express right to
privacy The Bill of Rights, however, reflects the concern of
James Madison and other framers for protecting specific aspects of privacy, such as the privacy of beliefs (1st Amendment), privacy of the home against demands that it be used to house soldiers (3rd Amendment), privacy of the person and possessions as against unreasonable searches (4th Amendment), and the 5th Amendment's privilege against self-incrimination
Plus, there are laws that protect privacy of various kinds
Privacy Laws in the US
The Privacy Act of 1974 prevents unauthorized disclosure of personal information held by federal government
The Fair Credit Reporting Act protects information gathered by credit reporting agencies
The Children’s Online Privacy Protection Act grants parents authority over what information about their children (age 13 and under) can be collected by web sites
The California Online Privacy Protection Act of 2003 (OPPA)– Effective as of July 1, 2004, is a California State Law– According to this law, operators of commercial websites
that collect personally identifiable information from California's residents are required to conspicuously post and comply with a privacy policy that meets certain requirements
Privacy Laws Regulating Industry As it relates to securing computer networks or
data
Sarbanes-Oxley Act, http://en.wikipedia.org/wiki/Sarbanes
%E2%80%93Oxley_Act - business practices
HIPAA, http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
GLBA http://www.business.ftc.gov/privacy-and-security/gramm-leach-bliley-act banks
Contain at least some guarantee of an individual’s right not to have their personal or confidential information exposed
These regulations mandate that companies take steps to ensure their customer’s data is secure and impose fines and penalties on companies that fail to do so
Summary
• Anonymity and privacy
• We do have a right to them !!! Even on the Internet … even dogs have these rights
• So, recommendation is to try out some of these methods
• Know your rights. To privacy and every other human right. Or else you might lose them.
• Money talks. Corporations want to make more money. If they violate your rights in the process … well, they are not all honest in that regard.
• Government, what can we say?
Who is this really?
References
About.com Article on Privacyhttp://netsecurity.about.com/od/newsandeditorial1/a/
aaprivacyrights.htm
Advice on Protecting Your Privacy On-linehttp://www.techsupportalert.com/content/how-protect-your-online-
privacy.htm#Make_Sure_Any_Online_Accounts_Are_Properly_Configured_For_Optimum_Privacy
Privacy Rights Clearinghousehttps://www.privacyrights.org/privacy-survival-guide-take-control-your-
personal-information
top related