Security
Networked Society, Networked Science
Erik Poll
Digital Security
Radboud University Nijmegen
Overview
• Security problems in our networked digital society
• Root causes and drivers of security problems
• Mechanics
– how do security attacks work?
– how does internet design fail to prevent this?
• Privacy
– in the face of the data explosion
Computers
• PC/laptops
• mobile phones
• smartcards: SIM, credit card, ov-chip, passport
• car navigation systems
• cars, trains, planes – embedded systems
• control of industrial systems, power grid, ...
The digital era
Three stages
1. mainframes and PCs in companies
2. PCs & laptops everywhere – at home and the office – connected to internet, forming one virtual digital world
3. mobile computers (smartphones, tablets, …) everywhere, merging physical and virtual worlds into one cyber-physical reality
Power of computer networks
• Computer networks – and the internet as prime example – offer huge possibilities
• but also:
– huge possibilities for abuse
– our increasing reliance on it can make us vulnerable
• and make abuse more interesting for the bad guys
Two root causes of security problems
1. Software
Computer programs are the most complicated artefacts produced by humans. We do not know how to build large computer programs without bugs.
2. Networks
Problems can be exploited remotely and can spread quickly
Software & security problems
To get an impression of the scale of the problem, look at these websites for recent software security flaws
http://www.us-cert.gov/cas/bulletins
http://www.securitytracker.com/
http://www.securityfocus.com/vulnerabilities
Software & security problems
Computers are digital, discrete systems and not analogue, continuous systems
• Paradox: the absence of error margins and tolerances does not make digital systems easier to analyse
if analogue car brakes work at 40 km/h, they work at 20 km/h and any value in between, but a digital brake could fail at – and only at – 32.767 km/h
• The butterfly effect can cause chaotic behaviour in analogue systems over time, but a single bit change can cause chaos in digital systems straight away
Network problems: Slammer Worm (5:29 am, Jan 25, 2003)
Pictures taken from The Spread of the Sapphire/Slammer Worm, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver
Network problems: Slammer Worm (6:00 am, 25 Jan, 2003)
A third cause of security problems: humans
3. Humans make lousy security decisions, have a hard time assessing online risks, fall for silly scams, choose predictable and short passwords ...
– eg. phishing, scareware
A root cause: on the internet we lack the context that we use in the physical world to make security decisions
Nigerian 419 scams
• predates internet and email
• named after article 419 of Nigerian criminal code
• recent variant: email from friend on holiday abroad whose email account has been hijacked in internet cafe
Phishing
Variant: spear-phishing aka whaling:
targeted phishing attack on one person (with personalised email) who is very rich (a whale)
Malware
Some security attacks only need a gullible human user...
• eg the phishing, scareware, etc
Some security problems involve malware (malicious software)
• worms, viruses, trojans, ...
How does malware spread?
1. worm
malware that spreads autonomously
2. virus
malware in a file (pdf, word document, jpg, ...) that needs to be opened by a program to do damage; spreading requires human interaction
• even if it is just opening attachment or visiting webpage
3. Trojan horse
malware part of an apparently benign program that user will willingly download & install but with hidden malicious functionality
• eg. free version of a game with a backdoor for remote login
What does malware do?
• send out spam
NB the vast majority of all email (> 80 - 90%) is spam
• carry out Denial of Service (DoS) attacks
• steal usernames with passwords, intercept internet banking, ...
• rootkit hides deep in the operating system and waits for instructions as part of a botnet
– eg to steal information, carry out Distributed Denial of Service (DDoS) attacks,...
botnet example: Pobelka
• Pobelka was an instance of the Citadel botnet
– Citadel is software to create botnets, that you can buy or download
• This botnet infected around 200,000 computers, mainly in Netherlands and Germany
• It was taken down early 2013
• The command-and-control server collected 750 Gbyte of data stolen from infected machines
– including from Radboud University and UMC
Internet banking fraud in the Netherlands
by infected computers, fake websites or by phone
NB this is a serious branch of organised crime, not done by clever teenagers
Cyber crime is highly organised and specialised, with different people selling different products & services: producing malware, selling or renting infected machines, selling credit card numbers, ...
2008 2.1 M€
2009 1.9 M€
2010 9.8 M€ (7100€ per incident)
2011 35 M€ (4500€ per incident)
2012 34.8 M€
[Source: NVB]
Security goals
Confidentiality, Integrity, Availability = CIA
• Confidentiality
– who can access which data?
– a special case for personal data: privacy
• Integrity
– is the data genuine?
– who can add or modify data?
• Availability
– is data or are services available?
Conflicts
• There is no clear and fixed meaning of what “secure” means
• There can be trade-offs between CIA objectives
– for instance, cloud services
• using gmail for your mail rather than storing it locally on your computer
• using flickr.com for your holiday photos
can be good for availability, but may be bad for confidentiality
Security goal: Authentication
Authentication
= ensuring that some entity is who they say they are
This pre-supposes some notion of identity (name, IP address,...)
Authentication can be done using
• passwords
• cryptography
• biometry: recognising physical characteristics, such as face, voice, fingerprints
How does internet work?
• Security was not a design goal for the internet
– surprising, as the origins of the internet are networks for military applications
– resilience was a design goal
Fundamental problems on the internet
• who are you?
• who is this website you talk to?
[Diagram labels: internet, bank]
IP basics
Home PC and website identified by IP address: unique address of individual computer
Web browser requests webpage, web server returns webpage
[Diagram: home PC (IP address 123.123.123.45) sends an IP packet with source and destination IP address to the web site (web server, IP address 234.234.234.56), which sends an IP packet as reply back to the source IP address]
Third party content
A web page returned by a website will usually contain content from other websites, which the browser will immediately fetch
[Diagram: home PC (IP address 123.123.123.45) requests www.nu.nl/pagina.html from the web site (web server, IP address 234.234.234.56); the page contains images from youtube.com, facebook like button, ..., which leads to lots of other requests to other websites]
(Lack of) anonymity in normal internet use
• any website you visit knows your IP address
– as do all websites that provide third-party content to this website
• ISPs and telcos report which person uses which IP address & telephone number to a central point for law enforcement
In Netherlands: Centraal Informatiepunt Onderzoek Telecommunicatie (CIOT); consulted 2.9 million times/year in 2009
[Source: Bits of Freedom, bof.nl]
myth
[Peter Steiner, 1993]
reality
Welcome user29. (IP address: 131.174.16.131) RU Nijmegen, NL; male german shepherd, 4 yrs old, neutered, interests: dogfood, cats
Cookies
Cookies installed by website in browser to
• maintain a session after the user logs in
– after logging in to gmail or facebook, a cookie is stored on your machine to authenticate you, so that you don’t have to login for the next N hours
• record user preferences
– eg information in English or Dutch
• track a user across many websites
– eg for targeted aka behavioural advertising
Cookies
After first visit to facebook.com to login you receive a cookie
[Diagram: home PC sends an IP packet to login to facebook.com; the web site facebook.com sends an IP packet as reply, including cookie; the home PC will store the facebook cookie]
Cookies
[Diagram: home PC with cookies stored on it sends an IP packet with cookie for facebook.com to the web site facebook.com, which sends an IP packet as reply]
Cookie is sent along to every subsequent IP request to facebook.com.
Also when you visit any page with a facebook like button
• Viewing one website can mean getting & sending cookies from/to many others!
Cookies vs IP addresses
Why use cookies instead of IP addresses to track users?
• Cookies allow sites to track users across different IP addresses
– connecting to different Wifi points with your smartphone or laptop will result in different IP addresses
• Legally, an IP address is personal information, and there are legal restrictions on what you can do with this
– personal information = information that can be related to one human individual
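Added example (not part of the original slides): a small Python simulation of the cookie mechanism described on the preceding slides, showing why a third-party server learns more from its cookie than from the source IP address. The domains widget.example, shop.example, games.example and health.example, the class and function names, and all addresses other than 123.123.123.45 are assumptions made for illustration.

```python
import itertools
from collections import defaultdict

class Tracker:
    """Third-party server (hypothetical widget.example) embedded in many pages."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.log = []                        # (cookie, source IP, embedding page)

    def handle(self, source_ip, cookie, embedding_page):
        if cookie is None:                   # first contact: issue a new cookie
            cookie = f"uid{next(self._ids)}"
        self.log.append((cookie, source_ip, embedding_page))
        return cookie                        # the reply carries the cookie

class Browser:
    """Keeps one cookie per domain and sends it on every request to that domain."""
    def __init__(self):
        self.jar = {}                        # domain -> cookie value
        self.ip = None                       # address of the current network

    def visit(self, page, embedded, servers):
        for domain in embedded:              # fetch the page's third-party content
            sent = self.jar.get(domain)
            self.jar[domain] = servers[domain].handle(self.ip, sent, page)

def simulate():
    """Constructed browsing sessions; returns the tracker's request log."""
    tracker = Tracker()
    servers = {"widget.example": tracker}
    alice, bob = Browser(), Browser()
    alice.ip = bob.ip = "123.123.123.45"     # two users on the same home connection
    alice.visit("www.nu.nl/pagina.html", ["widget.example"], servers)
    bob.visit("games.example/free", ["widget.example"], servers)
    alice.ip = "198.51.100.7"                # same laptop on another Wifi point
    alice.visit("shop.example/shoes", ["widget.example"], servers)
    alice.ip = "203.0.113.20"                # same laptop tethered to a phone
    alice.visit("health.example/symptoms", ["widget.example"], servers)
    return tracker.log

def group(log, column):
    """Per-key page histories; column 0 = cookie, column 1 = IP address."""
    out = defaultdict(list)
    for entry in log:
        out[entry[column]].append(entry[2])
    return dict(out)

if __name__ == "__main__":
    log = simulate()
    print("by cookie:", group(log, 0))
    print("by IP:    ", group(log, 1))
```

Grouped by cookie, one browser's visits line up across three networks; grouped by IP address, the home address mixes two users and the other two addresses each show a single unrelated visit.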
IP address spoofing
• IP addresses are not trustworthy and can be spoofed:
computer with IP address X can send IP packets giving spoofed IP address Z as source instead of X
• This can be abused in DDoS attacks
– to hide the real origin
– to amplify the attack
Abusing IP basics for DDoS: hiding origin
[Diagram: botnet command and control centre directs the bots (ie infected computers), which send many IP requests with spoofed source address to the DDoS target xxx.yyy.zzz.ww, to hide the identity of the bots]
Abusing IP basics for DDoS: amplification
[Diagram: botnet command and control centre directs the bots (ie infected computers), which send small IP requests with the target address as the spoofed source address; larger IP responses are sent to the DDoS target xxx.yyy.zzz.ww]
Big data
• What does Google know about you?
• What does your internet provider know about you?
• What does your telephone company know about you?
“Big data”
• “Big data” : huge quantities of data kept by companies
• NB ‘free’ services (gmail, facebook, ..) are paid for with ads and by collecting personal information for marketing
if you are not paying for it, then you are the product being sold
Anonymity?
• Even without IP addresses and cookies, your browser configuration may uniquely identify you, eg.
– browser version
– various settings in browsers
– plugins installed
– fonts installed
– ...
Try it at http://panopticlick.eff.org
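Added example (not part of the original slides, and not code from the Panopticlick site): a Python sketch of how a combination of individually common browser attributes can single out a visitor, measured as bits of identifying information. The sample of eight visitors, all attribute values and the function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: one tuple per visitor, using attributes from the list above
# (browser version, a language setting, plugins installed, fonts installed).
VISITORS = [
    ("Firefox 19", "nl", "flash,java", "arial,verdana"),
    ("Firefox 19", "nl", "flash",      "arial,verdana"),
    ("Firefox 19", "nl", "flash,java", "arial"),
    ("Chrome 25",  "nl", "flash",      "arial,verdana"),
    ("Chrome 25",  "nl", "flash",      "arial,verdana"),
    ("Chrome 25",  "en", "flash,java", "arial,comic"),
    ("IE 9",       "nl", "flash",      "arial"),
    ("IE 9",       "nl", "flash",      "arial"),
]

def _key(visitor, columns):
    """Select the attributes a site looks at (None = all of them)."""
    return visitor if columns is None else tuple(visitor[i] for i in columns)

def set_size(visitor, visitors, columns=None):
    """Anonymity set: how many visitors share this visitor's selected attributes."""
    return sum(1 for v in visitors if _key(v, columns) == _key(visitor, columns))

def identifying_bits(visitor, visitors, columns=None):
    """Bits of identifying information = log2(population / anonymity set size)."""
    return math.log2(len(visitors) / set_size(visitor, visitors, columns))

def unique_fraction(visitors, columns=None):
    """Share of visitors whose selected attributes match nobody else's."""
    return sum(1 for v in visitors if set_size(v, visitors, columns) == 1) / len(visitors)

def entropy(visitors, column):
    """Average identifying bits carried by one attribute on its own."""
    n = len(visitors)
    counts = Counter(v[column] for v in visitors)
    return sum(c / n * math.log2(n / c) for c in counts.values())

if __name__ == "__main__":
    print("unique on browser version alone:", unique_fraction(VISITORS, [0]))
    print("unique on all attributes:       ", unique_fraction(VISITORS))
    for i, name in enumerate(("browser", "language", "plugins", "fonts")):
        print(f"{name:9s} entropy: {entropy(VISITORS, i):.2f} bits")
```

In this sample nobody is unique by browser version alone, yet half of the visitors are unique once all four attributes are combined.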
Telecom legislation
• Internet providers & telcos have to preserve traffic data for 6 months
– internet: time of use, address but not content of email, v, no IP traffic
– mobile phones: location, numbers called, numbers SMSed, no call or SMS content
Ov-chip data is kept for 2 years (original plan: 7 years)
Behavioural advertising & profiling
Data can be used for
• targeted advertising
• targeted pricing
– eg online shops asking higher prices from rich people
• targeted offering of products and services
– eg online shops not offering products to certain people, insurance to people in certain neighbourhoods, ...
What profiles are being used to categorise people?
German legislation requires basis for automated decisions to be made public.
Function creep
• The possibilities (functionality) of a system will in the longer run be used for different goals than originally intended
Function creep does not only occur in ICT systems, but the rapid evolution & flexibility of ICT creates many opportunities for it.
Examples:
• first deciding to store fingerprints in electronic passports (offline & de-centrally), but later also trying to set up a central online database with all fingerprints. Plans for this aborted in the Netherlands in 2011 after public debate, but for how long...
• TomTom selling customer data to police for optimal placement of speed cameras...
– Even if you do pay, you may still be one of the products …
International complications
Computer networks – and any criminal activity that uses them – cross borders
Legal complications in finding and prosecuting perpetrators!
• Where is the internet?
• Where are your gmail, twitter, facebook, Whatsapp data?
– and which governments have access?
Conclusions
Computer networks – esp. internet - are very useful
• Downside
– also useful for criminals
– also useful for unwanted data gathering & processing by companies, governments, ...
Storing & searching vast amounts of data offers many possibilities here – for use and abuse
– Recording all fingerprints in this building is infeasible; recording all network traffic isn’t...
– What options do we consider unwanted?
• Eg googling a picture of someone on facebook to find out who they are?