Security, Privacy Data Protection, and Perspectives to Counter Cybercrime
Gohsuke Takama, Meta Associates, Japan, [email protected]
CodeGate Conference, April 2008, Seoul, Korea


DESCRIPTION

"Security, Privacy Data Protection and Perspectives to Counter Cybercrime" was presented at the CodeGate 2008 security conference in Seoul, Korea, April 2008. http://www.codegate.org/

TRANSCRIPT

1. Security, Privacy Data Protection, and Perspectives to Counter Cybercrime. Gohsuke Takama, Meta Associates, [email protected]. CodeGate Conference, April 2008, Seoul, Korea

2. outline: introduction; security vs. privacy?; privacy today - revisited; state of cybercrime today; balance of powers; psychological layer security

3. about Gohsuke Takama: Privacy International (London, UK), advisory board member, http://www.privacyinternational.org/; Computer Professionals for Social Responsibility / Japan chapter, founding supporter, http://www.cpsr.org/; independent journalist for over 10 years; Meta Associates, founder & president, http://www.meta-associates.com/

4. introduction: some works of Privacy International: a report in June 2007, "A Race to the Bottom - Privacy Ranking of Internet Service Companies"; a study in Dec 2007, "Leading surveillance societies in the EU and the World 2007"

5. introduction: Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations. PI is based in London, England, and has an office in Washington, D.C. PI has over 50 members on its international advisory board, including MIT's Noam Chomsky and former member of the U.S. House of Representatives Bob Barr.

6. "Privacy Ranking of Internet Service Companies": Amazon, AOL, Apple, BBC, Bebo, eBay, Facebook, Friendster, Google, Hi5, Last.fm, LinkedIn, LiveJournal, Microsoft, Myspace, Orkut, Reunion.com, Skype, Wikipedia, Windows Live Space, Xanga, Yahoo!, YouTube

7. "Leading surveillance societies in the EU and the World 2007" (map slide)

8. security vs. privacy

9. security vs. privacy: really? false dichotomy? balance?

10. Sep 11, 2001

11. some government's view: threat #1 = terrorists; threat #2 to n = criminals, illegal immigrants, etc.

12. some government's view: terrorists are mingling among people, thus people need to be watched; people's movements need to be tracked; people's communications need to be monitored

13. more surveillance

14. more tracking

15. more tracking

16. more monitoring

17. more monitoring

18. some government's view: security = surveillance; privacy = barrier

19. some government's view: security vs. privacy balance dial (scale 0 to 100)

20. centralization

21. panopticon?

22. data concentration

23. data concentration: is data secure? is data accurate? is operation efficient?

24. is data secure?

25. is data secure?

26. individual's view: how I live; how I work

27. privacy today - revisited: privacy in the physical world; privacy in the data world

28. physical world / data world

29. individual's view: how I live in the physical world; how I work in the physical world; how I live in the data world; how I work in the data world

30. likely decentralized economic activities

31. privacy today: activities shifting to the data world; more activity = more data trail; personally identifiable information (PII) = privacy data; privacy protection = personal security = privacy data protection

32. individual's view: security vs. privacy balance dial (scale 0 to 100)

33. businesses' view

34. businesses' view:
   monitoring of: users | user data | traffic | activities
   protection of: employees | employees' data | traffic | activities

35. businesses' view: security vs. privacy balance dial (scale 0 to 100)

36. security vs. privacy

37. state of cybercrime

38. McAfee criminology report: a recent online banking study... 2 million Americans = 5% of online banking customers had their accounts illegally accessed and robbed; average loss = $1,200; banking industry total losses > $2 billion

39. McAfee criminology report: one North American credit company reported... in 2005, online fraud losses = $30 million (all losses = $100 million)

40. McAfee criminology report: one FBI estimate in 2005... in the USA, cost of cybercrime = $67 billion

41. McAfee criminology report: a Gartner Inc. survey of identity theft-related fraud in the 12 months ending in mid 2006: approx. 15 million Americans = victims; average loss = $3,257 (total losses > $48 billion?)

42. crime techniques: phishing, spear phishing, scam, pharming, website spoofing, content altering, code injection, IP hijacking, rogue WiFi AP, sniffer, XSRF, XSS, spam, virus, trojan, spyware, keylogger, rootkit, bot + botnet

43. target: ordinary computer users; personally identifiable information for identity theft: to illegally use credit cards; to illegally access bank accounts; to illegally access stock trading; to illegally access organizations' networks

44. value for crime: personally identifiable information (PII) = monetizable data

45. criminal's view: profit vs. privacy balance dial (scale 0 to 100)

46. ENISA report

47. crime on web 2.0? long tail; user data (PII) = core competence; the web as platform (for attack); user as a contributor (of botnet, etc.); mash-ups (web, malware, botnet, etc.); rich user experiences (of trouble); distributed operation; loose connection among operatives; collective intelligence

48. (diagram) spoof/altered site; 1st line victims; 2nd line victims: stock trading, banks, credit companies; organized crime; coders; lost/stolen data

49. final victim: our economy; the economy is held hostage; one type of national security issue

50. security & profit vs. privacy

51. "security vs. privacy" or "security & privacy": security for whom? misleading dichotomy; security & privacy are not opposites

52. security process & action matrix (columns: prevention, detection, response; rows: government/law, individual, business, criminal). Cell terms as recovered from the slide, grouped by row:
   government/law: law making, surveillance, administer, promote, investigate, monitor, arrest, enforcement, prosecute
   individual: self defence, accustomed, awareness, call police?
   business: org defence, rule making, awareness, manuals, appliances, monitor, call police
   criminal: spoof, 0 day, transborder, deception, obfuscation, remote op

53. privacy data protection process & action matrix (same columns and rows). Cell terms as recovered from the slide, grouped by row:
   government/law: law making, survey, investigate, administer, hearing, give penalty, enforcement, promote, called in, prosecute
   individual: self, call service, accustomed, awareness, call gov?
   business: rule making, awareness, org defence, manuals, monitor, call police, PIA, PET use, called in
   criminal: spoof, 0 day, transborder, deception, obfuscation, remote op

54. some acronyms: PIA = Privacy Impact Assessment; PET = Privacy Enhancing Technology; ROI = Return On Investment

55. how do they lure talents?

56. how do they lure talents? (excerpt): find target students on password posting sites, cracking tool sites, chat, etc. (online game sites possible); offer easy, low-risk tasks with rewards; if successful, offer higher-level tasks with higher rewards; once involved, blackmail the target to force them into risky tasks; sometimes sponsor target students to get IT degrees at university (as a reward)

57. law enforcement's limit: international jurisdiction; can act only after the incident; limited operation & human resources

58. balance of powers: asymmetric?
   attack side: organized cybercrime | defence side: gov, security industry
   attack side: no compliance to the law | defence side: compliance to the law
   attack side: borderless adhoc alliances | defence side: limited by international jurisdiction
   attack side: long tail attack model | defence side: concentric defence
   attack side: spontaneous action | defence side: action after incidents
   attack side: operation low cost = high ROI | defence side: security often looked at as anti-ROI cost
   attack side: luring technically sophisticated youngsters | defence side: more security professionals needed
   attack side: psychological attack approach effective | defence side: psychological defence possible?

59. remedies: need to make businesses understand: security is for averting the risk; PII data is targeted; the size of damages (what if 5% of users are attacked); guidance & aid for small & middle-size businesses = over 90% of businesses are S&M-size companies = attacks follow the long tail model

60. remedies: need to prevent technically talented youngsters from being lured by criminals (from the dark side); rescue remedy to save lured youngsters from blackmail (& ransom?) (image: (c) Lucas Film)

61. remedies: need to increase the number of security professionals for defence; need to make security professional a glamorous job = cool = respected = high pay (> US$200/hour?)

62. psychological layer security

63. psychological layer security: still a theoretical idea; Bruce Schneier is also looking in a similar direction: Feb 2007, "The Psychology of Security"

64. layer approach example: OSI model

65. a security layer model:
   7 Psychological | cognition | Human Factor (layers 7 to 5)
   6 Custom (Habit) | behavior
   5 Operation | rules
   4 Content | data | Intangibles (layers 4 to 3)
   3 OS/Application | software
   2 Hardware | Tangibles (layers 2 to 1)
   1 Physical

66. attacks vs. remedies:
   Psychological: attacks: phishing, spear phish, scam, pharming | remedies: ?
   Custom: attacks: spoof, phishing, spam, pharming, XSS, XSRF, ID spoof | remedies: accustomed best practice, awareness, digital signature, PKI
   Operation: attacks: DoS, spam, sabotage, espionage, ransomware | remedies: filter, opsec procedure, policy, law enforcement
   Content: attacks: sniffing, spam, spyware, alteration | remedies: encryption, filter, content-scan, host IDS
   OS/Application: attacks: DoS, vuln exploit, 0day, rootkit, botnet | remedies: FW, network IDS, IPS, anti-virus, OS/app patch
   Hardware: attacks: direct access, alteration, tampering | remedies: perimeter guard, anti-tampering, hard seal
   Physical: attacks: lock pick, break in, vandalism | remedies: surveillance, perimeter alarm, armed guard

67. psychological attacks: exploit social interaction; exploit social protocols; exploit social norms; exploit social status of users

68. social interactors

69. prof. Lessig

70. what things regulate

71. extensive thought

72. elements

73. interactivity

74. motivation

75. ill-motivation

76. de-motivate

77. de-motivate example

78. Atocha station, Madrid

79. Mar 11, 2004

80. Madrid demonstrators

81. deflect motivation example

82. hack for cybercrime is lame (Borg, from Star Trek, (c) Paramount Pictures)

83. hack for security is cool (Matrix Reloaded, (c) Warner Bros. Pictures)

84. psychological layer security: passive defence: user behavior modification to increase user alertness; active defence: to de-motivate the adversary, to deflect the direction of attacks; potential fields to look at: Cognitive Behavioral Therapy, Neuro Linguistic Programming

85. + direct attacks on users' mental state

86. + a concept example: Psycho-acoustic Computer Virus: creates a near-inaudible very low frequency sound (20-40Hz) by exploiting the sound synthesizer chip; such very low frequency sound is believed to create fear and an awed feeling in hearers; the Nazis were believed to have used this sound technique for Nazi Party conventions

87. psychological attacks: how can we counter? exploit social interaction; exploit social protocols; exploit social norms; exploit social status of users; exploit mental state of users

88. sources: A Race to the Bottom - Privacy Ranking of Internet Service Companies, http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961; Leading surveillance societies in the EU and the World 2007, http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559597; Map developed: http://english.freemap.jp/; What Our Top Spy Doesn't Get: Security and Privacy Aren't Opposites, http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0124?currentPage=all&

89. sources: Our view on security vs. privacy: Bush uses scare tactics ... USA TODAY, http://blogs.usatoday.com/oped/2008/02/our-view-on-sec.html; MI5 seeks powers to trawl records in new terror hunt, http://www.guardian.co.uk/uk/2008/mar/16/uksecurity.terrorism; Police announce London 2012 plans, http://news.bbc.co.uk/sport2/hi/olympics/london_2012/7277918.stm; UK considers RFID tags for prisoners, http://www.itweek.co.uk/vnunet/news/2207145/government-considers-rfid-tags

90. sources: Bush Administration's Warrantless Wiretapping Program, http://www.washingtonpost.com/wp-dyn/content/article/2007/05/15/AR2007051500999.html; Mobile firms seek India govt meeting on BlackBerry, http://www.reuters.com/article/ousiv/idUSBOM10000520080312?sp=true; UK MOD confirms loss of recruitment data, http://www.mod.uk/DefenceInternet/DefenceNews/DefencePolicyAndBusiness/ModConfirmsLossOfRecruitmentData.htm; TSA_securitybreach_20080111092648, http://oversight.house.gov/documents/20080111092648.pdf

91. sources: What Is Web 2.0, http://oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html; Security, Economics, and the Internal Market, http://www.enisa.europa.eu/doc/pdf/report_sec_econ_&_int_mark_20080131.pdf; Criminals 'target tech students', http://news.bbc.co.uk/2/hi/technology/6220416.stm; The Psychology of Security, http://www.schneier.com/essay-155.html; Hackers Assault Epilepsy Patients via Computer, http://www.wired.com/politics/security/news/2008/03/epilepsy

92. ? ?