COMP3441 Lecture 9: Human Factors & Privacy Ron van der Meyden (University of New South Wales Sydney, Australia) May 13, 2013 R. van der Meyden COMP3441 Lecture 9: Human Factors & Privacy


COMP3441 Lecture 9: Human Factors & Privacy

Ron van der Meyden

(University of New South Wales, Sydney, Australia)

May 13, 2013


Overview

- Human Frailties as a Security Risk
- Security Policy
- Privacy


Human Frailties


People are often the weakest link in the security of a system, because they are

- Trusting
- Lazy
- Greedy
- Forgetful/Negligent
- Selfish
- Dishonest/Corrupt
- Sticky-beaks


Sociological Engineering

Sociological Engineering attacks rely upon human weaknesses to attack systems, and can work even when the best technical measures are in place.

Reading: Kevin Mitnick, William L Simon, The art of deception: controlling the human element of security, Wiley 2002.


People are trusting

Pretexting: getting information by just asking for it

- pretend to be a person that the target is likely to believe is entitled to know the information
- rely upon people’s desire to be helpful
- small pieces of information from different sources put together can be powerful


Pretexting Example

Call 1: “I’m writing a book on banks’ customer credit record checks, when you call the Credit Record agency, is MerchantID the term that you use for the bank’s identifier?”

Call 2: “I’m from the Credit Record agency and doing a survey to assess your bank’s level of satisfaction with our service ...” (List of questions including ‘What is your bank’s MerchantID?’)

Call 3: “I’m from CitiBank, our MerchantID is 3478, I’d like to check the credit record of John Smith.”


People are Lazy

or just too busy to do things that they should, like

- reading the manual
- changing weak factory defaults
- changing passwords


People are Greedy and Dishonest

Example: Bernard Madoff Ponzi scheme:

- claimed falsely high rates of investment return (c. 20%) to draw in new investors
- used new funds to pay redemptions to older investors
- fabricated books with assistance of a corrupt auditor
- for at least 10 years until final collapse of scheme in 2009
- fraud scale of the order of $US 10-20 billion


Example: Nick Leeson

- Trader for Barings Bank in Singapore
- unauthorized speculative trades in derivatives, at first successful, earned large bonuses, then
- increasingly large losses, increasing desperation
- used accounting tricks to hide the true position
- failure of dual control: management allowed him to be both Chief Trader and responsible for settling his trades
- series of bad bets, lost due to consequences of Kobe earthquake, led to final collapse, losses of $US 1.4 billion
- collapse of Barings Bank as a result (1995)


People are Forgetful/Negligent

E.g. neglecting to disable accounts of ex-employees and/or contractors

Example:

2003: Vitek Boden, disgruntled former contractor, used passwords and insider knowledge of the sewerage system of Maroochy Shire Council (Queensland) to cause a spill of a million litres of raw sewage.


People are selfish

Example: Information is currency for government departments.

This leads to hoarding of information.

Failures to connect pieces of information available prior to the 9/11 attack have been attributed to this.


People are Sticky-beaks

Example: Annually, 100+ Medicare employees investigated for inappropriate access to personal records.

Motivations for such breaches:

- Checking up on (ex-)partners, neighbours
- Curiosity: snooping on celebrities
- Bribed by private investigators
- Fraud (case in 2008: Medicare employee obtained tax file numbers of dead people, claimed false Baby bonus and immunisation payments worth $300,000.)


Security, or a Reassuring Illusion of Security?

Often, multiple weaknesses are implicated in a security failure. Prior to the 9/11 attacks:

- security staff low-wage, no career advancement prospects, high turnover
- lack of background checks on airport staff (particularly by firms contracted to provide security), high rate of staff with criminal backgrounds (after 9/11, 450 staff at 15 airports arrested)
- penetration tests showed weapons could be carried through security at a rate of 26-50%
- box-cutters permitted in carry-on luggage
- 9 of the 19 hijackers received special attention at security checks, but still let through
- reports to FBI of Arabs with suspicious backgrounds taking flying lessons ignored


Strategies for Countering Human Frailties

- Careful vetting of employees (in defense, intelligence, politics: stringent security clearance process)
- User Education (e.g. concerning sociological engineering attacks)
- Well-advertised Organisational Security Policy
- Align staff interests with those of the organisation (e.g., Google’s generous staff benefits)


- Staff management process checklists (e.g., for staff exit)
- Systematic logging and audit of insider actions
- Honeypots for insiders, e.g., fake data concerning famous people
- Frailty-aware design: e.g. make the lazy way the secure way (default is to deny access.)
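The audit, honeypot and staff-exit items above can be combined into one check over an access log. The following is an added example, not part of the original lecture: the log format, user names, record IDs and rule names are all constructed for illustration.

```javascript
// Constructed audit log: "timestamp user action record_id".
// All names and record IDs below are made up for this example.
const AUDIT_LOG = `
2013-05-01T09:12:00 asmith READ rec-1001
2013-05-01T09:15:00 bjones READ rec-9001
2013-05-02T22:40:00 cwhite READ rec-1002
2013-05-03T10:05:00 asmith READ rec-9002
2013-05-03T10:06:00 asmith UPDATE rec-1003
`;

// Honeypot records: fake entries (e.g. for famous people) that no
// legitimate task ever needs, so any access is worth investigating.
const HONEYPOT_RECORDS = new Set(["rec-9001", "rec-9002"]);

// Output of the staff-exit checklist: user -> last working day.
// These accounts should already be disabled.
const DEPARTED_STAFF = new Map([["cwhite", "2013-04-30"]]);

function parseLine(line) {
  const [timestamp, user, action, record] = line.trim().split(/\s+/);
  return { timestamp, user, action, record };
}

// Returns one alert per rule violation, in log order.
function auditInsiderActions(logText, honeypots, departed) {
  const alerts = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue; // skip blank lines
    const e = parseLine(line);
    if (honeypots.has(e.record)) {
      alerts.push({ rule: "honeypot-access", user: e.user,
                    record: e.record, timestamp: e.timestamp });
    }
    const exitDate = departed.get(e.user);
    // ISO 8601 dates compare correctly as plain strings.
    if (exitDate !== undefined && e.timestamp.slice(0, 10) > exitDate) {
      alerts.push({ rule: "departed-account-active", user: e.user,
                    record: e.record, timestamp: e.timestamp });
    }
  }
  return alerts;
}

const ALERTS = auditInsiderActions(AUDIT_LOG, HONEYPOT_RECORDS, DEPARTED_STAFF);
for (const a of ALERTS) {
  console.log(`${a.timestamp} ${a.rule} user=${a.user} record=${a.record}`);
}
```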


Organisational Security Policy

- Designed to be read by people, to inform them of the organisation’s stance on security.
- Written in general terms rather than too specific, so does not change frequently.
- Assert senior management’s commitment to security.
- Provide a checklist for maintenance of security posture, and development of more detailed policies for specific departments/systems/networks/applications.


Examples

UNSW Security Policy:

- http://www.gs.unsw.edu.au/policy/documents/itsecuritypolicy.pdf
- https://www.it.unsw.edu.au/policies/docs/IT_Security_Stds.pdf

Australian Government:

- Protective Security Policy Framework http://www.ag.gov.au/pspf
- Dept of Finance Policy for Blackberry Use http://www.finance.gov.au/e-government/security-and-authentication/docs/Better_Practice_Guidance.pdf


Privacy


Privacy

Privacy = the ability of an individual

- to control distribution of personal information
- to prevent incursions into their “private space”

Personal information includes

- name, address
- medical information
- financial information
- personal preferences & interests
- political opinions
- photos & videos


Privacy Risks

The following can benefit from personal information in ways that can be detrimental to the individual

- personal enemies
- identity thieves
- financial fraudsters
- blackmailers
- newspapers & television stations (if you are famous)
- oppressive governments
- corrupt government agents, police
- marketing firms
- financial firms
- company/person that you are negotiating with


Contextual Dependency of Privacy

People in different cultures/countries have different expectations/laws concerning rights to privacy

- US Bill of Rights http://www.archives.gov/exhibits/charters/bill_of_rights.html
- EU
  - http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
  - Data Protection Directive http://europa.eu/legislation_summaries/information_society/l14012_en.htm


Contextual Dependency of Privacy

- Australian Privacy Commissioner http://www.privacy.gov.au/
- Chinese Firewall
- Scott McNealy, SUN CEO (1999): “You have zero privacy anyway. Get over it.”


Privacy in US Bill of Rights

Amendment I (Privacy of Beliefs): Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Amendment III (Privacy of the Home): No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.


Amendment IV (Privacy of the Person and Possessions): The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Liberty Clause of the Fourteenth Amendment: No State shall... deprive any person of life, liberty, or property, without due process of law.


EU Data Protection Directive

Principles relating to

- Data Quality: information must be collected fairly and lawfully, kept accurate, and used only for the specific purpose for which it was collected .....
- Personal Data processing legitimate only if there is unambiguous consent by the individual, or necessary for compliance with contract to which the individual is party, or necessary for compliance with law, or in the vital interest of the individual .....
- prohibitions against processing of special categories of information inc. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life (some exceptions, e.g. consent, vital interest)


- Information to be provided to the individual concerning data collection and use (e.g. recipients, rights of access)
- Rights of the individual include
  - right to know data being processed, purposes of the processing, the recipients to whom the data are disclosed,
  - right to know data undergoing processing and information about the source,
  - right to know the logic involved in any automatic processing of data
  - right to object to data processing/collection
  - right to decisions concerning the individual not being fully automated
- + clauses on notification, liability, international transfer of data, codes of conduct, implementation.


Technological Risks to Privacy

The rise of the Internet has created many new ways that personal information can be obtained:

- Tracking of browsing history
- Linking of Corporate and Government Data sources
- Linking of Public Information (e.g. Electoral Roll) with corporate data
- Search engine logs
- Free webmail accounts
- Social networks
- Smart Transport infrastructure (location data)
- E-health databases


Business Interests in Collection of Personal Data

Business has a strong incentive to build up detailed profiles of individuals:

- targeted marketing (e.g. of Ferraris/Manolo-Blahniks to high net wealth male/female individuals)
- assessment of risks in doing business with the individual, e.g.
  - giving them a loan/credit
  - giving them insurance cover
  - are they a high or low yield customer?


Case Study: Tracking your browsing history

A story of how various WWW technologies, intended for good, useful purposes:

- cookies
- iframes
- javascript

can also be applied for unintended “evil” (privacy invasion)


Cookies

A problem faced early in the development of WWW:

- HTTP is a stateless protocol (fetch/return)
- some applications
  - “shopping cart” on ecommerce site
  - personalization of page presentation
  - login sessions

  require maintenance of state across page requests

Cookies introduced (Netscape, 1994) to help web servers correlate requests and maintain state on behalf of the client


[Diagram: browser (with cookie store) and web server]

browser -> web server: PAGE REQUEST
web server -> browser: PAGE + COOKIE
browser -> web server: PAGE REQUEST + COOKIE

Cookie content:

- Cookie Name
- Cookie Value (a number)
- Domain (e.g. amazon.com)
- Expiry date
- Security attributes (discussed later)


Third Party Cookies

[Diagram: browser, web server 1 (smh.com.au), 3rd-party web server]

browser -> smh.com.au: PAGE REQUEST
smh.com.au -> browser: PAGE = ….http://3rdparty/img-smh.gif….


Third Party Cookies

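[Diagram: browser, web server 1 (smh.com.au), 3rd-party web server]

browser -> smh.com.au: PAGE REQUEST
smh.com.au -> browser: PAGE = ….http://3rdparty/img-smh.gif….
browser -> 3rd-party web server: REQUEST http://3rdparty/img-smh.gif
3rd-party web server -> browser: http://3rdparty/img-smh.gif + COOKIE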


Third Party Cookies

[Diagram: browser (with stored COOKIE), web server 2 (amazon), 3rd-party web server]

browser -> amazon: PAGE REQUEST
amazon -> browser: PAGE = ….http://3rdparty/img-amazon.gif….


Third Party Cookies

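[Diagram: browser (with stored COOKIE), web server 2 (amazon), 3rd-party web server]

browser -> amazon: PAGE REQUEST
amazon -> browser: PAGE = ….http://3rdparty/img-amazon.gif….
browser -> 3rd-party web server: REQUEST http://3rdparty/img-amazon.gif + COOKIE
3rd-party web server -> browser: http://3rdparty/img-amazon.gif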
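The exchange in these diagrams, simulated end to end as an added example (not part of the original lecture). It shows what the third party learns when the same cookie comes back from pages on two different sites, and what it learns when the browser blocks third-party cookies. The class names and the blockThirdParty option are assumptions of this example; the hostnames mirror the slide labels and no network traffic is sent.

```javascript
// The third party's server. It sets an ID cookie on first contact and
// records which embedding site each image request came from.
class ThirdPartyServer {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // cookie value -> list of sites seen
  }
  // path is e.g. "/img-smh.gif": the image name identifies the site
  // whose page embedded it, as in the slides.
  handle(path, cookie) {
    const site = path.replace(/^\/img-/, "").replace(/\.gif$/, "");
    let id = cookie;
    let setCookie = null;
    if (id === undefined || !this.profiles.has(id)) {
      id = String(this.nextId++); // unknown browser: issue a new ID
      setCookie = id;             // the response carries the cookie
      this.profiles.set(id, []);
    }
    this.profiles.get(id).push(site);
    return { body: "gif", setCookie };
  }
}

// A browser with a per-host cookie store. With blockThirdParty set,
// cookies are neither sent to nor stored from a host other than the
// site the user is visiting.
class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty;
    this.cookieStore = new Map(); // host -> cookie value
  }
  // Load a page from firstParty that embeds one image URL.
  visit(firstParty, embeddedImageUrl, servers) {
    const url = new URL(embeddedImageUrl);
    const isThirdParty = url.hostname !== firstParty;
    const allowCookies = !(isThirdParty && this.blockThirdParty);
    const cookie = allowCookies ? this.cookieStore.get(url.hostname) : undefined;
    const res = servers[url.hostname].handle(url.pathname, cookie);
    if (res.setCookie && allowCookies) {
      this.cookieStore.set(url.hostname, res.setCookie);
    }
  }
}

// Visit both sites from the slides and return the third party's profiles.
function simulate(blockThirdParty) {
  const tracker = new ThirdPartyServer();
  const servers = { "3rdparty": tracker };
  const browser = new Browser({ blockThirdParty });
  browser.visit("smh.com.au", "http://3rdparty/img-smh.gif", servers);
  browser.visit("amazon.com", "http://3rdparty/img-amazon.gif", servers);
  return [...tracker.profiles.values()];
}

console.log("cookies allowed:", JSON.stringify(simulate(false)));
console.log("third-party cookies blocked:", JSON.stringify(simulate(true)));
```

With cookies allowed the third party holds one profile covering both sites; with third-party cookies blocked it sees two unrelated single-site visitors.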


Who are the third parties?

- DoubleClick http://www.doubleclick.com/ (acquired by Google 2007)
- Google Analytics http://www.google.com/analytics/

Some examples of sites using these:

- PCworld.com
- harveynorman.com.au


Cookie Security Attributes

- Secure: send only through encrypted https channel (defends against man-in-middle cookie theft)
- HttpOnly: not available to JavaScript, etc. (defends against JavaScript injection attacks, which can steal cookies)

[Diagram: attacker, Web 2.0 site (e.g. Facebook), target browser]

1. Content containing javascript (attacker to Web 2.0 site)
2. request page with attacker content (target browser to Web 2.0 site)
3. Content containing javascript (Web 2.0 site to target browser)
4. runs javascript (target browser)
4. javascript action
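The effect of the two attributes, modelled as an added example (not part of the original lecture): it parses Set-Cookie header values, shows which cookies a browser would send over http versus https and which a page script could read, and reports the attributes each cookie is missing. The function names and the sample headers are constructed for this example.

```javascript
// Parse one Set-Cookie header value into name, value and the two flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 0) throw new Error("malformed Set-Cookie value: " + header);
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    // Attribute names are case-insensitive.
    const key = attr.split("=")[0].toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Names of the cookies the browser attaches to a request with this
// scheme: Secure cookies travel only over https.
function sentOnRequest(cookies, scheme) {
  return cookies
    .filter((c) => scheme === "https" || !c.secure)
    .map((c) => c.name);
}

// Names of the cookies a script in the page can read via
// document.cookie: HttpOnly cookies are hidden from scripts.
function visibleToScript(cookies) {
  return cookies.filter((c) => !c.httpOnly).map((c) => c.name);
}

// Audit: list the protections each cookie is missing.
function audit(headers) {
  return headers.map(parseSetCookie).map((c) => ({
    name: c.name,
    missing: [!c.secure && "Secure", !c.httpOnly && "HttpOnly"].filter(Boolean),
  }));
}

// Constructed sample headers (not taken from any real site).
const SAMPLE_HEADERS = [
  "session=abc123; Path=/",
  "session2=def456; Path=/; Secure",
  "session3=ghi789; Path=/; Secure; HttpOnly",
];

const SAMPLE_COOKIES = SAMPLE_HEADERS.map(parseSetCookie);
console.log("sent over http: ", sentOnRequest(SAMPLE_COOKIES, "http"));
console.log("sent over https:", sentOnRequest(SAMPLE_COOKIES, "https"));
console.log("readable by script:", visibleToScript(SAMPLE_COOKIES));
for (const row of audit(SAMPLE_HEADERS)) {
  console.log(row.name, "missing:", row.missing.join(", ") || "nothing");
}
```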


Personal Identifiers

Aggregation of data concerning a person is facilitated by the existence of unique identifiers for a person, used for many transactions, e.g.,

- name, age, address
- passport number
- tax file number
- Medicare number
- unique identifier for e-health system
- national identity card
- static IP address


Reconstructing Identity

Current research is showing that it is often possible for data to be linked even when there is not a personal identifier, based on common characteristics of the data

- Common profile information in multiple social networks
- structure of friends network
- similarities in anonymous and identified data (Netflix competition and Internet Movie Database)
- browser configuration profile


Privacy Enhancing Technology

Defenses against privacy incursions:

- Cookie cutters (cookie controls now available in browsers, firewalls)

  Beware: Flash stores its own cookies, not removed by browser cookie controls: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager09.html

- Anonymous browsing services (e.g. Tor, Crowds)
- Digital Cash (yet to happen in practice)


Tor

- https://www.torproject.org/
- Developed at US Naval Research Lab to help protect staff posted in Middle East from traffic analysis
- Objective: Anonymous Browsing
- “Onion Routing”: randomized routing, encrypted content
- Not perfect: anyone can set up a Tor node, and monitor exit traffic. Reported cases of plaintext embassy account passwords captured this way!
