COMP3441 Lecture 9: Human Factors & Privacy
Ron van der Meyden
(University of New South Wales, Sydney, Australia)
May 13, 2013
R. van der Meyden COMP3441 Lecture 9: Human Factors & Privacy
Overview
- Human Frailties as a Security Risk
- Security Policy
- Privacy
Human Frailties

People are often the weakest link in the security of a system, because they are
- Trusting
- Lazy
- Greedy
- Forgetful/Negligent
- Selfish
- Dishonest/Corrupt
- Sticky-beaks
Sociological Engineering
Sociological Engineering attacks rely upon human weaknesses to attack systems, and can work even when the best technical measures are in place.
Reading: Kevin Mitnick, William L. Simon, The Art of Deception: Controlling the Human Element of Security, Wiley 2002.
People are trusting
Pretexting: getting information by just asking for it
- pretend to be a person that the target is likely to believe is entitled to know the information
- rely upon people’s desire to be helpful
- small pieces of information from different sources put together can be powerful
Pretexting Example
Call 1: “I’m writing a book on banks’ customer credit record checks. When you call the Credit Record agency, is MerchantID the term that you use for the bank’s identifier?”
Call 2: “I’m from the Credit Record agency and doing a survey to assess your bank’s level of satisfaction with our service....” (List of questions including ‘What is your bank’s MerchantID?’)
Call 3: “I’m from CitiBank, our MerchantID is 3478, I’d like to check the credit record of John Smith.”
People are Lazy
or just too busy to do things that they should, like
- reading the manual
- changing weak factory defaults
- changing passwords
People are Greedy and Dishonest
Example: Bernard Madoff Ponzi scheme:
- falsely claimed high rates of investment return (c. 20%) to draw in new investors
- used new funds to pay redemptions to older investors
- fabricated books with assistance of a corrupt auditor
- for at least 10 years until final collapse of scheme in 2009
- fraud scale of the order of $US 10-20 billion
Example: Nick Leeson
- Trader for Baring’s bank in Singapore
- unauthorized speculative trades in derivatives, at first successful, earned large bonuses, then
- increasingly large losses, increasing desperation
- used accounting tricks to hide the true position
- failure of dual control: management allowed him to be both Chief Trader and responsible for settling his trades
- series of bad bets, lost due to consequences of Kobe earthquake, led to final collapse, losses of $US 1.4 billion
- collapse of Baring’s bank as a result (1995)
People are Forgetful/Negligent
E.g. neglecting to disable accounts of ex-employees and/or contractors
Example:
2003: Vitek Boden, disgruntled former contractor, used passwords and insider knowledge of the sewerage system of Maroochy Shire Council (Queensland) to cause a spill of a million litres of raw sewage.
People are selfish
Example: Information is currency for government departments.
This leads to hoarding of information.
Failures to connect pieces of information available prior to the 9/11 attack have been attributed to this.
People are Sticky-beaks
Example: Annually, 100+ Medicare employees investigated for inappropriate access to personal records.
Motivations for such breaches:
- Checking up on (ex-)partners, neighbours
- Curiosity: snooping on celebrities
- Bribed by private investigators
- Fraud (case in 2008: Medicare employee obtained tax file numbers of dead people, claimed false Baby Bonus and immunisation payments worth $300,000.)
Security, or a Reassuring Illusion of Security?
Often, multiple weaknesses are implicated in a security failure. Prior to the 9/11 attacks:
- security staff low-wage, no career advancement prospects, high turnover
- lack of background checks on airport staff (particularly by firms contracted to provide security), high rate of staff with criminal backgrounds (after 9/11, 450 staff at 15 airports arrested)
- penetration tests showed weapons could be carried through security at a rate of 26-50%
- box-cutters permitted in carry-on luggage
- 9 of the 19 hijackers received special attention at security checks, but still let through
- reports to FBI of Arabs with suspicious backgrounds taking flying lessons ignored
Strategies for Countering Human Frailties
- Careful vetting of employees (in defense, intelligence, politics: stringent security clearance process)
- User Education (e.g. concerning sociological engineering attacks)
- Well-advertised Organisational Security Policy
- Align staff interests with those of the organisation (e.g., Google’s generous staff benefits)
- Staff management process checklists (e.g., for staff exit)
- Systematic logging and audit of insider actions
- Honeypots for insiders, e.g., fake data concerning famous people
- Frailty-aware design: e.g. make the lazy way the secure way (default is to deny access)
Organisational Security Policy
- Designed to be read by people, to inform them of the organisation’s stance on security.
- Written in general terms rather than too specific, so does not change frequently.
- Asserts senior management’s commitment to security.
- Provides a checklist for maintenance of security posture, and development of more detailed policies for specific departments/systems/networks/applications.
Examples
UNSW Security Policy:
- http://www.gs.unsw.edu.au/policy/documents/itsecuritypolicy.pdf
- https://www.it.unsw.edu.au/policies/docs/IT_Security_Stds.pdf
Australian Government:
- Protective Security Policy Framework http://www.ag.gov.au/pspf
- Dept of Finance Policy for Blackberry Use http://www.finance.gov.au/e-government/security-and-authentication/docs/Better_Practice_Guidance.pdf
Privacy

Privacy = the ability of an individual
- to control distribution of personal information
- to prevent incursions into their “private space”
Personal information includes
- name, address
- medical information
- financial information
- personal preferences & interests
- political opinions
- photos & videos
Privacy Risks
The following can benefit from personal information in ways that can be detrimental to the individual
- personal enemies
- identity thieves
- financial fraudsters
- blackmailers
- newspapers & television stations (if you are famous)
- oppressive governments
- corrupt government agents, police
- marketing firms
- financial firms
- company/person that you are negotiating with
Contextual Dependency of Privacy
People in different cultures/countries have different expectations/laws concerning rights to privacy
- US Bill of Rights http://www.archives.gov/exhibits/charters/bill_of_rights.html
- EU
  - http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
  - Data Protection Directive http://europa.eu/legislation_summaries/information_society/l14012_en.htm
- Australian Privacy Commissioner http://www.privacy.gov.au/
- Chinese Firewall
- Scott McNealy, Sun CEO (1999): “You have zero privacy anyway. Get over it.”
Privacy in US Bill of Rights
Amendment I (Privacy of Beliefs): Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
Amendment III (Privacy of the Home): No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.
Amendment IV (Privacy of the Person and Possessions): The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Liberty Clause of the Fourteenth Amendment: No State shall... deprive any person of life, liberty, or property, without due process of law.
EU Data Protection Directive
Principles relating to
- Data Quality: information must be collected fairly and lawfully, kept accurate, and used only for the specific purpose for which it was collected ...
- Personal Data processing legitimate only if there is unambiguous consent by the individual, or necessary for compliance with a contract to which the individual is party, or necessary for compliance with law, or in the vital interest of the individual ...
- prohibitions against processing of special categories of information inc. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life (some exceptions, e.g. consent, vital interest)
- Information to be provided to the individual concerning data collection and use (e.g. recipients, rights of access)
- Rights of the individual include
  - right to know data being processed, purposes of the processing, the recipients to whom the data are disclosed,
  - right to know data undergoing processing and information about the source,
  - right to know the logic involved in any automatic processing of data
  - right to object to data processing/collection
  - right to decisions concerning the individual not being fully automated
- + clauses on notification, liability, international transfer of data, codes of conduct, implementation.
Technological Risks to Privacy
The rise of the Internet has created many new ways that personal information can be obtained:
- Tracking of browsing history
- Linking of Corporate and Government Data sources
- Linking of Public Information (e.g. Electoral Roll) with corporate data
- Search engine logs
- Free webmail accounts
- Social networks
- Smart Transport infrastructure (location data)
- E-health databases
Business Interests in Collection of Personal Data
Business has a strong incentive to build up detailed profiles of individuals:
- targeted marketing (e.g. of Ferraris/Manolo Blahniks to high net wealth male/female individuals)
- assessment of risks in doing business with the individual, e.g.
  - giving them a loan/credit
  - giving them insurance cover
  - are they a high or low yield customer?
Case Study: Tracking your browsing history
A story of how various WWW technologies, intended for good, useful purposes:
- cookies
- iframes
- JavaScript
can also be applied for unintended “evil” (privacy invasion)
Cookies
A problem faced early in the development of the WWW:
- http is a stateless protocol (fetch/return)
- some applications
  - “shopping cart” on ecommerce site
  - personalization of page presentation
  - login sessions
  require maintenance of state across page requests
Cookies introduced (Netscape, 1994) to help web servers correlate requests and maintain state on behalf of the client
[Diagram: the browser sends a PAGE REQUEST to the web server and receives PAGE + COOKIE; the browser saves the cookie in its cookie store and later sends PAGE REQUEST + COOKIE.]
Cookie content:
- Cookie Name
- Cookie Value (a number)
- Domain (e.g. amazon.com)
- Expiry date
- Security attributes (discussed later)
Third Party Cookies
[Diagram, built up over four slides: the browser sends a PAGE REQUEST to web server 1 (smh.com.au) and receives PAGE = ....http://3rdparty/img-smh.gif....; it then sends REQUEST http://3rdparty/img-smh.gif to the 3rdparty web server, which returns the image + COOKIE, stored in the browser’s cookie store. Later the browser sends a PAGE REQUEST to web server 2 (amazon) and receives PAGE = ....http://3rdparty/img-amazon.gif....; it sends REQUEST http://3rdparty/img-amazon.gif + COOKIE to the same 3rdparty web server, which returns the image. The 3rdparty server thus receives the same COOKIE from the visits to both sites.]
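The exchange in the diagram, re-enacted as an added example (not from the lecture): an in-memory browser, two first-party sites and a constructed tracker host "3rdparty"; `run(true)` is the defender's variant in which the browser refuses third-party cookies, so the two visits can no longer be correlated.

```javascript
// Added example, not from the lecture: toy re-enactment of the third-party cookie
// diagram. Browser and all servers are in-memory fakes; "3rdparty" is a constructed host.
class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.jar = new Map(); // cookie store: domain -> cookie value
    this.blockThirdParty = blockThirdParty; // the "cookie cutter" setting
  }
  // Fetch `path` from `server`; `topLevel` is the site shown in the address bar.
  request(server, path, topLevel) {
    const allowCookie = !(this.blockThirdParty && server.domain !== topLevel);
    const cookie = allowCookie ? this.jar.get(server.domain) : undefined;
    const res = server.handle(path, cookie, topLevel);
    if (allowCookie && res.setCookie !== undefined) this.jar.set(server.domain, res.setCookie);
    return res;
  }
  // Load a first-party page, then every image it embeds, as a real browser would.
  visit(site, tracker) {
    for (const img of this.request(site, '/', site.domain).embeds) this.request(tracker, img, site.domain);
  }
}
class FirstParty { // smh.com.au or amazon: serves a page embedding a tracker image
  constructor(domain, embeds) { this.domain = domain; this.embeds = embeds; }
  handle() { return { body: 'PAGE', embeds: this.embeds }; }
}
class Tracker { // the 3rdparty web server
  constructor() { this.domain = '3rdparty'; this.nextId = 1; this.log = []; }
  // `referer` is the embedding site, which real browsers disclose in the Referer header.
  handle(path, cookie, referer) {
    const id = cookie === undefined ? String(this.nextId++) : cookie; // first sight: issue a fresh id
    this.log.push({ id, referer, path });
    return { body: 'GIF', setCookie: cookie === undefined ? id : undefined };
  }
  // What the tracker learned: for each id, the first-party sites it was seen on.
  profiles() {
    const p = {};
    for (const { id, referer } of this.log) (p[id] = p[id] || new Set()).add(referer);
    return Object.fromEntries(Object.entries(p).map(([k, v]) => [k, [...v].sort()]));
  }
}
// One browser visits both sites; returns the tracker's browsing-history profiles.
function run(blockThirdParty) {
  const tracker = new Tracker();
  const browser = new Browser({ blockThirdParty });
  browser.visit(new FirstParty('smh.com.au', ['/img-smh.gif']), tracker);
  browser.visit(new FirstParty('amazon', ['/img-amazon.gif']), tracker);
  return tracker.profiles();
}
console.log('allowed:', run(false)); // { '1': [ 'amazon', 'smh.com.au' ] }  -> visits correlated
console.log('blocked:', run(true));  // { '1': [ 'smh.com.au' ], '2': [ 'amazon' ] } -> not linkable
```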
Who are the third parties?
- DoubleClick http://www.doubleclick.com/ (acquired by Google 2007)
- Google Analytics http://www.google.com/analytics/
Some examples of sites using these:
- PCworld.com
- harveynorman.com.au
Cookie Security Attributes
- Secure: send only through encrypted https channel (defends against man-in-the-middle cookie theft)
- HttpOnly: not available to JavaScript, etc. (defends against JavaScript injection attacks, which can steal cookies)
[Diagram: 1. the attacker posts content containing JavaScript to a Web 2.0 site; 2. the target browser requests a page with the attacker’s content; 3. the site returns the content containing JavaScript; 4. the target browser runs the JavaScript, which performs the attacker’s action.]
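A defender's check for the two attributes above, as an added example (not from the lecture): a small Set-Cookie parser plus an audit that flags cookies lacking Secure or HttpOnly. The sample headers are constructed and belong to no real site.

```javascript
// Added example, not from the lecture: parses Set-Cookie response headers and
// flags cookies that lack the Secure and HttpOnly attributes described above.
// The sample headers are constructed and belong to no real site.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('='); // first '=' separates name from value
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) { // attribute names are case-insensitive; flags carry no value
    const i = a.indexOf('=');
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Audit one header. `sensitive` marks session/auth cookies, where HttpOnly matters most;
// `overHttps` records whether the response itself arrived on an encrypted channel.
function auditSetCookie(header, { sensitive = true, overHttps = true } = {}) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.secure) findings.push('no Secure: browser will also send it over plain http');
  if (sensitive && !c.attrs.httponly) findings.push('no HttpOnly: readable by injected script');
  if (c.attrs.secure && !overHttps) findings.push('Secure cookie set over http: unusable, config error');
  if (sensitive && (c.attrs.expires || c.attrs['max-age']))
    findings.push('persistent: sensitive cookie outlives the browser session');
  return { name: c.name, findings };
}

const SAMPLE_HEADERS = [ // constructed
  'SESSIONID=abc123; Path=/; Secure; HttpOnly',
  'SESSIONID=abc123; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT',
  'prefs=dark; Path=/; Secure',
];
function auditAll(headers, opts) { return headers.map(h => auditSetCookie(h, opts)); }
console.log(auditAll(SAMPLE_HEADERS)); // first header clean, second has three findings
```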
Personal Identifiers
Aggregation of data concerning a person is facilitated by the existence of unique identifiers for a person, used for many transactions, e.g.,
- name, age, address
- passport number
- tax file number
- medicare number
- unique identifier for e-health system
- national identity card
- static IP address
Reconstructing Identity
Current research is showing that it is often possible for data to be linked even when there is no personal identifier, based on common characteristics of the data
- common profile information in multiple social networks
- structure of friends network
- similarities in anonymous and identified data (Netflix competition and Internet Movie Database)
- browser configuration profile
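The Netflix/IMDb bullet, as an added example (not from the lecture) of why stripping identifiers is not anonymisation: a pseudonymised ratings release is matched against public, named reviews on shared (movie, rating, date) records, and a margin check reports when the data do not single anyone out. All records are constructed.

```javascript
// Added example, not from the lecture: record linkage between a "de-identified"
// ratings release and public, named reviews. All data below is constructed.
// Each record is [movie, rating, day]; `day` counts from an arbitrary epoch.
const ANON_RELEASE = {            // pseudonym -> ratings (identifiers removed)
  u1: [['Heat', 5, 10], ['Alien', 4, 12], ['Amelie', 2, 30]],
  u2: [['Heat', 5, 11], ['Brazil', 3, 20], ['Alien', 1, 40]],
  u3: [['Amelie', 5, 31], ['Brazil', 4, 21], ['Heat', 1, 15]],
};
const PUBLIC_REVIEWS = {          // reviewer name -> reviews, same shape
  'A. Smith': [['Heat', 5, 12], ['Alien', 4, 14]], // two records overlap with u1
  'B. Jones': [['Heat', 5, 11]],                   // one popular record: fits u1 and u2
};

// Number of a reviewer's public records that agree with a pseudonym's ratings on
// movie and rating, with the dates within `window` days (posting may lag viewing).
function overlap(anonRatings, reviews, window) {
  return reviews.filter(([m, r, d]) =>
    anonRatings.some(([am, ar, ad]) => am === m && ar === r && Math.abs(ad - d) <= window)).length;
}

// Rank pseudonyms for one reviewer. Accept the top one only if its score is positive and
// beats the runner-up by `margin`; otherwise the release does not single anyone out.
function linkReviewer(name, anon = ANON_RELEASE, pub = PUBLIC_REVIEWS, window = 3, margin = 1) {
  const ranked = Object.keys(anon)
    .map(id => ({ id, score: overlap(anon[id], pub[name], window) }))
    .sort((a, b) => b.score - a.score);
  const [best, second] = ranked;
  const lead = best.score - (second ? second.score : 0);
  return best.score > 0 && lead >= margin ? best.id : null;
}

// Link every public reviewer; null means "not re-identifiable from this release".
function linkAll(anon = ANON_RELEASE, pub = PUBLIC_REVIEWS) {
  return Object.fromEntries(Object.keys(pub).map(n => [n, linkReviewer(n, anon, pub)]));
}
console.log(linkAll()); // { 'A. Smith': 'u1', 'B. Jones': null }
```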
Privacy Enhancing Technology
Defenses against privacy incursions:
- Cookie cutters (cookie controls now available in browsers, firewalls)
  Beware: Flash stores its own cookies, not removed by browser cookie controls: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager09.html
- Anonymous browsing services (e.g. Tor, Crowds)
- Digital Cash (yet to happen in practice)
Tor
- https://www.torproject.org/
- Developed at US Naval Research Lab to help protect staff posted in the Middle East from traffic analysis
- Objective: Anonymous Browsing
- “Onion Routing”: randomized routing, encrypted content
- Not perfect: anyone can set up a Tor node and monitor exit traffic. Reported cases of plaintext embassy account passwords captured this way!