ICT Security Issues in Europe
Tony Brett
Oxford University Computing Services
http://users.ox.ac.uk/~tony
Agenda
• Brief Security Update
• Identity Theft
• Standards and Governments
• The Future of Spam
• Vulnerabilities
• Biometrics
• Some Stories
• Questions & URLs
“Even in 2003, security is the least understood of all computer system components.”
A Brief Security Update
What is being spent?
[Chart: security budget per managed machine by organization size (Very Large, Large, Medium, Small), June 2002 vs. February 2003; vertical scale $0 to $6,000. Source: Information Security Magazine, May 2003]
How much of the Budget?
[Chart: security budget as a percentage of IT budget by organization size (Very Large, Large, Medium, Small), June 2002 vs. February 2003; vertical scale 0% to 20%. Source: Information Security Magazine, May 2003]
Security Adoption in Europe
[Chart: adoption (0% to 100%) by technology: Biometrics, Intrusion Detection, Monitoring Employees, Encryption, Firewall HW, Firewall SW, Antivirus. Source: IDC’s “European Security Products & Strategies Service”]
Are you serious?
• European Password Survey by NTA Monitor, November 2002 (http://www.nta-monitor.com/fact-sheets/pwd-main.htm):
– 67% of users rarely or never change their passwords
– 22% admit they would only ever change their password if forced to by a Web site or the system/IT department
– Number of passwords a user has to know: average 21, maximum 70
– Users who write down their passwords: 49% of heavy computer users, 31% of all users
63% of security breaches are caused by human error.
Source: Computing Technology Industry Association, 2003
Identity Theft
• Identity theft claimed 3.4% of U.S. citizens, or 7 million victims, during the past year
• The UK government estimates this crime has cost more than £1 billion over the same period
Sources: Gartner, July 2003, based on U.S. stats; BBC News
• The typical identity-theft victim in the United States spends 175 hours actively trying to resolve the problems caused by identity theft
Source: Congressional Press Release, Sep. 2000
Identity theft is Britain's fastest-growing white-collar crime, increasing at nearly 500% a year.
“The number of consumers who have fallen prey to identity thieves is severely underreported.” Moreover, arrests in identity theft cases are extremely rare, catching the perpetrator in only one out of every 700 cases.
Source: Unesco Observatory on the Information Society
“The current [Internet] identity-theft hot spots are Eastern Europe and Southeast Asia, where the level of education and technical sophistication is high, and where tracking down and prosecuting criminals can be very tricky.”
Bruce Townsend, Special Agent, Financial Crimes Division, US Secret Service
A true story
• TriWest Healthcare Alliance in Arizona provided healthcare services for members of the U.S. military.
• Thieves stole computers containing confidential records.
• Losses were $2.7 million. Cost to victims: $30 million to repair damage to credit ratings.
The worst case scenario
• Stolen identities used for criminal acts
– First day of work for a woman in San Diego
– Employer did a background check
– She arrived, and then departed in handcuffs
• Her ID had been used when another woman was arrested for drug possession.
Phishing
• E-mail purporting to be from a bank etc. invites submission of personal details
• The recent Russian phishing scams load the real Barclays/Halifax/Nationwide etc. pages in one browser window, alongside a pop-up from the fake site requesting account details.
• Fake URLs abuse the user-info part of the address. In http://www.barclays.co.uk@3468664375/verify.htm everything before the “@” is treated as a username and ignored for routing; the browser actually connects to the host 3468664375, which is an IP address written as a single decimal number.
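To make the trick concrete, here is an added example (it is not from the original presentation) that splits a URL the way a browser does, reports what a reader sees before the “@” against the host that is really contacted, and decodes a host written as one decimal or hexadecimal integer back into dotted-quad form. The first sample URL is the one quoted on the slide; the other sample URLs are constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Browsers of the period accepted a host written as a single 32-bit integer,
# in decimal ("3468664375") or hex ("0xcebf9e37"). Turn such a host back into
# a dotted quad so it can be logged and compared with what the e-mail showed.
_DOTLESS = re.compile(r"0x([0-9a-f]+)|([0-9]+)")


def decode_numeric_host(host):
    """Return 'a.b.c.d' for a bare-integer host, or None if it is not one."""
    m = _DOTLESS.fullmatch(host.lower())
    if not m:
        return None
    value = int(m.group(1), 16) if m.group(1) else int(m.group(2))
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def analyse_url(url):
    """Split a URL as the browser does and report the phishing tells.

    Everything between '//' and '@' is the userinfo field, which the browser
    sends as credentials and never uses to choose the server. Phishers put the
    legitimate site name there so a casual reader takes it for the host.
    """
    parts = urlsplit(url)
    displayed = parts.username            # text before '@', None if there is no '@'
    host = parts.hostname or ""
    findings = []

    if displayed is not None and parts.scheme in ("http", "https"):
        findings.append(
            f"userinfo {displayed!r} precedes '@'; the browser connects to {host!r}, not to it"
        )

    decoded = decode_numeric_host(host)
    if decoded:
        findings.append(f"host {host!r} is a bare integer that decodes to {decoded}")
    elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"host {host!r} is a raw IP address rather than a domain name")

    return {
        "displayed": displayed,
        "actual_host": decoded or host,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # First URL is the one quoted on the slide; the rest are constructed samples.
    for u in (
        "http://www.barclays.co.uk@3468664375/verify.htm",
        "http://www.barclays.co.uk@0xcebf9e37/verify.htm",
        "http://192.0.2.10/verify.htm",
        "https://www.barclays.co.uk/verify.htm",
    ):
        r = analyse_url(u)
        label = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{label:10} {u}")
        for f in r["findings"]:
            print("   -", f)
```

A mail gateway or proxy can run the same check over every link in inbound mail: a userinfo field on an http URL is almost never legitimate, and a host that is a bare integer or raw IP address is worth quarantining before the user sees the pop-up.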
Pop Quiz 1
Since 1976, more than 2.5 million U.S. patents have been issued. How many reference the word “security”?
– A. 16,475
– B. 123,210
– C. 64,689
– D. 493,298
Answer: D. 493,298
Standards & Governments
• The United States has taken an industry-by-industry approach to privacy protection in its laws and regulations, in contrast to European countries.
• Privacy measures are contained in specific laws on credit reporting, cable television regulation, video rental data, banking information, telecommunications, etc.
Variation by Country
• The United States relies on citizen initiative and judicial enforcement
• Britain uses a registration system
• Germany uses an ombudsman
• Sweden employs a licensing system
• Info on comparative laws: Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Ithaca: Cornell University Press, 1992)
Standards to Watch
• XML is the basis for many new protocols
• Security Assertion Markup Language (SAML)
– Carries authentication and authorisation assertions between security domains
• Web Services Description Language (WSDL)
– Tells apps what web services are available and how to ask for them
• Simple Object Access Protocol (SOAP)
– Defines the conversation between service provider and requestor
• Universal Description, Discovery, and Integration (UDDI)
– Provides repositories for service definitions
European Standards
• British Standard 7799 Part 1
– High-level security advice
– Just a checklist and not a process?
• British Standard 7799 Part 2
– Similar to Part 1, but with fewer suggestions for implementation (“shall” instead of “should”)
• ISO 17799
– Based on BS 7799 Part 1, passed in 2000
Other Security Works
• ISO Guidelines for the Management of IT Security (GMITS, ISO/IEC TR 13335)
– Five-part technical report
• NIST Special Publication 800-14
– Best practices based on BS 7799 but more detailed
– Security handbook: SP 800-12
– Security self-assessment: SP 800-26
The Midas Touch…
• U.S. requires the 27 visa-waiver countries to put biometric data onto passports by October 2004
• Singapore may be the first country to implement
• U.K. to use fingerprint info
• New EU passports will be embedded with a radio frequency ID chip that contains biometric data
European Digital Rights
• European Digital Rights (EDRi) was formed by 10 separate bodies in seven EU member states
• In the UK, the Foundation for Information Policy Research (FIPR) and Privacy International will work with EDRi.
• They oppose EU and Council of Europe incursions into personal data:
– Data retention requirements
– Telecommunications interception
– Council of Europe cybercrime treaty
– Internet rating and filtering
– Restrictions on Web-based freedom of speech
Viva la Air France!
• Air France won the right to take over a Web site that uses a garbled version of its name, apparently to steer business toward other travel firms and some finance companies.
• Known as “typosquatting”
• Ruling by the United Nations’ World Intellectual Property Organisation (WIPO), which runs an arbitration service for Internet name disputes
• The arbitrator said that the “typographical misspelling” of the Air France trademark showed that the site was registered in bad faith
• http://www.0xford-university.org/
• http://www.yaju.com
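The two hostnames above show the two common forms of typosquatting: a lookalike character (“0xford” for “oxford”) and a one-keystroke misspelling. The following is an added example, not part of the original presentation, of a check that flags both against a list of brands you want to protect. The brand list, the confusables table and the short list of second-level suffixes are assumptions made for the example; a production tool would take its suffix rules from the Public Suffix List.

```python
# Characters that pass for letters in a typical address-bar font (assumed table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Suffixes under which the registrant's name sits one label deeper, e.g. co.uk
# (assumed list for the example; the real set is the Public Suffix List).
SECOND_LEVEL = {"co", "ac", "org", "gov", "net"}


def fold_confusables(label):
    """Replace lookalike characters with the letters a reader perceives."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and swapping two adjacent characters each cost 1 (a 'barcalys' typo is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registered_label(hostname):
    """The label the registrant chose: 'barclays' in www.barclays.co.uk."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def check_typosquat(hostname, brands, max_distance=1):
    """Return (brand, offending_part, reason) tuples for hostnames that imitate a brand.

    The registered label is tested whole and, if hyphenated, part by part, so
    that '0xford-university' is caught on its '0xford' component.
    """
    label = registered_label(hostname)
    parts = [label] + (label.split("-") if "-" in label else [])
    hits = []
    for brand in brands:
        brand = brand.lower()
        for part in parts:
            if part == brand:
                break          # exact brand label: not a typo (cousin domains are out of scope here)
            folded = fold_confusables(part)
            if folded == brand:
                hits.append((brand, part, "lookalike characters"))
                break
            if abs(len(part) - len(brand)) <= max_distance and edit_distance(folded, brand) <= max_distance:
                hits.append((brand, part, f"within {max_distance} edit(s)"))
                break
    return hits


if __name__ == "__main__":
    brands = ["oxford", "barclays"]            # assumed watch list
    for host in ("www.0xford-university.org",  # the slide's example
                 "www.barcalys.co.uk",          # constructed transposition
                 "www.barclays.co.uk"):         # the genuine name
        print(host, "->", check_typosquat(host, brands) or "no match")
```

Running this over newly registered domains, or over the hostnames in inbound mail, gives the evidence an arbitrator wants: a name that only differs from the trademark by a confusable glyph or a single keystroke is hard to explain as good faith.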
The Future of SPAM
• MessageLabs scanned (Oct. 2003)
– 252 million e-mail messages for spam
– 325.8 million e-mails for viruses
• Results
– Spam was 50.5% of overall messages (15% in Oct. 2002); increasing at 15% per month
– 1% viruses
[Chart: Ratio of SPAM in E-mail by sector, horizontal scale 0% to 100%; sectors shown: Real Estate, IT & Telecoms, Education, Mining & Fuel, Chemical & Pharm, Healthcare, Retail, Administration, General Services, Non-Profit, Manufacturing, Distribution, Marketing, Media & Publishing, Professional Services, Finance & Insurance, Agriculture, Hospitality, Recreation & Leisure, Utilities, Gov & Public Sector, Construction; values range from 7.3% to 99.0%]
5th March 2003
• AOL announced it had blocked one billion spam emails from reaching its members in one day
US Laws
• Many new laws being created by states, feds, international
• Lawsuits being filed against “legitimate” spammers (AOL is a big plaintiff)
• California court upheld a law requiring unsolicited commercial email to have “ADV:” or “ADV:ADLT” in the subject
• False headers in Minnesota are subject to $25 per email or $35,000 per day max
Euro-SPAM
• Opt-in and opt-out laws for the EC (Directive 2002/58/EC)
– Entry into the Official Journal 31st July 2002
– 31st October 2003: implementation by member states
– Prohibits unsolicited e-mail, SMS and similar messages for direct marketing
– Requires the prior explicit consent of the recipients
EuroCAUCE
• The European Coalition Against Unsolicited Commercial Email
• Internet users who are fed up with spam and have formed a coalition to promote legislation which would outlaw UCE
• Volunteers, don’t take money
• http://www.euro.cauce.org/en/index.html
The Goal
• Make spamming cost-prohibitive
• Spammers send out millions of messages to reach the handful of users who respond
• We all suffer
How they do it
• Number/symbol substitution
– “Get Low Mortgage” becomes “Get Low M0rtgage”
– “Holy Sh!t”
• Misspell key words
– “Creditcard”
• Innocuous words
– “Come see me”
• Use your name in the subject or message
Filter technologies
• Statistical filters
– Look at the words in e-mail over a period of time
– Calculate the likelihood that a message is spam
– Reliable 95-99% of the time
– Generate few false positives
• Open source spam filters
• Bayesian filters - http://spamconference.org
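The two slides above describe the arms race from both sides: the number/symbol substitutions spammers use (“M0rtgage”, “Sh!t”) and the statistical filter that scores each word by how often it has appeared in spam versus legitimate mail. This added example (not from the original presentation) puts the two together in Python: a tokenizer that folds the common substitutions back to letters, and a filter in the style of Paul Graham’s “A Plan for Spam” that combines the most decisive per-token probabilities into one score. The training corpora, the substitution map and the sample messages are constructed for the example.

```python
import math
import re
from collections import Counter

# Spammers disguise trigger words with digit/symbol substitutions ("M0rtgage",
# "Sh!t", "v1agra") so that a plain keyword list misses them. Folding the common
# substitutions back before tokenizing gives the filter the token a reader sees.
# Only runs of such characters *between* letters are folded, so a trailing "!!!"
# or a price like "$50" is simply dropped by the tokenizer. The map is an
# assumption for this example; "1" is ambiguous (i or l) and is read as "i".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                               "7": "t", "!": "i", "$": "s", "@": "a"})
_INTERIOR = re.compile(r"(?<=[a-z])[0-9!$@]+(?=[a-z])")


def tokenize(text):
    """Lower-case, undo interior substitutions, and return the alphabetic tokens."""
    text = text.lower()
    text = _INTERIOR.sub(lambda m: m.group(0).translate(SUBSTITUTIONS), text)
    return re.findall(r"[a-z]+", text)


class BayesianFilter:
    """Per-token spam probabilities combined in the manner of Paul Graham's
    'A Plan for Spam', the approach behind the spamconference.org filters."""

    def __init__(self):
        self.spam_counts = Counter()   # number of messages containing each token, per class
        self.ham_counts = Counter()
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        tokens = set(tokenize(text))   # count a token once per message
        if is_spam:
            self.spam_counts.update(tokens)
            self.nspam += 1
        else:
            self.ham_counts.update(tokens)
            self.nham += 1

    def token_prob(self, token):
        """P(spam | token), clamped to [0.01, 0.99]; 0.4 for never-seen tokens."""
        b = self.spam_counts[token]
        g = 2 * self.ham_counts[token]   # ham is double-weighted: a false positive costs more
        if b + g == 0:
            return 0.4
        bad = min(1.0, b / self.nspam) if self.nspam else 0.0
        good = min(1.0, g / self.nham) if self.nham else 0.0
        return min(0.99, max(0.01, bad / (good + bad)))

    def score(self, text, top_n=15):
        """Combine the top_n most decisive token probabilities into one spam score in [0, 1]."""
        probs = [self.token_prob(t) for t in set(tokenize(text))]
        if not probs:
            return 0.5
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:top_n]
        spam = math.prod(probs)
        ham = math.prod(1.0 - p for p in probs)
        return spam / (spam + ham)


# Constructed training corpora; a real filter learns from thousands of messages.
SPAM_CORPUS = [
    "get low m0rtgage rates now",
    "cheap v1agra click here now",
    "lowest mortgage rates approved",
]
HAM_CORPUS = [
    "meeting moved to thursday afternoon",
    "attached the draft report for review",
    "can we reschedule the meeting",
]


def build_demo_filter():
    f = BayesianFilter()
    for message in SPAM_CORPUS:
        f.train(message, True)
    for message in HAM_CORPUS:
        f.train(message, False)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for message in ("Get Low M0rtgage now!!!",
                    "Holy Sh!t, l00k at v1agra",
                    "Can we move the meeting to Thursday?"):
        print(f"{f.score(message):.4f}  {tokenize(message)}")
```

Because the substitutions are undone before scoring, “M0rtgage” and “Mortgage” produce the same token and the same score, which is why this class of filter holds up against the obfuscation tricks on the previous slide; the 0.4 default for unseen words and the double weight on legitimate mail are what keep the false-positive rate low.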
Vulnerabilities
• They can be anywhere
– Has that MP3 or WMF file been modified? Will opening it take over your machine?
Port Scans Worldwide
Source: Internet Storm Center, Nov 2003
Top 10 Ports Scanned
• 80 World Wide Web HTTP
• 1433 Microsoft-SQL-Server
• 1434 Microsoft-SQL-Monitor
• 135 DCE endpoint resolution
• 137 NETBIOS Name Service
• 445 Win2k+ Server Message Block
• 25 Simple Mail Transfer
• 901 RealSecure sensor
• 53 Domain Name Server
• 554 Real Time Stream Control Protocol
Attacks by Business Sector
[Chart: attacks by business sector; sectors shown: Managerial, Insurance, Telecommunications, Manufacturing, Services, Information Technology, Entertainment, Government. Source: ISS; from 10/28/02 to 12/31/02]
Virus Control
• Trying to improve upon heuristics to prevent viruses
• Still not used by all users
• Users are still enticed
– Malware can bypass e-mail entirely once a user jumps to a web site
– “Click here and see big thingies…”
Pop Quiz #2
What was the first patent that used the term “biometrics”?
– A. A fingerprint ID machine
– B. A basal body temperature monitor
– C. A method for tranquilizing warm-blooded animals
– D. A treadmill that tracks heart rate
Answer: D. A treadmill that tracks heart rate
Biometrics: Free lunch through eyes
• Problem:
– Poor kids showed a voucher while “rich” kids used money
• Solution:
– Uses a retina scan to verify the student
– Pulls money from the student’s account or redeems an electronic voucher
• A high school in western England
You smell!
• Each mouse has a unique urine smell
• A similar link may exist between the genes that control a human’s immune system and their body odor
• Funding to determine if human smells are unique
Walk the walk
• Nationwide Building Society (UK) is using biometric signatures to combat fraudulent transactions and cut the use of paper
• Requires employees to verify fingerprints every several transactions
Vacation messages
• “Sorry I can’t reply to your email. I’m on holiday until …”
• Use “out of the office today”, or send the auto-reply only to internal e-mail
• With a simple cross-reference, a bad guy can get your home address, and the message has already told him until when you are away
Young hacker!
• 11 year old boy in Florida
• At lunch, went to a classroom
• Teacher hadn’t logged off
• Changed his grades
• Facing felony charges (doubtful he’ll see any jail time)
Jail time…
• Trippin Smurfs
– Broke into 10 JPL servers on the day of the Columbia tragedy (Feb. 1)
– Expected to receive long prison terms
• Brian Ferguson
– Hacked the AOL account of NY judge Kim Eaton
– 3 years
• William Grace & Brandon Wilson
– Hacked a California court
– 9 years behind bars
• Douglas Boudreqeau
– Broke into the Boston College network
– Charged $2000 to other BC students
– Suspended, and the school will pay for his defence to “ensure he is adequately represented”
Nigerian Bank Scam – 419
• People receive email claiming that they’ve won $10 million
• All they need to do is cash a cheque and have $1 million transferred to an account in Nigeria
• User makes $9 million for the effort
• After the money is transferred, the bank account is closed; the cheque bounces; the user is out $1 million
• $90,000 average loss to 150 U.K. residents who fell for it
“Don’t mess with a bull… you’ll get the horns.”
As Principal Vernon said in The Breakfast Club…
Resources and Questions
• Thanks to Alan Mark of Novell for permission to use some of his slides from Brainshare Europe 2003 in this presentation
• Questions? http://users.ox.ac.uk/~tony
URLs
http://www.usdoj.gov/criminal/cybercrime/usamarch2001_3.htm
http://www.usdoj.gov/criminal/fraud/idtheft.html
http://www.privacyrights.org/
http://www.fraud.org/
http://www.nfcglobal.com
http://www.ftc.gov/
http://www.computerworld.com/cwi/itresources/resource_center/0,,NAV63_KEY73,00.html
http://www.calpirg.org/consumer/privacy/idtheft2000/
http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
http://moneycentral.msn.com/articles/banking/credit/1342.asp
http://www.usnews.com/usnews/issue/000214/nycu/credit.htm
http://www.cnn.com/TECH/computing/9910/11/id.theft.idg/index.html
http://seattletimes.nwsource.com/news/local/html98/cens28m_20000328.html
http://news.bbc.co.uk/hi/english/uk/newsid_1395000/1395109.shtm
http://news.bbc.co.uk/hi/english/business/newsid_526000/526709.shtm
http://dailynews.yahoo.com/h/wdiv/20010605/lo/823519_1.html
http://dailynews.yahoo.com/h/nf/20010607/tc/11076_1.html
http://news.bbc.co.uk/hi/english/business/newsid_1395000/1395109.shtm
http://news.bbc.co.uk/hi/english/static/in_depth/uk/2001/life_of_crime/cybercrime.shtm
http://204.202.137.113/sections/scitech/DailyNews/ie010430_idtheft_feature.html
http://www.unesco.org/webworld/observatory/in_focus/identity_theft.shtml