1 SECURITY OF THE DIGITAL NATIVES
Oct 21, 2014
Security of The Digital Natives
Aim of the study
The goal of this survey is twofold: on the one hand it focuses on the awareness and knowledge of university students, trying to understand how their perception of security compares with their actual knowledge; on the other hand it outlines the threat landscape on the basis of their habits: the way they use their mobile devices, the type of data they store on them and the operations they perform.
Who we are
Tech and Law Center is an interdisciplinary center promoted by a research group composed of members from Università di Milano, Università di Milano–Bicocca, Università dell’Insubria and Politecnico di Milano. The center's projects and events address digital technologies and their interaction with law and society.
The research team
Giuseppe Vaciago, Tech and Law Executive Committee
Francesca Bosco, Tech and Law Executive Committee
Valeria Ferraris, Researcher
Pasquale Stirparo, Tech and Law Fellow
The research team
Stefano Zanero, Tech and Law Executive Committee
Pierluigi Perri, Researcher
Davide Ariu, Tech and Law Fellow
Brikena Memaj, Tech and Law Member
Giuseppe Vaciago
Lawyer at Milan and Professor of IT Law
Partner at R&P Legal
Giuseppe Vaciago has been a lawyer of the Milan Bar since 2002 and for the last 10 years his primary focus has been IT law, with a particular focus on cybercrime. He has assisted many national and international IT companies. He is the author of many publications on cybercrime, in both scientific journals and textbooks, which have been adopted by the University where he teaches. Academically, he received his PhD in Digital Forensics from Università di Milano and he is a lecturer at Insubria University (Varese and Como), where he holds a course on IT law. He has also delivered many lectures and presentations both in Italy and abroad.
He attended Fordham Law School and Stanford Law School as a Visiting Scholar to expand his studies in his own particular research area.
He is a member of the executive committee of Tech and Law Center and a fellow at the Nexa Center and at the Cybercrime Institute of Koln.
Twitter: @giuseppevaciago
Francesca Bosco
UNICRI Project Officer and PhD student at Università di Milano Bicocca
Francesca Bosco earned a law degree in International Law and joined UNICRI in 2006 as a member of the Emerging Crimes Unit. In her role in this organization Ms. Bosco is responsible for cybercrime prevention projects and, in conjunction with key strategic partners, has developed new methodologies and strategies for researching and countering computer-related crimes.
More recently, Francesca has been researching and developing technical assistance and capacity building programs to counter the involvement of organized crime in cybercrime, as well as the legal implications and future scenarios of cyberterrorism and cyber war. Furthermore, she is researching and managing projects on hate speech online and on data protection issues related to automated profiling.
Francesca is one of the founders of the Tech and Law Center, she sits on the Advisory Board of the Koln Cybercrime Institute and she is currently a PhD candidate at the University of Milan.
Twitter: @francibosco
Pasquale Stirparo
Digital Forensics Engineer, Founder at SefirTech
Ph.D. candidate at Royal Institute of Technology (KTH) Stockholm
Pasquale Stirparo is a Digital Forensics Engineer and the founder of SefirTech, a company focusing on Mobile Security, Digital Forensics and Incident Response. Prior to founding SefirTech, Pasquale worked at the Joint Research Centre (JRC) of the European Commission as a Digital Forensics and Mobile Security Researcher, with particular interest in the security and privacy issues related to mobile device communication protocols, mobile malware and cybercrime. He has also been involved in the development of the standard “ISO/IEC 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence”, for which he led the WG ISO27037 for the Italian National Body in 2010.
Author of many scientific publications, he has also been invited as a speaker to several national and international conferences and seminars on Digital Forensics, and has lectured on the same subject for Politecnico di Milano and the United Nations (UNICRI). Pasquale is a Ph.D. candidate at the Royal Institute of Technology (KTH) of Stockholm, holds an MSc in Computer Engineering from Politecnico di Torino and is certified GCFA, OPST, OWSE, ECCE.
Twitter: @pstirparo
Chapters of the report
Legal and policy making considerations
Analysis of the questionnaires
Conclusions and recommendations
Technical considerations
Analysis of the questionnaires
Methodological remarks
The survey was carried out using a questionnaire containing 60 multiple-choice questions divided into sections related to the different aspects of the issue: practice patterns for smartphones, tablets and laptops; approach to the various networks; and, for all the applications on the devices, the use of passwords, the perception of the security risks, and the general interest in and knowledge of the topic.
The target population was university students. The administration of the questionnaire was carried out anonymously through the platform “Google Form” from September to November 2013 and it involved over 15 Italian universities.
1012 questionnaires were collected. These presented responses from a wide range of geographic areas and degree choices (with a good mix of students from both the sciences and the humanities).
Users groups
The statistical technique helped in identifying 3 well-diversified groups, each presenting homogeneous characteristics useful to define 3 user profiles:
Light users: this group represents 38,3%.
Medium users: this group represents 24%.
Heavy users: this group represents 37,4%.
The sample: gender and study
Communication science: 8,9%
Law: 29,6%
Other faculties: 22,2%
Computer science and engineering: 39,3%
Smartphone and tablet users are 58% male and 42% female, in line with the higher male presence in IT studies.
The use of mobile devices
Some preliminary questions aimed at understanding how students use their mobile devices and what they save on them.
70% take photos and videos with their smartphones and tablets
27,7% store personal passwords on their devices
97% save contacts, photos and videos
75% “always or often” make phone calls, receive text messages/e-mails, browse the web, and use Skype and social apps
The knowledge and fear of risks
How worried they are about the security of their mobile devices
[Chart: 33,4% / 5,6% / 53% / 8%; the response labels were not preserved in this extraction]
The knowledge and fear of risks
How secure they feel when doing these activities with their mobile devices
The password use and management and the technologies to protect mobile devices
Protect mobile devices with PIN number: 28,8%
Protect mobile devices with pattern lock: 23,9%
Protect mobile devices with password/passphrase: 6,6%
Protect mobile devices with biometrics (e.g. voice recognition): 0,6%
Technical solutions to protect data in mobile devices
20% of the students do not know what these solutions are and another 20% do not use them. Among the systems used:
Final question on self assessment
How they assess their knowledge on mobile security (%)
Legal and policy making considerations
Results of the survey and possible scenarios
Password: students pay absolutely no attention to the password-relevant security requirements and simply use a predictable password.
Apps: students install software and applications from unauthorized stores, or without paying attention to the access rights requested.
Sharing: the mobile device is passed on to someone else, in particular when it is sold second hand or lent to someone.
Results of the survey and possible scenarios
27% of students interviewed save, on their device, PINs and passwords used for private services
40% of students interviewed do not log out after using an online service
53% of students interviewed very rarely or never check the type of permissions required when downloading an app
41% of students interviewed use open Wi-Fi networks to connect to the Internet on their mobile device, using all types of functions
Password is tiring...
It follows that one of the most critical issues to be tackled in the IT field is that users need to be persuaded to use a password that can actually protect their data. Our research in fact revealed that:
40% of students interviewed do not use a password to protect their mobile device
41% of students interviewed said that, when asked to change their password, the new password they create is a minor variation on the previous one
5% are currently using two-factor authentication
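As an added illustration (not code from the report or from Tech and Law Center), the finding that a "new" password is usually a minor variation on the old one can be caught at password-change time, when the user types the current password to authorize the change. The check below (hypothetical names, constructed sample pairs) reduces both passwords to a core form and rejects the change when the cores coincide, are mirror images, or sit within a small edit distance.

```python
import re

# Cosmetic substitutions users make to "change" a password (l33t-style); a constructed table.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _core(pw: str) -> str:
    """Reduce a password to its core: lower-case, drop leading/trailing digits and
    punctuation (the 'Milano2013!' -> 'Milano2014!' trick), then undo l33t swaps."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())
    return (stripped or pw.lower()).translate(_LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings, row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_minor_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` differs from `old` only cosmetically."""
    if old == new:
        return True
    a, b = _core(old), _core(new)
    if a == b or a == b[::-1]:          # same core, or simply reversed
        return True
    return levenshtein(a, b) <= max_edits


def check_password_change(old: str, new: str, min_length: int = 12) -> list:
    """Policy check at password-change time; returns the list of violations
    (an empty list means the change is accepted)."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_minor_variation(old, new):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample changes, not survey data.
    for old, new in [("Milano2013!", "Milano2014!"), ("P@ssw0rd", "Passw0rd!"),
                     ("password", "drowssap"), ("Milano2013!", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'accepted'}")
```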
Identity Theft – A fragmented scenario
1. Lack of specific legislation on ID theft
2. Lack of a national reporting system on ID theft
3. Different penalties from country to country
“Comparative Study on Legislative and Non Legislative Measures to Combat Identity Theft and Identity Related Crime: Final Report”, RAND Europe, June 2011.
Identity Theft
1. Introduction of ad hoc legislation
2. Reinforcement of the collaboration between national investigative bodies via an EU contact network
• Centralized reporting system on an EU basis
A good example: the CONSAP project on ID theft for the financial, telco and insurance sectors (Legislative decree 64/11)
Cybersecurity Campaign Initiative
The Italian Data Protection Authority focuses attention on the correct use of mobile devices with its 'Fatti smart!' ['Be Smart!'] campaign.
ENISA is organizing in the coming months a cybersecurity championship in which university students compete in a Network Information Security Challenge.
Security v. Usability
54.5% of the students use sites that require authentication via Google or Facebook.
This confirms the extent to which usability is a determining factor in the level of trust that a user places in an online service.
Usability is the central issue in increasing the level of security of mobile devices.
The Regulation of Mobile Devices in Universities
In certain American universities security standards (e.g. HIPAA) are imposed on mobile devices owned by students and university staff (Bring Your Own Device, BYOD) in order to verify their security level (use of anti-virus software, updates to the operating system and encryption systems).
1. D. Solove: “Schools are gathering and sharing a mammoth amount of personal data”
2. There is no clear security policy for mobile devices in Italian universities
3. Not only students, but also professors are not always aware of cybersecurity risks
D. Solove, 5 Things School Officials Must Know About Privacy
Proposed Solutions and Initiatives
Awareness, Responsibility, Response, Ethics, Democracy, Risk assessment, Security design and implementation, Security management, Reassessment
Technical Considerations
Awareness, knowledge and (false) perception
When asked to evaluate their knowledge of mobile security issues on a scale from 1 to 10, a significantly high percentage of the respondents (55%) graded themselves between 6 and 8. This, however, contrasts with the average percentage of “correct” technical answers in the questionnaire, which was 29%.
This discrepancy between perceived knowledge and the actual knowledge conveyed through answers to technical questions was confirmed by the different levels of confidence at the beginning and at the end of the survey.
After going through the security questions in the survey, the confidence of university students in their level of knowledge falls: 82% of respondents rated their confidence above 6 before the survey, against 66% at the end.
The possibility of a bias induced by the Dunning-Kruger effect should be taken into consideration: a cognitive bias in which unskilled individuals suffer from illusory superiority, mistakenly rating their ability much higher than is accurate. This bias is attributed to a metacognitive inability of the unskilled to recognize their ineptitude.
Security Threats
Threats that may arise from the students' behavior and habits:
General: habits and behaviors that may impact all security aspects, reflecting on all the threats.
Identity theft: habits that involve personal data and potential security and privacy threats.
Economical: habits that may have economic consequences (losses) for the individuals.
General Security Issues
Which concerns how respondents behave with respect to software updates and application permissions.
7% of respondents perform regular updates to both mobile OS and apps
81% is the share of iOS devices in the wild outdated for longer than a year
4% of Android devices in the wild still run the 3-year-old Gingerbread version
24% do not regularly update their mobile operating system (OS) or their mobile apps
Oddly enough, the presence in the market of old mobile OS versions, mainly related to Android phones, is still very high.
General Security Issues
Which concerns how respondents behave with respect to software updates and application permissions.
[Chart: 53,8% never or rarely check app permissions; 25,5% and 20,7% for the other response categories, whose labels were not preserved in this extraction]
Moving to the installation and usage of apps, almost 54% of the respondents never or rarely check the permissions apps require. Such behavior is a dangerous trend that needs to be addressed: overlooking the privileges an app requires increases the proliferation of malware, since users will install anything and click “YES” on anything.
Identity Theft
96% of users store their address book on their phones, along with personal photos and videos
25%: just 25% of respondents regularly log out when done using an app
40% do not use any lock mechanism to prevent unauthorized access to the device
52% claimed to forsake the security features in order to maintain easy access to the device
Economical Threats & the risk of mobile malware
It appears that users very often do not check the permissions required by the apps. This may be due to the fact that on some mobile platforms (Android, Windows Phone) permissions are granted in an “all or nothing” form.
This is a dangerous model that trains people to overlook permissions, because they want to install that application no matter what the requirements are.
This result becomes more worrisome if linked with the fact that 17% of the respondents install mobile applications from untrusted sources other than the official application markets.
These two results together support the proliferation of mobile malware and particularly of the “toll fraud” category, where the application silently subscribes the user to premium-rate SMS services.
What about Secure Development?
Among the respondents who declared that they develop mobile applications (either for fun or profit), only 28% were following the guidelines for secure mobile programming.
[Chart: 28,2% follow secure mobile programming guidelines; 8,5%, 40,1% and 23,2% for the other response categories, whose labels were not preserved in this extraction]
Proposed solutions and initiatives
From a manufacturers and vendors perspective
From the questionnaire it emerged that the respondents are inclined to regularly update their devices. We can infer from this that they are conscious of the importance of software updates, but also that the procedures to update mobile devices and apps are considerably more intuitive than they used to be in the “desktop” environment.
However, this result appears to be in contrast with some worrisome statistics concerning the number of mobile devices running outdated OSs.
We can argue that the responsibility for this lies with the market policies of carriers and manufacturers and, in the case of the Android platform, also with the extreme fragmentation of the market.
Therefore a key role is played by vendors, who should be required to provide software updates for their products for a longer period of time.
Proposed solutions and initiatives
From the mobile operating system perspective
Mobile operating systems should allow users to install applications without being obliged to accept all the permissions required. It has to be possible for users to revoke/grant any single permission at any time, without being compelled to reject the entire application.
They should provide, alongside the device reset functionality, the possibility of removing the users’ private data stored within the installed applications in a centralized and straightforward way.
They should deliver advanced solutions to ease password management. In fact, although most of the respondents (85%) agree on and understand the importance of having a passlock mechanism in place, most of them still struggle to use one.
Proposed solutions and initiatives
From the mobile software development companies and individual developers perspective
Developers could enforce the use of (strong) passwords, requiring that advanced features of certain applications are enabled only if passwords have been properly configured. A similar approach could also be adopted to enforce the use of non-rooted/jailbroken devices.
They should be liable in case the application does not implement the security mechanisms required to ensure the adequate storage and transmission of the users’ data. Policies, standards and laws should be introduced that establish this responsibility.
Contact Us
facebook.com/[email protected]
twitter.com/techlawcenter
Tech and Law Center
www.techandlaw.net