
SECURITY OF THE DIGITAL NATIVES - English version

Oct 21, 2014


The project sets out to study the level of awareness and perception of IT security amongst university students, paying particular attention to the world of mobile devices. The report analyses the answers given by 1012 students from over 15 Italian universities to a multiple-choice questionnaire. The analysis shows that students’ perception of their knowledge is generally wrong and that they are unaware of the risks arising from their behaviour. In view of these risks, a proposal has been made to implement technical and legal measures to reduce future problems deriving from faulty or lax adoption of security measures on their mobile devices.
Page 1: SECURITY OF THE DIGITAL NATIVES - English version

SECURITY OF THE DIGITAL NATIVES

Page 2: SECURITY OF THE DIGITAL NATIVES - English version


Security of The Digital Natives

Aim of the study

The goal of this survey is twofold: on the one hand the focus is on the awareness and knowledge of university students, trying to understand how their perception of security compares with their actual knowledge; on the other hand we focus on outlining the threat landscape on the basis of their habits, the way they use their mobile devices, the type of data they store and the operations they perform.

Page 3: SECURITY OF THE DIGITAL NATIVES - English version


Who we are

Tech and Law Center is an interdisciplinary center promoted by a research group composed of members from Università di Milano, Università di Milano–Bicocca, Università dell’Insubria and Politecnico di Milano. The center's projects and events address digital technologies and their interaction with law and society.

Page 4: SECURITY OF THE DIGITAL NATIVES - English version

The research team

Giuseppe Vaciago, Tech and Law Executive Committee

Francesca Bosco, Tech and Law Executive Committee

Valeria Ferraris, Researcher

Pasquale Stirparo, Tech and Law Fellow

Page 5: SECURITY OF THE DIGITAL NATIVES - English version

The research team

Stefano Zanero, Tech and Law Executive Committee

Pierluigi Perri, Researcher

Davide Ariu, Tech and Law Fellow

Brikena Memaj, Tech and Law Member

Page 6: SECURITY OF THE DIGITAL NATIVES - English version

Giuseppe Vaciago
Lawyer in Milan and Professor of IT Law; Partner at R&P Legal
Twitter: @giuseppevaciago

Giuseppe Vaciago has been a lawyer of the Milan Bar since 2002 and for the last 10 years his primary focus has been IT law, with a focus on cybercrime. He has assisted many national and international IT companies. He is the author of many publications on cybercrime, in both scientific journals and textbooks, which have been adopted by the university where he teaches. Academically, he received his PhD in Digital Forensics from Università di Milano and he is a lecturer at Insubria University (Varese and Como), where he holds a course on IT law. He has also delivered many lectures and presentations both in Italy and abroad.

He attended Fordham Law School and Stanford Law School as a Visiting Scholar to expand his studies in his own particular research area.

He is a member of the executive committee of the Tech and Law Center and a fellow at the Nexa Center and at the Cybercrime Institute of Koln.

Page 7: SECURITY OF THE DIGITAL NATIVES - English version

Francesca Bosco
UNICRI Project Officer and PhD student at Università di Milano-Bicocca
Twitter: @francibosco

Francesca Bosco earned a law degree in International Law and joined UNICRI in 2006 as a member of the Emerging Crimes Unit. In this role Ms. Bosco is responsible for cybercrime prevention projects and, in conjunction with key strategic partners, has developed new methodologies and strategies for researching and countering computer-related crimes.

More recently, Francesca has been researching and developing technical assistance and capacity-building programs to counter the involvement of organized crime in cybercrime, as well as the legal implications and future scenarios of cyberterrorism and cyber war. Furthermore, she is researching and managing projects on online hate speech and on data protection issues related to automated profiling.

Francesca is one of the founders of the Tech and Law Center, she sits on the Advisory Board of the Koln Cybercrime Institute and she is currently a PhD candidate at the University of Milan.

Page 8: SECURITY OF THE DIGITAL NATIVES - English version

Pasquale Stirparo
Digital Forensics Engineer, Founder at SefirTech; Ph.D. candidate at the Royal Institute of Technology (KTH), Stockholm
Twitter: @pstirparo

Pasquale Stirparo is a Digital Forensics Engineer and the founder of SefirTech, a company focusing on Mobile Security, Digital Forensics and Incident Response. Before founding SefirTech, Pasquale worked at the Joint Research Centre (JRC) of the European Commission as a Digital Forensics and Mobile Security Researcher, with particular interest in the security and privacy issues related to mobile device communication protocols, mobile malware and cybercrime. He has also been involved in the development of the standard “ISO/IEC 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence”, for which he led the WG ISO27037 for the Italian National Body in 2010.

Author of many scientific publications, he has also been invited as a speaker to several national and international conferences and seminars on Digital Forensics, and has lectured on the same subject for Politecnico di Milano and the United Nations (UNICRI). Pasquale is a Ph.D. candidate at the Royal Institute of Technology (KTH) in Stockholm, holds an MSc in Computer Engineering from Politecnico di Torino and is certified GCFA, OPST, OWSE and ECCE.

Page 9: SECURITY OF THE DIGITAL NATIVES - English version

Chapters of the report

Analysis of the questionnaires
Legal and policy making considerations
Technical considerations
Conclusions and recommendations

Page 10: SECURITY OF THE DIGITAL NATIVES - English version

Analysis of the questionnaires

Page 11: SECURITY OF THE DIGITAL NATIVES - English version

Methodological remarks

The survey was carried out using a questionnaire containing 60 multiple-choice questions, divided into sections covering the different aspects of the issue: usage patterns for smartphones, tablets and laptops; approach to the various networks; and, for all the applications on the devices, the use of passwords, the perception of the security risks, and the general interest in and knowledge of the topic.

The target population was university students. The questionnaire was administered anonymously through the “Google Form” platform from September to November 2013 and involved over 15 Italian universities.

1012 questionnaires were collected. These presented responses from a wide range of geographic areas and degree choices (with a good mix of students from both the sciences and the humanities).

Page 12: SECURITY OF THE DIGITAL NATIVES - English version

Users Groups

The statistical technique used helped in identifying 3 well-differentiated groups, each presenting homogeneous characteristics that define 3 user profiles:

Light users: this group represents 38,3%
Medium users: this group represents 24%
Heavy users: this group represents 37,4%

Page 13: SECURITY OF THE DIGITAL NATIVES - English version

The sample: gender and study

Computer science and engineering 39,3%
Law 29,6%
Other Faculties 22,2%
Communication Science 8,9%

Smartphone and tablet users are 58% male and 42% female, in line with the higher male presence in IT studies.

Page 14: SECURITY OF THE DIGITAL NATIVES - English version

The use of mobile devices

Some preliminary questions aimed at understanding how students use their mobile devices and what they save on them.

70% take photos and videos with their smartphones and tablets

27,7% store personal passwords on their devices

97% save contacts, photos and videos

75% “always or often” make phone calls, receive text messages/e-mails, browse the web, use Skype and social apps

Page 15: SECURITY OF THE DIGITAL NATIVES - English version

The knowledge and fear of risks

How worried they are about the security of their mobile devices (chart values: 33,4%, 5,6%, 53%, 8%)

Page 16: SECURITY OF THE DIGITAL NATIVES - English version

The knowledge and fear of risks

How secure they feel when doing these activities with their mobile devices

Page 17: SECURITY OF THE DIGITAL NATIVES - English version

The password use and management and the technologies to protect mobile devices

28,8% protect mobile devices with a PIN number

23,9% protect mobile devices with a pattern lock

6,6% protect mobile devices with a password/passphrase

0,6% protect mobile devices with biometrics (e.g. voice recognition)

Page 18: SECURITY OF THE DIGITAL NATIVES - English version

Technical solutions to protect data in mobile devices

20% of the students do not know what these solutions are and another 20% do not use them. Among the systems used:

Page 19: SECURITY OF THE DIGITAL NATIVES - English version

Final question on self assessment

How they assess their knowledge on mobile security (%)

Page 20: SECURITY OF THE DIGITAL NATIVES - English version

Legal and policy making considerations

Page 21: SECURITY OF THE DIGITAL NATIVES - English version

Results of the survey and possible scenarios

PASSWORD: students pay no attention at all to the security requirements relevant to passwords and simply use predictable passwords.

APPS: students install software and applications from unauthorized stores, or without giving importance to the access rights requested.

SHARING: the mobile device is passed on to someone else, in particular when it is sold second hand or lent to someone.

Page 22: SECURITY OF THE DIGITAL NATIVES - English version

Results of the survey and possible scenarios

27% of students interviewed save, on their device, PINs and passwords used for private services (1)

40% of students interviewed do not log out after using an online service

53% of students interviewed very rarely or never check the type of permissions required when downloading an app

41% of students interviewed use open Wi-Fi systems to connect to the Internet on their mobile device, using all types of functions

Page 23: SECURITY OF THE DIGITAL NATIVES - English version

Password is tiring... It follows that one of the most critical issues to be tackled in the IT field is that users need to be persuaded to use a password that can actually protect their data. Our research in fact revealed that:

40% of students interviewed do not use a password to protect their mobile device

41% of students interviewed said that, when asked to change their password, the new password they create is a minor variation on the previous one

5% are currently using two-factor authentication

Page 24: SECURITY OF THE DIGITAL NATIVES - English version

Identity Theft – A fragmented scenario

1. Lack of specific legislation on ID Theft
2. Lack of a national reporting system on ID Theft
3. Different penalties from country to country

“Comparative Study on Legislative and Non Legislative Measures to Combat Identity Theft and Identity Related Crime: Final Report”, RAND Europe, June 2011.

Page 25: SECURITY OF THE DIGITAL NATIVES - English version

Identity Theft

1. Introduction of an ad hoc legislation
2. Reinforcement of the collaboration between national investigative bodies via an EU contact network
• Centralized reporting system on an EU basis

A good example: the CONSAP Project on ID Theft for the Financial, TELCO and Insurance sectors (Legislative decree 64/11)

Page 26: SECURITY OF THE DIGITAL NATIVES - English version

Cybersecurity Campaign Initiative

The Italian Data Protection Authority focuses attention on the correct use of mobile devices with its 'Fatti smart!' ['Be Smart!'] campaign

ENISA is organizing in the coming months a cybersecurity championship where university students compete in a Network Information Security Challenge

Page 27: SECURITY OF THE DIGITAL NATIVES - English version

Security v. Usability

54.5% of the students log on to sites that require authentication via Google or Facebook.

This confirms the extent to which usability is a determining factor in the level of trust that a user places in an online service.

Usability is the central issue in increasing the level of security of mobile devices.

Page 28: SECURITY OF THE DIGITAL NATIVES - English version

The Regulation of Mobile Devices in Universities

1. D. Solove: “Schools are gathering and sharing a mammoth amount of personal data”
2. There is no clear security policy for mobile devices in Italian universities
3. Not only the students, but also the professors are not always aware of cybersecurity risks

D. Solove, 5 Things School Officials Must Know About Privacy

In certain American universities security standards (e.g. HIPAA) are imposed for mobile devices owned by students and university staff (Bring Your Own Device, BYOD) in order to verify their security level (use of anti-virus software, updates to the operating system and encryption systems).

Page 29: SECURITY OF THE DIGITAL NATIVES - English version

Proposed Solutions and Initiatives

Awareness, Responsibility, Response, Ethics, Democracy, Risk assessment, Security design and implementation, Security management, Reassessment

Page 30: SECURITY OF THE DIGITAL NATIVES - English version

Technical Considerations

Page 31: SECURITY OF THE DIGITAL NATIVES - English version

Awareness, knowledge and (false) perception

When asked to evaluate their knowledge of mobile security issues on a scale from 1 to 10, a significantly high percentage of the respondents (55%) graded themselves between 6 and 8. This, however, contrasts with the average percentage of “correct” technical answers in the questionnaire, which was 29%.

This discrepancy between perceived knowledge and the actual knowledge conveyed through the answers to technical questions was confirmed by the different levels of confidence at the beginning and at the end of the survey.

After going through the security questions in the survey, the confidence of university students in their level of knowledge falls: 82% of respondents rated their confidence above 6 before the survey, against 66% at the end.

The possibility of a bias induced by the Dunning-Kruger effect should be taken into consideration. This is a cognitive bias in which unskilled individuals suffer from illusory superiority, mistakenly rating their ability much higher than is accurate; the bias is attributed to a metacognitive inability of the unskilled to recognize their ineptitude.

Page 32: SECURITY OF THE DIGITAL NATIVES - English version

Security Threats

Threats that may arise from the students' behavior and habits:

General: habits and behaviors that may impact all security aspects, reflecting on all the threats.

Identity Theft: habits that involve personal data and potential security and privacy threats.

Economical: habits that may have economic consequences (losses) for the individuals.

Page 33: SECURITY OF THE DIGITAL NATIVES - English version

General Security Issues

Which concerns how respondents behave with respect to software updates and application permissions.

7% of respondents perform regular updates to both mobile OS and apps

81% is the share of iOS devices in the wild outdated for longer than a year

4% of Android devices in the wild still run the 3-year-old Gingerbread version

24% do not regularly update their mobile operating system (OS) or their mobile apps

Oddly enough, the presence in the market of old mobile OS versions, mainly related to Android phones, is still very high.

Page 34: SECURITY OF THE DIGITAL NATIVES - English version

General Security Issues

Which concerns how respondents behave with respect to software updates and application permissions.

Moving to the installation and usage of apps, almost 54% of the respondents never or rarely check the permissions apps require (chart values: 53,8%, 25,5%, 20,7%). Such behavior is a dangerous trend that needs to be addressed: overlooking the privileges an app requires increases the proliferation of malware, since users will install and click “YES” on anything.

Page 35: SECURITY OF THE DIGITAL NATIVES - English version

Identity Theft

96% of users store their Address Book on their phones, together with personal photos and videos

Just 25% of respondents regularly log out when done using an app

40% do not use any lock mechanism to prevent non-authorized access to the device

52% claimed to forsake the security features in order to maintain easy access to the device

Page 36: SECURITY OF THE DIGITAL NATIVES - English version

36

Security of The Digital Natives

It appears that users very often do not check the permissions required by the apps. This may be due to the fact that on some mobile platforms (Android, Windows Phone) permissions are granted in an “all or nothing” form.

This is a dangerous model that trains people to overlook permissions, because they want to install that application not matter what the requisites are.

This result becomes more worrisome if linked with the fact that 17% of the respondents install mobile applications from untrusted sources other than the official application markets.

These two results together support the proliferation of mobile malware and particularly of the category of “toll fraud”, where the application silently subscribes the user to premium-rate SMS services.

Economical Threats & the risk of mobile malware

Page 37: SECURITY OF THE DIGITAL NATIVES - English version

37

Security of The Digital Natives

What about Secure Development?

8,5%

40,1%

28,2%Among the respondents who declared to develop mobile applications (either for fun or profit), only 28% was following the guidelines for secure mobile programming.

23,2%

Page 38: SECURITY OF THE DIGITAL NATIVES - English version

Proposed solutions and initiatives
From a Manufacturers and Vendors perspective

From the questionnaire it emerged that the respondents are inclined to regularly update their devices. We can infer from this that they are conscious of the importance of software updates, but also that the procedures to update mobile devices and apps are considerably more intuitive than they used to be in the “desktop” environment.

However, this result appears to be in contrast with some worrisome statistics concerning the number of mobile devices running outdated OSs.

The reason for this, we can argue, lies in the market policies of carriers and manufacturers and, in the case of the Android platform, in the extreme fragmentation of the market.

Therefore a key role is played by vendors, who should be required to provide software updates for their products for a longer period of time.

Page 39: SECURITY OF THE DIGITAL NATIVES - English version

Proposed solutions and initiatives
From the Mobile Operating System perspective

Should allow users to install applications without being obliged to accept all the permissions required. It has to be possible for users to revoke/grant any single permission at any time, without being compelled to reject the entire application.

Should provide, alongside the device reset functionalities, the possibility of removing the users’ private data stored within the installed applications in a centralized and straightforward way.

Should deliver advanced solutions to ease password management. In fact, although most of the respondents (85%) agree on and understand the importance of having a passlock mechanism in place, most of them still struggle to use one.

Page 40: SECURITY OF THE DIGITAL NATIVES - English version

Proposed solutions and initiatives
From the mobile software development companies and individual developers perspective

Could enforce the use of (strong) passwords, imposing that advanced features of certain applications are enabled only if passwords have been properly configured. A similar approach could also be adopted to enforce the use of non-rooted/jailbroken devices.

Should be liable in case the application does not implement the security mechanisms required to ensure the adequate storage and transmission of the users’ data. Policies, standards and laws should be introduced that establish this responsibility.
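As an added illustration of the first proposal on this slide (example code, not part of the report or of any project it describes): an Android app can check whether the device has a PIN, pattern or password lock configured and enable its sensitive features only in that case, otherwise sending the user to the system security settings. The class and method names (LockScreenGate, hasSecureLock, checkBeforeEnabling) are the example's own; KeyguardManager.isKeyguardSecure() (API 16), KeyguardManager.isDeviceSecure() (API 23) and Settings.ACTION_SECURITY_SETTINGS are existing Android platform APIs.

```java
// Added example, not from the report: gate an app's sensitive features on the
// device having a PIN, pattern or password lock configured (slide 40, first proposal).
// Class and method names are the example's own; the Android APIs used are real.
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.provider.Settings;

public final class LockScreenGate {

    private LockScreenGate() {}

    /** True when the device is protected by a PIN, pattern or password, not by "swipe" or "none". */
    public static boolean hasSecureLock(Context context) {
        KeyguardManager km =
                (KeyguardManager) context.getSystemService(Context.KEYGUARD_SERVICE);
        if (km == null) {
            return false; // fail closed: an unavailable service counts as "not protected"
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            return km.isDeviceSecure();   // API 23+: true only for a real user credential
        }
        return km.isKeyguardSecure();     // API 16+: also true when only a SIM PIN lock is set
    }

    /**
     * Returns null when the sensitive feature may be enabled; otherwise returns an
     * Intent the caller can start to take the user to the system security settings,
     * keeping the feature disabled until a lock has been configured.
     */
    public static Intent checkBeforeEnabling(Context context) {
        if (hasSecureLock(context)) {
            return null;
        }
        return new Intent(Settings.ACTION_SECURITY_SETTINGS);
    }
}
```

An Activity would call checkBeforeEnabling() before exposing, for instance, stored payment or health data, and call startActivity() on the returned Intent while leaving the feature off. The check is repeated each time the feature is opened rather than cached, because the user can remove the screen lock at any moment after the first check.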