Slide1
Demos & presentations
Privacy and Security
Slide2
Demos and Presentations
Slide3
Presentation Basics
  Speak loudly and clearly
  Give the audience something to look at
  Show interest even when not speaking
  Show passion
Slide4
This is passion.
Slide5
This is passion.
Slide6
This is passion.
Slide7
This is not.
Slide8
Demo Basics
  Script your demos
  Avoid a lot of typing
  Avoid silences
  Use the “turkey in the oven”
Slide9
Privacy and Security
Slide10
Security and Privacy
  Security: the protection of data, networks and computing power
  Privacy: complying with a person's desires when it comes to handling his or her personal information
Slide11
PRIVACY
  When you walk into the store, the big-screen displays "Hello Tom," your shopping habits, and other information
  from Minority Report
Slide12
Some Views on Privacy
  “All this secrecy is making life harder, more expensive, dangerous …”
    Peter Cochrane, former head of BT (British Telecom) Research
  “You have zero privacy anyway.”
    Scott McNealy, CEO Sun Microsystems
  “By 2010, privacy will become a meaningless concept in western society”
    Gartner report, 2000
Slide13
Legal Realities of Privacy
  Self-regulation approach in US, Japan
  Comprehensive laws in Europe, Canada, Australia
  European Union
    Limits data collection
    Requires comprehensive disclosures
    Prohibits data export to unsafe countries
      Or any country for some types of data
Slide14
Aspects of Privacy
  Anonymity
  Security
  Transparency and Control: knowing what is being collected
Slide15
Privacy and Trust
  Right of individuals to determine if, when, how, and to what extent data about themselves will be collected, stored, transmitted, used, and shared with others
  Includes
    right to browse the Internet or use applications without being tracked unless permission is granted in advance
    right to be left alone
  True privacy implies invisibility
  Without invisibility, we require trust
Slide16
Privacy Aware Technologies
  non-privacy-related solutions that enable users to protect their privacy
  Examples
    password and file-access security programs
    unsubscribe
    encryption
    access control
Slide17
Privacy Enhancing Technologies
  Solutions that help consumers and companies protect their privacy, identity, data and actions
  Examples
    popup blockers
    anonymizers
    Internet history clearing tools
    anti-spyware software
Slide18
Impediments to Privacy
  Surveillance
  Data collection and sharing
  Cookies – how long are they retained?
  Sniffing, Snarfing, Snorting
    All are forms of capturing packets as they pass through the network
    Differ by how much information is captured and what is done with it
Slide19
P3P (2002)
  Platform for Privacy Preferences (P3P)
  World Wide Web Consortium (W3C) project
  Voluntary standard
  Structures a web site’s policies in a machine readable format
  Allows browsers to understand the policy and behave according to a user’s defined preferences
  Short-lived: why?
Slide20
Do Not Track
  Opt out technology
  HTTP header
  2012 pledge not honored
Slide21
Privacy and Wireless
  “Wardriver” program: scans for broadcast SSIDs
  broadcasting improves network access, but at a cost
  once the program finds the SSID
    obtains the IP address
    obtains the MAC address
    …
  Lowe’s was penetrated this way
    Stole credit card numbers
Slide22
Deep Web
  Anything that can’t be indexed (estimate 97%!)
  Accessible through secure browsers:
    Tor
  Anonymity
  Difficulty in tracing
  Onion addresses of interest
Slide23
Security: broad issues, not technology
Slide24
Consider
  1994: Vladimir Levin breaks into Citibank's network and transfers $10 million into his accounts
  Mid 90’s: Phonemasters
    stole tens of thousands of phone card numbers
    found private White House telephone lines
  1996: Tim Lloyd, disgruntled employee, inserts time bomb that destroys all copies of Omega Engineering machining code. Estimated loss: $10 million.
Slide25
Security “Gospel”
  The Morris Internet worm of 1988 cost $98 million to clean up
  The Melissa virus crashed email networks at 300 of the Fortune 500 companies
  The Chernobyl virus destroyed up to a million PCs throughout Asia
  The ExploreZip virus alone cost $7.6 billion to clean up
Slide26
Security Reality
  The Morris Internet worm of 1988 cost under $1 million (not $98 million) to clean up
  The Melissa virus scared executives into disconnecting (not "crashed") email networks at 300 of the Fortune 500 companies
  The Chernobyl virus caused replacement of (not "destroyed") up to a million PCs throughout Asia
  The ExploreZip virus alone could have cost $7.6 billion to clean up
Slide27
Information Systems Security
  Deals with
    Security of (end) systems
      Operating system, files, databases, accounting information, logs, ...
    Security of information in transit over a network
      e-commerce transactions, online banking, confidential e-mails, file transfers, ...
Slide28
Basic Components of Security
  Confidentiality
    Keeping data and resources secret or hidden
  Integrity
    Ensuring authorized modifications
    Refers to both data and origin integrity
  Availability
    Ensuring authorized access to data and resources when desired
  Accountability
    Ensuring that an entity’s action is traceable uniquely to that entity
  Security assurance
    Assurance that all four objectives are met
Slide29
Info Security 20 Years Ago
  Physical security
    Information was primarily on paper
    Lock and key
    Safe transmission
  Administrative security
    Control access to materials
    Personnel screening
    Auditing
Slide30
Information Security Today
  Increasing system complexity
  Digital information security importance
    Competitive advantage
    Protection of assets
    Liability and responsibility
  Financial losses
    FBI estimates that an insider attack results in an average loss of $2.8 million
    Estimates of annual losses: $5 billion - $45 billion (Why such a big range?)
  Protection of critical infrastructures
    Power grid
    Air transportation
  Government agencies
    GAO report (03): “severe concerns” security mgmt & access control
    Grade F for most of the agencies
    Linkages exacerbate
Slide31
Attack Vs Threat
  A threat is a “potential” violation of security
    Violation need not actually occur
    Fact that the violation might occur makes it a threat
  The actual violation (or attempted violation) of security is called an attack
Slide32
Common security attacks
  Interruption, delay, denial of receipt or denial of service
    System assets or information become unavailable or are rendered unavailable
  Interception or snooping
    Unauthorized party gains access to information by browsing through files or reading communications
  Modification or alteration
    Unauthorized party changes information in transit or information stored for subsequent access
  Fabrication, masquerade, or spoofing
    Spurious information is inserted into the system or network by making it appear as if it is from a legitimate source
  Repudiation of origin
    False denial that the source created something
Slide33
Denial of Service Attacks
  explicit attempt to prevent legitimate users from using service
  two types of attacks
    denial of service (DOS)
    distributed denial of service (DDOS)
  asymmetric attack
    attacker with limited resource (old PC and slow modem) may be able to disable much faster and more sophisticated machines or networks
  methods
    Bots or Zombie machines
    Trojans or Smurf attack: distributed attack that sends specified number of data packets to a victim
Slide34
Phishing (Spoofing)
  use 'spoofed' e-mails and fraudulent websites
  designed to fool recipients into divulging personal financial data
    credit card numbers
    account usernames and passwords
    social security numbers
  hijacking of trusted brands
    banks
    online retailers
    credit card companies
  able to convince up to 5% of recipients to respond
  http://www.antiphishing.org/
Slide35
Goals of Security
  Prevention
    Prevent someone from violating a security policy
  Detection
    Detect activities in violation of a security policy
    Verify the efficacy of the prevention mechanism
  Recovery
    Stop attacks
    Assess and repair damage
    Ensure availability in presence of ongoing attack
    Fix vulnerabilities to prevent future attacks
    Deal with the attacker
Slide36
Human Issues
  Outsiders and insiders
    Which is the real threat?
  Social engineering
  How much should a company disclose about security?
    Claim more or less security than exists
Slide37
Honeypots
  Setting up a server to attract hackers
  Used by corporations as early warning system
  Used to attract spam to improve filters
  Used to attract viruses to improve detection
  http://www.honeypots.net/
Slide38
ENCRYPTION
Slide39
Security Level of Encrypted Data
  Unconditionally Secure
    Unlimited resources + unlimited time
    Still the plaintext CANNOT be recovered from the ciphertext
  Computationally Secure
    Cost of breaking a ciphertext exceeds the value of the hidden information
    The time taken to break the ciphertext exceeds the useful lifetime of the information
Slide40
Types of Attacks
  Ciphertext only
    adversary has only ciphertext
    goal is to find plaintext, possibly key
  Known plaintext
    adversary has plaintext and ciphertext
    goal is to find key
  Chosen plaintext
    adversary can get a specific plaintext enciphered
    goal is to find key
Slide41
Attack Mechanisms
  Brute force
  Statistical analysis
    Knowledge of natural language
    Examples:
      All English words have vowels
      There are only 2 1-letter words in English
      High probability that u follows q
      …
Slide42
PRIVATE KEY HISTORICAL
Slide43
Caesar Cipher
  Substitute the letter 3 ahead for each one
  Example:
    Et tu, Brute
    Hw wx, Euxwh
  Quite sufficient for its time
    High illiteracy
    New idea
Slide44
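An added example (not part of the original slides) tying the Caesar Cipher slide to the Attack Mechanisms slide: it reproduces the "Et tu, Brute" encipherment, then recovers the key from ciphertext alone by brute force over all 26 shifts, ranked by statistical analysis of letter frequency. The frequency table holds rounded textbook values and the sample message is constructed.

```python
import string

# Approximate relative frequency (percent) of the most common English letters.
# Rounded textbook figures; letters not listed score zero.
ENGLISH_FREQ = {'e': 12.7, 't': 9.1, 'a': 8.2, 'o': 7.5, 'i': 7.0, 'n': 6.7,
                's': 6.3, 'h': 6.1, 'r': 6.0, 'd': 4.3, 'l': 4.0, 'u': 2.8}


def caesar(text, shift):
    """Shift every letter by `shift` places, keeping case and punctuation."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord('a') + shift) % 26 + ord('a')))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord('A') + shift) % 26 + ord('A')))
        else:
            out.append(ch)
    return ''.join(out)


def english_score(text):
    """Statistical analysis: higher means the letter mix looks more like English."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.lower())


def recover_shift(ciphertext):
    """Ciphertext-only brute force: try all 26 keys, keep the most English-looking."""
    return max(range(26), key=lambda k: english_score(caesar(ciphertext, -k)))


# Constructed sample message (not from the slides).
SAMPLE = "meet me at the old stone theatre on the north side near the lantern"

if __name__ == "__main__":
    print(caesar("Et tu, Brute", 3))
    secret = caesar(SAMPLE, 3)
    key = recover_shift(secret)
    print(key, caesar(secret, -key))
```

With only 26 possible keys the search is instant, which is why the cipher offers no protection once the method is known.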
Enigma Machine
  (Germany, World War II)
  Simple Caesar cipher through each rotor
  But rotors shifted at different rates
    Roller 1 rotated one position after every encryption
    Roller 2 rotated every 26 times
    …
Slide45
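An added example (not from the original slides) of the simplified rotor model the Enigma slide describes: each roller contributes a Caesar shift equal to its position, roller 1 steps after every letter and roller 2 after every 26. It is a toy with two rollers and assumed starting positions, not a model of the real machine's wiring, and it shows why a repeated plaintext letter no longer produces a repeated ciphertext letter.

```python
def rotor_cipher(text, decrypt=False, start1=0, start2=0):
    """Two-roller toy: the shift applied to each letter is pos1 + pos2."""
    pos1, pos2 = start1 % 26, start2 % 26
    sign = -1 if decrypt else 1
    out = []
    for ch in text.upper():
        if not ('A' <= ch <= 'Z'):
            out.append(ch)            # punctuation passes through, rollers stay put
            continue
        shift = sign * (pos1 + pos2)
        out.append(chr((ord(ch) - ord('A') + shift) % 26 + ord('A')))
        pos1 = (pos1 + 1) % 26        # roller 1 steps after every letter
        if pos1 == 0:                 # roller 1 finished a full turn of 26
            pos2 = (pos2 + 1) % 26    # so roller 2 steps once
    return ''.join(out)


def distinct_outputs(letter, count):
    """How many different ciphertext letters one repeated plaintext letter yields."""
    return len(set(rotor_cipher(letter * count)))


if __name__ == "__main__":
    print(rotor_cipher("ET TU, BRUTE"))
    print(rotor_cipher(rotor_cipher("ET TU, BRUTE"), decrypt=True))
    print(distinct_outputs("E", 10))  # a plain Caesar cipher would give 1
```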
Private Key Cryptography
  Sender, receiver share common key
    Keys may be the same, or trivial to derive from one another
  Sometimes called symmetric cryptography or classical cryptography
  Two basic types
    Transposition ciphers (rearrange bits)
    Substitution ciphers
  Product ciphers
    Combinations of the two basic types
Slide46
DES (Data Encryption Standard)
  A block cipher:
    encrypts blocks of 64 bits using a 64 bit key
    outputs 64 bits of ciphertext
  A product cipher
    performs both transposition (permutation) and substitution on the bits
  Considered weak
    Susceptible to brute force attack
Slide47
Cracking DES
  1998: Electronic Frontier Foundation cracked DES in 56 hrs using a supercomputer
  1999: Distributed.net cracked DES in 22 hrs
  With specialized hardware, DES can be cracked in less than an hour.
Slide48
History of DES
  IBM develops Lucifer for banking systems (1970’s)
  NIST and NSA evaluate and modify Lucifer (1974)
  Modified Lucifer adopted as federal standard (1976)
    Name changed to Data Encryption Standard (DES)
    Defined in FIPS (46-3) and ANSI standard X9.32
  NIST defines Triple DES (3DES) (1999)
    Single DES use deprecated - only legacy systems.
  NIST approves Advanced Encryption Std. (AES) (2001)
    AES (128-bit block)
    Attack published in 2009
    Current state of the art is AES-256
Slide49
PUBLIC KEY
Slide50
Public Key Cryptography
  Two keys
    Private key known only to individual
    Public key available to anyone
  Public key, private key inverses
  Confidentiality
    encipher using public key
    decipher using private key
  Integrity/authentication
    encipher using private key
    decipher using public one
Slide51
Public Key Requirements
  Computationally easy to encipher or decipher a message given the appropriate key
  Computationally infeasible to derive the private key from the public key
  Computationally infeasible to determine the private key using a chosen plaintext attack
Slide52
RSA
  Public key algorithm described in 1977 by Rivest, Shamir, and Adleman
  Exponentiation cipher
  Relies on the difficulty of factoring a large integer
  RSA Labs now owned by EMC
  A Guide to RSA
Slide53
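An added example (not from the original slides) of the exponentiation cipher behind the Public Key Cryptography, Public Key Requirements and RSA slides: the two keys act as inverses, giving confidentiality in one direction and integrity/authentication in the other. It uses the common textbook primes 61 and 53 with no padding, so it is a teaching toy only; the last function shows that the private key follows directly from the public key once the modulus can be factored.

```python
from math import gcd


def make_keys(p, q, e):
    """Return (public, private) key pairs (n, e) and (n, d) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def apply_key(value, key):
    """Encipher or decipher: the same modular exponentiation with either key."""
    n, exponent = key
    return pow(value, exponent, n)


def private_from_public(public):
    """Derive the private key by factoring n (feasible only because n is tiny)."""
    n, e = public
    p = next(f for f in range(2, n) if n % f == 0)   # trial division
    return (n, pow(e, -1, (p - 1) * (n // p - 1)))


PUBLIC, PRIVATE = make_keys(61, 53, 17)   # toy primes, constructed for the demo

if __name__ == "__main__":
    message = 65
    # Confidentiality: encipher with the public key, decipher with the private key.
    ciphertext = apply_key(message, PUBLIC)
    print(ciphertext, apply_key(ciphertext, PRIVATE))
    # Integrity/authentication: encipher with the private key, check with the public one.
    signature = apply_key(message, PRIVATE)
    print(apply_key(signature, PUBLIC) == message)
    # With a 12-bit modulus, factoring hands the private key to anyone.
    print(private_from_public(PUBLIC) == PRIVATE)
```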
Summary
  Private key (classical) cryptosystems
    encipher and decipher using the same key
  Public key cryptosystems
    encipher and decipher using different keys
    computationally infeasible to derive one from the other
  Both depend on keeping keys secret
    Depend on computational difficulty
    As computers get faster, …
Slide54
Photon Cryptography
  Use photons for key distribution
  Prevents eavesdropping: reading a photon changes its state
Slide55
AUTHENTICATION
Slide56
Authentication
  Assurance of the identity of the party that you’re talking to
  Primary technologies
    Digital Signature
    Kerberos
Slide57
“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench”
  – Gene Spafford (Purdue)
NETWORK SECURITY
Slide58
Firewall Techniques
  Filtering
    Doesn’t allow unauthorized messages through
    Can be used for both sending and receiving
    Most common method
  Proxy
    The firewall actually sends and receives the information
    Sets up separate sessions and controls what passes in the secure part of the network
Slide59
DMZ: Demilitarized Zone
  Arrangement of firewalls to form a buffer or transition environment between networks with different trust levels
  [Diagram labels: Internet, Firewall, Firewall, Internal resources]
Slide60
Three Tier DMZ
  [Diagram labels: Internet, Firewall, Firewall, Firewall, Internal resources, Web Server, App Server]