Cybernaughties - Knowledge on Line

Cybernaughties
ACS Forum
National Professional Development
“Education Across the Nation”
May/June 2002

About Education Across the Nation
- ACS Professional Development Board identifies topical subjects and provides presentation material for Forums in each ACS Branch – the presentation is also available on the ACS web site
- Members earn PCP hours for attending, e.g. 1.5 hour session = 1.5 PCP, 1 hour = 1 PCP hour
- Evaluations are requested to help with planning future forums; please tell us what topics you would like in future sessions, and hand in the evaluations at the end of the session - thanks
Copyright ACS
Cybernaughties May 2002

Relevance to CMACS Program
The topics we are discussing tonight are covered in several CMACS subjects:
- *IT Trends
- *Business, Legal and Ethical Issues (BLE)
- Project Management
- *E-Business
- Management and Strategy for IS
- Software Development
* These have been updated already for 2002. Security and privacy issues occupy a module, 17.5% of total content, in BLE.

What are cybernaughties? Which ones are cyberspace crime?
- Cyberterrorism
- Identity theft
- Fraud
- Cyberstalking
- Surveillance
- Censorship
- Privacy breaches
- Damaging data
- Cybersquatting
- Web page defacement
- Cookies
- Dangerous emails
- Trade secret theft
- Social engineering
- Plagiarism
- Hacking and cracking
- Unauthorised access/computer trespass
- Data theft

What we plan to cover
- Some stats on who’s doing what and to whom
- Are these things always naughty?
- How can you protect against them?
- Should vulnerabilities be publicly discussed?
- Are National ID cards the answer?

Cyberterrorism
Who’s protecting critical IT infrastructure from naughty folk?
- Health organisations
- Banking and finance
- Telecommunications
- Transport
- Power and Water
- Emergency services
- Other???

Netwar
- Networked force can offset a disadvantage in numbers, technology or position.
- Hard to target:
  - Few formal procedures to disrupt
  - Little physical infrastructure
  - Hard to infiltrate
- “Borrow” expensive equipment when needed, e.g. Boeing planes
- Just like the self managing teams recommended in business

Netwar 2
- If you can accurately map a network, you can figure out how to break it apart.
- Inflow analyses and clusters nodes in a network according to activity, betweenness and closeness
- Read Thomas Stewart, “America’s Secret Weapon”, Business 2.0, December 2001

Netwar
- FBI has used keylogging software to legally “steal” encryption keys in a high profile Mafia case
- Echelon detection system can monitor mobiles and Internet traffic. But who might be monitoring the chatty emails to loved ones from battlefield soldiers?
- What’s the Internet equivalent of “loose lips sink ships”?

DC-1000, nee Carnivore
- FBI can request a court order to use Carnivore when a person is suspected of:
  - Terrorism
  - Child pornography/exploitation
  - Espionage
  - Information warfare
  - Fraud
- Need to show probable cause

In Australia
- States and territories are responsible for protecting physical infrastructure, e.g. roads, railway lines, sea ports, airports, national icons (Opera House, MCG)
- In US, Bush admin is establishing a central office to co-ordinate government’s response to cyber attacks
- In Australia, national vs states issues are being debated – will we ever learn?

Cyberterrorism
- 22 March, 2002: 125,000 attempts to penetrate an air force computer system
  - A concerted and directed attack, “one of the most orchestrated we’ve seen in about the last six months”
  - Originated overseas
Source: The Harrow Report, 1 April, 2002

Email can be dangerous
- 2 workers at Narrabri Shire Council referred to their superiors as Huey, Dewey and Louie in an email – and lost their jobs
- Employers face risks of:
  - Defamation
  - Sexual harassment
  - Discrimination
  - Copyright infringement
- Emails are like postcards no matter how many caveats you include in them

Vint Cerf on email
“Be thoughtful in what you commit to email, news groups and other Internet communication channels – it may well end up in a web search some day”
- Great presentations and papers at www1.worldcom.com
- Check out his “The Internet is for Everyone” draft, Feb 2002

Online gambling - is it naughty?
- Australia’s Interactive Gambling Act, passed in July 2001, bans Australian online gambling operators from offering their services to Australians.
- Feb 2001 – 3% of Australian Internet users accessed an online casino from a home PC
- Feb 2002 – 3.4% did the same
- What’s the point of the above Act?
- There are 1,400 Internet casinos – many of them in the Caribbean.

Is Altnet naughty?
- File swapping program Kazaa (Napster-like) includes stealth software that is capable of tapping spare computing capacity – maybe 20 million downloads in Feb 2002
- Will work on an opt-in basis, users will be remunerated for services, you can de-install it – but is it spam? Or a virus? How often do you know what’s in a download? Or any software?
- Are cookies stealth software?

What about cybersmearing?
- Falsehoods about you or your organisation on the Internet – attack sites/rogue sites.
- Company found a concocted interview about it during difficult negotiations with a union – could not locate the name or contact details of the person who posted it. Did find an email address.
- Went to dejanews, typed in the email address and found many postings from the same email address in a cancer survivors group, a blues music group and a weddings group - where there were contact details.

Cybersmearing cont.
- Web page with offending material was on a real estate agency’s site – a little digging showed that the cybersmearer worked for the real estate company.
- Lawyer contacted the cybersmearer: “Hello. We know you had breast cancer, your favourite blues artist is BB King, your daughter is getting married in July. We know you posted a web page with inaccuracies... if it’s still there in half an hour, we will contact your boss who will not be happy to know you are posting libelous material on her site...”
- Is this a good approach to such a problem?

Spam
- This is a vexed issue for ISPs as spam generates traffic and traffic generates money
- Dr John Costello proposed a hash-cash solution in a letter to the Age:
  - If you want to send me an email, my mail server requires yours to perform a computationally intensive task before it will decode and accept it
  - This is OK for one recipient – but for one million?
  - What’s needed is an upgrade to the Internet mail protocol... plus the will to act
- Is this a good solution?
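The hash-cash scheme in Dr Costello's proposal, as an added Python example that is not from the presentation or from the letter itself: the sender mints a per-recipient stamp by searching for a counter whose SHA-256 hash starts with a chosen number of zero bits, the receiver checks it with a single hash and rejects a stamp minted for somebody else, and the work estimate makes the "one million recipients" objection concrete. The stamp layout, the function names, the addresses and the 12-bit difficulty are assumptions made for this illustration (real hashcash stamps also carry a date and a random salt).

```python
import hashlib
import itertools

# Assumed, simplified stamp layout: "1:<bits>:<recipient>:<counter>".
# Real hashcash stamps also include a date and a random salt; omitted here.


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
        else:
            count += 8 - byte.bit_length()
            break
    return count


def stamp_digest(stamp: str) -> bytes:
    return hashlib.sha256(stamp.encode("utf-8")).digest()


def mint_stamp(recipient: str, bits: int) -> tuple[str, int]:
    """Sender side: try counters until the stamp's hash has at least
    `bits` leading zero bits. Expected cost is about 2**bits hashes,
    and the search must be repeated for every recipient because the
    recipient address is part of the hashed stamp.
    Returns (stamp, hashes_tried)."""
    for counter in itertools.count():
        stamp = f"1:{bits}:{recipient}:{counter}"
        if leading_zero_bits(stamp_digest(stamp)) >= bits:
            return stamp, counter + 1
    raise AssertionError("unreachable: itertools.count never ends")


def verify_stamp(stamp: str, my_address: str, min_bits: int) -> bool:
    """Receiver side: one hash plus field checks. A stamp minted for
    another recipient, or at a difficulty below our policy, is rejected
    even if its proof of work is valid."""
    parts = stamp.split(":")
    if len(parts) != 4 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
        int(parts[3])
    except ValueError:
        return False
    if parts[2] != my_address or bits < min_bits:
        return False
    return leading_zero_bits(stamp_digest(stamp)) >= bits


def expected_hashes(bits: int, recipients: int) -> int:
    """Average work for a sender: one independent 2**bits search per recipient."""
    return recipients * (2 ** bits)


if __name__ == "__main__":
    me = "alice@example.org"  # constructed address
    stamp, tried = mint_stamp(me, 12)
    print(stamp, "found after", tried, "hashes")
    print("valid for alice:", verify_stamp(stamp, me, 12))
    print("reused for bob:", verify_stamp(stamp, "bob@example.org", 12))
    print("1 recipient at 20 bits:", expected_hashes(20, 1))
    print("1,000,000 recipients at 20 bits:", expected_hashes(20, 1_000_000))
```

The asymmetry is the point of the scheme: minting costs the sender a search of roughly 2**bits hashes per recipient, while the receiver spends one hash to check. That is exactly why bulk senders are deterred and why the same design makes a legitimate one-million-recipient mailing list expensive, which is the objection raised in the slide.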

Cookies
- The good news is that fewer large sites are sending you cookies
- Of the 100 most visited sites only 48% use cookies, down from 78%
- 84% collect personal information, down from 96%

Censorship – is it naughty?
- CSIRO report on effectiveness of filtering software products showed that few are successful
- BUT – 60% of parents believe that content filtering software is effective

CSIRO study
- Net Nanny blocked 30%, passed 70%
- I-gear blocked 98%, passed 2%
- AOL under 12 years blocked 100%
- Internet Sheriff blocked 98%
- Cyber Sentinel blocked 90%

Reverse censorship
- SafeWeb Triangle Boy gives users the ability to secretly lend their internet address to users behind restricted firewalls
- Being funded by In-Q-Tel (CIA) and Voice of America, which has 100 Triangle Boy machines
- Growing use in China, Saudi Arabia, United Arab Emirates, Syria

Hacking
Stand up if you are:
- Male
- 14-28 years old
- Intelligent
- Could have done better in exams
- Work or study in a technical area
Based on averages, those standing represent the likely hackers – but this is a gross generalisation

Real hackers
- Stay standing if you are indeed a hacker
- Could any other hackers also please stand so we can test this average

Why the naughty hack
- Status
- Media attention
- Expose security flaw
- Monetary gain
- Payback, increasing number of disgruntled ex-employees are hacking
- Sex appeal? ”All the girls thought it was cool” said one 16 year old male hacker

Lots of hacking
- Every 13 seconds, computer networks of the federal government are probed by hackers
- AusCERT – security incidents reported by members doubled in 2001
- Security software – CAGR 22% to 2004 according to Gartner

Hacker praised by judge for Bill Gates prank
“You demonstrated some sense of humour by sending Viagra to Bill Gates to mock him. Even the prosecution had difficulty identifying the criminality of what you did. You have computer skills which many, including myself, envy.”
- How do we change judicial attitudes?

Internet abuse
- It was reported in The Age in Feb 2002 that 4 New Zealand judges were being investigated for surfing Internet sex sites using computers provided by the Department of Courts.
- Is this naughty?

Security is more than money
“You can spend a huge amount of money and be tremendously ineffective. It’s about having the intellectual capability to conceive of how to address those issues, and then having the commitment, enthusiasm and support to actively execute those things.”
Stephen Ford, Assoc Dir IT Security at Macquarie Bank

Top ten security threats
- Complacency
- Poor execution
- Virus attack
- Hackers and crackers
- Trojan horses
- DoS attacks
- Disgruntled employees
- Naïve employees
- Mobile devices
- Data hijacking

Data security
NSW Bureau of Crime Statistics:
- In 2000, 10,221 laptops were stolen
- 336 were recovered
- None of the recovered had data security
- Hands up if your laptop has any data security.

CSI/FBI computer crime and security survey
Activity                            2001    2000
System penetration from outside      40%     25%
Denial of service attacks            38%     22%
Employer abuse of Internet access    91%     79%
Detected computer viruses            94%     85%

CSI/FBI computer crime and security survey
- Intrusions take place despite the presence of firewalls
- Theft of trade secrets takes place despite the presence of encryption
- Net abuse flourishes despite corporate edicts against it

Liability issues
- You could be accountable for compromised data due to cyberintruders
- Even if security measures are in place and your organisation has done nothing wrong
- Distributed denial of service is one example – you get hijacked but still could be liable for damage caused

Cyberfraud – who’s doing it?
Top 12 countries – US data:
- Ukraine
- Indonesia
- Yugoslavia
- Lithuania
- Egypt
- Romania
- Bulgaria
- Turkey
- Russia
- Pakistan
- Malaysia
- Israel

What are teens doing most on Internet
Download music         72%
Play games             72%
Seek health info       75%
Chat                   67%
Shop                   50%
Check sports scores    46%

Teens get health info
Net        75%
School     47%
Parents    45%
Doctors    41%

Biggest online fraud?
- Online auctions, up from 63% of frauds in 2000 to 78% in 2001.
- Nigerian money offers up from 1% in 2000 to 11% in 2001.
- Web sites are the most common way for fraudsters to solicit, but there is an increase in con artists contacting by email.

Credit card fraud
- Harvey Norman closed its online shopping site – 25% involved stolen credit cards
- Recent research by KPMG put it at 20-25%
- 5% of Internet transactions are fraudulent, compared with .05% of bricks and mortar ones
- Editor at MSNBC challenged 2 reporters to go online and get credit card numbers, names and expiration dates. Within 2 hours, they had 2,500.

Cheque fraud
- TV show Dateline did a report on cheque fraud.
- Produced a $1,000 cheque with “Void” written all over it
- Plus the words “Please don’t pay me. I am a counterfeit cheque.”
- The cheque was cashed.

Cyberforgery
- 25 years ago, it took 12 weeks to create a forged cheque and a 4-colour printing press cost $250,000
- Today, it takes 12 minutes and requires a laptop, laser printer and scanner, which is about US $5,000
- But the good news is that you can print the cheque to pay for it.
- On laser printed cheques, you can remove the name and dollar amount with cloudy type scotch tape

Disposable credit cards?
- What about a one-time use card?
- You get a private payment number that can be used once and only once
- Available/being trialled from American Express and Visa

Encryption – how effective is it?
- Powerful ciphers guarantee absolute security in theory
- But hardly ever in practice
- Because people don’t use them properly
- A good key is a long string of random symbols – hard to remember, so write it on a post-it or put it in a file, protected with a password like “1234”?

What about ID theft?
- In 2001, identity theft became the top consumer fraud complaint reported to the US govt.
- 750,00 citizens will have their identities stolen in 2002
- Do National ID cards solve the problem?

Michelle Brown’s story 1
- Single, late 20’s, owned 15 credit cards, never late on a payment
- Call from bank – overdue payment on her car. But not her car.
- Bank officer explained they had trouble finding her as the phone numbers in the credit application were not valid – so they used directory assistance.
- Yet it was her name and her social security number on the loan form.

Michelle Brown’s story 2
- She contacted credit reporting agencies and the division of motor vehicles: a duplicate licence had recently been issued, delinquent bills for thousands of dollars, an arrest warrant in Texas for drug offences
- It took her about 2 years to sort things out, and she has never really recovered; she now has a shredder at home.
- Check out how to avoid identity theft at the Australian Bankers Association site

Don’t make it too easy!
- Pre-approved credit applications sent via mail are a known method of identity theft – all the naughty person has to do is forge a signature and change the address on the form.
- Expert advice is to shred all documentation with your financial details, and use a post office box as mail theft is often a prelude to identity theft.
- There’s heaps of identity theft information on the web

Australian Financial Review, 13 May 2001
National Crime Authority investigation into identity fraud:
- Crime group (Sydney-based) allegedly using illicit bank accounts to claim tax returns
- Serving/former ATO officers under investigation
- Illicit bank accounts opened in the name of people whose tax history suggests they are unlikely to ever get a refund
- Improvements in scanning technology make it easier to produce fake IDs

Organised drug make/traffic
- Motorcycle gangs in Australia and New Zealand use the Internet for secure encrypted transmission of drug recipes, illegitimate financial transactions, business case proposals and communications
- Web sites in the Netherlands and the UK offer to sell and deliver potent varieties of cannabis to almost any destination in the world
- The Internet itself has numerous sites where the recipes for illicit drug preparation are detailed in step by step detail, including alternative ingredients for those hard to obtain supplies. (Int. Narcotics Control Board, 2000)
Source: Peter Wilkins presentation to Privacy Conference 2001

Organised Child Pornography and Trafficking in Human Beings
- Trafficking in women and children for prostitution and forced labour has become a highly lucrative and well organised growth industry. (Interpol General Secretariat)
- Nexus between viewing large amounts of child porn and the propensity of offending. A child molester who after viewing child porn went to a school and raped two five year old girls said “I was determined next day to grab a kid, that stuff fuelled me”
- Offender possessed on his computer 30,000 child porn images in 175 directories. (Victoria Police)
Source – Peter Wilkins slides from Privacy Conference 2001

Development of policing strategies
The commissioners have prioritised the strategy development and priority issues as follows:
- The development of national accredited training for all levels of law enforcement ranging from initial action at e-crime crime scenes, through to forensic analysis
- e-crime law reform
- The identification of private sector partnerships, including their role and function; and
- The development of the proposal for a national centre for cybercrime (Source: Peter Wilkins)

Available at www.privacy.gov.au
MALCOLM CROMPTON, FEDERAL PRIVACY COMMISSIONER
Biometrics and Privacy: The End of the World as We Know IT or The White Knight of Privacy
Biometrics, Security and Authentication Conference, 10 March 2002
See also Roger Clarke’s April 2002 paper, referenced in the second last slide

Biometrics – what’s driving it?
- Authentication – efficient and fraud proof
- Law enforcement
- Technology developments
- Cost – cheaper and cheaper
- Security – post 11 September

International Biometric Industry Association
“Simply put, it’s getting harder and harder to preserve personal privacy without using biometrics…”
Richard E Norton, IBIA

But then…
“…Biometrics are among the most threatening of all surveillance technologies, and herald the severe curtailment of freedoms, and the repression of ‘different thinkers’, public interest advocates and ‘troublemakers’.”
Roger Clarke

Biometrics and Privacy
“Biometrics need not subvert informational privacy. A pro-privacy position should not be construed as anti-biometric. The technology can actually be privacy enhancing if systems are designed with that objective in mind.”
Information Privacy Commissioner, Ontario, Canada

Resistance to biometrics
- There’s a reluctance to use human body parts for security systems
- In US, Christian fundamentalists have brought 2 court cases
  - …clear warnings in the bible against “marking” of individuals
- But, “if God did not want us to use biometrics, he would not have given us individual iris patterns.”

Not all resist
- At Heathrow airport, passengers are volunteering to use iris scanning – Sydney airport is trialling face recognition
- But terrorists are unlikely to volunteer so we still need face recognition improvements
- The good get through security quickly with iris scanning
- The naughty get caught by the face recognition software

What about fingerprinting?
- It is No. 2 in reliability, after iris scanning
- But it is more affordable
- Fingerprinting looks below the skin so latex fingers and severed fingers do not work
- What about acceptance?
- What about fingerprinting school kids?
- Would you volunteer for a biometrics pilot?

Fingerprinting in schools
- In US, at least one school has mugged and fingerprinted all parents and volunteers…
- A failed school employee had moved from school to school molesting children.
- Will fingerprinting prevent this happening again?

Quebec’s new IT Framework Law
- A person’s identity may not be verified or confirmed by means of a process that allows biometric characteristics or measurements to be recorded except with the express consent of the person concerned…
- The creation of a database of biometric characteristics and measurements must be disclosed beforehand to the Commission d’accès à l’information. As well, the existence of such a database, whether or not it is in service, must be disclosed.
- The Commission may make orders determining how such databases are to be set up, used, consulted, released and retained and how measurements or characteristics recorded for personal identification purposes are to be archived or destroyed.
- The Commission may also suspend or prohibit the bringing into service of such a database or order its destruction, if the database is not in compliance with the orders of the Commission or otherwise constitutes an invasion of privacy.

Biometrics in Australia
- Edith Cowan Uni in WA uses fingerprint scanning to secure the PCs controlling access to campus buildings
- Melbourne’s Crown Casino and the Australian Customs Service are trialling face recognition using Face-IT from US
- CSIRO is developing SQUIS – system for quick image search
- NSW Police, casinos and retailers are using face recognition
- Sydney airport is trialling iris scanning

Biometrics future?
- CSIRO has developed face recognition based surveillance but there are reliability problems.
- Maybe the solution is a mix of iris scanning and face recognition with humans making the problematic matches

Surveillance
- Carnegie Mellon project to identify humans at up to 150 metres – Human ID at a Distance
- Blue Eyes – IBM product used in retail stores to record face and eye expressions and measure effectiveness of in-store promotions
- Vegas security systems have used face recognition for three years
- In UK where video surveillance is used, per capita crime is down

Ethically speaking
“We develop the technologies. The policy and how you implement them is not my province.”
Human ID at a Distance Program Manager
“They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety”
Benjamin Franklin

Surveillance technology
- Cookies
- Travel cards/e-tolls
- Employee id cards
- Phone cards
- Credit card records
- Airline tickets
- Cell phones
- GPS
- Video camera

Bullet proof ID?
- Does not exist
- 3-factor security:
  - Something you know, e.g. a password
  - Something you have, e.g. ID card/security token
  - Something that confirms who you are, e.g. a biometric

ID cards – an each-way bet?
- Americans should carry drivers license with routine data plus a biometric identifier… stored in uniform databases in every state, tied into a national network, to verify identities at a moment’s notice
- But not a National ID card as these raise civil liberties concerns

Who’s got ID cards?
- Spain – id cards for citizens over 14
- Argentina – card at 8, re-register at 17
- Kenya – carry card at all times
- Germany – over 16, carry a card
- Belgium – used since WW1, over 15, carry a card which police can request at any time

ID cards
- Finland – voluntary smart card with chip used as a travel card in 15 European countries
- In US, most likely use will be id cards for immigrants and foreign visitors
- Malaysia – piloting a smart card that is drivers license, cash card, health card, and passport.

What’s needed?
Organisations need security software but it’s not enough. Need:
- Policies
- Processes
- Risk analysis – ongoing
- Disaster recovery – tested
- Business continuity plans – tested
- Awareness and training – ongoing
- The will to act

Disclosing vulnerabilities
- Who needs to know when vulnerabilities are discovered?
- Does public disclosure encourage the naughty to take advantage of the vulnerability?
- Microsoft and several specialist security firms have announced voluntary adherence to a new disclosure policy

Case study
- You are an IT manager where a detection tool report shows that IT staff member Freda is accessing restricted Internet sites and downloading objectionable material.
- You remotely access Freda’s PC to obtain evidence
- You find the evidence, and fire Freda

Evidence issues
- Data collected for the purpose of evidence must be:
  - Untampered with
  - Accounted for at every stage of its life from collection to presentation in court
  - Compliant with the law of evidence
- This can be “just too hard” for some organisations to pursue
- Don’t disturb the crime scene
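One way to meet the “untampered with” and “accounted for at every stage” requirements above, as an added Python example that is not part of the presentation: the collected evidence is hashed once at collection, and every hand-over is recorded as a log entry that repeats that hash and chains to the previous entry, so a changed file, a rewritten entry or a removed step shows up at verification time. The handler names, timestamps and the sample evidence bytes are constructed for illustration, and the function names are this example's own.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _content(entry: dict) -> dict:
    """Everything in an entry except its own hash field."""
    return {k: v for k, v in entry.items() if k != "entry_hash"}


def _entry_hash(entry: dict) -> str:
    """Hash of an entry's content with a stable field order."""
    canonical = json.dumps(_content(entry), sort_keys=True).encode("utf-8")
    return sha256_hex(canonical)


def _append(log: list, action: str, handler: str, when: str,
            note: str, evidence_hash: str) -> list:
    """Append one custody entry, chained to the previous entry's hash."""
    entry = {
        "seq": len(log),
        "action": action,
        "handler": handler,
        "when": when,
        "note": note,
        "evidence_sha256": evidence_hash,
        "prev": log[-1]["entry_hash"] if log else "",
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return log


def start_custody(evidence: bytes, handler: str, when: str, note: str = "") -> list:
    """Collection step: the evidence hash becomes the first link in the chain."""
    return _append([], "collected", handler, when, note, sha256_hex(evidence))


def record_transfer(log: list, handler: str, when: str, note: str = "") -> list:
    """Each hand-over or examination re-states the original evidence hash."""
    return _append(log, "transferred", handler, when, note, log[-1]["evidence_sha256"])


def verify_custody(log: list, evidence: bytes) -> tuple[bool, str]:
    """Check the chain is unbroken, no entry was altered, the evidence hash
    never changed, and the bytes presented now match what was collected."""
    if not log:
        return False, "empty log"
    expected_prev = ""
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"entry {i}: sequence gap"
        if entry["prev"] != expected_prev:
            return False, f"entry {i}: broken chain link"
        if _entry_hash(entry) != entry["entry_hash"]:
            return False, f"entry {i}: entry altered after it was recorded"
        if entry["evidence_sha256"] != log[0]["evidence_sha256"]:
            return False, f"entry {i}: evidence hash changed mid-chain"
        expected_prev = entry["entry_hash"]
    if sha256_hex(evidence) != log[0]["evidence_sha256"]:
        return False, "evidence bytes do not match collected hash"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one line of a proxy log, standing in for a disk image.
    evidence = b"2002-03-01 10:15 freda GET http://example.invalid/ 200\n"
    log = start_custody(evidence, "IT manager", "2002-05-01T09:00", "copy of proxy log (constructed)")
    log = record_transfer(log, "HR", "2002-05-01T11:00", "handed over in sealed envelope")
    log = record_transfer(log, "external examiner", "2002-05-02T08:30")
    print(verify_custody(log, evidence))            # (True, 'ok')
    print(verify_custody(log, evidence + b"x"))     # evidence changed
```

A hash chain like this detects alteration but does not prove who altered it; an organisation that wants the log to stand up in court would sign each entry with the handler's key or lodge copies with an independent party, and would collect the evidence with a forensic copy rather than by browsing the live PC as in the case study.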

Can you steal data?
- In some jurisdictions, theft permanently deprives a victim of property.
- If I copy your database, you still have it, so it has not been stolen.
- In any case, is data “property”?

Good reads
- Tangled Web by Richard Power - excellent. Que, 2001. Useful links
- The Art of the Steal - very readable. Frank Abagnale. Bantam, 2001
- Access Denied - useful explanations and best practice checklists. Cathy Cronkhite & Jack McCullough. Osborne, 2001
- Roger Clarke’s notes from the Computers, Freedom & Privacy 2002 Conference at www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP02.html – lots of useful links including Roger’s slides on biometrics

What’s next?
- Thank you for your attendance and for completing your evaluation form.
- The next Education Across the Nation forum is “The Getting of Agility” - alternative ways of developing systems – lite, extreme, agile methods. These are not just a return to the “quick and dirty” approaches of the past – they are rigorous methods which work well if done properly.
- Tell us what you would like to know about these approaches on your evaluation form tonight and we’ll try to meet all needs.