CASPIA and Society

Information Assurance
How it affects you and all of
society
Topics
• What it is.
• What are the issues?
• Malicious software (viruses, worms)
• Authentication (passwords, biometrics)
• Digital copyright
• Other legal issues
What is Information Assurance?
• IA is the hardware, software, policies, and
procedures needed to protect information
and information systems by ensuring
availability, integrity, authentication,
confidentiality, and non-repudiation.
• IA implies the ability to protect, detect, and
successfully react to information attacks.
• Also called InfoSec (information security)
We Depend on Computers
• Every aspect of our lives is increasingly
dependent on computerized systems.
• Transportation and communication
systems
• Banking and finance
• Manufacturing and retail
However, this information
infrastructure is vulnerable
Impact on Society: more info
• The Risks Forum: www.risks.org
• Carnegie Mellon’s CERT: www.cert.org
• National IA Partnership:
http://niap.nist.gov/
• Computer Incident Advisory Capability,
CIAC http://ciac.llnl.gov/ciac/index.html
Example from Risks Forum
• A *New York Times* online editorial of 31 Jan 2004
(http://www.nytimes.com/2004/01/31/opinion/31SAT1.html)
concludes with the remark "Given the growing body of
evidence, it is clear that electronic voting machines cannot
be trusted until more safeguards are in place."
• Concerned citizens have been warning that new electronic
voting technology being rolled out nationwide can be used
to steal elections. Now there is proof. When the State of
Maryland hired a computer security firm to test its new
machines, these paid hackers had little trouble casting
multiple votes and taking over the machines' vote-recording mechanisms. They were disturbingly successful.
It was an "easy matter," they reported, to reprogram the
access cards used by voters and vote multiple times.
Example: Computer and Internet
Viruses and Attacks
• Very visible cost to society
• Widely reported in the news media
• Computer viruses, worms (Nimda, Code
Red, Melissa, SQL Slammer, etc.)
• DDOS attacks
• Identity theft through online databases
Cost Estimate
• What is included in cost?
– Lost data, lost productivity
– Cost of employing security personnel
– Cost of “cleaning” and restoring
• Who should collect info?
• Nimda virus estimated at $3 billion
• Code Red estimated at $2.6 billion
Increasing Costs
• Whatever the costs, they are increasing.
– Cost estimates available at: www.Mi2g.com
and www.net-security.org
• Frequency of incidents is increasing.
• Sophistication and destructiveness of the
incidents are increasing.
• Attackers are organized and tools are
easy to use and readily available.
Should You Be Concerned?
• Are we as engineers creating faulty products?
• Is it our fault that our products are misused?
• Is it our responsibility to give society the tools
to protect itself from the misuse of our
products?
Questions and Issues
• Many are extensions of noncomputer issues to cyberspace
– Plagiarism made easy
– Software piracy
– Product liability
– Improper e-mail or Internet use
– Violating copyright (including downloading
copyrighted music)
– Security vs privacy vs convenience
Issues Unique to Cyberspace
• Viruses, worms and other malicious
software (malware)
– The threat is not limited to cyberspace
• Passwords, Biometrics and Access
Control
• Digital Copyright
• Computer Crime and Identity Theft
• Privacy and more legal issues
Viruses, Worms and other
Malicious Software
Viruses, Worms, etc.
What are they?
• Viruses- a piece of software that attaches to
program files. Each time the program runs, the
virus runs too and has the chance to reproduce.
• E-mail Viruses- a virus that moves around in e-mail messages and duplicates itself by
automatically mailing itself to people in the
victim’s e-mail address book.
• Worms- software that can reproduce and use
computer networks to propagate. Email viruses
can also be classified as worms.
Viruses, Worms, etc.
What are they?
• Trojan Horses- a computer program that claims
to do one thing (it may claim to be a game), but
does something malicious when you run it.
• On the Internet, a distributed denial-of-service
(DDoS) attack is one in which a multitude of
compromised systems attack a single target,
causing denial of service for users of the
targeted system. The flood of incoming
messages to the target system forces it to shut
down, denying service to legitimate users.
Viruses, Worms, etc.
Where do they come from?
• People create them for various reasons:
– Psychology of vandalism: the thrill of creating
destruction.
– Fascination of creating something powerful
that spreads quickly (Code Red achieved
global saturation in 18 hours).
– Owning the bragging rights in the hacker
community.
– Revenge on a company
– Financial gain
Viruses, Worms, etc.
What you should do
• Have anti-virus software and update it
frequently – they work!
• Use a strong password (password
cracking programs are readily available on
the Internet) www.password-crackers.com
• Install security patches (and tell your
friends)
Viruses, Worms, etc.
A problem for ALL computers
• If your computer is on the
Internet you need to protect it.
• Attackers use unguarded
systems to launch DDOS
attacks and spread
malware.
How it Affects You
• Anything connected to the Internet is
vulnerable
– Vulnerabilities in products that enable control
of home appliances via Internet
• Anything using a common operating
system
– Viruses now appearing for cell phones and
PDAs
Cyberspace is Linked to Physical
Space
• Much of our critical infrastructure is
controlled by computer: SCADA
• 1997 survey of 50 U.S. utilities found that
40 percent of water facilities allow their
operators direct access to the Internet,
and 60 percent of the SCADA systems
could be connected by modem.
Water Treatment Plant Vulnerable
• November 2001: water treatment facility
in Queensland, Australia was attacked
via the Internet.
• 1 million liters of raw sewage released
into a local park and river.
Nuclear Power Plant Vulnerable
• In January 2003, the "Slammer" Internet
worm took down monitoring computers at
FirstEnergy's idled Davis-Besse nuclear
plant.
More Slammer Damage
• A subsequent report by the North
American Electric Reliability Council said
the January 2003 “Slammer” infection
blocked commands that operated other
power utilities, although it caused no
outages.
Electrical Grid Vulnerable
• Substations are the electricity distribution points
where high-voltage electricity is transformed for
local use. The circuit breakers for the
substations are programmable.
• A hacker could lower settings on some circuit
breakers, while raising others.
• Normal power usage could trip the breakers with
low settings and take those lines out of service,
diverting power and overloading neighboring
lines.
• The substations with breakers set high would
overload: transformers and other critical
equipment could be damaged.
Passwords, Biometrics and
Related Problems
Restrict Access
• Should you restrict access to your system?
• Does it hold sensitive information?
• You need AUTHENTICATION
– Something you know
– Something you have
– Something you are
How to Authenticate?
• User identity most often established
through passwords.
– Easy to implement in the system.
– Passwords must be kept secret.
• Frequent change of passwords.
• Use of “non-guessable” passwords.
• Tokens are also used (sometimes in
combination with passwords).
– Access card, key, credit card, ATM card
Handling Passwords
• Password should not be visible on screen
• Passwords should not be stored in
memory or on disk unencrypted.
– Can use 1-way hash
• Do you need to protect passwords even if
your system is not that sensitive?
– Users reuse passwords
More on Passwords
• How will you handle lost/forgotten
passwords?
• Always reset password and require
change on first use.
– Design Center default is not good
• Best not to use email (it is not confidential
and address can be changed), but it is a
common practice.
More on Authentication
• Something you have (the garage door
opener, key, token)
• Something you know (passwords,
mother’s maiden name)
• Something you are (fingerprint, iris scan)
Authentication with Biometrics
• Biometrics identify people by measuring
some aspect of individual physiology
(fingerprint or hand geometry), deeply
ingrained behavioral characteristic
(signature) or a combination (voice).
Biometrics
• Specified by fraud and insult rates (called type 1
and type 2 errors).
• Many systems can be tuned to favor one over
the other.
• Fraud rate is the rate of false accept: My forgery
was accepted as the bank manager’s signature.
• Insult rate is the rate of false reject: I signed your
add-drop form for my class but the registrar
wouldn’t accept it because I signed it in a hurry.
Handwritten Signature
• Widely used in this country for authentication.
Good forgery is not that difficult.
• Signature tablet
– Can catch speed and pressure info as well as size
and contour.
– If fraud rate is set low, then insult rate is
unacceptably high and vice versa.
– What works: Set fraud rate low, then when signature
is rejected, instruct staff to ask for photo ID or do
additional checks.
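
The fraud/insult trade-off from the Biometrics and Handwritten Signature slides, as an added example that is not part of the original slides: it sweeps the accept threshold over matcher scores, finds the equal error point, and then applies the "set fraud rate low, fall back to photo ID" policy. The scores are constructed for illustration and the function names are assumptions.

```python
import math

# Constructed matcher scores (higher = closer match); not measurements.
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.69, 0.66, 0.62, 0.58, 0.55, 0.41]
IMPOSTOR = [0.72, 0.64, 0.57, 0.49, 0.44, 0.38, 0.33, 0.29, 0.21, 0.15]

def rates(genuine, impostor, threshold):
    """Accept when score >= threshold. Returns (fraud_rate, insult_rate)."""
    fraud = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    insult = sum(s < threshold for s in genuine) / len(genuine)    # false rejects
    return fraud, insult

def _candidates(genuine, impostor):
    # Rates only change at observed scores; inf means "reject everyone".
    return sorted(set(genuine) | set(impostor)) + [math.inf]

def equal_error_point(genuine, impostor):
    """Threshold where the two rates are closest: (threshold, fraud, insult)."""
    def gap(c):
        fraud, insult = rates(genuine, impostor, c)
        return abs(fraud - insult)
    t = min(_candidates(genuine, impostor), key=gap)
    return (t, *rates(genuine, impostor, t))

def threshold_for_fraud_rate(genuine, impostor, max_fraud):
    """Lowest threshold meeting the fraud target, i.e. the least insulting one."""
    for t in _candidates(genuine, impostor):
        fraud, insult = rates(genuine, impostor, t)
        if fraud <= max_fraud:
            return t, fraud, insult

def decide(score, threshold):
    """A reject is not a denial: it routes the person to the manual check."""
    return "accept" if score >= threshold else "ask for photo ID"

if __name__ == "__main__":
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
    strict = threshold_for_fraud_rate(GENUINE, IMPOSTOR, 0.0)
    print("zero-fraud setting:", strict)
    for score in (0.80, 0.70):
        print(score, "->", decide(score, strict[0]))
```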
Face Recognition
• Humans are very good at recognizing people
they know. They are not so good at identifying
strangers from photo ID. Neither are computers.
• Trying to automate the process: computers do
reasonably well with facial geometry if subject
looks straight at the camera and the lighting is
controlled. Anything less controlled has very
high error rates.
• Requiring photo ID is more of a psychological
deterrent than a fraud detection mechanism.
Fingerprints
• Fairly good computer systems are available for
fingerprint ID. If prints are taken under good
conditions, error rate is extremely low and
depends on number of match points needed to
make a match. Equal error rate is below 1%.
• Problems: finger damage - scar on finger. Can
be transferred using adhesive tape or molds.
• Cultural: many people are reluctant to be
fingerprinted.
Iris Scan
• Every human iris is measurably unique. Even
twins have different codes. Can reach good
recognition with zero fraud rate.
• Problem is getting user cooperation. Future:
should be possible to get non-intrusive scan
with pan and zoom.
• Attacks: Photo of target's eyes. Counter:
measure the natural 0.5 Hz fluctuation in the
diameter of the pupil.
Speaker (Voice) Recognition
• Most current systems are text dependent
and background noise is a problem.
• Can be forged with recordings.
• Sickness or alcohol intake affects
recognition.
Other Biometrics
• Facial thermograms
• Retinal scan (low equal error rate, but invasive)
• Hand geometry (equal error rate under good
conditions of 0.2%)
• DNA (too slow, twin problem, privacy
problem: DNA reveals more about you than just
your identity)
• Digital Doggie - recognize smell
Problems with Biometrics
• Environment - dust, vibration, noise,
lighting.
• Unattended op - attack with suitable
recording.
• Minimize false accept or false reject?
• How to store/transmit/allow-access-to the
database.
SENSITIVE DATA!!
Digital Copyright and Digital
Property Rights
Digital Property Rights
• What is digital property?
– Artistic work (computer program?)
– Invention (computer chip?)
• Why and when should it be protected?
• What legal vehicle to use?
– Copyright
– Patent
– Trade secret
Copyright
• Copyrights are designed to protect expressions
of ideas. Ideas are free; however, when an artist
expresses those ideas in a work of art, that can
be copyrighted. Thus, a copyright applies to a
creative work such as a story, painting, or song.
• Copyright gives the author the exclusive right to
make copies of the expression and sell them to
the public. Copyright laws exist so that artists
can earn a living at their art.
Copyright: Fair Use
• All copyrighted material is subject to “fair
use”. This allows reproduction for
“purposes such as criticism, comment,
news reporting, teaching (including
multiple copies for classroom use)
scholarship or research.”
DMCA (1998)
• The “anti-circumvention” provisions of the
Digital Millennium Copyright Act (“DMCA”) are
sometimes not used according to the original
intent.
• Original intent was to stop copyright pirates
from defeating anti-piracy protections added to
copyrighted works, and to ban “black box”
devices intended for that purpose.
DMCA Example
• In 2001, a Russian programmer was jailed for
several weeks when he entered the US.
• He had worked on a software program which
allowed owners of Adobe electronic books
(“e-books”) to convert them from Adobe’s eBook format into Adobe Portable Document
Format (“pdf”) files, thereby removing copy
restrictions embedded into the files.
• His alleged crime was working on a software
tool with many legitimate uses, simply
because third parties might use the tool to
violate copyright.
Your Project or Next Job
• Will you be working on
software or hardware that
uses or copies material that
is copyrighted?
• Can it be used to violate
copyright?
Computer Crime and Other
Legal Issues
Computer Crime
• Increase of computer crimes
– Fraud – especially credit card, ATM
– Embezzlement (anonymity of computer
makes it easier)
– Sabotage, Identity Theft, etc
– Network intrusion
Law Enforcement Issues
• Questions About Penalties
– Intent
• Should hackers who did not intend to do damage
or harm be punished differently than those with
criminal intentions?
– Age
• Should underage hackers receive a different
penalty than adult hackers?
– Damage Done
• Should the penalty correspond to the actual
damage done or the potential for damage?
Ask Yourself
• How might the products or devices that
you design in your next job be misused?
– Prevent unintended uses?
• Product should be easy for authorized
users to use and hard for unauthorized
users
– How to tell the difference?
Privacy Issues
• Spreading information (and
disinformation) about you is possible
because of computerized databases.
• Medical (HIPAA) and financial (GLBA)
information should be confidential.
• Data broker problem - Choicepoint
Protecting Children
• Protection of children on the
Internet
• Elementary and secondary
schools use web-based learning
and provide Internet access to
children.
• How to protect children from
pornography and inappropriate
material and activities?
Children and the Internet
• Laws
– Communications Decency Act (CDA 1996);
– Child Online Protection Act (COPA 1998);
– Children’s Online Privacy Protection Act
(COPPA).
• Filters/parental control devices
– Will you be the one to design a parental
control filter that works well?
For More Info
• The Center for Democracy and
Technology http://www.cdt.org
• The Electronic Frontier Foundation
http://www.eff.org
• The Privacy Rights Clearinghouse
http://www.privacyrights.org
• Computer Professionals for Social
Responsibility http://www.cpsr.org