Privacy and Cybercrime The individual’s responsibilities in staying safe online


Page 1: Privacy and cybercrime

Privacy and Cybercrime

The individual’s responsibilities in staying safe online

Page 2: Privacy and cybercrime

The Center for Information Assurance and Cybersecurity (CIAC) at the University of Washington integrates industry, academia and the Pacific Northwest community to promote multi-disciplined, regional collaboration, produce innovative research directions and educational programs, and develop information assurance professionals at all levels who are well-prepared to contend with the dynamics of the Information Age.  

Center for Information Assurance and Cybersecurity (CIAC)

Page 3: Privacy and cybercrime

Dr. Barbara Endicott-Popovsky
Department Fellow, Aberystwyth University
Director, Center for Information Assurance and Cybersecurity, University of Washington
Academic Director, Master of Infrastructure Planning and Management
Research Associate Professor, University of Washington Information School
email: [email protected]
Office: Suite 400 RCB
Phone: 206-284-6123
Website: http://faculty.washington.edu/endicott

Barbara Endicott-Popovsky, Ph.D., is Director for the Center of Information Assurance and Cybersecurity at the University of Washington, designated by the NSA as a Center for Academic Excellence in Information Assurance Education and Research, Academic Director for the Masters in Infrastructure Planning and Management in the Urban Planning Department of the School of Built Environments and holds an appointment as Research Associate Professor with the Information School. Her academic career follows a 20-year career in industry marked by executive and consulting positions in IT architecture and project management.

Her research interests include enterprise-wide information systems security and compliance management, forensic-ready networks, the science of digital forensics and secure coding practices. For her work in the relevance of archival sciences to digital forensics, she is a member of the American Academy of Forensic Scientists. Barbara earned her Ph.D. in Computer Science/Computer Security from the University of Idaho (2007), and holds a Masters of Science in Information Systems Engineering from Seattle Pacific University (1987), a Masters in Business Administration from the University of Washington (1985) and a Bachelor of Arts from the University of Pittsburgh.

Page 5: Privacy and cybercrime

| Attribute | Agricultural Age | Industrial Age | Information Age |
|---|---|---|---|
| Wealth | Land | Capital | Knowledge |
| Advancement | Conquest | Invention | Paradigm Shifts |
| Time | Sun/Seasons | Factory Whistle | Time Zones |
| Workplace | Farm | Capital equipment | Networks |
| Organization Structure | Family | Corporation | Collaborations |
| Tools | Plow | Machines | Computers |
| Problem-solving | Self | Delegation | Integration |
| Knowledge | Generalized | Specialized | Interdisciplinary |
| Learning | Self-taught | Classroom | Online |

Page 6: Privacy and cybercrime

Our Love Affair with the Internet

“Shoppers embrace the online model” POSTED: 0727 GMT (1527 HKT), December 20, 2006

“Embracing Internet Technologies”

“Baby Boomers Embracing Mobile Technology”

“US Internet Users Embrace Digital Imaging”

“Docs Embracing Internet”

Page 7: Privacy and cybercrime
Page 8: Privacy and cybercrime
Page 9: Privacy and cybercrime
Page 10: Privacy and cybercrime


RESISTANCE IS FUTILE. PREPARE TO BE ASSIMILATED?


Species 8472

Courtesy: K. Bailey/E. Hayden, CISOs

Page 11: Privacy and cybercrime

Smashing

Industrial Age

Infrastructure!

Page 12: Privacy and cybercrime

Surprise!!

Page 13: Privacy and cybercrime

Unintended Consequences of Embracing the Internet…..

Page 14: Privacy and cybercrime


Troubling Realities

41,000,000 of ‘em out there!

“In the world of networked computers every sociopath is your neighbor.”
Dan Geer, Chief Scientist, Verdasys

Page 15: Privacy and cybercrime

Growing Threat Spectrum

Page 16: Privacy and cybercrime

[Figure: “Cyber Attack Sophistication Continues To Evolve”. Axes: Intruder Knowledge and Attack Sophistication (Low to High) against time (1980, 1985, 1990, 1995, 2000+). Chart labels: Tools; Attackers’ Technical Skills; password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; denial of service; www attacks; “stealth” / advanced scanning techniques; burglaries; network mgmt. diagnostics; distributed attack tools; cross site scripting; staged attack; bots. Source: CERT 2004]

Page 17: Privacy and cybercrime

Cybercrime and Money…

• McAfee CEO: “Cybercrime has become a $105B business that now surpasses the value of the illegal drug trade worldwide”

Page 18: Privacy and cybercrime

Symantec Internet Security Threat Report

– Threat landscape is more dynamic than ever
– Attackers rapidly adapting new techniques and strategies to circumvent new security measures
– Today’s Threat Landscape..
  • Increased professionalism and commercialization of malicious activities
  • Threats tailored for specific regions
  • Increasing numbers of multi-staged attacks
  • Attackers targeting victims by first exploiting trusted entities
  • Convergence of attack methods

Page 19: Privacy and cybercrime

“If the Internet were a street, I wouldn’t walk it in daytime…” K. Bailey, CISO UW

• 75% of traffic is malicious

• Unprotected computer infected in < 1 minute

• Organized crime makes more money on the Internet than through drugs

• The ‘take’ from the Internet doubles e-commerce

Courtesy: FBI, LE

Page 20: Privacy and cybercrime

What does all this mean to you?….

Page 21: Privacy and cybercrime

http://www.engadget.com/2009/04/28/electronic-voting-outlawed-in-ireland-michael-flatley-dvds-okay/

Electronic voting outlawed in Ireland, Michael Flatley DVDs okay for now
by Tim Stevens posted Apr 28th 2009 at 7:23AM

Yes, it's another international blow for electronic voting. We've seen the things proven to be insecure, illegal, and, most recently, unconstitutional. Now the Emerald Isle is taking a similar step, scrapping an e-voting network that has cost €51 million to develop (about $66 million) in favor of good 'ol paper ballots. With that crisis averted Irish politicians can get back to what they do best: blaming each other for wasting €51 million in taxpayer money.

Page 22: Privacy and cybercrime

July 31, 2009, 12:34 pm

Student Fined $675,000 in Downloading Case

By Dave Itzkoff

Bizuayehu Tesfaye/Associated Press Joel Tenenbaum was found liable for copyright violations in a trial in Boston.

Updated | 7:03 p.m. A jury decided Friday that a Boston University student should pay $675,000 to four record labels for illegally downloading and sharing music, The Associated Press reported.

A judge ruled that Joel Tenenbaum, 25, who admitted to downloading more than 800 songs from the Internet between 1999 and 2007 did so in violation of copyright laws and is liable for damages. Mr. Tenenbaum testified Thursday in federal district court in Boston that he had downloaded and shared hundreds of songs by artists including Nirvana, Green Day and the Smashing Pumpkins, and said that he had lied in pretrial depositions when he said that friends or siblings may have downloaded the songs to his computer. The record labels involved in the case have focused on only 30 of the songs that Mr. Tenenbaum downloaded. Under federal law they were entitled to $750 to $30,000 per infringement, but the jury could have raised that to as much as $150,000 per track if it found the infringements were willful. In arguments on Friday, The A.P. reported, a lawyer for Mr. Tenenbaum urged a jury to “send a message” to the music industry by awarding only minimal damages.

http://artsbeat.blogs.nytimes.com/2009/07/31/judge-rules-student-is-liable-in-music-download-case/

Page 23: Privacy and cybercrime

Majority think outsourcing threatens network security
Angela Moscaritolo, September 29, 2009

A majority of IT security professionals believe that outsourcing technology jobs to offshore locations has a negative impact on network security, according to a survey released Tuesday. In the survey of 350 IT managers and network administrators concerned with computer and network security at their organizations, 69 percent of respondents said they believe outsourcing negatively impacts network security, nine percent said it had a positive impact and 22 said it had no impact.

The survey, conducted this month by Amplitude Research and commissioned by VanDyke Software, a provider of secure file transfer solutions, found that 29 percent of respondents' employers outsource technology jobs to India, China and other locations.

Of those respondents whose companies outsource technology jobs, half said that they believe doing so has had a negative impact on network security.

Sixty-one percent of respondents whose companies outsource technology jobs also said their organization experienced an unauthorized intrusion. In contrast, just 35 percent of those whose company does not outsource did. However, the survey noted that organizations that do outsource were “significantly” more likely than those that do not to report intrusions.

“We're not going to say we have any proven cause and effect,” Steve Birnkrant, CEO of Amplitude Research, told SCMagazineUS.com on Tuesday. “Correlation doesn't prove causation, but it's definitely intriguing that the companies that outsource jobs offshore are more likely to report unauthorized intrusions.”

In a separate survey released last December from Lumension Security and the Ponemon Institute, IT security professionals said that outsourcing would be the biggest cybersecurity threat of 2009.

In light of the recession, companies are outsourcing to reduce costs, but the practice opens organizations up to the threat of sensitive or confidential information not being properly protected, and unauthorized parties gaining access to private files, the survey concluded.

In contrast to their overall views about the impact that outsourcing has on network security, Amplitude/VanDyke Software survey respondents were largely positive about the impact of outside security audits. Seventy-two percent of respondents whose companies paid for outside audits said they were worthwhile investments and 54 percent said they resulted in the discovery of significant security problems.

http://www.scmagazineus.com/Majority-think-outsourcing-threatens-network-security/article/150955/

Page 24: Privacy and cybercrime

Connecticut drops felony charges against Julie Amero, four years after her arrest
By Rick Green on November 21, 2008 5:16 PM

The unbelievable story of Julie Amero concluded quietly Friday afternoon at Superior Court in Norwich, with the state of Connecticut dropping four felony pornography charges.

Amero agreed to plead guilty to a single charge of disorderly conduct, a misdemeanor. Amero, who has been hospitalized and suffers from declining health, also surrendered her teaching license.

"Oh honey, it's over. I feel wonderful," Amero, 41, said a few minutes after accepting the deal where she also had to surrender her teaching license. "The Norwich police made a mistake. It was proven. That makes me feel like I'm on top of the world."

In June of 2007, Judge Hillary B. Strackbein tossed out Amero's conviction on charges that she intentionally caused a stream of "pop-up" pornography on the computer in her classroom and allowed students to view it. Confronted with evidence compiled by forensic computer experts, Strackbein ordered a new trial, saying the conviction was based on "erroneous" and "false information."

But since that dramatic reversal, local officials, police and state prosecutors were unwilling to admit that a mistake may have been made -- even after computer experts from around the country demonstrated that Amero's computer had been infected by "spyware."

New London County State's Attorney Michael Regan told me late Friday the state remained convinced Amero was guilty and was prepared to again go to trial.

"I have no regrets. Things took a course that was unplanned. Unfortunately the computer wasn't examined properly by the Norwich police," Regan said.

"For some reason this case caught the media's attention," Regan said.

The case also caught the attention of computer security experts from California to Florida, who read about Amero's conviction on Internet news sites. Recognizing the classic signs of a computer infected by malicious adware, volunteers examined computer records and the hard drive and determined that Amero was not responsible for the pornographic stream on her computer.

The state never conducted a forensic examination of the hard drive and instead relied on the expertise of a Norwich detective, with limited computer experience. Experts working for Amero ridiculed the state's evidence, saying it was a classic case of spyware seizing control of the computer. Other experts also said that Amero's response -- she failed to turn off the computer -- was not unusual in cases like this.

Among other things, the security experts found that the Norwich school system had failed to properly update software that would have blocked the pornography in the first place.

http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html

Page 25: Privacy and cybercrime

Interdependence of Critical Infrastructure

Page 26: Privacy and cybercrime
Page 27: Privacy and cybercrime

A Metaphor…..

Page 28: Privacy and cybercrime

Security/Privacy

How do we stay safe online?

Page 29: Privacy and cybercrime

Security and Privacy: Two Faces of the Same Coin

Security: Outward Facing

Privacy: Inward Facing

Page 30: Privacy and cybercrime

Information System Security Revolution

1960-1980: Computer Security
1985: INFOSEC
1995 -: Information Assurance

[Diagram labels: Other Networks, Packet Switch, Gateway, File Server, Bridge]

Page 31: Privacy and cybercrime

The Castle Approach: Defense in Depth

Protect your data

• Perimeter defense: firewalls

• Layered defense: AV, IDS, IPS

• However, these aren’t working!

Page 32: Privacy and cybercrime

Trusting Controls Assumes:

• Design implements your goals

• Sum total of controls implement all goals

• Implementation is correct

• Installation/administration are correct

Page 33: Privacy and cybercrime

Bottom line assumption:

You Will Never Own a Perfectly Secure System!!!


Page 34: Privacy and cybercrime

Individual Strategy

• Awareness of the threat
• Layered Defense on your home computer
  – Multiple tools
  – Patch program
  – Upgrade
• Implement privacy options in social media
• Be deliberate about where your data resides
• Think like a “bad guy!”
• Limit your children’s access

Page 35: Privacy and cybercrime

Kid Nation

• Kids know technology better than adults

• More prone to commit cyber crime

• Plagiarism sites

• Music downloads

• Disrespect for IP

• Cyberbullying

• Blind trust online

• Need for cyberethics training

Page 36: Privacy and cybercrime
Page 37: Privacy and cybercrime
Page 38: Privacy and cybercrime

                                                                                                                   

http://www.identitytheft.org/

Identity-Theft is the fastest growing crime in America; 9.9 MILLION victims were reported last year, according to a Federal Trade Commission survey!

Mari J. Frank, Esq. is a survivor of identity-theft, and the author of the book From Victim to Victor; A Step-by-Step Guide For Ending The Nightmare Of Identity Theft.

http://www.identitytheft.gov/

Page 39: Privacy and cybercrime
Page 40: Privacy and cybercrime