Embed Size (px)
Citation preview
Deliveringthebestinzservices,so2ware,hardwareandtraining.Deliveringthebestinzservices,so2ware,hardwareandtraining.
WorldClasszSpecialists
TheBillionDollarProduct–OnlinePrivacy
RuiMiguelFeio–SecurityLead
Agenda• Introduc:on• Freeonlineservices• Nothinginlifeisforfree• Paidonlinewebservices• Howdotheydoit?• Risks• Security(orlackofit)• Themainframe• Conclusion• Ques:ons
Introduc:on– SecurityleadatRSMPartners
– Beenworkingwithmainframesforthepast17years
– StartedasanMVSSystemsProgrammerwithIBM
– Specialisesinmainframesecurity
– Experienceinnon-mainframeplaTormsaswell
– Beengivenpresenta:onsallovertheworld
FreeOnlineServices
Freeonlineservices
It’sfreeinreturnfor…• Placingcookiesonyourdevicestotrackyouandyouronline
ac:vi:es
• Collec:ng‘some’ofyourpersonaldata
• Includingadsinthewebsitesyouuse
Isthisfair?• YES!!Theservicesareforfree!!!
• Whocares?...Idon’thaveanythingtohide!
• Sawagreatquotetheotherday…“MybiggestfeariswhenIdie......IsthatmywifesellsmymotorbikesforwhatItoldherIpaidforthem!!!”
• SeeweallhavesomethingtohideJ
Nothinginlifeisforfree
“[…]apersonhasnolegi:mateexpecta:onofprivacyininforma:onhevoluntarilyturnsovertothirdpar:es”
Google’slegalteam
PrivacyPolicy&TermsandCondi:ons
• Howmanyofyoueverreadthem?
• Typicallytheseareextensiveanddifficulttodecipher
• Theyarelegallybindingbusinessproposi:onsbetweenyouandtheonlineserviceprovider
• Ok,butwhocares…?
• It’safreeservice!!...Really?
Letmeaskyousomething…• Howmuchdoyouvalueyourprivacy?
• Howaboutyourfriendsandfamily’sprivacy?
• Whatdoyouthinkcouldhappenifyourdatawasmisused?
• Haveyoueversearchedorvisitedanonlinewebsitethatyouwouldratherliketokeepa‘secret’?
• IknowIhaveJ
Interes:ngfacts• OnadailybasisGoogleprocessesaround24Petabytesofdata
• Thisdataisthenstoredandsoldforadver:sement
• TheuseofCookies:– Fingerprintsthatallowyoutobetracedandcatalogued
• Whatyouseeonlineiscustomisedforyoubasedonyour‘onlineprofile’
ValueofaCompany• WhydoyouthinkFacebookorGoogleareworthbillionsofdollars?
• AstudypublishedbytheWallStreetJournalonFacebook:
– Eachlong-termuserisworth$80.95– Eachfriendshipisworth$0.62– Yourprofilepageisworth$1,800– Abusinesspageandassociatedadrevenuesareworth$3.1million
LetmeseeifIgotthisright…• Youusethese‘free’onlinewebservices• Youcreateyourownsocialnetwork• Youinviteotherstojointhe‘free’onlineservice• Youaddcontent:
– Ideasandthoughts– Statusupdates– Photos,videos,…– Linkstootherusersandpages– Interactwithotherpeople– Search– …
So…• Howmuchdoyougetpaidforallthis?
• Allofthiseffortisworthalotofmoneyforthe‘free’onlineserviceproviderandyougetnothing?
• Hmmm…youareindeedagreatvalueforthe‘free’onlineservice!
Interes:ngfacts• Peoplewhouse‘free’onlineserviceshavebecomethelargest
unpaidworkforceinhistory!
• Thedatathatyouhavefreelyprovidedcanbeusedbythe‘free’onlineservicecompaniestobesoldtothirdpar:es
• Youjustdon’tgetanymoney…andyouhavenosayeither!
Paidonlinewebservices
Paidonlineservices–aretheyanydifferent?• Notreally…
• Manyofthepaidonlineservicesusethedatayouprovideasmeanstocapitaliseandmakemoremoney:
– Customisedservicesorproducts– Ads– Datasoldtothirdpar:es
Howdotheydoit?
Howdoesitwork?• Theonlineserviceprovidersprofileyouasdomanyother
organisa:ons:
– Reads,scans,andsearchesyourdata,messagesandwebsearches
– Analysesyourdataandyouronlinetrends
– Tracksyou(cookies,smartphones,…)
– Createsan‘online’profileofYou!!
Howdoesitwork?• Theonlineserviceprovidersmone:sesYOU!
• Triestosellyouproductsandservicesbasedonyour‘online’profile
• Displaysdataonyourscreenaccordingtoyour‘online’profile
• Sellsyouandyourdatatothirdpar:es
Whowouldwantyourdata?• Everyone!Everysinglecompanywantsit!
• Why?
– Becausenowtheyhaveawayofprofilingyou– Theyknowwhoyouare,whatyoulike,whatyoudon’tlike,whatyoudo,whomyoudoitwith,whoareyourfriends,whatyourhabitsare…
– Aninsurancecompanyknowsyourhabits,andcannowdecideifyouare‘worthytobeinsured’
– Afinancialbankcandecideifitwilllendyoumoneyornot– Theyknowyoufromyour‘online’profile!
Risks
Oh,oh,we’reintrouble!...• Whoarethethirdpar:esthataregeungyourdata?
– Othercompanies– DataBrokers
• Lackoflegisla:on
• HowsecurearetheITinfrastructureofthecompaniesthatnowhaveyourdataandyour‘online’profile?
Danger!Danger!• Websites,smartphones,tablets,smartwatches,GPSdevices,…
• Howisyourdatabeingused?
• Forwhatpurposesisyourdatabeingused?
• Howsecurearethesewebsitesanddevices?
Interes:ngfacts• 82%ofAndroidappstrackandcollectyouronlineac:vi:es
• Databrokersgetinforma:onfromyourISP,onlineac:vity,creditcardcompanies,mobilephonecompanies,banks,etc.
• Databrokersaimtoprovide‘behaviouraltarge:ng’
Interes:ngfacts• DatabrokercompanyAcxiomCorpora:on:
– Hasmorethan23,000servers– Theseserverscollect,collateandanalysemorethan50trillionuniquedatatransac:onsperyear
– 96%ofAmericanhouseholdsareinitsDBs– Hasmorethan700millionuserprofilesfromaroundtheworld– Eachprofilehasmorethan1,500specifictraits
• Onequotestated‘Thisistheageofthestalkereconomy’…
• Wellisit???
Security(orlackofit)
Interes:ngfacts• Worldwidespendingonsecurityso2waretotallednearly$20billion
in2012
• Worldwidespendingonsecurityso2warees:matedtoreach$94billionby2017
• Anaverageof62%oftheintrusionsagainstbusinesseswereonlydetecteda2er2months
• Theaverage:mefromtheini:albreachun:ldiscoveryoftheintrusionis210days
• Companiesfacenearly$154incostsperrecordstolen
Costsofdatabreachforabusiness• Detec:ngthebreach• Containingtheawacks• Inves:ga:ngtheawacks• Iden:fyingtheawackers• Remedia:ngtheITinfrastructure• Salesdecline• Creditcardreplacementfees• Consumercredit-monitoringservices• Insurancepremiums• Dropinstockmarketshareprice• Company’simage
Oh,oh,we’vebeenhacked!• MossackFonseca(PanamaPapers)–11millionrecords(2016)• 21stCenturyOncology–2.2millionrecords(2016)• Verizon–1.5millionrecords(2016)• USVotersdatabase-191millionrecords(2015)• VTech-12millionrecords(2015)• AshleyMadison–37millionrecords(2015)• Mspykids&partnertrackingservice–400,000records(2015)• HomeDepot–56millionrecords(2015)• Anthemhealthinsurance–80millionrecords(2015)• JPMorganChase–76millionrecords(2014)• Andsomanymore…
World’sbiggestdatabreaches
hHp://www.informaKonisbeauKful.net/visualizaKons/worlds-biggest-data-breaches-hacks/
World’sbiggestdatabreaches
hHp://www.informaKonisbeauKful.net/visualizaKons/worlds-biggest-data-breaches-hacks/
CostofdatabreachforYou• Thehackercannowpoten:allyhave:
– Youronlinelogincreden:als– Detailedinforma:onaboutyou– Yourcreditcardinforma:on
• Thehackercannow:– Sellyourdata(yes,eventocompanies)– Testyourlogincreden:alsinothersitesandservers– Manipulateyourdata– Stealyouiden:ty– Blackmailyou!
So,letmeaskyouagain…• Howmuchdoyouvalueyourprivacy?
• Howaboutyourfriendsandfamily’sprivacy?
• Whatdoyouthinkitcouldhappenifyourdatawasmisused?
• Areyousureyouhavenothingtohide?
TheMainframe
Ah,we’resafe!Noonehacksthemainframe!!• Areyousureaboutthat?
– ITfirmLogica–morethan10,000socialsecuritynumbers(2012)– SwedishNordeabank–personaldata,money(2013)– InternalhackinonemajorUKBank(2013)-£2millioninlosses
• ButthemainframeisthemostsecureplaTormintheworld!– No,themainframeisthemostsecurableplaTormintheworld– Requireseffort,investmentandresources– Peopleneedtobetrainedtobekeptuptodatewiththenewsecurity
threatsandtrends
Frommyexperiencewithmainframeclients…• Themainframeispartofanecosystemofmul:pleplaTorms.
– Ifoneofthemgetscompromisedhowwillitaffectthemainframe?
• Hackersaregeungreallyinterestedonthemainframe
• It’sjustamawerof:meun:lamainframeisseriouslycompromised
• Ohmy,alotofworkneedstobedone!
Ourexperiencewithmainframeclients…• Managements:llseesthemainframeasun-hackablewhichleads
toalackofinvestmentorinterestinmainframesecurity
• Whileperformingmainframeauditsandpenetra:ontestsforvariousclientsweseethesamecommonsecurityproblemsoverandoveragain
• Wassatwithaclienttheotherdayandtheystated:
“Themainframeistheonlysystemthathascompleteviewofourclients,it’soursystemofrecord…But......Wedon’tprotectitproperly”
Conclusion
Conclusion• ‘Free’onlineservicescanbeuseful
• Usethem,butdon’tabusethem!
• Think:“DoIreallyneedtousethisservice?”
• Becarefulaboutthedatayouprovide!
• Otherscanpickyourdigitalfootprintandinterpretitwithoutyourknowledgeandinwaysthatcancauseyouharm.
• Governmentsneedtoimplementappropriatelegisla:onarounddataandprivacy!
• Privatedataisworthbillions!
Conclusion• Ifyouarereallyconcernedaboutyouronlineprivacytakealookat:
– TOR– DISCONNECTME
TOR(TheOnionRouter)• ThemostpopularbrowserisTOR
• TORisnotnecessarilyjustfortheDarkWeb
• TORisallaboutonlineprivacy
• ItcanbedownloadedatTORPROJECT.ORG
• SeveralDownloadsavailable
DisconnectStatement:TheTorProjectisanon-profitdedicatedtoresearch,development,andeduca:onaboutonlineanonymityandprivacy.ThismissionisinalignmentwithDisconnect’sownmissiontomakeprivacythedefaultonline,andourpartnershipwithTormarksamajormilestoneinachievingourmutualgoals.
AndFinally….....
Ques:ons
RuiMiguelFeio,[email protected]:+44(0)7570911459linkedin:www.linkedin.com/in/rfeiowww.rsmpartners.com
Contact
