
ICT Security Issues in Europe

Tony Brett, Oxford University Computing Services, http://users.ox.ac.uk/~tony. Agenda: Brief Security Update; Identity Theft; Standards and Governments; The Future of Spam; Vulnerabilities; Biometrics; Some Stories; Questions & URLs.


Presentation Transcript


  1. ICT Security Issues in Europe Tony Brett Oxford University Computing Services http://users.ox.ac.uk/~tony

  2. Agenda • Brief Security Update • Identity Theft • Standards and Governments • The Future of Spam • Vulnerabilities • Biometrics • Some Stories • Questions & URLs

  3. A Brief Security Update “Even in 2003, security is the least understood of all computer system components.”

  4. What is being spent? [Chart: security budget per managed machine ($0 to $6,000) by organization size (very large, large, medium, small), June 2002 vs. February 2003. Source: Information Security Magazine, May 2003]

  5. How much of the Budget? [Chart: security budget as a percentage of IT budget (0% to 20%) by organization size (very large, large, medium, small), June 2002 vs. February 2003. Source: Information Security Magazine, May 2003]

  6. Security Adoption in Europe [Chart: adoption rate (0% to 100%) of antivirus, firewall software, firewall hardware, encryption, monitoring employees, intrusion detection and biometrics. Source: IDC's "European Security Products & Strategies Service"]

  7. Are you serious?
  • European Password Survey by NTA:
    • 67% of users rarely or never change their passwords
    • 22% admit that they would only ever change their password if forced to by a Web site or the system/IT department
  • Average passwords to know:
    • Average: 21
    • Maximum: 70
  • Users who write down their passwords:
    • 49% of heavy computer users
    • 31% of all users on average
  November 2002 (http://www.nta-monitor.com/fact-sheets/pwd-main.htm)

  8. 63% …of security breaches are caused by human error Source: Computing Technology Industry Assn., 2003

  9. Identity Theft
  • Identity theft claimed 3.4% of U.S. citizens, or 7 million victims, during the past year
  • The UK government estimates this crime has cost more than £1 billion over the same period
  Sources: Gartner, July 2003, based on U.S. stats; BBC News
  • The typical identity-theft victim in the United States spends 175 hours actively trying to resolve the problems caused by identity theft
  Source: Congressional Press Release, Sep. 2000

  10. Identity theft …is Britain's fastest-growing white-collar crime, increasing at nearly 500% a year. “The number of consumers who have fallen prey to identity thieves is severely underreported.” Moreover, arrests in identity theft cases are extremely rare, catching the perpetrator in only one out of every 700 cases.

  11. “The current [Internet] identity-theft hot spots are Eastern Europe and Southeast Asia where the level of education and technical sophistication is high, and where tracking down and prosecuting criminals can be very tricky.” Bruce Townsend Special Agent, Financial Crimes Division US Secret Service Source: Unesco Observatory on the Information Society

  12. A true story • TriWest Healthcare Alliance in Arizona provided healthcare services for members of the U.S. military. • Thieves stole computers containing confidential records. • Losses were $2.7 million. • Cost to victims: $30 million to repair damage to credit ratings

  13. The worst case scenario • Stolen identities used for criminal acts • First day of work for a woman in San Diego • Employer did a background check • She arrived, and then departed in handcuffs • Her ID was used when another woman was arrested for drug possession.

  14. Phishing
  • E-mail purporting to be from a bank, etc.
  • Invites submission of personal details
  • The recent Russian phishing scams load the real Barclays/Halifax/Nationwide etc. pages in one browser window along with a pop-up from the fake site requesting account details.
  • Fake URLs: http://www.barclays.co.uk@3468664375/verify.htm (everything before the "@" is treated as a username; the real host is the dotless decimal address 3468664375)
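The fake-URL trick on this slide, checked in an added example (not code from the original slides): urlsplit separates the bogus "www.barclays.co.uk" userinfo from the real host, and a dotless decimal host is decoded to dotted form so a mail gateway or user can see where the link really goes. The sample URLs are constructed; only the first follows the form quoted above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URLs: the first has the form quoted on the slide,
# the other two are made up here for comparison.
SAMPLE_URLS = [
    "http://www.barclays.co.uk@3468664375/verify.htm",
    "https://www.barclays.co.uk/verify.htm",
    "http://www.barclays.co.uk@192.168.0.10/login",
]

def dotless_ip_to_dotted(host: str):
    """Decode a bare decimal host such as '3468664375' into a dotted quad, else None."""
    if not host.isdigit() or int(host) > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(int(host)))

def analyse_url(url: str) -> dict:
    """Report the host a browser would really connect to and why the URL looks deceptive."""
    parts = urlsplit(url)
    findings = []
    # RFC 3986: anything before '@' in the authority is userinfo, not the host.
    if "@" in parts.netloc:
        findings.append(f"userinfo '{parts.username}' masquerades as host; real host is '{parts.hostname}'")
    host = parts.hostname or ""
    dotted = dotless_ip_to_dotted(host)
    if dotted:
        findings.append(f"dotless decimal host {host} is {dotted}")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append(f"raw IP host {host} instead of a bank domain")
        except ValueError:
            pass  # ordinary hostname
    return {
        "url": url,
        "real_host": host,
        "decoded_host": dotted or host,
        "suspicious": bool(findings),
        "findings": findings,
    }

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyse_url(u)
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + r["decoded_host"], r["findings"])
```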

  15. Pop Quiz 1 • Since 1976, more than 2.5 million U.S. patents have been issued. How many reference the word "security"? • A. 16,475 • B. 123,210 • C. 64,689 • D. 493,298 • Answer: D. 493,298

  16. Standards & Governments • The United States has taken an industry-by-industry approach to privacy protection in its laws and regulations, in contrast to European countries. • Privacy measures are contained in specific laws on credit reporting, cable television regulation, video rental data, banking information, telecommunications, etc…

  17. Variation by Country • The United States relies on citizen initiative and judicial enforcement • Britain uses a registration system • Germany uses an ombudsman • Sweden employs a licensing system Info on comparative laws: Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Ithaca: Cornell University Press, 1992)

  18. Standards to Watch
  • XML is the basis for many new protocols
  • Security Assertion Markup Language (SAML)
  • Web Services Description Language (WSDL)
    • Tells apps what web services are available and how to ask for them
  • Simple Object Access Protocol (SOAP)
    • Defines the conversation between service provider and requestor
  • Universal Description, Discovery, and Integration (UDDI)
    • Provides repositories for service definitions

  19. European Standards
  • British Standard 7799 Part 1
    • High-level security advice
    • Just a checklist and not a process?
  • British Standard 7799 Part 2
    • Similar to Part 1, but with fewer suggestions for implementation ("shall" instead of "should")
  • ISO 17799
    • Based on BS 7799, passed in 2000

  20. Other Security Works
  • ISO Guidelines for the Management of IT Security
    • Five-part technical report
  • NIST Special Publication 800-14
    • Best practices based on BS 7799 but more detailed
    • Security handbook: 800-12
    • Security self-assessment: 800-26

  21. The Midas Touch…
  • U.S. requires the 27 visa-waiver countries to install biometric codes onto passports by October 2004
  • Singapore may be the first country to implement
  • U.K. to use fingerprint info
  • New EU passports will be embedded with a radio frequency ID chip that contains biometric data

  22. European Digital Rights
  • European Digital Rights (EDRi) was formed by 10 separate bodies in seven EU member states
  • In the UK, the Foundation for Information Policy Research (FIPR) and Privacy International will work with EDRi.
  • They oppose EU and Council of Europe incursions into personal data:
    • Data retention requirements
    • Telecommunications interception
    • Council of Europe cybercrime treaty
    • Internet rating and filtering
    • Restrictions on Web-based freedom of speech

  23. Viva la Air France!
  • Air France won the right to take over a Web site that uses a garbled version of its name, apparently to steer business toward other travel firms and some finance companies.
  • Known as "typosquatting"
  • Ruling by the United Nations' World Intellectual Property Organisation (Wipo), which runs an arbitration service for Internet name disputes
  • The arbitrator said that the "typographical misspelling" of the Air France trademark showed that the site was registered in bad faith
  • http://www.0xford-university.org/
  • http://www.yaju.com

  24. The Future of SPAM
  • MessageLabs scanned (Oct. 2003)
    • 252 million e-mail messages for spam
    • 325.8 million e-mails for viruses
  • Results
    • Spam was 50.5% of overall messages (15% in Oct. 2002), increasing at 15% per month
    • 1% viruses

  25. 5th March 2003 • AOL announced it had blocked one billion spam emails from reaching its members in one day

  26. US Laws • Many new laws being created by states, feds, international • Lawsuits being filed against “legitimate” spammers (AOL is a big plaintiff) • California court upheld a law requiring unsolicited commercial email to have “ADV:” or “ADV:ADLT” in the subject • False headers in Minnesota are subject to $25 per email or $35,000 per day max

  27. Euro-SPAM
  • Opt-in and opt-out laws for the EC (Directive 2002/58/EC)
    • Entry into the Official Journal: 31st July 2002
    • Implementation by member states: 31st October 2003
  • Prohibits unsolicited email, SMS, mail, etc.
  • Requires the prior explicit consent of the recipients
  (OK, the pictures are Euro-Trash!)

  28. EuroCAUCE • The European Coalition Against Unsolicited Commercial Email • Internet users who are fed up with spam and have formed a coalition to promote legislation which would outlaw UCE • Volunteers, don’t take money http://www.euro.cauce.org/en/index.html

  29. The Goal • Make spamming cost prohibitive • Spammers will send out millions of messages to reach a few stupid users • We all suffer

  30. How they do it
  • Number/symbol substitution
    • "Get Low Mortgage" or "Get Low M0rtgage"
    • Holy Sh!t
  • Misspell key words
    • Creditcard
  • Innocuous words
    • Come see me
  • Use your name in the subject or message

  31. Filter technologies
  • Statistical filters
    • Look for words in email over a period of time
    • Calculate the likelihood of spam
    • Reliable 95-99% of the time
    • Generate few false positives
  • Open source spam filters
  • Bayesian filters - http://spamconference.org
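The statistical filter described on slide 31, with the substitution tricks from slide 30 undone before tokenizing, as an added example that is not from the original presentation: a small naive Bayes classifier that learns per-word spam and ham frequencies from a constructed training corpus and returns the probability that a new message is spam. The corpus and the substitution table are assumptions made up for this illustration.

```python
import math
import re
from collections import Counter

# Undo the digit/symbol substitutions the slide lists ("M0rtgage", "Sh!t")
# before tokenizing, so obfuscated and plain spellings share one token.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                               "7": "t", "!": "i", "$": "s", "@": "a"})

def tokenize(text: str) -> list:
    """Lower-case, normalise substitutions, keep words of two or more letters."""
    return re.findall(r"[a-z]{2,}", text.lower().translate(SUBSTITUTIONS))

class BayesFilter:
    """Naive Bayes spam classifier over per-message word presence."""
    def __init__(self):
        self.spam_words, self.ham_words = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, text: str, is_spam: bool) -> None:
        words = set(tokenize(text))  # count each word at most once per message
        if is_spam:
            self.spam_words.update(words); self.n_spam += 1
        else:
            self.ham_words.update(words); self.n_ham += 1

    def spam_probability(self, text: str) -> float:
        log_odds = math.log(self.n_spam / self.n_ham)  # class prior
        for w in set(tokenize(text)):
            if w not in self.spam_words and w not in self.ham_words:
                continue  # never-seen words carry no evidence either way
            p_spam = (self.spam_words[w] + 1) / (self.n_spam + 2)  # Laplace smoothing
            p_ham = (self.ham_words[w] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

# Constructed training corpus (not real mail), just enough to show the mechanism.
SPAM = ["Get Low M0rtgage rates now", "Low mortgage refinance apply today",
        "Free cr3dit card approval now", "Apply now for low rate mortgage"]
HAM = ["Meeting notes from the security budget review",
       "Can you review the draft agenda for Thursday",
       "Password policy update for the computing service",
       "Lunch on Thursday after the review meeting"]

def trained_filter() -> BayesFilter:
    f = BayesFilter()
    for m in SPAM: f.train(m, True)
    for m in HAM: f.train(m, False)
    return f
```

Calling trained_filter().spam_probability("Low m0rtgage rate today") scores the obfuscated mortgage pitch above 0.98, while "Agenda for the Thursday meeting" scores below 0.01.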

  32. Vulnerabilities • They can be anywhere • Is MP3 or WMF modified? Will it take over your machine?

  33. Port Scans Worldwide [Chart of port scans worldwide. Source: Internet Storm Center, Nov 2003]

  34. Top 10 Ports Scanned
  • 80 World Wide Web HTTP
  • 1433 Microsoft-SQL-Server
  • 1434 Microsoft-SQL-Monitor
  • 135 DCE endpoint resolution
  • 137 NETBIOS Name Service
  • 445 Win2k+ Server Message Block
  • 25 Simple Mail Transfer
  • 901 RealSecure sensor
  • 53 Domain Name Server
  • 554 Real Time Stream Control Protocol
  Source: Internet Storm Center, Nov 2003

  35. Attacks by Business Sector [Chart of attacks by business sector: telecommunications, managerial, insurance, manufacturing, services, government, information technology, entertainment. Source: ISS; from 10/28/02 to 12/31/02]

  36. Virus Control • Trying to improve upon heuristics to prevent viruses • Still not used by all users • Stupid users still are enticed • Can bypass email when users jump to a web site • Click here and see big thingies…

  37. Pop Quiz #2 • What was the first patent that used the term "biometrics"? • A. A fingerprint ID machine • B. A basal body temperature monitor • C. A method for tranquilizing warm-blooded animals • D. A treadmill that tracks heart rate • Answer: D. A treadmill that tracks heart rate

  38. Biometrics: Free lunch through eyes
  • Problem: poor kids showed a voucher while "rich" kids used money
  • Solution:
    • Uses a retina scan to verify the student
    • Pulls money from an account or redeems an electronic voucher
  • Western England High School

  39. You smell! • Each mouse has a unique urine smell • Similar link may exist between genes that control a human’s immune system and their body odor • Funding to determine if human smells are unique

  40. Walk the walk • Nationwide Building Society (UK) is using biometric signatures to combat fraudulent transactions and cut the use of paper • Requires employees to verify fingerprints every several transactions

  41. Vacation messages
  "Sorry I can't reply to your email. I'm on holiday until …"
  With a simple cross-reference, a bad guy can get your home address.
  Use "out of the office today", or use the auto-reply only on internal email.

  42. Young hacker! • 11 year old boy in Florida • At lunch, went to classroom • Teacher hadn’t logged off • Changed his grades • Facing felony charges (doubtful he’ll see any jail time)

  43. Jail time…
  • Trippin Smurfs
    • Broke into 10 JPL servers on the day of the Columbia tragedy (Feb. 1)
    • Expected to receive a long prison term
  • Brian Ferguson
    • Hacked the AOL account of NY judge Kim Eaton
    • 3 years
  • William Grace & Brandon Wilson
    • Hacked a California court
    • 9 years behind bars
  • Douglas Boudreqeau
    • Broke into the Boston College network
    • Charged $2000 to other BC students
    • Suspended, and the school will pay for his defence to "ensure he is adequately represented"

  44. Nigerian Bank Scam – 419
  • People receive email claiming that they've won $10 million
  • All they need to do is cash a cheque and have $1 million transferred to an account in Nigeria
  • The user makes $9 million for the effort
  • After the money is transferred, the bank account is closed; the cheque bounces; the user is out $1 million
  • $90,000 average loss to 150 U.K. residents who fell for it

  45. As principal Vernon said in The Breakfast Club… “Don’t mess with a bull… …you’ll get the horns.”

  46. Resources and Questions • Thanks to Alan Mark of Novell for permission to use some of his slides from Brainshare Europe 2003 in this presentation • Questions? • http://users.ox.ac.uk/~tony

  47. URLs
  • http://www.usdoj.gov/criminal/cybercrime/usamarch2001_3.htm
  • http://www.usdoj.gov/criminal/fraud/idtheft.html
  • http://www.privacyrights.org/
  • http://www.fraud.org/
  • http://www.nfcglobal.com
  • http://www.ftc.gov/
  • http://www.computerworld.com/cwi/itresources/resource_center/0,,NAV63_KEY73,00.html
  • http://www.calpirg.org/consumer/privacy/idtheft2000/
  • http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
  • http://moneycentral.msn.com/articles/banking/credit/1342.asp
  • http://www.usnews.com/usnews/issue/000214/nycu/credit.htm
  • http://www.cnn.com/TECH/computing/9910/11/id.theft.idg/index.html
  • http://seattletimes.nwsource.com/news/local/html98/cens28m_20000328.html
  • http://news.bbc.co.uk/hi/english/uk/newsid_1395000/1395109.shtm
  • http://news.bbc.co.uk/hi/english/business/newsid_526000/526709.shtm
  • http://dailynews.yahoo.com/h/wdiv/20010605/lo/823519_1.html
  • http://dailynews.yahoo.com/h/nf/20010607/tc/11076_1.html
  • http://news.bbc.co.uk/hi/english/business/newsid_1395000/1395109.shtm
  • http://news.bbc.co.uk/hi/english/static/in_depth/uk/2001/life_of_crime/cybercrime.shtm
  • http://204.202.137.113/sections/scitech/DailyNews/ie010430_idtheft_feature.html
  • http://www.unesco.org/webworld/observatory/in_focus/identity_theft.shtml
