ITIS 6200/8200: HCIP 6200 Principles of Information Security and Privacy

1. ITIS 6200/8200: HCIP 6200Principles of Information Security and Privacy Dr. Weichao Wang

2. Syllabus • See handout • Homework will usually have 4-5 questions and due in one week. It is due at the time that the class begins. • Late homework, term paper, and project • Within 24 hours: 50% of full score • After that: 0% • Project/term paper • Individual effort • Conduct some hands-on experiments • Choose a security problem and write a survey paper • A reference question list will be provided • For PhD students • Figure out a project that will help your thesis • Midterm and final exam • Misc: eating, drinking, and cell phone

3. What will be covered

4. Before class • Are you really surprised when you learn the government is collecting our communication records? • Several interesting questions • Two companies each has some private data. They need to jointly calculate some result without disclosing their information. • Secure multiparty computation • Is this solution useful? • Zero knowledge proof: • Can I prove to you that I know a secret without telling you anything? (practically) • Car key remote jammer

5. Compromise of user privacy • Key logger through your typing sounds • Copy of your physical key • Recovery of voices through a bag of snack

6. Perfect Storm of Social Networks • By March 2014, Facebook has 1.28 Billion active users each month. Twitter has 500 Million tweets per day. • Human activities explain only 40% of the Internet traffic, the other 60%: Bots • Bingbots and Googlebots explain a big portion of the traffic

8. Examples in real life • Attack on Twitter • Hack into the victim’s email account • DDoS to paralyze Twitter, facebook, etc • Data mining attacks on public database • MyEdu.com • Groupon, Google Offer, and Amazon Local • Worm attack on smart grid • Use social network to detect disease breakout • Remotely control insulin pump of a patient

9. Security overview • Risks • Why there are risks • Adversaries • Smart and dedicated • Many of them, considering the high unemployment rate • Hiding in the dark • From fun to profit (worm self-changing  botnet  target at specific systems)

10. Security overview • Physical security is not enough (can you be sure that your physical security methods are sound and enough? Example in Las Vegas, supply chain attacks, ATM machine, hotel doors)

11. Security overview • What can go wrong • Trojan horse: USB keys • Corrupted internal worker • Vulnerabilities of protocols or security mechanisms (security patch has problems too) • By-passing protection walls • Backdoors for systems (Linux password) • Known attacks ignored (push and poll)

12. Information security • Encryption • You can read the information only when you know the key • Authentication • You are who you claim you are • Authorization • The role and the right

13. Information security • Information integrity • The data has never been changed or changed in an inappropriate way • Non-repudiation • Cannot deny your words (digital cash example) • Privacy • Who should know, how much, how to use the information • Your cell phone or medical records • RFID • Traffic cameras in Minnesota

14. Security overview • Defending methods • Prevention • Prevent (password, salt, private salt, searching) • Deter: raising the bar (password guessing, login slow) • Deflect: making other target more attractive • Diversify • Detection • Monitoring (who, what, and how) • Intrusion detection (signature based, anomaly based) • IP telephony track • Authenticity of the evidence (digital media)

15. Security Overview • Recovery • Recover data (check point) • Identify the damage • Forensics • Confinement • Tolerance • Maintain a decent service quality • Automatically degrade video quality while reserving bandwidth for voice