1 / 60

Demos & presentations Privacy and Security

This presentation focuses on the basics of giving effective demos and presentations, with a specific focus on privacy and security. It covers presentation techniques such as speaking clearly, using visuals, and showing passion. The presentation also delves into the importance of privacy and security, discussing various aspects and technologies that can protect personal data.

wei
Download Presentation

Demos & presentations Privacy and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Demos & presentations Privacy and Security

  2. Demos and Presentations

  3. Presentation Basics • Speak loudly and clearly • Give the audience something to look at • Show interest even when not speaking • Show passion

  4. This is passion.

  5. This is passion.

  6. This is passion.

  7. This is not.

  8. Demo Basics • Script your demos • Avoid a lot of typing • Avoid silences • Use the “turkey in the oven”

  9. Privacy and Security

  10. Security and Privacy • Security: the protection of data, networks and computing power • Privacy: complying with a person's desires when it comes to handling his or her personal information

  11. When you walk into the store, the big-screen displays "Hello Tom," your shopping habits, and other information from Minority Report PRIVACY

  12. Some Views on Privacy • “All this secrecy is making life harder, more expensive, dangerous …” Peter Cochran, former head of BT (British Telecom) Research • “You have zero privacy anyway.” Scott McNealy, CEO Sun Microsystems • “By 2010, privacy will become a meaningless concept in western society” Gartner report, 2000

  13. Legal Realities of Privacy • Self-regulation approach in US, Japan • Comprehensive laws in Europe, Canada, Australia • European Union • Limits data collection • Requires comprehensive disclosures • Prohibits data export to unsafe countries • Or any country for some types of data

  14. Aspects of Privacy • Anonymity • Security • Transparency and Control: knowing what is being collected

  15. Privacy and Trust • Right of individuals to determine if, when, how, and to what extent data about themselves will be collected, stored, transmitted, used, and shared with others • Includes • right to browse the Internet or use applications without being tracked unless permission is granted in advanced • right to be left alone • True privacy implies invisibility • Without invisibility, we require trust

  16. Privacy Aware Technologies • non-privacy-related solutions that enable users to protect their privacy • Examples • password and file-access security programs • unsubscribe • encryption • access control

  17. Privacy Enhancing Technologies • Solutions that help consumers and companies protect their privacy, identity, data and actions • Examples • popup blockers • anonymizers • Internet history clearing tools • anti-spyware software

  18. Impediments to Privacy • Surveillance • Data collection and sharing • Cookies – how long are they retained? • Sniffing, Snarfing, Snorting • All are forms of capturing packets as they pass through the network • Differ by how much information is captured and what is done with it

  19. P3P (2002) • Platform for Privacy Preference (P3P) • World Wide Web Consortium (W3C) project • Voluntary standard • Structures a web site’s policies in a machine readable format • Allows browsers to understand the policy and behave according to a user’s defined preferences • Short-lived: why?

  20. Do Not Track • Opt out technology • HTTP header • 2012 pledge not honored

  21. Privacy and Wireless • “Wardriver” program: scans for broadcast SSIDs • broadcasting improves network access, but at a cost • once the program finds the SSID • obtains the IP address • obtains the MAC address • … • Lowe’s was penetrated this way • Stole credit card numbers

  22. Deep Web • Anything that can’t be indexed (estimate 97%!) • Accessible through secure browsers: Tor • Anonymity • Difficulty in tracing • Onion addresses of interest

  23. Security: broad issues, not technology

  24. Consider • 1994: Vladimir Levin breaks into Citibank's network and transfers $10 million dollars into his accounts • Mid 90’s: Phonemasters • stole tens of thousands of phone card numbers • found private White House telephone lines • 1996: Tim Lloyd, disgruntled employee inserts time bomb that destroys all copies of Omega Engineering machining code. Estimated lost: $10 million.

  25. Security “Gospel” • The Morris Internet worm of 1988 cost $98 million to clean up • The Melissa virus crashed email networks at 300 of the Fortune 500 companies • The Chernobyl virus destroyed up to a million PCs throughout Asia • The ExploreZip virus alone cost $7.6 billion to clean up

  26. Security Reality • The Morris Internet worm of 1988 cost $98under $1 million to clean up • The Melissa virus crashedscared executives into disconnecting email networks at 300 of the Fortune 500 companies • The Chernobyl virus destroyedcaused replacement of up to a million PCs throughout Asia • The ExploreZip virus alone could have cost $7.6 billion to clean up

  27. Information Systems Security • Deals with • Security of (end) systems • Operating system, files, databases, accounting information, logs, ... • Security of information in transit over a network • e-commerce transactions, online banking, confidential e-mails, file transfers,...

  28. Basic Components of Security • Confidentiality • Keeping data and resources secret or hidden • Integrity • Ensuring authorized modifications • Refers to both data and origin integrity • Availability • Ensuring authorized access to data and resources when desired • Accountability • Ensuring that an entity’s action is traceable uniquely to that entity • Security assurance • Assurance that all four objectives are met

  29. Info Security 20 Years Ago • Physical security • Information was primarily on paper • Lock and key • Safe transmission • Administrative security • Control access to materials • Personnel screening • Auditing

  30. Information Security Today • Increasing system complexity • Digital information security importance • Competitive advantage • Protection of assets • Liability and responsibility • Financial losses • FBI estimates that an insider attack results in an average loss of $2.8 million • Estimates of annual losses: $5 billion - $45 billion (Why such a big range?) • Protection of critical infrastructures • Power grid • Air transportation • Government agencies • GAO report (03): “severe concerns” security mgmt & access control • Grade F for most of the agencies • Limkagesaccerbate

  31. Attack Vs Threat • A threat is a “potential” violation of security • Violation need not actually occur • Fact that the violation might occur makes it a threat • The actual violation (or attempted violation) of security is called an attack

  32. Common security attacks • Interruption, delay, denial of receipt or denial of service • System assets or information become unavailable or are rendered unavailable • Interception or snooping • Unauthorized party gains access to information by browsing through files or reading communications • Modification or alteration • Unauthorized party changes information in transit or information stored for subsequent access • Fabrication, masquerade, or spoofing • Spurious information is inserted into the system or network by making it appear as if it is from a legitimate source • Repudiation of origin • False denial that the source created something

  33. Denial of Service Attacks • explicit attempt to prevent legitimate users from using service • two types of attacks • denial of service (DOS) • distributed denial of service (DDOS) • asymmetric attack • attacker with limited resource (old PC and slow modem) may be able to disable much faster and more sophisticated machines or networks • methods • Bots or Zombie machines • Trojans or Smurf attack: distributed attack that sends specified number of data packets to a victim

  34. Phishing (Spoofing) • use 'spoofed' e-mails and fraudulent websites • designed to fool recipients into divulging personal financial data • credit card numbers • account usernames and passwords • social security numbers • hijacking of trusted brands • banks • online retailers • credit card companies • able to convince up to 5% of recipients to respond • http://www.antiphishing.org/

  35. Goals of Security • Prevention • Prevent someone from violating a security policy • Detection • Detect activities in violation of a security policy • Verify the efficacy of the prevention mechanism • Recovery • Stop attacks • Assess and repair damage • Ensure availability in presence of ongoing attack • Fix vulnerabilities to prevent future attacks • Deal with the attacker

  36. Human Issues • Outsiders and insiders • Which is the real threat? • Social engineering • How much should a company disclose about security? • Claim more or less security than exists

  37. Setting up a server to attract hackers Used by corporations as early warning system Used to attract spam to improve filters Used to attract viruses to improve detection http://www.honeypots.net/ Honeypots

  38. ENCRYPTION

  39. Security Level of Encrypted Data • Unconditionally Secure • Unlimited resources + unlimited time • Still the plaintext CANNOT be recovered from the ciphertext • Computationally Secure • Cost of breaking a ciphertext exceeds the value of the hidden information • The time taken to break the ciphertext exceeds the useful lifetime of the information

  40. Types of Attacks • Ciphertext only • adversary has only ciphertext • goal is to find plaintext, possibly key • Known plaintext • adversary has plaintext and ciphertext • goal is to find key • Chosen plaintext • adversary can get a specific plaintext enciphered • goal is to find key

  41. Attack Mechanisms • Brute force • Statistical analysis • Knowledge of natural language • Examples: • All English words have vowels • There are only 2 1-letter words in English • High probability that u follows q • …

  42. PRIVATE KEY HISTORICAL

  43. Caesar Cipher • Substitute the letter 3 ahead for each one • Example: • Et tu, Brute • Hw wx, Euxwh • Quite sufficient for its time • High illiteracy • New idea

  44. Simple Caesar cipher through each rotor But rotors shifted at different rates Roller 1 rotated one position after every encryption Roller 2 rotated every 26 times… Enigma Machine(Germany, World War II)

  45. Private Key Cryptography • Sender, receiver share common key • Keys may be the same, or trivial to derive from one another • Sometimes called symmetric cryptography or classical cryptography • Two basic types • Transposition ciphers (rearrange bits) • Substitution ciphers • Product ciphers • Combinations of the two basic types

  46. DES (Data Encryption Standard) • A block cipher: • encrypts blocks of 64 bits using a 64 bit key • outputs 64 bits of ciphertext • A product cipher • performs both transposition (permutation) and substitution on the bits • Considered weak • Susceptible to brute force attack

  47. Cracking DES • 1998: Electronic Frontier Foundation cracked DES in 56 hrs using a supercomputer • 1999: Distributed.net cracked DES in 22 hrs • With specialized hardware, DES can be cracked in less than an hour.

  48. History of DES • IBM develops Lucifer for banking systems (1970’s ) NIST and NSA evaluate and modify Lucifer (1974) • Modified Lucifer adopted as federal standard (1976) • Name changed to Data Encryption Standard (DES) • Defined in FIPS (46-3) and ANSI standard X9.32 • NIST defines Triple DES (3DES) (1999) • Single DES use deprecated - only legacy systems. • NIST approves Advanced Encryption Std. (AES) (2001) • AES (128-bit block) • Attack published in 2009 • Current state of the art is AES-256

  49. PUBLIC KEY

  50. Public Key Cryptography • Two keys • Private key known only to individual • Public key available to anyone • Public key, private key inverses • Confidentiality • encipher using public key • decipher using private key • Integrity/authentication • encipher using private key • decipher using public one

More Related