ACS$InstrumentStatus$ · ACS$InstrumentStatus$ $$ (N.$Grogin$and$the$ACS$Team)$ STUC$–Apr$2015$ 1
Cybernaughties ACS Forum National Professional Development “Education Across the Nation”...
-
Upload
phebe-rich -
Category
Documents
-
view
215 -
download
0
Transcript of Cybernaughties ACS Forum National Professional Development “Education Across the Nation”...
Cybernaughties
ACS Forum National Professional Development
“Education Across the Nation”May/June 2002
Copyright ACS Cybernaughties May 2002 2
About Education Across the Nation
ACS Professional Development Board identifies topical topics and provides presentation material for Forums in each ACS Branch – presentation is also available on the ACS web site
Members earn PCP hours for attending, e.g. 1.5 hour session = 1.5 PCP, 1 hour = 1 PCP hour
Evaluations are requested to help with planning future forums, please tell us what topics you would like in future sessions, hand in the evaluations at end of session - thanks
Copyright ACS Cybernaughties May 2002 3
Relevance to CMACS Program
The topics we are discussing tonight are covered in several CMACS subjects *IT Trends *Business, Legal and Ethical Issues (BLE) Project Management *E-Business Management and Strategy for IS Software Development
* These have been updated already for 2002. Security and privacy issues occupy a module, 17.5% of total content, in BLE.
Copyright ACS Cybernaughties May 2002 4
What are cybernaughties?Which ones are cyberspace
crime?CyberterrorismIdentity theftFraudCyberstalkingSurveillanceCensorshipPrivacy breachesDamaging dataCybersquattingWeb page defacement
Cookies
Dangerous emails
Trade secret theft
Social engineering
Plagiarism
Hacking and cracking
Unauthorised access/ computer trespass
Data theft
Copyright ACS Cybernaughties May 2002 5
What we plan to cover
Some stats on who’s doing what and to whom?
Are these things always naughty?
How can you protect against them?
Should vulnerabilities be publicly discussed?
Are National ID cards the answer?
Copyright ACS Cybernaughties May 2002 6
Cyberterrorism
Who’s protecting critical IT infrastructure from naughty folk? Health organisations Banking and finance Telecommunications Transport Power and Water Emergency services Other???
Copyright ACS Cybernaughties May 2002 7
Netwar
Networked force can offset a disadvantage in numbers, technology or position.Hard to target Few formal procedures to disrupt Little physical infrastructure Hard to infiltrate “Borrow” expensive equipment when needed.
E.g. Boeing planes
Just like the self managing teams recommended in business
Copyright ACS Cybernaughties May 2002 8
Netwar 2
If you can accurately map a network, you can figure out how to break it apart.Inflow analyses and clusters nodes in network according to activity, betweenness and closenessRead Thomas Stewart “America’s Secret Weapon” in Business 2.0 December 2001
Copyright ACS Cybernaughties May 2002 9
Netwar
FBI has used keylogging software to legally “steal” encryption keys in a high profile Mafia case
Echelon detection system can monitor mobiles and Internet traffic. But who might be monitoring the chatty emails to loved ones for battlefield soldiers?
What’s the Internet equivalent of “loose lips sink ships?”
Copyright ACS Cybernaughties May 2002 10
DC-1000, nee Carnivore
FBI can request a court order to use Carnivore when a person is suspected of Terrorism Child pornography/exploitation Espionage Information warfare Fraud
Need to show probable cause
Copyright ACS Cybernaughties May 2002 11
In Australia
States and territories are responsible for protecting physical infrastructure, e.g. roads, railway lines, sea ports, airports, national icons (Opera House, MCG)
In US, Bush admin is establishing a central office to co-ordinate government’s response to cyber attacks
In Australia, national vs states issues are being debated – will we ever learn?
Copyright ACS Cybernaughties May 2002 12
Cyberterrorism
22 March, 2002125,000 attempts to penetrate an air
force computer systemA concerted and directed attack, “one of
the most orchestrated we’ve seen in about the last six months”
Originated overseas The Harrow Report, 1 April, 2002
Copyright ACS Cybernaughties May 2002 13
Email can be dangerous
2 workers at Narrabri Shire Council referred to their superiors as Huey, Dewey and Louie in an emailAnd lost their jobsEmployers face risks of Defamation Sexual harassment Discrimination Copyright infringement
Emails are like postcards no matter how many caveats you include in them
Copyright ACS Cybernaughties May 2002 14
Vint Cerf on email
“Be thoughtful in what you commit to email, news groups and other Internet communication channels – it may well end up in a web search some day”
Great presentations and papers at www1.worldcom.com
Check out his “The Internet is for Everyone” draft Feb 2002
Copyright ACS Cybernaughties May 2002 15
Online gambling- is it naughty?
Australia’s Interactive Gambling Act, passed in July 2001 bans Australian online gambling operators from offering their services to Australians.Feb 2001 – 3% of Australian Internet users accessed an online casino from home PCFeb 2002 – 3.4 % did the same
What’s the point of the above Act?There are 1,400 Internet casinos – many of
them in the Caribbean.
Copyright ACS Cybernaughties May 2002 16
Is Altnet naughty?
File swapping program Kazaa (Napster-like) includes stealth software that is capable of tapping spare computing capacity – maybe 20 million downloads in Feb 2002Will work on opt-in basis, users will be remunerated for services, you can de-install it – but is it spam? Or a virus? How often do you know what’s in a download? Or any software?Are cookies stealth software?
Copyright ACS Cybernaughties May 2002 17
What about cybersmearing?
Falsehoods about you or your organisation on the Internet – attack sites/rogue sites.Company found a concocted interview about it during difficult negotiations with a union – could not locate name or contact details of person who posted it. Did find an email address.Went to dejanews, typed in the email address and found many postings from same email address, a cancer survivors group, blues music group, weddings group - where there were contact details.
Copyright ACS Cybernaughties May 2002 18
Cybersmearing cont.
Web page with offending material was on a real estate agency’s site –a little digging showed that the cybersmearer worked for the the real estate company.
Lawyer contacted the cybersmearer “Hello. We know you had breast cancer, your favourite blues artist is BB King, your daughter is getting married in July. We know you posted a web page with inaccuracies…..if it’s still there in half an hour, we will contact your boss who will not be happy to know you are posting libelous material on her site….
Is this a good approach to such a problem?
Copyright ACS Cybernaughties May 2002 19
Spam
This is a vexed issue for ISPs as spam generates traffic and traffic generates moneyDr John Costello proposed a hash-cash solution in a letter to the Age If you want to send me an email, my mail server requires
yours to perform a computationally intensive task before it will decode and accept it
This is OK for one recipient – but for one million? What’s needed is an upgrade to Internet mail protocol
……. plus the will to act. Is this a good solution?
Copyright ACS Cybernaughties May 2002 20
Cookies
The good news is that fewer large sites are sending you cookies
Of the 100 most visited sites only 48% use cookies, down from 78%
84% collect personal information, down from 96%
Copyright ACS Cybernaughties May 2002 21
Censorship
Is it naughty?
CSIRO report on effectiveness of filtering software products showed that few are successful
BUT – 60% of parents believe that content filtering software is effective
Copyright ACS Cybernaughties May 2002 22
CSIRO study
Net Nanny blocked 30%, passed 70%
I-gear blocked 98%, passed 2%
AOL under 12 years blocked 100%
Internet sheriff blocked 98%
Cyber sentinel blocked 90%
Copyright ACS Cybernaughties May 2002 23
Reverse censorship
SafeWeb Triangle Boy give users the ability to secretly lend internet address to users behind restricted firewallsBeing funded by In-Q-Tel (CIA) and Voice of America which has 100 Triangle Boy machinesGrowing use in China, Saudi Arabia, United Arab Emirates, Syria
Copyright ACS Cybernaughties May 2002 24
Hacking
Stand up if you are Male 14-28 years old Intelligent Could have done better in exams Work or study in technical area
Based on averages, those standing represent the likely hackers – but this is a gross generalisation
Copyright ACS Cybernaughties May 2002 25
Real hackers
Stay standing if you are indeed a hacker
Could any other hackers also please stand so we can test this average
Copyright ACS Cybernaughties May 2002 26
Why the naughty hack
StatusMedia attentionExpose security flawMonetary gainPayback, increasing number of disgruntled ex-employees are hackingSex appeal? ”All the girls thought it was cool” said one 16
year old male hacker
Copyright ACS Cybernaughties May 2002 27
Lots of hacking
Every 13 seconds, computer networks of federal government are probed by hackers
Auscert – security incidents reported by members doubled in 2001
Security software – CAGR 22% to 2004 according the Gartner
Copyright ACS Cybernaughties May 2002 28
Hacker praised by judge for Bill Gates prank
“You demonstrated some sense of humour by sending Viagra to Bill Gates to mock him. Even the prosecution had difficulty identifying the criminality of what you did. You have computer skills which many, including myself, envy.”
How do we change judicial attitudes?
Copyright ACS Cybernaughties May 2002 29
Internet abuse
It was reported in The Age in Feb 2002 that 4 New Zealand judges were being investigated for surfing Internet sex sites using computers provided by the Department of Courts.
Is this naughty?
Copyright ACS Cybernaughties May 2002 30
Security is more than money
“You can spend a huge amount of money and be tremendously ineffective. It’s about having the intellectual capability to conceive of how to address those issues, and then having the commitment, enthusiasm and support to actively execute those things.”Stephen Ford, Assoc Dir IT security at
Macquarie Bank
Copyright ACS Cybernaughties May 2002 31
Top ten security threats
ComplacencyPoor executionVirus attackHackers and crackersTrojan horsesDoS attacksDisgruntled employeesNaïve employeesMobile devicesData hijacking
Copyright ACS Cybernaughties May 2002 32
Data security
NSW Bureau of Crime Statistics
In 2000, 10,221 laptops were stolen336 were recoveredNone of the recovered had data
securityHands up if your laptop has any data
security.
Copyright ACS Cybernaughties May 2002 33
CSI/FBI computer crime and security survey
Activity 2001 2000
System penetration from outside
40% 25%
Denial of service attacks 38% 22%
Employer abuse of Internet access
91% 79%
Detected computer viruses 94% 85%
Copyright ACS Cybernaughties May 2002 34
CSI/FBI computer crime and security survey
Intrusions take place despite the presence of firewalls
Theft of trade secrets takes place despite the presence of encryption
Net abuse flourishes despite corporate edicts against it
Copyright ACS Cybernaughties May 2002 35
Liability issues
You could be accountable for compromised data due to cyberintruders
Even if security measures are in place and in your organisation has done anything wrong
Distributed denial of service is one example – you get hijacked but still could be liable for damage caused
Copyright ACS Cybernaughties May 2002 36
Cyberfraud – who’s doing it?Top 12 countries – US data
Ukraine
Indonesia
Yugoslavia
Lithuania
Egypt
Romania
Bulgaria
Turkey
Russia
Pakistan
Malaysia
Israel
Copyright ACS Cybernaughties May 2002 37
What are teens doing most on Internet
Download music
Play games
Seek health info
Chat
Shop
Check sports scores
72%
72%
75%
67%
50%
46%
Copyright ACS Cybernaughties May 2002 38
Teens get health info
Net
School
Parents
Doctors
75%
47%
45%
41%
Copyright ACS Cybernaughties May 2002 39
Biggest online fraud?
Online auctions, up from 63% of frauds in 2000 to 78% in 2001.Nigerian money offers up from 1% in 2000 to 11% in 2001. Web sites are the most common way for fraudsters to solicit, but there is an increase in con artists contacting by email.
Copyright ACS Cybernaughties May 2002 40
Credit card fraud
Harvey Norman closed its online shopping site – 25% involved stolen credit cardsRecent research by KPMG put it at 20-25%5% of Internet transactions are fraudulent, compared with .05% of bricks and mortar ones Editor at MSNBC challenged 2 reporters to go online and get credit card numbers, names and expiration dates. Within 2 hours, they had 2,500.
Copyright ACS Cybernaughties May 2002 41
Cheque fraud
TV show Dateline did a report on cheque fraud.
Produced a $1,000 cheque with “Void” written all over it
Plus the words “Please don’t pay me. I am a counterfeit cheque.”
The cheque was cashed.
Copyright ACS Cybernaughties May 2002 42
Cyberforgery
25 years ago, it took 12 weeks to create a forged cheque and a 4-colour printing press cost $250,000
Today, it takes 12 minutes and requires a laptop, laser printer, scanner which is about US $5,000
But the good news is that you can print the cheque to pay for it.
On laser printed cheques, you can remove the name and dollar amount with cloudy type scotch tape
Copyright ACS Cybernaughties May 2002 43
Disposable credit cards?
What about a one-time use card?
You get a private payment number that can be used once and only once
Available/being trialled from American Express and Visa
Copyright ACS Cybernaughties May 2002 44
Encryption –how effective is it?
Powerful ciphers guarantee absolute security in theory
But hardly ever in practice
Because people don’t use them properly
A good key is a long string of random symbols – hard to remember, so write it on a post-it or put it in a file, protected with a password like “1234”?
Copyright ACS Cybernaughties May 2002 45
What about ID theft?
In 2001, identity theft became the top consumer fraud complaint reported to the US govt.
750,00 citizens will have their identities stolen in 2002
Do National ID cards solve the problem?
Copyright ACS Cybernaughties May 2002 46
Michelle Brown’s story 1
Single, late 20’s, owned 15 credit cards, never late on a paymentCall from bank – overdue payment on her car. But not her car.Bank officer explained they had trouble finding her as phone calls in credit application not valid – so they used directory assistance.Yet it was her name and her social security number on the loan form.
Copyright ACS Cybernaughties May 2002 47
Michelle Brown’s story 2
She contacted credit reporting agencies and division of motor vehicles, duplicate licence recently issued, delinquent bills for thousands of dollars, arrest warrant in Texas for drug offencesIt took her about 2 years to sort things out, and she has never really recovered, now has shredder at home.Check out how to avoid identity theft at Australian Bankers Association site
Copyright ACS Cybernaughties May 2002 48
Don’t make is too easy!
Pre-approved credit applications sent via mail is a known method of identity theft – all the naughty person has to do is forge a signature and change the address on the form.Expert advice is to shred all documentation with your financial details, and use a post office box as mail theft is often a prelude to identity theft.There’s heaps of identity theft information on the web
Copyright ACS Cybernaughties May 2002 49
Australian Financial Review 13 May 2001
National Crime Authority investigation into identity fraud
Crime group (Sydney-based) allegedly using illicit bank accounts to claim tax returns
Serving/former ATO officers under investigation
Illicit bank accounts opened in name of people whose tax history suggests are unlikely to ever get a refund
Improvements in scanning technology make it easier to produce fake IDs
Copyright ACS Cybernaughties May 2002 50
Organised drug make/traffic
Motorcycle gangs in Australia and New Zealand use the Internet for secure encrypted transmission of drug recipes, Illegitimate financial transactions, business case proposals and communications
Web sites in the Netherlands and the UK offer to sell and deliver potent varieties of cannabis to almost any destination in the world
The Internet itself has numerous sites where the recipes for illicit drug preparation are detailed in step by step detail, including alternative ingredients for those hard to obtain supplies. (Int.Narcotics Control Board, 2000)
Source Peter Wilkins presentation to Privacy Conference 2001
Copyright ACS Cybernaughties May 2002 51
Organised Child Pornography and Trafficking in Human
BeingsTrafficking in women and children for prostitution and forced labour has become a highly lucrative and well organised growth industry. (Interpol General Secretariat)
Nexus between viewing large amounts of child porn and the propensity of offending. A child molester who after viewing child porn went to a school and raped two five year old girls said “I was determined next day to grab a kid, that stuff fuelled me”
Offender possessed on his computer 30,000 child porn images in 175 directories. (Victoria Police)
Source – Peter Wilkins slides from Privacy Conference 2001
Copyright ACS Cybernaughties May 2002 52
Development of policing strategies
The commissioners have prioritised the strategy development and priority issues as follows:The development of national accredited training for all levels of law enforcement ranging from initial action at e-crime crime scenes, through to forensic analysise-crime law reformThe identification of private sector partnerships including; their role and function; andThe development of the proposal for a national centre for cybercrime (Source: Peter Wilkins)
Copyright ACS Cybernaughties May 2002 53
Available at www.privacy.gov.au
MALCOLM CROMPTONFEDERAL PRIVACY COMMISSIONER
Biometrics and Privacy: The End of the World as We Know IT or The White Knight of Privacy
Biometrics, Security and Authentication Conference
10 March 2002
See also Roger Clarke’s April 2002 paper, referenced in second last slide
Copyright ACS Cybernaughties May 2002 54
Biometrics – what’s driving it?
Authentication – efficient and fraud proofLaw enforcementTechnology developments Cost – cheaper and cheaperSecurity – post 11 September
Copyright ACS Cybernaughties May 2002 55
International Biometric Industry Association
“Simply put, it’s getting harder and harder to preserve personal privacy without using biometrics…”
Richard E Norton, IBIA
Copyright ACS Cybernaughties May 2002 56
But then……..
“…Biometrics are among the most threatening of all surveillance technologies, and herald the severe curtailment of freedoms, and the repression of ‘different thinkers’, public interest advocates and ‘troublemakers’.”
Roger Clarke
Copyright ACS Cybernaughties May 2002 57
Biometrics and Privacy
“ Biometrics need not subvert informational privacy. A pro-privacy position should not be construed as anti-biometric. The technology can actually be privacy enhancing if systems are designed with that objective in mind.”
Information Privacy Commissioner, Ontario, Canada
Copyright ACS Cybernaughties May 2002 58
Resistance to biometrics
There’s a reluctance to use human body parts for security systems
In US, Christian fundamentalists have brought 2 court cases …clear warnings in the bible against “marking” of
individuals
But, “if God did not want us to use biometrics, he would not have given us individual iris patterns.”
Copyright ACS Cybernaughties May 2002 59
Not all resist
At Heathrow airport, passengers are volunteering to use iris scanning – Sydney airport is trialling face recognitionBut terrorists are unlikely to volunteer so we still need face recognition improvementsThe good get through security quickly with iris scanningThe naughty get caught by the face recognition software
Copyright ACS Cybernaughties May 2002 60
What about fingerprinting?
It is no 2 in reliability, after iris scanning
But it is more affordable
Fingerprinting looks below the skin so latex fingers and severed fingers do not work
What about acceptance?
What about fingerprinting school kids?
Would you volunteer for a biometrics pilot?
Copyright ACS Cybernaughties May 2002 61
Fingerprinting in schools
In US, at least one school has mugged and fingerprinted all parents and volunteers……..
A failed school employee had moved from school to school molesting children employee.
Will fingerprinting prevent this happening again?
Copyright ACS Cybernaughties May 2002 62
Quebec’s new IT Framework Law
A person’s identity may not be verified or confirmed by means of a process that allows biometric characteristics or measurements to be recorded except with the express consent of the person concerned……..… The creation of a database of biometric characteristics and measurements must be disclosed beforehand to the Commission d’accès à l’information. As well, the existence of such a database, whether or not it is in service, must be disclosed. The Commission may make orders determining how such databases are to be set up, used, consulted, released and retained and how measurements or characteristics recorded for personal identification purposes are to be archived or destroyed.
The Commission may also suspend or prohibit the bringing into service of such a database or order its destruction, if the database is not in compliance with the orders of the Commission or otherwise constitutes an invasion of privacy.
Copyright ACS Cybernaughties May 2002 63
Biometrics in Australia
Edith Cowan Uni in WA uses fingerprint scanning to secure the PCs controlling access to campus buildingsMelbourne’s Crown Casino and the Australian Customs Service are trialling face recognition using Face-IT from USCSIRO is developing SQUIS – system for quick image searchNSW Police, casinos and retailers are using face recognitionSydney airport is trialling iris scanning
Copyright ACS Cybernaughties May 2002 64
Biometics future?
CSIRO has developed face recognition based surveillance but there are reliability problems.
Maybe the solution is a mix of iris scanning and face recognition with humans making the problematic matches
Copyright ACS Cybernaughties May 2002 65
Surveillance
Carnegie Mellon project to identify humans at up to 150 metres –Human Id at a DistanceBlue Eyes – IBM product used in retail stores to record face and eye expressions and measure effectiveness of in-store promotionsVegas security systems have used face recognition for three yearsIn UK where video surveillance is used, per capita crime is down
Copyright ACS Cybernaughties May 2002 66
Ethically speakeing
“We develop the technologies. The policy and how you implement them is not my province.”Human ID at A Distance Program Manager
“They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor saftey”Benjamin Franklin
Copyright ACS Cybernaughties May 2002 67
Surveillance technology
CookiesTravel cards/e-tollsEmployee id cardsPhone cardsCredit card recordsAirline ticketsCell phonesGPSVideo camera
Copyright ACS Cybernaughties May 2002 68
Bullet proof ID?
Does not exist
3-factor securitySomething you know, e.g. a passwordSomething you have, e.g. ID card/security
tokenSomething that confirms who you are, e.g.
a biometric
Copyright ACS Cybernaughties May 2002 69
ID cards – an each-way bet?
Americans should carry drivers license with routine data plus a biometric identifier….. Stored in uniform databases in every state, tied into a national network, to verify identities at a moment’s notice
But not a National ID card as these raise civil liberties concerns
Copyright ACS Cybernaughties May 2002 70
Who’s got ID cards?
Spain – id cards for citizens over 14
Argentina – card at 8, re-register at 17
Kenya – carry card at all times
Germany_over 16,m carry a card
Belgium – used since WW1, over 15, carry a card which police can request at any time
Copyright ACS Cybernaughties May 2002 71
ID cards
Finland – voluntary smart card with chip used as a travel card in 15 European countriesIn US. Most likely use will be id cards for immigrants and foreign visitorsMalaysia – piloting a smart card that is drivers license, cash card, health card, and passport.
Copyright ACS Cybernaughties May 2002 72
What’s needed?
Organisations need security software but it’s not enough. Need Policies Processes Risk analysis – ongoing Disaster recovery – tested Business continuity plans – tested Awareness and training – ongoing The will to act
Copyright ACS Cybernaughties May 2002 73
Disclosing vulnerabilities
Who needs to know when vulnerabilities are discovered?Does public disclosure encourage the naughty to take advantage of the vulnerability?Microsoft and several specialist security firms have announced voluntary adherence to a new disclosure policy
Copyright ACS Cybernaughties May 2002 74
Case study
You are an IT manager where a detection tool report shows that IT staff member Freda is accessing restricted Internet sites and downloading objectionable material.You remotely access Freda’s PC to obtain evidenceYou find the evidence, and fire Freda
Copyright ACS Cybernaughties May 2002 75
Evidence issues
Data collected for purpose of evidence Untampered withAccounted for at every stage of its life from
collection to presentation in courtComply with Law of evidence
This can be “just too hard” for some organisations to pursueDon’t disturb the crime scene
Copyright ACS Cybernaughties May 2002 76
Can you steal data?
In some jurisdictions, theft permanently deprives a victim of property.
If I copy your database, you still have it, so it has not been stolen.
In any case, is data “property”?
Copyright ACS Cybernaughties May 2002 77
Good reads
Tangled Web by Richard Power - excellent. Que, 2001. Useful linksThe Art of the Steal - very readable. Frank Abagnale. Bantam, 2001Access Denied - useful explanations and best practice checklists. Cathy Cronkhite & Jack McCullough. Osborne, 2001Roger Clarke’s notes from the Computers, Freedom & Privacy 2002 Conference at www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP02.html
Lots of useful links including Roger’s slides on biometrics
Copyright ACS Cybernaughties May 2002 78
What’s next?
Thanks you for your attendance and for completing your evaluation form.The next Education Across the Nation forum is “The Getting o Agility”- alternative ways of developing systems – lite, extreme, agile methods. These are not just a return to the “quick and dirty” approaches of the past – they are rigorous methods which work well if done properly. Tell us what you would like to know about these approaches on your evaluation for tonight and we’ll try and meet all needs.