Transcript of INF529: Security and Privacy In Informatics, csclass.info/USC/INF529/S19-INF529-Lec6.pdf
INF529: Security and Privacy
In Informatics
Policing and Government Access
Prof. Clifford Neuman
Lecture 6, 15 February 2019, OHE 100C
Announcements
• Mid-term exam is next Friday, February 22nd
– Location on campus is ZHS-352
– Exam is from Noon to 2PM
– Lecture will Follow in OHE 100C at 2:20
• You do not need to send new current events for
next week's lecture.
• Review of material for mid-term at end of today’s
lecture.
Course Outline
• What data is out there and how is it used
• Technical means of protection
• Identification, Authentication, Audit
• The right of or expectation of privacy
• Government and Policing access to data – February 15th
• Social Networks and the social contract – March 1st
• Criminal law, National Security, and Privacy – March 22nd
• Big data – Privacy Considerations – March 8th
• Civil law and privacy – March 29th (also Measuring Privacy)
• International law and conflict across jurisdictions – April 5th
• The Internet of Things – April 12th
• Technology – April 19th
• The future – What can we do – April 26th
Semester Project
All students are expected to prepare and present a 30 minute
lesson on a topic related to privacy that is of interest to them.
– If on a topic that is already in the syllabus, your presentation will be made
in the week that the topic is covered in class. The next slide shows some
possible topics that align with lectures (your title should be more specific).
– If on a topic that is not already in the syllabus, I will assign a week for
your presentation, based on available time in lecture, and based on
relevance.
– Please send me proposed topics for your class presentation by Thursday the
25th. You can suggest multiple topics if you like... if so let me know your order
of preference. All that you need is a short title and a one sentence description.
Topics may be chosen from among the topics listed in the syllabus for the
class, or you may propose topics around any particular problem domain (e.g.
type of system, type of business, type of activity) for which you will provide a
thorough discussion of privacy (or privacy invading) technology and policy.
Tentative – Social Networks – March 1
Social Networks
• Chloe Choe
• Nitya Mohini Harve
• Deepti Rajashekharaiah Siddagangappa
Tentative: Big Data, March 8th
Big Data
• Jacqueline Dobbas - Location Data
• Kavya Sethuraman
Monetization of PII
• Faris Almathami - Privacy vs. Marketers and
Advertisers
Tentative: March 22 - Policing, National Security
• Dewaine Redish – National Security and Privacy
• Andrew Carmer - History of Government Surveillance
• Gene Zakrzewski – NSA Surveillance Programs
Tentative – March 29 - Civil Law and Privacy
• Arjun Raman – CCPA and related
Also Measuring Privacy
• Sevanti Nag – Measurement of Privacy in Social Media
Monetization of PII
• Ahmed Qureshi – Time shifted due to conflict
Tentative: April 5th – International Privacy Regulations
• Mindy Huang
• Abdulla Alshabanan
• Anupama Abhay Sakhalkar – International legal issues
Tentative: April 12 Internet of Things
• Lance Aaron - Smart Assistants
• Brianna Tu
• Yulie Felice - Amazon Alexa Security
• Sophia Choi – RFID, USN, M2M
• Jairo Hernandez - Security and Privacy of
NFC
• Ann Bailleul - Implication of IoT on
Privacy
April 19th Medical IoT and Technology
Security, Privacy and Safety of Medical Devices and
technology.
• Fumiko Uehara
• Joseph Mehltretter
• Abdullah Altokhais
Facial Recognition and related technologies
• Louis Uuh – Facial Recognition
Security and Privacy in Messaging Technologies
• Aaron Howland
April 26th – The Future of Privacy
Technology, Training, Legislation
• Charlene Chen – Right to be Forgotten and the future of privacy
• Kate Glazko
Today's Topic
Last week we had a brief introduction:
• Some foundations to guide us especially with
respect to constitutional protections.
This week we will discuss:
• Going dark from a law enforcement perspective
• The legal and ethical battle between the FBI and Apple over retrieval of data
on a cell phone.
• A History of Mass Surveillance
Going Dark from a Law Enforcement Perspective
Those responsible for protecting us are not always able to access
evidence and/or materials necessary for their job to prosecute crimes
and prevent terrorism even when they have a lawful reason to do so.
Examples:
• Monitoring Phone calls, e-mail, and live chat sessions of criminals
and terrorists
• Recovering Data stored on the devices of criminals and terrorists,
such as e-mail, text messages, photos, and videos
For this reason, they seek solutions (laws) that will enable such
access.
– In many cases, the laws they seek try to impose technical solutions to
this problem.
– Can there be technical solutions to the problem as defined above?
Post Snowden Distrust of Government
“The people of the FBI are sworn to protect both security and liberty. We care
deeply about protecting liberty—including an individual’s right to privacy through
due process of law—while simultaneously protecting this country and safeguarding
the citizens we serve.” - FBI website
“In the wake of the Snowden disclosures, the prevailing view is that the
government is sweeping up all of our communications. That is not true.” - ex FBI
Director James Comey.
“Those of us in law enforcement can’t do what we need to do without your trust and
your support.” - ex FBI Director James Comey
Distrust of Government is a good thing.
Are they listening to me?
[Figure: legal process plotted by intrusiveness (vertical axis) against evidence obtained (horizontal axis): GJ Subpoena - Subscriber Only, GJ Subpoena, 2703(d) Order, PR/TT, Search Warrant, Title III Wiretap; investigation stages: Assessment, Preliminary Investigation, Full Investigation]
How hard is it?
[Figure: the same intrusiveness vs. evidence chart, with a Difficulty axis added]
GJ Subpoena
Request to the United States Attorney’s Office
Relevant to the investigation
Non-disclosure Request
Periodic Audits
2703(d) Order
“Specific and articulable facts showing that there are reasonable
grounds to believe that the contents of a wire or electronic
communication, or the records or other information sought, are
relevant and material to an ongoing criminal investigation.”
Pen Register / Trap and Trace (18 U.S. Code § 3122)
“Information likely to be obtained is relevant to an ongoing
criminal investigation being conducted by that agency.”
Search Warrant - 2703(a)
Probable cause to believe that the information associated with
the [account] constitutes evidence, fruits, or instrumentalities of
criminal violations of 18 U.S.C. § 1030 (Computer Intrusion).
Notification Requirement
Search Warrant - Physical
Probable cause to conclude that [specific list of what you are
looking for], which constitute evidence, fruits, and
instrumentalities of violations of 18 U.S.C. § 1343 (Wire Fraud),
will be found at the [location].
Notification Requirement
Communications Assistance for Law Enforcement Act (CALEA) - October 25, 1994
It requires that telecommunications carriers and manufacturers of telecommunications equipment design
their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities to
comply with legal requests for information. - FCC
Currently thousands of companies provide some form of communication service, and most are not
required by CALEA to develop lawful intercept capabilities for law enforcement. - FBI Website
As a result, many of today’s communication services are developed and deployed without consideration of
law enforcement’s lawful intercept and evidence collection needs. - FBI Website
So What Does It Take for the Private Sector?
References
● “Going Dark,” https://www.fbi.gov/services/operational-technology/going-dark
● “Going Dark: Are Technology, Privacy, and Public Safety on a Collision Course?,” Ex-FBI Director Jim Comey’s Speech at the Brookings Institution (10/16/2014), https://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course
● “Encryption and Cyber Security for Mobile Electronic Communication Devices,” Congressional testimony of Executive Assistant Director Amy Hess (4/29/2015), https://www.fbi.gov/news/testimony/encryption-and-cyber-security-for-mobile-electronic-communication-devices
● FBI Director Comments on San Bernardino Matter (2/21/2016), https://www.fbi.gov/news/pressrel/press-releases/fbi-director-comments-on-san-bernardino-matter
● Manual of Model Criminal Jury Instructions, United States Courts for the 9th Circuit, http://www3.ce9.uscourts.gov/jury-instructions/node/338
● FBI Domestic Investigations and Operations Guide (DIOG) 2011 Version, http://documents.theblackvault.com/documents/fbifiles/diog.pdf
● “FBI knew earlier of Boston bombing suspect,” Politico (6/15/2013), https://www.politico.com/blogs/under-the-radar/2013/06/fbi-knew-earlier-of-boston-bombing-suspect-166313
● “Communications Assistance for Law Enforcement Act,” https://www.fcc.gov/public-safety-and-homeland-security/policy-and-licensing-division/general/communications-assistance
● Office of the United States Attorneys, https://www.justice.gov/usam/usam-9-7000-electronic-surveillance
FISA Amendments Act of 2008
• Reauthorized similar expired provisions in
Protect America Act of 2007
• Section 702: Allows the Attorney General and
the Director of National Intelligence to authorize
surveillance on “persons reasonably believed to
be located outside the United States” for up to
one year
• Sections 802 and 803: Provides legal immunity
to telecom companies for assisting intelligence
community
Criminal Law vs Security Debate
• Today's technology is increasingly more secure
• So secure that even with a proper search warrant, law
enforcement has difficulty accessing data
• Law enforcement has therefore requested that
backdoors or other security weaknesses be installed
on devices in case they need access
• Apple vs FBI case
INF529: Security and Privacy
In Informatics
Apple v. FBI
Prof. Clifford Neuman
Lecture 6, 15 February 2019, OHE 100C
Access to Data on Protected Devices
• For many years, law enforcement has been accessing data
on devices seized in raids, or incident to arrest. There is a
whole business around forensic analysis of such devices.
• With the widespread adoption of memory encryption in
phones around 2014 this process was made more difficult.
• There had been proposed legislation to limit this kind of
effective encryption, and we saw some of these bills earlier
in this class. The events that follow affect the debate on
some of those bills.
Apple opposes order to help FBI unlock phone belonging to San Bernardino shooter
The News Release
The Motion and Order
The motion describes the reasons that the government is seeking an order to force Apple to assist them in getting access to the data on the device, and it describes the specific steps that they want Apple to perform.
Once issued (if issued) the order tells Apple what they must do, but Apple may appeal the order, or if “Apple believes that compliance with this order would be unreasonably burdensome,” they may make an application to this court for relief within five business days.
Apple chose to appeal, and also to argue their case in “the court of public opinion”. That option is not always possible since certain court orders prohibit disclosure of the request altogether. In any event, the issue became moot when the government was able to obtain the data on the phone through other, still undisclosed, means. The debate is still important as it influences policy.
Ethical Issues
• Authority to search
– Device owned by SB County
– Court order based on showing of probable
cause.
– Genuine probable cause exists in this case
• Broader separate issue
– Intentional vulnerabilities (back doors) in
phone sold to other customers
– Many problems with this
Legal Issues
• All Writs Act – a very broad law used to give the
courts authority to issue orders.
• At issue is the burden this imposes on Apple and
whether that is appropriate. Apple further argued 1st
amendment rights (no compelled speech).
• 4th Amendment Rights not at issue in this matter as
cause has been established.
• 4th Amendment is an issue in the broader discussion
regarding impact on privacy of other users.
• Would complying create a precedent?
Public Policy Issues
• Impact of Required Backdoors
• Requirements to provide access to cloud data
Technical Issues
• What data likely on phone: location, app data including
communications.
• Which keys
– Data key combined phone specific & passcode
– Entropy of passcode
– Different key (Apple’s) used to sign new iOS.
– Creating Backdoor vs using vulnerability
• Why not Google
– Open nature of Android means different parties needed to
sign the code.
– Similar technical approaches exist.
• Newer hardware and iOS: capability for a secure element (used for
payment, but similar techniques can be applied to data protection).
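As an added illustration of the "Which keys" bullets above (a simplified model written for this page, not Apple's code): the data key is derived from both a device-bound secret and the passcode, so guessing has to happen on the device, and the passcode's entropy together with a retry limit bounds what any party can recover. The device secret, the KDF iteration count and the 80 ms per-guess cost are constructed assumptions.

```python
import hashlib
import hmac
import math

# Constructed stand-in for the per-device secret fused into the phone's
# hardware (assumption: 256-bit, never readable by software).
DEVICE_UID = bytes.fromhex(
    "00112233445566778899aabbccddeeff" "ffeeddccbbaa99887766554433221100"
)

# KDF work factor. Kept small so the example runs quickly; a real device is
# tuned so one derivation costs tens of milliseconds (assumption: 80 ms).
ITERATIONS = 1000
SECONDS_PER_GUESS = 0.08


def derive_data_key(passcode: str, device_uid: bytes = DEVICE_UID,
                    iterations: int = ITERATIONS) -> bytes:
    """Key protecting the data partition, tangled from passcode and device
    secret. A copy of the flash without the device secret yields an
    unrelated key, so the passcode cannot be searched on another machine."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"),
                               device_uid, iterations, dklen=32)


def passcode_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random passcode: 4 digits is about 13.3 bits,
    6 digits about 19.9 bits, 6 mixed-case alphanumerics about 35.7 bits."""
    return length * math.log2(alphabet_size)


def worst_case_search_hours(alphabet_size: int, length: int,
                            seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Hours to exhaust the passcode space if every guess must be derived on
    the device at the given cost and no retry limit or erase policy applies."""
    return alphabet_size ** length * seconds_per_guess / 3600


class PasscodeGuard:
    """Retry limit modelled on an erase-after-N-failures setting: once the
    limit is hit the key material is discarded, so the search time above is
    only the relevant budget if this guard can be bypassed."""

    def __init__(self, passcode: str, max_failures: int = 10) -> None:
        self._key = derive_data_key(passcode)
        self.max_failures = max_failures
        self.failures = 0
        self.wiped = False

    def try_unlock(self, guess: str) -> bool:
        """Return True only when the guess reproduces the stored key."""
        if self.wiped:
            return False
        if hmac.compare_digest(derive_data_key(guess), self._key):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self._key = b""      # erase key material: data is now unrecoverable
            self.wiped = True
        return False


if __name__ == "__main__":
    for size, length in ((10, 4), (10, 6), (62, 6)):
        print(f"{length} symbols from {size}: "
              f"{passcode_entropy_bits(size, length):.1f} bits, "
              f"{worst_case_search_hours(size, length):.1f} h worst case on device")
    guard = PasscodeGuard("4821")
    print("wrong guess accepted:", guard.try_unlock("0000"))
    print("right guess accepted:", guard.try_unlock("4821"))
```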
International issues
• Level Playing Field
– Other Countries will demand same access
• Access to cloud data across jurisdictions
– International assistance
In the News: FBI paid $1M for iPhone hack – CBS News – April 21, 2016
• http://www.cbsnews.com/news/fbi-paid-more-than-1-million-for-san-bernardino-iphone-hack-james-comey/
• LONDON -- FBI Director James Comey alluded to the fact the
bureau paid more than $1 million for the method used to disable
the security feature of the San Bernardino shooter's iPhone.
• At an Aspen Institute discussion in London, Comey said the FBI
paid more money than he would make in the time left as FBI
director.
INF529: Security and Privacy
In Informatics
Wikileaks v. CIA
Prof. Clifford Neuman
Lecture 6, 15 February 2019, OHE 100C
An Overview
• A couple of news stories
• Now let’s analyze using the same framework
Ethical Issues
Apple v FBI
• Authority to search
– Device owned by SB County
– Court order based on showing of probable cause.
– Genuine probable cause exists in this case
• Broader separate issue
– Intentional vulnerabilities (back doors) in phone sold to other customers
– Many problems with this
Wikileaks Disclosure
• Authority to “hack”
• Broader separate issue
Legal Issues
Apple v FBI
• All Writs Act
• Burden on 3rd parties
• Constitutionality
• Precedent.
Wikileaks Disclosures
• Is the Hacking legal?
Broader Public Policy Issues
Apple v FBI
• Impact of Required Backdoors
• Requirements to provide access to existing data.
Wikileaks Disclosures
• Use of existing exploits
• Duty to protect?
Technical Issues
Apple v FBI
• Data on Phone
• Cryptography
• Security of Software
• Upgrades
• be applied.
Wikileaks Disclosures
• IoT Security
• Sensors Everywhere
International issues
Apple v FBI
• Level Playing Field
• Access across jurisdictions
Wikileaks Disclosures
• Level Playing Field
Turning Devices Off
• How the NSA can 'turn on' your phone remotely – CNN Money June 6 2014 - Jose Pagliery
• Even if you power off your cell phone, the U.S. government can turn it back on.
• That's what ex-spy Edward Snowden revealed in last week's interview with NBC's
Brian Williams. It sounds like sorcery. Can someone truly bring your phone back to life
without touching it?
• No. But government spies can get your phone to play dead.
• It's a crafty hack. You press the button. The device buzzes. You see the usual power-
off animation. The screen goes black. But it'll secretly stay on -- microphone listening
and camera recording.
Why some apps want access to the microphone
• FTC Warns App Developers Over Use of Audio Tracking
Code
– Used to figure out what is playing on the TV in the
background.
– But what else does this imply?
Camera Access
• Disable Your Laptop's Built-in Webcam to Protect Your Privacy – Mark Wilson – Lifehacker – 6/27/14
• Windows: Webcams offer a window into your home, and they've been known to be targets for malware. If you have a built-in camera, here's how to disable it and protect yourself.
• Malware can take over webcams, so there is potential for your camera to spy on you. You can easily disable an external webcam just by unplugging it, but things are a little different for integrated cameras.
• The simple solution is to just pop a piece of tape over the lens, but this is not ideal. Sticky residue is left behind, and there is a risk that your improvised privacy shield could fall off. You could turn to third party software, but you can also disable a webcam from within Device Manager.
Some Questions
• What’s newsworthy?
– None of what came out is really surprising in that we
have known of these kinds of weakness for some time.
We voluntarily surround ourselves with surveillance
devices, i.e. cameras and microphones and location
tracking, and it is only the strength of the security for the
software on these devices that has protected us, and we
know that the state of software security is abysmal.
Some Questions
• How worried should the general public be about
claims the government agencies can hack their
electronic devices?
– The public should be very concerned that their devices
are hackable, not just by our own government agencies,
but even more so by foreign intelligence services that
also use these techniques, and by criminal enterprises
that may have or might acquire such capabilities.
Some Questions
• Could you explain how you see the main
vulnerabilities to users — is it mainly from apps or
devices and operating systems?
– The weaknesses are all in software, and that includes apps,
operating systems, and software running on internet of things
type devices like smart TVs. The impact occurs because the
(vulnerable) software on these devices has access to the
sensors that acquire sensitive information.
Some Questions
• What can tech companies do to protect users?
– "control their software supply chains". By this I mean that they need to
digitally sign updates to the software that runs on their devices, and
protect the systems they use for development and distribution of such
updates. They also need to ensure that things like "apps" that might
run on their systems are appropriately examined before they are
endorsed for use by their customers.
Some Questions
• Have the WikiLeaks releases provided enough
detail for tech companies to recognize
vulnerabilities and fix them?
– It helps direct scrutiny to the areas that need examination and it will
assist companies in identifying and fixing vulnerabilities, but the current set
of vulnerabilities will only be replaced by a new set of zero-days down
the road, and one should never consider a software system to be
completely secure.
Some Questions
• Wikileaks said in a statement it is "avoiding the
distribution of 'armed' cyber weapons" — how
damaging could these tools be if they fell into the
hands of hackers and cyber criminals?
– Many of these tools are already in the hands of cyber-criminals, and
some might have been purchased from that community.
Some Questions
• How worried should we be that our smart TVs and wifi-enabled
refrigerators and toasters could be spying on us?
– They already are, the only question is one of what they do with the information
they collect. We expect the information to be used for our benefit. More often
than not, some of that information is used for commercial purposes (marketing),
and as we saw from these leaks, the information may also be used for intelligence
gathering. The only question is how much confidence we have in the software
running on those devices, and the answer to that is "not much confidence at all".
– Regularly when we install apps on our devices, we grant permission for the app to
access sensitive information (camera, microphone, address book, location, etc).
More often than not, if the app is commercial, that information is being sent to the
provider of the app. Consider recent changes to the location information gathered
by the uber app. The capability of apps to collect such information is not surprising.
Disclosure of Techniques in Legal Proceedings
• In FBI hacks, tech firms get left in the dark as feds resist
call to divulge secrets - Los Angeles Times, March 31, 2016.
– In US, when evidence is presented in court, defense has
opportunity to refute, and due process may require
disclosure of methods through which the evidence was
collected.
– In many cases, this limits the prosecutor's ability to
present certain pieces of evidence.
5th Amendment Rights?
Child porn suspect jailed indefinitely for refusing to decrypt
hard drives – Ars Technica – April 27, 2016 – By David Kravets
A Philadelphia man suspected of possessing child pornography has been in
jail for seven months and counting after being found in contempt of a court
order demanding that he decrypt two password-protected hard drives.
The suspect, a former Philadelphia Police Department sergeant, has not
been charged with any child porn crimes. Instead, he remains indefinitely
imprisoned in Philadelphia's Federal Detention Center for refusing to unlock
two drives encrypted with Apple's FileVault software in a case that once
again highlights the extent to which the authorities are going to crack
encrypted devices. The man is to remain jailed "until such time that he fully
complies" with the decryption order.
Tracking TOR users – February 2016
• A judge has ordered the Federal Bureau of Investigation to turn over the complete code it used to infiltrate a child pornography site on the Dark Web, Motherboard reports. The FBI seized the Tor-based site known as "Playpen" in February 2015 and kept it running via its own servers for two weeks --during this time, the bureau deployed a hacking tool that identified at least 1,300 IP addresses of visitors to the site worldwide.
• Playpen was "the largest remaining known child pornography hidden service in the world," according to the FBI. Roughly 137 people have been charged in the sting so far, Motherboard says. On Wednesday, a lawyer for one of the defendants won the right to view all of the code that the FBI used during the Playpen operation, apparently including the exploit that bypassed the Tor Browser's security features.
Current Events
California governor proposes 'new data dividend' that could call on Facebook and Google to pay users - CNBC 02/12/2019
Gov. Gavin Newsom proposes "a new data dividend" that could allow California consumers to get paid for their
digital data. Some tech experts have suggested that companies like Facebook and Google should pay consumers
for their information. - Nitya Harve
California Governor Talks Blockchain and Data privacy in State of the State Speech - CoinTelegraph 2/13/2019
The governor of California Gavin Newsom supported the development of blockchain and artificial intelligence (AI)-
based products in his "State of the State" speech. Newsom said California needs a comprehensive statewide
strategy to ensure technological advancements in AI, blockchain, big data are creating jobs, not destroying them.
He also pointed out that the state's citizens should be able to benefit from sharing their personal information on
online sites and services. He asked his team to develop a proposal for a "Data Dividend" for Californians, stressing
that "we recognize that your data has value and it belongs to you." -- Mindy Huang
California Governor Talks Blockchain and Data Privacy in State of the State Speech Futurism 02/13/2019
This article focuses on technological development for California. However, it also discusses giving users additional
control over their data. Specifically, Newsom believes that users data has value, and the user should be able to
benefit from it. -- Joseph Mehltretter
Current Events - Facebook
The U.S. government and Facebook are negotiating a record, multibillion-dollar fine for the company’s privacy lapses -
The Washington Post 2/14/19
The article discusses how Facebook is currently in private talks with the FTC trying to agree on an amount in the
billions for privacy violations. This would be the largest fine ever imposed on a tech company and if an amount is
not decided on then it would go to court. The article further talks about how it's questioned how much of a privacy
agency the FTC is and if it will use its power to safeguard consumer data. -- Ahmed Qureshi
The U.S. government and Facebook are negotiating a record, multibillion-dollar fine for the company’s privacy lapses
The Washington Post – 2/14/2019
FTC (The Federal Trade Commission) orders with severe penalties (over a multi billion dollar) for Facebook after a
series of privacy lapses. But lawmakers have faulted the tech company for mishandling users’ data while
spreading other digital ills, such as hate speech and disinformation from Russian and foreign actors. Since
Cambridge Analytica had a small fine by the United Kingdom, Facebook would contest and FTC to speed up its
work to penalize Facebook. -- Sophia Choi
The U.S. government and Facebook are negotiating a record, multibillion-dollar fine for the company’s privacy lapses -
The Washington Post - 2/14/2019
The FTC and Facebook are negotiating fines for Facebook's failure to meet FTC requirements for consumer
privacy protection. This is interesting because of the potential amount which could finally mean the FTC is finally
ready to become a real player in enforcement and consumer protection. Their previous top fine for privacy-related
issues (in the 10's of millions) is not significant enough of a threat to modify behavior of tech giants.
– Dewaine Reddish
Current Events - Facebook
FTC and Facebook are negotiating a deal for Facebook's privacy lapses The Washington Post 14/02/2019
FTC's probe of Facebook began with Facebook's involvement with Cambridge Analytica. The probe focuses on whether
Facebook's conduct violates an agreement brokered by Facebook with the FTC in 2011 to improve its privacy practices. Facebook
is facing increasing pressure due to lawsuits by several states (California, New York, Pennsylvania) and the deal being negotiated
with FTC is estimated to contain a multi-billion dollar fine for Facebook. If the FTC punishes Facebook for its conduct, it could set a
good precedent for privacy violations by Silicon Valley companies in the future. –Anupama
FTC and Facebook are negotiating a deal for Facebook's privacy lapses
As a result of the recent privacy issues Facebook has been experiencing, the company is going to be fined by the Federal Trade
Commission. The settlement is still in the works, but this brings to light the question of whether this agency is willing and able to
use its authority to protect the privacy of consumers in this country. -- Ann Bailleul
FTC and Facebook are negotiating a deal for Facebook's privacy lapses
The U.S. Federal Trade Commission has decided to impose a fine upon Facebook following the agency’s investigations in
Facebook’s various privacy-related incidents over the last couple of years including the widely-reported Cambridge Analytica
scandal. The fine, which is still under negotiation between the FTC and Facebook, is expected to be a multi-billion dollar fine that
would break the record as the highest fine that the FTC has imposed on a tech company. The current largest fine is the $22.5
million fine imposed on Google by the FTC for their privacy practices in 2012. -- Kate Glazko
Government watchdog finds weak enforcement of US privacy regulations - CNET 2/13/19
The Government Accountability Office (GAO) issued a report stating that since 2009 over a hundred data privacy violations have
been investigated by the FTC and almost all of them ended with settlement agreements without fines. The report states that
the FTC did not have the authority to issue fines for those specific privacy violations and that large companies (Google, Verizon,
Comcast, etc.) prefer the current data privacy regulations that limit the FTC's authority. The GAO is recommending a federal
internet privacy law with harsh, concrete consequences for companies that violate the future proposed law. -- Aaron Howland
Current Events - Google
Google Maps might get an important new privacy option soon - 02/13/2019 Mashable
An update might be rolled out to Google Maps App on mobile phones that will give users more control over their
privacy. The added feature will allow the user to specify how long the location history can be recorded. That is the
user will be able to set a time range and every data out of this range will be deleted. -Abdulla Alshabanah
Thousands of Android Apps Break Google's Privacy Rules TomsGuide 2/14/19
International Computer Science Institute (ICSI) examined 24,000 Android apps. Of these apps, 70 percent were
breaking rules set forth by Google by sending out permanent IDs that ad networks can then use to track
movements and usage of other apps. The Ad IDs are temporary identifiers that identify the devices for the ads.
These IDs are specified as the only IDs the apps are allowed to transmit to the ad networks. However, they are
sending serial numbers of the device or SIM card, the IMEI number, or even the Google account ID.
- Andrew Carmer
Google Play Cracks Down on Malicious Apps ThreatPost 2/14/19
Google Play app submission rejections increased by more than 55%, & app suspensions increased by 66% in
2018. Google expanded its bug bounties as well as automated protections, human reviews, and developer policies
in order to mitigate malicious apps. However, Kaspersky Labs was able to find millions of apps that leak PII just in
April 2018 - repeat offenders often abuse the system and find ways back to the Play store. -- Charlene Chen
Current Events
In healthcare, better data demands better privacy protection - TechCrunch 2/12/14
Big data and machine learning are beneficial to healthcare as it can help prevent diseases, diagnose and treat
patients more accurately, and more. However, we cannot simply anonymize personal information anymore as it
has been proven that individuals can be easily re-identified as more "breadcrumbs" are being left on the Internet
these days. In the article, it explains how the Israeli government adopted a National Health Plan that maintains
medical privacy and confidentiality, but does not take into account data privacy. Many of these solutions created by
these start-up nations do a great job selling the innovation aspect, but fail to look at how privacy of this data can be
affected. - Brianna Tu
The Technology 202: Is the FTC powerful enough to be an effective privacy cop? The Washington Post 2/14/2019
The Federal Trade Commission (FTC) is supposed to be the organization governing internet privacy of all
organizations residing in the United States. For the past decade, there have been uncountable cases of negligence
and irreverence by many organizations when it comes to users' privacy, especially when revenue is prioritized.
Considering this fact, the FTC has failed to take any proper actions such as severe financial penalties such as
what European competitors of the FTC hitting careless organizations with huge fines - Faris Almathami
Mumsnet reports itself to regulator over data breach 02/07/2019 The Guardian
Botched upgrade to Mumsnet led to a data breach allowing users logging in at the same time to get interchanged
access. This allowed a person full control over other person's account. Around 4000 users were affected by this
breach and 14 users have reported an issue. Mumsnet has voluntarily reported this issue to the Information
Commissioner, as it is legally required to do in the event of a data breach. -- Deepti
Current Events - Apple
What Apple killing its Do Not Track feature means for online privacy - CNN Business - 02-13-2019
Apple has recently announced that it will remove its "Do Not Track" feature from its Safari browser in the next
major mobile and PC update. There is not enough impetus to adopt it as an official privacy standard; third party
information collectors are allowed to disregard it even if selected in a browser setting. Privacy advocates are
concerned that it will prevent consumers from being able to express a desire for privacy, sparking fear that other
major companies, including Mozilla Firefox or Google, may follow suit. -Jacqueline Dobbas
New macOS security flaw lets malicious apps steal your Safari browsing history - ZDNet 02/13/19
A macOS application developer discovered a bug in the macOS Mojave API that can be used to gain access to protected
folders and data such as Safari browsing history. The developer reported the bug to Apple, but there has not been any
update yet to patch it. The bug allows malicious apps to bypass the OS protection on restricted folders without
acquiring any permission from the system or from the user. - Abdullah Altokhais
GO UPDATE IOS RIGHT NOW TO FIX THAT VERY BAD FACETIME BUG- The Inquirer - February 7th, 2019
A FaceTime eavesdropping bug that allowed users to activate the microphone—and even the camera—on any
phone they were calling through FaceTime and listen in before the recipient picked up has finally been solved. The
bug stemmed from a logic issue with FaceTime's group calling feature, which Apple introduced at the end of 2018
as part of launching its new iOS 12 mobile operating system. It's still difficult to guarantee it on the scale of a
platform like FaceTime—especially for group calls that have multiple participants despite it being reported in
advance to Apple. In addition, this has higher implications for how overarching software systems are developed
and deployed in an ecosystem and achieving overall success of end-to-end encrypted chat on various devices. -
Arjun Raman
Current Events
New TLS encryption-busting attack also impacts the newer TLS 1.3 – ZDNet
Some people from academia released a new attack this week that can break encrypted TLS traffic. The attack is
not necessarily new per se, but rather a variation of the original Bleichenbacher oracle attack. – Louis Uuh
School bomb hoax suspect arrested in US - BBC 2/14/2019
Members of the Apophis Squad hacker group, Timothy Dalton Vaughn and George Duke-Cohen, have been arrested.
They are responsible for multiple pranks that include threatening FBI offices with anthrax and ebola, crashing
websites, defacing web pages, spoofing emails, sending bomb threats to 2000 US and 400 UK schools, and sending a
bomb threat to United Airlines that resulted in a four-hour quarantine at San Francisco International Airport. A
cyber-security expert, Brian Krebs, mentioned that the hackers were identified after a user database containing
their email addresses was stolen from an online gaming firm called Blank Media Games. - Yulie Felice
VFEmail is no more after attack 2/14/19 infosecurity Group, threatpost, SecurityIntelligence
This article is about how a company was essentially shut down by one attack that wiped all its servers. An unknown
attacker reformatted almost all the disks of the servers of VFEmail (a privacy-focused email company). There was
no clear motive behind the attack. About two decades' worth of emails were lost with no hope of recovery. This
case emphasizes the point that disaster recovery is not a checkbox you want to skip. With no backups on local
disks or by other means, this company is pretty much gone. - Jairo Hernandez
Current Events
Employee data is a potential gold mine and a mine field
Just as Facebook and Google hold user data that is prone to leaks and concerns, enterprises hold employee
information that is potentially more harmful unless correctly handled, as employers can gather an unprecedented
amount of data on workers far beyond personal details. Collected responsibly, made secure and put to good use,
employee data has the potential to benefit both company and individual. But when the data is misused or not
safeguarded correctly, the financial and reputational risks an enterprise would face could be catastrophic.
-- Kavya Sethuraman
Lenovo Watch X Riddled with Security Vulnerabilities Threatpost (02/13/19)
The new Lenovo Watch X was originally praised for its affordability, design, and features but has since been
discovered to have countless security bugs. Such bugs included malicious users being able to set alarms, location
data being constantly sent to Lenovo headquarters, and forced remote password changes. Lenovo said fixes are
on the way. - Chloe Choe
Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions - Krebs on Security 02/08/19
Bank Secrecy Act (BSA) officers at credit unions across the nation received emails spoofed to make it look like
they were sent by BSA officers at other credit unions. The missives addressed each contact by name, claimed that
a suspicious transfer from one of the recipient credit union’s customers was put on hold for suspected money
laundering, and encouraged recipients to open an attached PDF to review the suspect transaction. The PDF itself
comes back clean via a scan at Virustotal.com, but the body of the PDF includes a link to a malicious site.
They were sent only to specific anti-money laundering contacts at credit unions, and many credit union sources
say they suspect the non-public data may have been somehow obtained from the National Credit Union
Administration (NCUA) - Sevanti Nag
Current Events
Internet Connected Fridges Vulnerable to Remote Defrosting - Tech Crunch 2/08/2019
Various industrial refrigerators used in restaurants and hospitals were found to be using a default username and
password combination. These used browser-accessible interfaces which, among other functions, allow a user to
remotely defrost the entire fridge. The manufacturer states that it is up to the installer to change the password, but this
situation raises the question of why these systems are on the open internet in the first place. - Lance Aaron See
With smart sneakers, privacy risks take a great leap | CNET - February 13th, 2019
With the rise of smart sneakers, privacy experts are waiting for a breach. The smart sneakers recently released by
Nike and other companies collect and share sensitive information like location, running routes, other personal
information (e.g., body mass, gender, etc.) and health routines. The shoes are equipped with multiple security
layers that may be open to potential hacks (Bluetooth security layers, a two-way authentication protocol) that are
linked to a user's devices and encrypted. As more competitors come onto the market with fewer resources than, say,
Nike, the chances of a hack are much higher. Bluetooth Low Energy (BLE) chips, the kind used in these shoes,
have in the past allowed hackers to spread malware across organizations such as hospitals and factories. In addition,
with third-party organizations and applications being built in conjunction with smart sneakers, the outlets for hackers
are much greater, as in the Under Armour breach in March 2018 with the hack of the MyFitnessPal app. Many of these
third-party apps do not have the same security standards or resources for security as larger companies, resulting in
the consumer being at risk. - Arjun Raman
Current Events
Why It’s Dangerous to Share Your Birthday Online How-To-Geek 2/4/2019
Alongside the model of your first car and your mother’s maiden name, your birthday is perhaps the most common
security question asked on most websites. Security questions are notoriously awful. They’re likely the cause of
most social media “hacks” online, including the 2014 iCloud breach that affected many celebrities. The fault is in
password recovery systems; they’re designed for you to be able to reset your password easily, but they often make
it easy for hackers to do the same. -- Gene Zakrzewski
Doxxing: What Is It & Should You Be Worried? HTML.com
The act of revealing identifying information about someone online — their real name, address, workplace, phone
number, or other identifying information — is known as doxing (also spelled “doxxing”). The word evolved from the
phrase “dropping dox;” hacker slang referring to documents that identify an anonymous person online. Tearing
down a person’s anonymity has become one of the most powerful online weapons available, and the only way you
can really hurt someone from thousands of miles away. Michelle Obama, Beyonce and Donald Trump have all
been victims of doxxing. Is it illegal? -- Gene Zakrzewski
Mid-Term
Review for Mid-Term Exam
• Mid-term will be Open Book, Open Note.
• Electronic devices may be used, but you must
have them in airplane mode, i.e. no Internet
access.
• Previous mid-term exams on website.
• ** You will be asked to argue BOTH sides of
at least one Privacy issue **
Mid-Term Outline of Material
Overview of security and privacy
What are they, why we have neither
Relationship between the two
Understanding our data in the cloud
What data exists and who can access it
Both officially and unofficially
What is the data used for
What can it be potentially used for
Mid-Term Outline of Material
Overview of Technical Security
Confidentiality, Integrity, Availability
The role of Policy
Risk Management from multiple perspectives
Mechanisms
Encryption/Key Management, Firewalls,
Authentication, Digital Signatures, Authorization,
Detection, Trusted hardware
Attacks
Malicious Code
Social Engineering
Attack Life Cycle
Mid-Term Outline of Material
Identity Management and Privacy
Expectations of Privacy
Issues on Government Access for Law Enforcement
or other Purposes.
I will ask opinions on the predominant current
events: GDPR, Facebook, Google, (others, let’s
discuss), specifically with respect to how they relate
to the topics above.
Mid-term Format
Sample service sector
Description of the service
Questions for you
Analyze the information requirements
And the policies to apply to preserve privacy.
Discuss ethical issues around that policy.
What are the expectations of users.
Discuss the vulnerabilities that likely exist and how
attacks might be facilitated
Discuss technical and design measures one might
use to preserve security and privacy in the system.
2016 Mid-Term
Privacy and Security for Healthcare –
As consumers we demand instant access to healthcare related data on an increasing basis. From portability
requirements for access to data so that test results from one physician are available to others, to our ability to review the
data personally, and eventually our ability to manage data from personal devices such as the Fitbit, monitoring our
heartrate, activities, and much more. Included in health data are medical records containing diagnoses and prescribed
medications, as well as medical histories including information about family members, various “risky” activities like
smoking, drinking, and unprotected sex. The results of medical labs such as blood tests and x-rays will be included. For
some individuals, this data may also include genetic characteristics, such as what can be obtained from the service
23andMe, which sequences an individual's genome and provides information about ancestry and susceptibility to various
medical conditions. This information may also contain payment information and identifying information like name,
address, phone number, and social security numbers.
The data above may need to be protected in terms of confidentiality, integrity, and availability. One example of a recent
breach to availability of data is the ransomware incident at Hollywood Presbyterian Hospital where data was encrypted
by malicious software and a $3 Million ransom was demanded to restore the data. The Hospital eventually paid
approximately $17,000, but the impact to their operations was more significant.
All three of the questions that follow pertain to systems being developed to collect, analyze, share, and utilize this
collection of health related information.
2016 Mid-Term
1. What are the consequences of compromise of the health data described above? In describing the
consequences, explain what might happen as a result of a breach of confidentiality, integrity, or
availability for specific pieces of data described above. Mention the consequences to the individuals
whose data is compromised, as well as consequences to the holder of that information. What might
other entities be able to do with such data if they gain access to it? (Answer on the rest of this
page and on the back of this page). (30 points)
2. For each kind of healthcare related information described in the introduction to this exam (1st half of
page 2), list who should have access to the data and the kind of access (e.g. ability to read the data,
create the data, and modify the data). Describe any special constraints that should apply to this
access. Finally, suggest where in the system (e.g. on a server managed by X, on a patient's
computer, on a patient's mobile device, etc.) would be the best place or places to store this data to
best protect it. (40 points)
3. Discuss some approaches that can be taken to protect the data against privacy, integrity, and
availability threats. These measures can be technical or legal and may be taken by the holder of the
data, by the subject of the data (the patient), or by others. Among other things, these approaches
may involve the way the data is stored or transmitted, the structure of the systems that will process
or store the data (including technical defenses applied on those systems) or the steps taken when
one seeks to access the data. In answering this question, consider the kinds of attacks (social
engineering, malicious code/viruses) etc that we discussed in class. (30 points)