Tuomas Aura
T-110.4206 Information security technology
Privacy regulation and research
Aalto University, autumn 2013
Outline
1. Privacy legislation
2. Examples of my own privacy research:
   a) Unwanted metadata in digital documents
   b) Identifier leaks to the local network
Two aspects of privacy
Control over personal information
– Emphasized in Europe
– Gathering, disclosure and false representation of facts about someone's personal life
Right to be left alone
– Emphasized in America
– Interference, control, discrimination, censorship, also spam
Privacy legislation in Finland
WARNING: I'm not a lawyer. The following slides contain highly simplified interpretations of the law.
Perustuslaki (constitution), 10 §
http://www.finlex.fi/fi/laki/ajantasa/1999/19990731#p10
– Protection of privacy, honor and home
– Secrecy of letters, messages and telephone calls
Also:
– Obligation to protect personal information by law
– Exceptions can be made in other laws
Crimes against privacy in Finland
Rikoslaki (criminal code), luku 24
http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001#l24
Kotirauhan rikkominen, Rikoslaki, luku 24, 1–2, 11 §
– Disturbing people in their home (or equivalent place) is a crime
– Telephone and mobile phone are also a protected area
Salakuuntelu ja salakatselu, Rikoslaki, luku 24, 5–7 §
– Using technical equipment to listen to or record people's speech at home, or in some other place where they don't expect outsiders to hear, is a crime
– Using technical equipment to watch or record pictures without permission at someone's home (or equivalent place), fenced yard, toilet or dressing room is a crime
– OK to eavesdrop on voices and sounds without equipment
– OK to record sound when you are legitimately present, e.g. keep a microphone on your body or record telephone calls
– OK to photograph or record video in a public place
Crimes against privacy in Finland
Yksityiselämää loukkaavan tiedon levittäminen, Rikoslaki, luku 24, 8 §
– Publishing harmful information about an individual's private life is a crime
– Exceptions for politicians and other public figures
Kunnianloukkaus (libel), luku 24, 9–10 §
– Spreading harmful false information about an individual is a crime
– E.g. posting warnings about suspicious people on Facebook
Viestintäsalaisuuden loukkaus (breach of communications confidentiality), luku 38, 3–4 §
– Opening a letter, or a closed or protected message, addressed to someone else is a crime (e.g. guessing an email password)
– Eavesdropping on telecommunications networks is a crime
– Being a system admin or using hacking tools makes the offence especially serious
– Communication metadata (e.g. called numbers) is also protected
Personally identifiable information
Henkilötietolaki 22.4.1999/523
http://www.finlex.fi/fi/laki/ajantasa/1999/19990523
Law about personally identifiable information (PII) when it is either processed automatically or stored in a register
– Does not apply to normal personal use of data, e.g. an address book
Requirements for PII processing:
– Following good data processing practices! (includes security)
– Defined purpose: the sources, uses and transfer of information must be defined beforehand; no new uses allowed
– The person's permission is required to process PII, except in some specific cases (e.g. employment or customer relationship)
– The PII processing must be necessary, and the processor is responsible for its correctness
– The subject person must be informed
Rekisteriseloste: the PII register holder must make a public declaration of what data is stored and for what purpose
Right to inspect your PII in the register (free once a year) and to demand correction of incorrect information
Freedom of information legislation
Laki viranomaisten toiminnan julkisuudesta 21.5.1999/621
http://www.finlex.fi/fi/laki/ajantasa/1999/19990621
All official (government) documents are public, unless secret by law
– Includes both documents and data
– No requirement to tell your identity or the reason for requesting the information
– Applies also to universities
Long list of exceptions (24 §) to protect security, economy etc.; for example, the following information is secret by default:
– Research plans, thesis plans, exam questions, personal income, wealth, benefits, use of social services, health, disability and sexual orientation, private information about crime suspects and victims, psychological evaluations, exam answers and verbal (non-numerical) evaluations of students, secret telephone numbers, addresses and mobile-device location, private political views, way of life, membership in associations, hobbies, family life
Asianosaisjulkisuus (11–12 §)
– Individuals have access to secret information about themselves, and to information relevant to their rights and obligations (with some exceptions)
Protection of electronic communication
Sähköisen viestinnän tietosuojalaki 16.6.2004/516
http://www.finlex.fi/fi/laki/ajantasa/2004/20040516
About telecom companies and subscriber organizations (yhteisötilaaja)
– Message content, metadata and location information are confidential by default
– If you learn about a message, you must not tell others and must not use the information for any purpose
– Must not break technical protection or make tools for it (e.g. password cracking or cryptanalysis)
– Organizations (mainly employers) have some rights to access communication metadata to prevent crime, "Lex Nokia"
– ISP, email service or Internet telephony service must store communication metadata for 12 months (for criminal investigations)
– Right to forbid direct electronic marketing to yourself
Many other things…
Freedom of speech in public media
Laki sananvapauden käyttämisestä joukkoviestinnässä 13.6.2003/460
http://www.finlex.fi/fi/laki/ajantasa/2003/20030460
– The law applies to media with a responsible publisher or editor
– The publisher has the right to protect the anonymity of messages (similar to the press)
– If publishing the message breaks a law, the authorities can break the anonymity (e.g. copyright violation, libel or incitement to crime)
– Also based on requests from foreign authorities
– Court can order takedown of illegal messages
Privacy and employment
Laki yksityisyyden suojasta työelämässä 13.8.2004/759
http://www.finlex.fi/fi/laki/ajantasa/2004/20040759
Rules for what information employers may record and process about their employees
Detailed rules for
– Processing of PII and health data
– Drug tests
– Camera surveillance at work
– Opening work-related emails addressed to an absent employee
UNWANTED METADATA IN DIGITAL DOCUMENTS

Word XP/2003 (figure)

Office 2007 (figure)
Detecting unknown metadata
Detection is mostly done using unsystematic, ad-hoc methods
– The goal is to find something, not everything
– Exception: [Byers 2003/04]
(figure: strings → export to ASCII → compare with the .doc)
PII detection tool
We developed a tool for detecting names, identifiers, addresses and other PII in documents
Goals:
– Testing Office 2007 document inspection → must find strings in unknown locations
– User does not know what to look for → must determine search strings automatically
– Document encoding unknown, fragments may be in different encodings → must find strings in various encodings
Defensive only, used by the document author
PII detection tool: architecture (figure)
Labelled components: IdHarvester, IdDatabase, LeakHunter, AuditReport, Documents, Doc viewers; identifier sources: Online services, Personal computer, Manual entry
Example: authoring process
A typical authoring process involves a set of tools and software components from multiple vendors
– who don't know of each other
– who have different or conflicting goals
– who all produce and consume metadata
No single entity controls what goes into the final published document
PDF authoring with Word 2003 (figure, shown in several builds)
Tool chain in the figure: Microsoft Word (.doc with embedded OLE objects), Excel, Visio and CorelDRAW (.eps), photo library (.jpg); PostScript printer drivers 1 and 2 produce .ps; Acrobat/Ghostscript produces .pdf
Assumption stated on the figure: no Word-specific metadata added
Postscript comments
Extracts from Postscript files:
  %%Title: Microsoft Word - Testing.docx
  %%CreationDate: 1/23/2006 19:30:21
  %%For: tuomaura

  %%OID_ATT_JOB_OWNER "tuomaura";
  %%OID_ATT_JOB_NAME "Microsoft Word - Testing.docx";

  %%Creator: CorelDRAW 10
  %%Title: test-figures.ps
  %%CreationDate: Thu Apr 14 14:32:47 2005
  %%For: Michael Roe
PDF conversion
PS-to-PDF conversion (Adobe Distiller or Ghostscript) retains metadata from PS comments:
  /Title(Microsoft Word - Testing.docx)
  /Author(tuomaura)
– PDF converters don't know where the PS came from and assume all metadata is intentional
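As an added example (not code from the lecture or from the authors' PII detection tool), the following Python sketch covers two points from the slides above: the tool's goal of finding a search string that may be stored in several encodings, and the metadata fields that PS-to-PDF conversion copies from DSC comments into the PDF. The sample bytes, the encoding list and the function names are assumptions made for the example.

```python
import re

# Constructed sample of fragments an audit tool meets in one file: a PostScript
# DSC header, a UTF-16LE string as Office/OLE data stores it, and a PDF /Info
# dictionary. Not taken from a real document.
SAMPLE = (
    b"%!PS-Adobe-3.0\n%%Title: Microsoft Word - Testing.docx\n%%For: tuomaura\n"
    + b"\x00\x01" * 4 + "Tuomas Aura".encode("utf-16-le") + b"\x00\x01" * 4
    + b"<< /Title(Microsoft Word - Testing.docx) /Author(tuomaura) >>\n"
)

# Encodings tried for every search string (assumption; extend as needed).
ENCODINGS = ("ascii", "utf-16-le", "utf-16-be", "utf-8")

def find_pii(blob: bytes, search_strings) -> list:
    """Return sorted (offset, search_string, encoding) for each place a search
    string occurs in blob in any listed encoding, ignoring letter case."""
    found = {}
    for s in search_strings:
        for enc in ENCODINGS:
            for variant in {s, s.lower(), s.upper(), s.title()}:
                try:
                    needle = variant.encode(enc)
                except UnicodeEncodeError:
                    continue  # e.g. a non-ASCII name under "ascii"
                for m in re.finditer(re.escape(needle), blob):
                    found.setdefault((m.start(), s), enc)  # first encoding wins
    return sorted((off, s, enc) for (off, s), enc in found.items())

# Metadata keys that PS-to-PDF converters copy verbatim from DSC comments
# into the PDF /Info dictionary (the leak path described in the slides).
META_RE = re.compile(
    rb"%%(Title|Creator|CreationDate|For):[ \t]*([^\r\n]*)"  # PostScript DSC
    rb"|/(Title|Author|Creator|Producer)\(([^)]*)\)"          # PDF /Info string
)

def metadata_fields(blob: bytes) -> list:
    """List (key, value) pairs from PS DSC comments and PDF /Info strings."""
    out = []
    for m in META_RE.finditer(blob):
        key, val = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
        out.append((key.decode("ascii"), val.decode("latin-1").strip()))
    return out

if __name__ == "__main__":
    for off, s, enc in find_pii(SAMPLE, ["tuomaura", "Tuomas Aura"]):
        print(f"offset {off:5d}: {s!r} stored as {enc}")
    for key, val in metadata_fields(SAMPLE):
        print(f"{key}: {val}")
```

Running the sketch on the constructed sample reports the user name in the PostScript comment and the PDF /Author string, and the real name only in its UTF-16LE form, which a plain text search would miss.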
Leaks in PDF authoring (figure: the Word 2003 tool chain above, annotated with where identifiers leak)
– Username in Postscript / PDF comments
– Username in embedded Postscript, EPS file name
– Username in OLE data structures
– Word file name
– Photo metadata, author and photo title
(Microsoft Word itself: no Word-specific metadata added)
PDF authoring with LaTeX (figure)
Tool chain in the figure: XFig (.eps) and .tex → LaTeX → .dvi → dvips → .ps → Ghostscript → .pdf
– DVI file name and possibly path (path includes username)
Anonymous submissions
Documents: 43 anonymized conference submissions that had already been accepted, PDF/PS
Search strings: names and affiliations from the conference program, email addresses from the papers
Results:
– One author name in PDF \Author field
– Two author names in embedded EPS
– One user name in DVI file path in PS comments (not detected by the tool because we did not know the correct search string)
My own anon submissions... OOPS!
IDENTIFIER LEAKS TO THE LOCAL NETWORK

Netmon trace of a Microsoft laptop at a wireless hotspot (frame, source, destination, protocol, info):
  1    192.168.1.233   255.255.255.255  DHCP Inform (xid=D2747AE9, host name=msrc-688342)
  3    EAP Success
  11   0.0.0.0         255.255.255.255  DHCP Discover (xid=D3E24C58, host name=msrc688342)
  23   192.168.1.233   192.168.1.255    NBT NS: Registration req. for MSRC-688342 <00>
  24   192.168.1.233   224.0.0.22       IGMP Version 3 Membership Report
  25   192.168.1.233   192.168.1.1      DNS Std Qry for msrc-688342.europe.corp.microsoft.com. of type SOA
  26   192.168.1.233   255.255.255.255  DHCP Inform (xid=EA6381E8, host name=msrc-688342)
  33   192.168.1.233   192.168.1.1      DNS Std Qry for _sip._tls.microsoft.com. of type Srv Loc
  34   192.168.1.1     192.168.1.233    DNS Std Qry Resp. for _sip._tls.microsoft.com. of type Srv Loc
  49   192.168.1.233   192.168.1.255    NBT NS: Registration req. for MSRC-688342 <00>
  57   131.107.76.147  192.168.1.233    MSNMS VER 23 MSNP8 CVR0
  58   192.168.1.233   131.107.76.147   MSNMS CVR 24 0x0409 winnt 5.1 i386 MSMSGS 5.1 WindowsMessenger [email protected]
  59   192.168.1.233   192.168.1.1      DNS Std Qry for login.passport.com.
  120  192.168.1.233   131.107.76.147   MSNMS USR 26 OK [email protected] Tuomas%20Aura 1 0
  136  192.168.1.233   192.168.1.255    NBT NS: Registration req. for EUROPE <00>
  144  192.168.1.233   207.46.107.2     MSNMS LST [email protected] [email protected] 3 0
  150  192.168.1.233   192.168.1.255    NBT NS: Registration req. for MSRC-688342
  155  192.168.1.233   192.168.1.1      DNS Std Qry for wpad.europe.corp.microsoft.com.
  156  192.168.1.1     192.168.1.233    DNS Std Qry Resp. : Name does not exist
  157  192.168.1.233   192.168.1.1      DNS Std Qry for wpad.corp.microsoft.com.
  162  192.168.1.233   192.168.1.1      DNS Std Qry for wpad.microsoft.com.
  175  192.168.1.233   192.168.1.1      DNS Std Qry for _ldap._tcp.EU-UK-IDC._sites.dc._msdcs.europe.corp.microsoft.
  177  192.168.1.233   192.168.1.255    NBT NS: Query req. for EUROPE <1C>
  182  192.168.1.233   192.168.1.1      DNS Std Qry for _ldap._tcp.EU-UK-IDC._sites.gc._msdcs.corp.microsoft.com. of type Srv Loc
  187  192.168.1.233   65.53.212.30     ISAKMP Major Version: 1 Minor Version: 0 GSS-identity: msrc-688342.europe.corp.microsoft.com
  193  192.168.1.233   65.53.212.30     HTTP CCM_POST Request from Client MSRC-688342
  249  192.168.1.233   192.168.1.1      DNS Std Qry for msrc-688342.europe.corp.microsoft.com. of type SOA
  271  192.168.1.233   192.168.1.1      DNS Std Qry for research.microsoft.com.
  283  192.168.1.233   131.107.65.14    HTTP GET /users/tuomaura/ HTTP/1.0
  516  192.168.1.233   255.255.255.255  DHCP Inform (xid=20CCCAE8, host name=msrc688342)
  522  192.168.1.233   192.168.1.1      DNS 0x82A0:Std Qry for itgweb.europe.corp.microsoft.com.
  525  192.168.1.233   192.168.1.255    NBT NS: Query req. for ITGWEB <00>
  569  192.168.1.233   192.168.1.1      DNS 0x37BD:Std Qry for mail.microsoft.com.
  675  192.168.1.233   192.168.1.1      DNS 0xDCBB:Std Qry for red-lcsdr-02.europe.corp.microsoft.com.
  684  192.168.1.233   192.168.1.255    NBT NS: Query req. for RED-LCSDR-02 <00>
  706  192.168.1.233   192.168.1.1      DNS 0xECB9:Std Qry for euro-dc-10.europe.corp.microsoft.com.
  716  192.168.1.233   192.168.1.1      DNS 0xF5B7:Std Qry for prn-corp1.redmond.corp.microsoft.com.
  717  192.168.1.233   192.168.1.255    NBT NS: Query req. for camitgs01
  718  192.168.1.233   192.168.1.255    NBT NS: Query req. for POMO.KOTI.LOCAL
  726  192.168.1.233   192.168.1.1      DNS 0x59B7:Std Qry for pomo.koti.local.
  735  192.168.1.233   192.168.1.1      DNS 0x96B6:Std Qry for camitgs01.europe.corp.microsoft.com.
  744  192.168.1.233   192.168.1.255    NBT NS: Query req. for KOTI <1C>
  748  192.168.1.233   192.168.1.255    NBT NS: Query req. for camitgs01 <00>
  754  192.168.1.233   192.168.1.1      DNS 0x76B6:Std Qry for sha-fp-01.fareast.corp.microsoft.com.
  884  192.168.1.233   192.168.1.1      DNS 0x4FB5:Std Qry for cam-01-srv.europe.corp.microsoft.com.
  930  192.168.1.233   192.168.1.255    NBT NS: Query req. for CAM-01-UNX
Identifiers marked in the trace:
– Machine name (DHCP client)
– Full hostname (DNS)
– Default DNS suffix (web proxy discovery)
– Machine domain
– Real name
– Email address / messenger user name
– Messenger buddy list and blacklist
– SIP server
– Domain controller
– OWA / Exchange
– IE home page
– Print servers
– File server (Z: drive)
– File server (shortcuts)
– Host name (IKE initiator id)
DNS queries
Many connection attempts and service-discovery protocols start with DNS queries
Some DNS queries from traces:
– DC discovery: _ldap._tcp.EU-UK-IDC._sites.dc._msdcs.europe.corp.microsoft.
– Print server: camitgs01.europe.corp.microsoft.com
– Web proxy: camproxy.europe.corp.microsoft.com
– Exchange: euro-msg-43.europe.corp.microsoft.com
– Exchange over HTTPS: mail.microsoft.com
Private DNS zones used on intranets
– *.private.contoso.com or *.contoso.local
Default DNS suffix appended
– To resolve www.tkk.fi, query first for www.tkk.fi.europe.corp.microsoft.com
NetBIOS and LLMNR
Local-link name resolution protocols
– NetBIOS for IPv4, LLMNR also for IPv6
– Broadcast, so visible to others on switched LANs
Attempt to register computer and user name in the WINS server
Automatic discovery of printers and file shares
LLMNR name-conflict detection

  Source        Destination    Protocol  Info
  172.20.19.48  172.20.19.255  NBNS      Registration NB MSRC-688404<00>
  172.20.19.48  65.53.192.23   NBNS      Multi-homed registration NB MSRC-688404<00>
  172.20.19.48  172.20.19.255  NBNS      Name query NB CAMITGDCA01<20>
  172.20.19.48  172.20.19.255  NBNS      Name query NB CAM-01-SRV<20>
  172.20.19.48  172.20.19.255  NBNS      Name query NB TVPITGDDSA01<20>
  172.20.19.48  172.20.19.255  NBNS      Name query NB ME-DC-09<20>
  172.20.19.48  172.20.19.255  NBNS      Name query NB camitgs01<20>
  172.20.19.48  172.20.19.255  NBNS      Name query NB UKITGDDSA01<00>
  172.20.19.48  172.20.19.255  NBNS      Registration TUOMAURA<03>
  172.20.19.48  224.0.0.252    LLMNR     Query for MSRC-688404
Identifiers marked in the trace: machine name, user name, primary DC, file server, print server
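An added example, not from the lecture or from the [PETS 08] work: a small Python detector that scans capture summary lines in the layout of the Netmon trace above and reports the identifiers the DNS and NetBIOS/LLMNR slides single out (DHCP host name, NetBIOS registrations with their name-type suffix, LLMNR queries, internal host names, SRV service discovery, and an external name with the default DNS suffix appended). The trace lines are constructed from the names on the slides, and the internal-suffix list and category names are assumptions.

```python
import re

# Internal DNS suffixes of the laptop's home network (assumption: supplied by
# the auditor; here taken from names that appear in the slides), longest first.
INTERNAL_SUFFIXES = ("europe.corp.microsoft.com", "corp.microsoft.com", "koti.local")
# NetBIOS name-type suffixes as they appear in the trace.
NB_SUFFIX = {"00": "workstation or domain name <00>", "03": "user name <03>",
             "1C": "domain group <1C>", "20": "file server name <20>"}

# Constructed capture summary lines ("frame src dst protocol info"), modelled
# on the Netmon trace in the slides; not a real capture.
TRACE = """\
11 0.0.0.0 255.255.255.255 DHCP Discover (xid=D3E24C58, host name=msrc688342)
23 192.168.1.233 192.168.1.255 NBT NS: Registration req. for MSRC-688342 <00>
25 192.168.1.233 192.168.1.1 DNS Std Qry for msrc-688342.europe.corp.microsoft.com. of type SOA
33 192.168.1.233 192.168.1.1 DNS Std Qry for _sip._tls.microsoft.com. of type Srv Loc
175 192.168.1.233 192.168.1.1 DNS Std Qry for _ldap._tcp.EU-UK-IDC._sites.dc._msdcs.europe.corp.microsoft.com.
300 192.168.1.233 192.168.1.255 NBT NS: Registration req. for TUOMAURA <03>
301 192.168.1.233 192.168.1.1 DNS Std Qry for www.tkk.fi.europe.corp.microsoft.com.
302 192.168.1.233 224.0.0.252 LLMNR Query for MSRC-688342
"""

def classify_dns(name: str):
    """What a DNS query name reveals about the host, or None if nothing."""
    for suf in INTERNAL_SUFFIXES:
        if name.endswith("." + suf):
            prefix = name[: -len(suf) - 1]
            if prefix.startswith("_"):
                return "service discovery (SRV) for home domain"
            if "." in prefix:  # e.g. www.tkk.fi + suffix: search-list leak
                return "default DNS suffix appended to external name"
            return "internal host name"
    return "service discovery (SRV)" if name.startswith("_") else None

def find_leaks(trace: str) -> list:
    """Return (frame, category, value) for each identifier the host exposes."""
    leaks = []
    for line in trace.splitlines():
        frame, _src, _dst, proto, info = line.split(maxsplit=4)
        if proto == "DHCP" and (m := re.search(r"host name=([\w-]+)", info)):
            leaks.append((frame, "machine name (DHCP client)", m.group(1)))
        elif proto == "NBT" and (m := re.search(r"Registration req\. for (\S+) <(\w\w)>", info)):
            leaks.append((frame, "NetBIOS " + NB_SUFFIX.get(m.group(2), "name"), m.group(1)))
        elif proto == "LLMNR" and (m := re.search(r"Query for (\S+)", info)):
            leaks.append((frame, "LLMNR name", m.group(1)))
        elif proto == "DNS" and (m := re.search(r"Qry for (\S+)", info)):
            name = m.group(1).rstrip(".")
            if cat := classify_dns(name):
                leaks.append((frame, cat, name))
    return leaks
```

Run over a capture of your own machine on an untrusted network, the output is the list of names that a passive listener on the same segment can learn; the appended-suffix rule catches the case the DNS slide describes, where a query for www.tkk.fi first goes out as www.tkk.fi.europe.corp.microsoft.com.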
Potential solutions
Each individual leak appears trivial, yet it is difficult to prevent them all
– Too many protocols, layers and applications involved
Obvious solutions, e.g. turning off all automation, are not acceptable
– Computers should do stuff for the user without asking!
Could filter offending data at the outbound host firewall
– Danger: unpredictable application failures
Can recognize the network location and enable/disable features [PETS 08]
– Often unnecessary, failed connection attempts to services that are not available in the current network
THIS COURSE IS ENDING, WHAT NEXT?

Other security courses
T-110.5241 Network Security (period 2, same time, T3?)
– https://noppa.aalto.fi/noppa/kurssi/t-110.5241/luennot
T-110.6220 Special Course in Information Security: malware analysis (periods 3-4, to be confirmed)
– https://noppa.aalto.fi/noppa/kurssi/t-110.6220/etusivu
Mobile platform security (period 3 at University of Helsinki)
– http://www.cs.helsinki.fi/en/courses/582704/2014/k/k/1
Software security (period 4 at University of Helsinki)
– http://www.cs.helsinki.fi/en/courses/582708/2014/k/k/1