Tuomas Aura
T-110.4206 Information security technology
Privacy regulation and research
Aalto University, autumn 2013

Outline

1. Privacy legislation
2. Examples of my own privacy research:
   a) Unwanted metadata in digital documents
   b) Identifier leaks to the local network

Two aspects of privacy

Control over personal information
– Emphasized in Europe
– Gathering, disclosure and false representation of facts about someone's personal life

Right to be left alone
– Emphasized in America
– Interference, control, discrimination, censorship, also spam

Privacy legislation in Finland

WARNING: I'm not a lawyer. The following slides contain highly simplified interpretations of the law.

Perustuslaki (constitution), 10 §
http://www.finlex.fi/fi/laki/ajantasa/1999/19990731#p10
– Protection of privacy, honor and home
– Secrecy of letters, messages and telephone calls

Also:
– Obligation to protect personal information by law
– Exceptions can be made in other laws

Crimes against privacy in Finland

Rikoslaki (criminal code), luku 24
http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001#l24

Kotirauhan rikkominen, Rikoslaki, luku 24, 1–2, 11 §
– Disturbing people in their home (or equivalent place) is a crime
– Telephone and mobile phone are also a protected area

Salakuuntelu ja salakatselu, Rikoslaki, luku 24, 5–7 §
– Using technical equipment to listen to or record people's speech at home, or in some other place where they don't expect outsiders to hear, is a crime
– Using technical equipment to watch or record pictures without permission at someone's home (or equivalent place), fenced yard, toilet or dressing room is a crime
– Ok to eavesdrop on voices and sounds without equipment
– Ok to record sound when you are legitimately present, e.g. keep a microphone on your body or record telephone calls
– Ok to photograph or record video in a public place

Crimes against privacy in Finland

Yksityiselämää loukkaavan tiedon levittäminen, Rikoslaki, luku 24, 8 §
– Publishing harmful information about an individual's private life is a crime
– Exceptions for politicians and other public figures

Kunnianloukkaus (libel), luku 24, 9–10 §
– Spreading harmful false information about an individual is a crime
– E.g. posting warnings about suspicious people on Facebook

Viestintäsalaisuuden loukkaus (breach of communications confidentiality), luku 38, 3–4 §
– Opening a letter, or a closed or protected message, addressed to someone else is a crime (e.g. guessing an email password)
– Eavesdropping on telecommunications networks is a crime
– Being a system admin or using hacking tools makes the offence especially serious
– Communication metadata (e.g. called numbers) is also protected

Personally identifiable information

Henkilötietolaki 22.4.1999/523
http://www.finlex.fi/fi/laki/ajantasa/1999/19990523

Law about personally identifiable information (PII) when it is either processed automatically or stored in a register
– Does not apply to normal personal use of data, e.g. an address book

Requirements for PII processing:
– Following good data processing practices! (includes security)
– Defined purpose: the sources, uses and transfer of information must be defined beforehand; no new uses allowed
– The person's permission is required to process PII, except in some specific cases (e.g. employment or customer relationship)
– The PII processing must be necessary, and the processor is responsible for its correctness
– The subject person must be informed

Rekisteriseloste: the PII register holder must make a public declaration of what data is stored and for what purpose

Right to inspect your PII in the register (free once a year) and demand correction of incorrect information

Freedom of information legislation

Laki viranomaisten toiminnan julkisuudesta 21.5.1999/621
http://www.finlex.fi/fi/laki/ajantasa/1999/19990621

All official (government) documents are public, unless secret by law
– Includes both documents and data
– No requirement to tell your identity or the reason for requesting the information
– Applies also to universities

Long list of exceptions (24 §) to protect security, economy etc.; for example, the following information is secret by default:
– Research plans, thesis plans, exam questions, personal income, wealth, benefits, use of social services, health, disability and sexual orientation, private information about crime suspects and victims, psychological evaluations, exam answers and verbal (non-numerical) evaluations of students, secret telephone numbers, addresses and mobile-device location, private political views, way of life, membership in associations, hobbies, family life

Asianosaisjulkisuus (11–12 §)
– Individuals have access to secret information about themselves, and to information relevant to their rights and obligations (with some exceptions)

Protection of electronic communication

Sähköisen viestinnän tietosuojalaki 16.6.2004/516
http://www.finlex.fi/fi/laki/ajantasa/2004/20040516

About telecom companies and subscriber organizations (yhteisötilaaja)
– Message content, metadata and location information are confidential by default
– If you learn about a message, you must not tell others and must not use the information for any purpose
– Must not break technical protection or make tools for it (e.g. password cracking or cryptanalysis)
– Organizations (mainly employers) have some rights to access communication metadata to prevent crime, "Lex Nokia"
– ISP, email service or Internet telephony service must store communication metadata for 12 months (for criminal investigations)
– Right to forbid direct electronic marketing to yourself

Many other things…

Freedom of speech in public media

Laki sananvapauden käyttämisestä joukkoviestinnässä 13.6.2003/460
http://www.finlex.fi/fi/laki/ajantasa/2003/20030460

– The law applies to media with a responsible publisher or editor
– The publisher has the right to protect the anonymity of messages (similar to the press)
– If publishing the message breaks a law, the authorities can break the anonymity (e.g. copyright violation, libel or incitement to crime)
– Also based on requests from foreign authorities
– Court can order takedown of illegal messages

Privacy and employment

Laki yksityisyyden suojasta työelämässä 13.8.2004/759
http://www.finlex.fi/fi/laki/ajantasa/2004/20040759

Rules for what information employers may record and process about their employees

Detailed rules for
– Processing of PII and health data
– Drug tests
– Camera surveillance at work
– Opening work-related emails addressed to an absent employee

UNWANTED METADATA IN DIGITAL DOCUMENTS

Word XP/2003

Office 2007

Detecting unknown metadata

Detection mostly done using unsystematic, ad-hoc methods
– strings
– export to ASCII
– .doc compare

Goal to find something, not everything

Exception: [Byers 2003/04]

PII detection tool

We developed a tool for detecting names, identifiers, addresses and other PII in documents

Goals
– Testing Office 2007 document inspection: must find strings in unknown locations
– User does not know what to look for: must determine search strings automatically
– Document encoding unknown, fragments may be in different encodings: must find strings in various encodings

Defensive only, used by document author

PII detection tool: architecture

(Architecture diagram with the components IdHarvester, IdDatabase, LeakHunter and AuditReport, and the inputs Online services, Personal computer, Manual entry, Documents and Doc viewers.)

Example: authoring process

Typical authoring process involves a set of tools and software components from multiple vendors
– who don't know of each other
– who have different or conflicting goals
– who all produce and consume metadata

No single entity controls what goes into the final published document

PDF authoring with Word 2003

(Diagram of the tool chain, shown in several animation steps: Microsoft Word (.doc with OLE objects), Visio, Excel, Corel-Draw (.eps), Photo library (.jpg), PS printer driver 1 and PS printer driver 2 (.ps), Acrobat/gs (.pdf). Assumption: no Word-specific metadata added.)

Postscript comments

Extracts from Postscript files:

  %%Title: Microsoft Word - Testing.docx
  %%CreationDate: 1/23/2006 19:30:21
  %%For: tuomaura

  %%OID_ATT_JOB_OWNER "tuomaura";
  %%OID_ATT_JOB_NAME "Microsoft Word - Testing.docx";

  %%Creator: CorelDRAW 10
  %%Title: test-figures.ps
  %%CreationDate: Thu Apr 14 14:32:47 2005
  %%For: Michael Roe

PDF conversion

PS-to-PDF conversion (Adobe Distiller or Ghostscript) retains metadata from PS comments:

  /Title(Microsoft Word - Testing.docx)
  /Author(tuomaura)

– PDF converters don't know where the PS came from and assume all metadata is intentional

Leaks in PDF authoring

(The Word 2003 tool-chain diagram again: Microsoft Word (no Word-specific metadata added), Visio, Excel, Corel-Draw (.eps), Photo library (.jpg), Postscript printer driver 1 and 2 (.ps), Acrobat Distiller / ghostscript (.pdf), now annotated with the leaks.)

Leaks marked in the diagram:
– Username in Embedded Postscript, EPS file name
– Username in OLE data structures
– Username in Postscript / PDF comments
– Word file name
– Photo metadata, author and photo title

PDF authoring with Latex

(Diagram of the tool chain: .tex, Latex, .dvi, dvips, .ps, Ghostscript, .pdf, with XFig figures as .eps.)

Leak marked in the diagram:
– DVI file name and possibly path (path includes username)

Anonymous submissions

Documents: 43 anonymized conference submissions that had already been accepted, PDF/PS

Search strings: names and affiliations from the conference program, email addresses from the papers

Results:
– One author name in PDF \Author field
– Two author names in embedded EPS
– One user name in DVI file path in PS comments (not detected by the tool because we did not know the correct search string)

My own anon submissions... OOPS!
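The scanner below is an added example, not the lecture's own tool: it shows the three goals of the PII detection tool (search strings derived automatically, strings found in unknown locations, several encodings) applied to the kind of PS/PDF metadata shown in the Postscript-comment and PDF-conversion slides, and reports where each hit sits so an author can check a submission before sending it. The function names, the sample name "Alice Example" and the embedded sample file are all constructed for this example.

```python
import re

# Byte encodings in which an identifier may sit inside a PS, PDF or OLE stream.
ENCODINGS = ("utf-8", "latin-1", "utf-16-le", "utf-16-be")


def search_strings(full_name, username, email):
    """Derive candidate search strings from what the author knows about
    themselves: the author does not know which form a tool has written."""
    parts = full_name.split()
    first, last = parts[0], parts[-1]
    cands = {full_name, username, email, email.split("@")[0],
             first + last, first[0] + last, full_name.replace(" ", "%20")}
    return sorted({c.lower() for c in cands if len(c) >= 4})


def context_of(data, pos):
    """Classify where in the file a hit at byte offset pos sits."""
    line_start = data.rfind(b"\n", 0, pos) + 1
    m = re.match(rb"%%([A-Za-z_]+)", data[line_start:pos])
    if m:                                   # PostScript DSC comment line
        return "PS DSC comment %%" + m.group(1).decode()
    m = re.search(rb"/([A-Za-z]+)\s*\([^)]*$", data[max(0, pos - 80):pos])
    if m:                                   # inside a PDF info-dictionary string
        return "PDF info key /" + m.group(1).decode()
    return "unknown location"


def scan(data, identifiers):
    """Return (identifier, encoding, offset, context) for each distinct hit,
    matching case-insensitively in every listed encoding."""
    haystack = data.lower()   # bytes.lower() folds only ASCII letters, which is
    hits, seen = [], set()    # exactly right for ASCII text in UTF-16 as well
    for ident in identifiers:
        for enc in ENCODINGS:
            try:
                needle = ident.encode(enc).lower()
            except UnicodeEncodeError:
                continue
            pos = haystack.find(needle)
            while pos != -1:
                if (pos, needle) not in seen:   # utf-8 and latin-1 agree on ASCII
                    seen.add((pos, needle))
                    hits.append((ident, enc, pos, context_of(data, pos)))
                pos = haystack.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])


# Constructed sample (not a real file): a PostScript print job with a PDF
# info-dictionary fragment, an embedded EPS and a UTF-16 OLE-style string.
SAMPLE_PS = (
    b"%!PS-Adobe-3.0\n"
    b"%%Title: Microsoft Word - draft.docx\n"
    b"%%For: aexample\n"
    b"%%Creator: Example PS driver\n"
    b"/Title(Microsoft Word - draft.docx)/Author(aexample)\n"
    b"%%BeginDocument: figure.eps\n"
    b"%%For: Alice Example\n"
    b"%%EndDocument\n"
    + "Alice Example".encode("utf-16-le")
    + b"\n%%EOF\n"
)

if __name__ == "__main__":
    ids = search_strings("Alice Example", "aexample", "alice.example@example.org")
    for ident, enc, offset, ctx in scan(SAMPLE_PS, ids):
        print(f"{offset:5d}  {enc:9s}  {ctx:24s}  {ident}")
```

The "unknown location" hit is the UTF-16 string, the case the ad-hoc strings/export-to-ASCII methods miss; a search string the author did not think of (such as an abbreviated user name) is still missed, exactly as in the DVI-path case above.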

IDENTIFIER LEAKS TO THE LOCAL NETWORK

Netmon trace of a Microsoft laptop at a wireless hotspot (frame, source, destination, protocol, info):

  1    192.168.1.233   255.255.255.255  DHCP Inform (xid=D2747AE9, host name=msrc-688342)
  3                                     EAP Success
  11   0.0.0.0         255.255.255.255  DHCP Discover (xid=D3E24C58, host name=msrc688342)
  23   192.168.1.233   192.168.1.255    NBT NS: Registration req. for MSRC-688342 <00>
  24   192.168.1.233   224.0.0.22       IGMP Version 3 Membership Report
  25   192.168.1.233   192.168.1.1      DNS Std Qry for msrc-688342.europe.corp.microsoft.com. of type SOA
  26   192.168.1.233   255.255.255.255  DHCP Inform (xid=EA6381E8, host name=msrc-688342)
  33   192.168.1.233   192.168.1.1      DNS Std Qry for _sip._tls.microsoft.com. of type Srv Loc
  34   192.168.1.1     192.168.1.233    DNS Std Qry Resp. for _sip._tls.microsoft.com. of type Srv Loc
  49   192.168.1.233   192.168.1.255    NBT NS: Registration req. for MSRC-688342 <00>
  57   131.107.76.147  192.168.1.233    MSNMS VER 23 MSNP8 CVR0
  58   192.168.1.233   131.107.76.147   MSNMS CVR 24 0x0409 winnt 5.1 i386 MSMSGS 5.1 WindowsMessenger [email protected]
  59   192.168.1.233   192.168.1.1      DNS Std Qry for login.passport.com.
  120  192.168.1.233   131.107.76.147   MSNMS USR 26 OK [email protected] Tuomas%20Aura 1 0
  136  192.168.1.233   192.168.1.255    NBT NS: Registration req. for EUROPE <00>
  144  192.168.1.233   207.46.107.2     MSNMS LST [email protected] [email protected] 3 0
  150  192.168.1.233   192.168.1.255    NBT NS: Registration req. for MSRC-688342
  155  192.168.1.233   192.168.1.1      DNS Std Qry for wpad.europe.corp.microsoft.com.
  156  192.168.1.1     192.168.1.233    DNS Std Qry Resp. : Name does not exist
  157  192.168.1.233   192.168.1.1      DNS Std Qry for wpad.corp.microsoft.com.
  162  192.168.1.233   192.168.1.1      DNS Std Qry for wpad.microsoft.com.
  175  192.168.1.233   192.168.1.1      DNS Std Qry for _ldap._tcp.EU-UK-IDC._sites.dc._msdcs.europe.corp.microsoft.
  177  192.168.1.233   192.168.1.255    NBT NS: Query req. for EUROPE <1C>

Identifiers marked in the slide's callouts:
– Machine name (DHCP client)
– Full hostname (DNS)
– Machine domain
– Default DNS suffix (web proxy discovery)
– SIP server
– Email address / messenger user name
– Real name
– Messenger buddy list and blacklist

Netmon trace, continued:

  182  192.168.1.233   192.168.1.1      DNS Std Qry for _ldap._tcp.EU-UK-IDC._sites.gc._msdcs.corp.microsoft.com. of type Srv Loc
  187  192.168.1.233   65.53.212.30     ISAKMP Major Version: 1 Minor Version: 0 GSS-identity: msrc-688342.europe.corp.microsoft.com
  193  192.168.1.233   65.53.212.30     HTTP CCM_POST Request from Client MSRC-688342
  249  192.168.1.233   192.168.1.1      DNS Std Qry for msrc-688342.europe.corp.microsoft.com. of type SOA
  271  192.168.1.233   192.168.1.1      DNS Std Qry for research.microsoft.com.
  283  192.168.1.233   131.107.65.14    HTTP GET /users/tuomaura/ HTTP/1.0
  516  192.168.1.233   255.255.255.255  DHCP Inform (xid=20CCCAE8, host name=msrc688342)
  522  192.168.1.233   192.168.1.1      DNS 0x82A0:Std Qry for itgweb.europe.corp.microsoft.com.
  525  192.168.1.233   192.168.1.255    NBT NS: Query req. for ITGWEB <00>
  569  192.168.1.233   192.168.1.1      DNS 0x37BD:Std Qry for mail.microsoft.com.
  675  192.168.1.233   192.168.1.1      DNS 0xDCBB:Std Qry for red-lcsdr-02.europe.corp.microsoft.com.
  684  192.168.1.233   192.168.1.255    NBT NS: Query req. for RED-LCSDR-02 <00>
  706  192.168.1.233   192.168.1.1      DNS 0xECB9:Std Qry for euro-dc-10.europe.corp.microsoft.com.
  716  192.168.1.233   192.168.1.1      DNS 0xF5B7:Std Qry for prn-corp1.redmond.corp.microsoft.com.
  717  192.168.1.233   192.168.1.255    NBT NS: Query req. for camitgs01
  718  192.168.1.233   192.168.1.255    NBT NS: Query req. for POMO.KOTI.LOCAL
  726  192.168.1.233   192.168.1.1      DNS 0x59B7:Std Qry for pomo.koti.local.
  735  192.168.1.233   192.168.1.1      DNS 0x96B6:Std Qry for camitgs01.europe.corp.microsoft.com.
  744  192.168.1.233   192.168.1.255    NBT NS: Query req. for KOTI <1C>
  748  192.168.1.233   192.168.1.255    NBT NS: Query req. for camitgs01 <00>
  754  192.168.1.233   192.168.1.1      DNS 0x76B6:Std Qry for sha-fp-01.fareast.corp.microsoft.com.
  884  192.168.1.233   192.168.1.1      DNS 0x4FB5:Std Qry for cam-01-srv.europe.corp.microsoft.com.
  930  192.168.1.233   192.168.1.255    NBT NS: Query req. for CAM-01-UNX

Identifiers marked in the slide's callouts:
– Domain controller
– Host name (IKE initiator id)
– IE home page
– OWA / Exchange
– Print servers
– File server (Z: drive)
– File server (shortcuts)

DNS queries

Many connection attempts and service-discovery protocols start with DNS queries

Some DNS queries from traces:
– DC discovery: _ldap._tcp.EU-UK-IDC._sites.dc._msdcs.europe.corp.microsoft.
– Print server: camitgs01.europe.corp.microsoft.com
– Web proxy: camproxy.europe.corp.microsoft.com
– Exchange: euro-msg-43.europe.corp.microsoft.com
– Exchange over HTTPS: mail.microsoft.com

Private DNS zones used on intranets
– *.private.contoso.com or *.contoso.local

Default DNS suffix appended
– To resolve www.tkk.fi, query first for www.tkk.fi.europe.corp.microsoft.com

NetBIOS and LLMNR

Local-link name resolution protocols
– NetBIOS for IPv4, LLMNR also for IPv6
– Broadcast, so visible to others on switched LANs

Attempt to register computer and username in WINS server

Automatic discovery of printers and file shares

LLMNR name-conflict detection

  Source        Destination    Protocol  Info
  172.20.19.48  172.20.19.255  NBNS      Registration NB MSRC-688404<00>
  172.20.19.48  65.53.192.23   NBNS      Multi-homed registration NB MSRC-688404<00>
  172.20.19.48  172.20.19.255  NBNS      Name query NB CAMITGDCA01<20>
  172.20.19.48  172.20.19.255  NBNS      Name query NB CAM-01-SRV<20>
  172.20.19.48  172.20.19.255  NBNS      Name query NB TVPITGDDSA01<20>
  172.20.19.48  172.20.19.255  NBNS      Name query NB ME-DC-09<20>
  172.20.19.48  172.20.19.255  NBNS      Name query NB camitgs01<20>
  172.20.19.48  172.20.19.255  NBNS      Name query NB UKITGDDSA01<00>
  172.20.19.48  172.20.19.255  NBNS      Registration TUOMAURA<03>
  172.20.19.48  224.0.0.252    LLMNR     Query for MSRC-688404

Identifiers marked in the slide's callouts:
– Machine name
– Primary DC
– File server
– Print server
– User name

Potential solutions

Each individual leak appears trivial, yet it is difficult to prevent them all
– Too many protocols, layers and applications involved

Obvious solutions, e.g. turning off all automation, are not acceptable
– Computers should do stuff for the user without asking!

Could filter offending data at the outbound host firewall
– Danger: unpredictable application failures

Can recognize network location and enable/disable features [PETS 08]
– Often unnecessary, failed connection attempts to services that are not available in the current network
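As an added example (not from the lecture or the [PETS 08] work), the auditor below turns the trace-reading of the previous slides into detection logic: it parses Netmon-style lines like the ones above, classifies the identifier each frame reveals (DHCP host name, NetBIOS registrations and queries, DNS names carrying the corporate suffix including DC discovery, WPAD and the appended-suffix case, the IKE identity and the messenger user name), and applies the network-location idea from this slide by reporting corporate names only when the host is not on the corporate network. The sample trace, the suffix corp.example.com and all host names are constructed; the rule set is a hypothetical starting point, not a complete list.

```python
import re
from collections import defaultdict

# Constructed sample in the Netmon-style layout of the traces above
# (frame, source, destination, protocol, info); all names are made up.
SAMPLE_TRACE = """\
1 192.168.1.50 255.255.255.255 DHCP Discover (xid=0A1B2C3D, host name=lab-laptop-01)
2 192.168.1.50 192.168.1.255 NBT NS: Registration req. for LAB-LAPTOP-01 <00>
3 192.168.1.50 192.168.1.1 DNS Std Qry for lab-laptop-01.corp.example.com. of type SOA
4 192.168.1.50 192.168.1.1 DNS Std Qry for wpad.corp.example.com.
5 192.168.1.50 192.168.1.1 DNS Std Qry for _ldap._tcp.dc._msdcs.corp.example.com. of type Srv Loc
6 192.168.1.50 192.168.1.1 DNS Std Qry for www.tkk.fi.corp.example.com.
7 192.168.1.50 192.168.1.1 DNS Std Qry for www.tkk.fi.
8 192.168.1.50 192.168.1.255 NBT NS: Registration req. for CORP <00>
9 192.168.1.50 192.168.1.255 NBT NS: Query req. for PRINTSRV01 <20>
10 192.168.1.50 203.0.113.7 ISAKMP Major Version: 1 Minor Version: 0 GSS-identity: lab-laptop-01.corp.example.com
11 192.168.1.50 203.0.113.9 MSNMS CVR 24 0x0409 winnt 5.1 i386 MSMSGS 5.1 WindowsMessenger alice@example.org
"""

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# (category, regex over "PROTOCOL info"); the first matching rule wins.
RULES = [
    ("machine name (DHCP client)", r"^DHCP .*host name=(\S+?)\)"),
    ("host name (IKE initiator id)", r"^ISAKMP .*GSS-identity: (\S+)"),
    ("NetBIOS registration", r"^NBT NS: Registration req\. for (\S+)"),
    ("NetBIOS query (server discovery)", r"^NBT NS: Query req\. for (\S+)"),
    ("DNS query", r"^DNS .*?Std Qry for (\S+)"),
    ("messenger user name", r"^MSNMS CVR .* (\S+@\S+)$"),
]


def classify_dns(name, corp_suffix):
    """Sub-classify a DNS query name; None means a public name, no corporate leak."""
    n, suffix = name.lower().rstrip("."), "." + corp_suffix.lower()
    if not n.endswith(suffix):
        return None
    label = n[: -len(suffix)]
    if label.startswith("_ldap._tcp"):
        return "domain controller discovery (DNS SRV)"
    if label.startswith("wpad"):
        return "default DNS suffix (web proxy discovery)"
    if "." in label:                       # external name + appended suffix
        return "default DNS suffix appended to external name"
    return "intranet host name (DNS)"


def audit(trace, corp_suffix, on_corporate_network=False):
    """Return {category: sorted leaked values}; corporate names are expected on
    the corporate network and reported only elsewhere, the rest always."""
    leaks = defaultdict(set)
    for line in trace.splitlines():
        if not (m := LINE.match(line)):
            continue
        text = f"{m.group(4)} {m.group(5)}"
        for category, pattern in RULES:
            if not (r := re.match(pattern, text)):
                continue
            value = r.group(1)
            if category == "DNS query":
                category = classify_dns(value, corp_suffix)
            corporate = value.lower().rstrip(".").endswith(corp_suffix.lower())
            if category is not None and not (on_corporate_network and corporate):
                leaks[category].add(value)
            break
    return {k: sorted(v) for k, v in leaks.items()}
```

Run `audit(SAMPLE_TRACE, "corp.example.com")` to see every category populated, and with `on_corporate_network=True` to see the corporate DNS and IKE names drop out while the DHCP host name and NetBIOS broadcasts, which leave the host on every network, stay in the report.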

THIS COURSE IS ENDING, WHAT NEXT?

Other security courses

T-110.5241 Network Security (period 2, same time, T3?)
– https://noppa.aalto.fi/noppa/kurssi/t-110.5241/luennot

T-110.6220 Special Course in Information Security: malware analysis (periods 3-4, to be confirmed)
– https://noppa.aalto.fi/noppa/kurssi/t-110.6220/etusivu

Mobile platform security (period 3 at University of Helsinki)
– http://www.cs.helsinki.fi/en/courses/582704/2014/k/k/1

Software security (period 4 at University of Helsinki)
– http://www.cs.helsinki.fi/en/courses/582708/2014/k/k/1