
© 2013 KPMG Oy Ab, a Finnish limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Slide 1: Cutting through complexity
(This is an advertisement; the presentation proper starts on slide 8.)

Slide 2
■ 750 experts in Finland
■ 23 information security professionals
■ 10 of them do technical information security
■ Global network: over 3000 information security professionals

Slide 3: Information security services
■ Development and auditing of technical information security
■ Information security training (formerly Teleware)
■ Development and auditing of administrative information security
■ Development of business continuity planning
■ Development of access rights management
■ Development of privacy protection
■ Assuring the information security level of services
■ Outsourcing of the information security manager’s duties
h4ck1ing 7hr0ugh c0mpl3x1ty

Slide 4: PRISM and US network espionage

Slide 5: Agenda
■ PRISMgate
■ We don’t know the details
■ What do we know?
■ What can we do to protect our data?

Slide 6: Image published by the Washington Post

Slide 7: Washington Post

Slide 8: PRISM + Upstream
■ This has always been feared
■ Was this new?

Slide 9: Source: Edward Snowden
■ Employment
  – CIA
  – Did work for the NSA
■ Bad conscience: considered that he was breaking, if not the law, then at least the spirit of the law, and if not the spirit of the law, then the general sense of justice
■ Gave material to the Guardian and the Washington Post (see the presentation’s links)
■ Hiding in Hong Kong
  – Not yet charged or requested to be extradited to the USA
  – Hong Kong is part of China. What happens next?
    ■ China does not want to submit to the will of the USA?
    ■ China fears its own leakers: wants Snowden punished to the fullest extent?
    ■ Hong Kong is in theory very independent

Slide 10: The Taxonomy of PRISM Possibilities (1/2)
Source: see links
1. The PRISM program does not exist.
2. The PRISM program exists…
   …and gathers data only after an individual is targeted.
   ■ Individuals are targeted with the cooperation of the listed companies.
     – The NSA requests data to be collected using existing facilities.
     – The NSA collects data using dedicated facilities.
   ■ Individuals are targeted without the cooperation of the listed companies.
     – The NSA captures traffic using backbone/POP sniffing that is activated only after targeting.
     ■ The NSA performs active middle-person attacks against targeted individuals.
       – The NSA is using a US Government Certificate Authority or Intermediate CA to terminate TLS.
       – The NSA has obtained private keys from the listed companies.
       – The NSA is using a new cryptography breakthrough to impersonate the server.
     ■ The NSA passively sniffs the traffic of targeted individuals.
       – Only unencrypted traffic is captured.
       – Encrypted traffic is captured and decrypted.
       – The NSA captures traffic with the cooperation of last-mile ISPs.
       – The NSA has surreptitiously installed hardware or software backdoors at the affected companies.

Slide 11: The “bad” alternative: broad data sets are gathered (2/2)
…and gathers large amounts of information indiscriminately.
   – The NSA can log in to backend databases and “pull” the data they want.
   – The companies regularly batch up the data sets and send them to the NSA using existing lawful intercept systems.
   – The NSA installs hardware on-site that receives data copied to it intentionally by the companies.
   ■ Broad data sets are gathered without the knowledge of the end-providers.
     – The NSA is passively sniffing huge amounts of traffic on backbones and at interchange points.
       ■ The NSA is only gathering unencrypted traffic.
       ■ The NSA is decrypting traffic using a non-public breakthrough in cryptanalysis.
       ■ The NSA is decrypting traffic using the private keys of these companies.
         – The NSA stole private keys from all of these companies.
         – The NSA convinced these companies to turn over their private keys.
     – The NSA is doing active middle-person attacks against large amounts of traffic on backbones and at interchange points.
     – The NSA is intercepting traffic in the datacenters of the listed companies without telling them.

Slide 12: A hypothesis: the “good” case at the Web companies
The PRISM program exists…
…and gathers data only after an individual is targeted.
  – This would make PRISM a more advanced version of the standard “Law and Order” wiretap, where a target needs to be identified before data collection begins. This seems to be contradicted by the available slides and reporting.
■ Individuals are targeted with the cooperation of the listed companies.
  – This runs contrary to the very loud denials by these companies, although some options might fit between the weasel words utilized.
  – The NSA requests data to be collected using existing facilities.
    – This would be equivalent to the standard lawful intercept and subpoena process at these companies, although under a different legal basis.

Slide 13: Hypothesis: the “bad” case at the telecoms providers
■ Broad data sets are gathered at the BACKBONE without the knowledge of the end-providers (i.e. the small ISPs or Web companies are not scanning everybody’s data)
  – The NSA is passively sniffing huge amounts of traffic on backbones and at interchange points.
    ■ The NSA is only gathering unencrypted traffic.

Slide 14: Other hypotheses (all evil)
1. The tech executives do know about PRISM (in fact if not by name) but are continuing to deny it in the hope of muddying the waters and limiting the damage to their companies’ brands internationally (this doesn’t seem like it would be very smart given that more revelations seem likely, but it’s at least a logical possibility).
2. The tech companies have employees with clearances who have implemented PRISM at the behest of the government, and non-cleared executives, including CEOs, genuinely don’t know what’s occurring. If so, they are going to be outraged, and with every right.
3. The NSA has gained access to the companies’ internal data via some third party (e.g. a telco provider to the tech companies, or a hardware or operating-system vendor who has provided equipment with a backdoor).
4. The NSA has used technical means to break into the tech companies and install monitoring systems without their knowledge or permission (much as China has been trying to do).
5. The reporting by the Washington Post and the Guardian mischaracterized PRISM, and for some hard-to-imagine reason the administration has decided to confirm it rather than correct it or deny it.

Slide 15: FISA
■ Generally in the USA, as in Finland, an authority (the police or an intelligence service) may wiretap only under a court order, on the basis of a justified suspicion of crime
  – Nobody may be wiretapped “just in case” on the basis of “keywords”
■ The exception is the Foreign Intelligence Surveillance Act (FISA)
■ FISA’s conditions:
  – (A) the electronic surveillance is solely directed at—(i) the acquisition of the contents of communications transmitted by means of communications used exclusively between or among foreign powers, as defined in section 1801 (a)(1), (2), or (3) of this title; … 1801(a)(1)
  – (B) there is no substantial likelihood that the surveillance will acquire the contents of any communication to which a United States person is a party;

Slide 16: Differences in worldview
■ Some believe that laws are obeyed
■ Others do not believe it
  – Of those, some believe that in a democracy it will be caught out sooner or later
  – Some do not believe even that → paranoia
Andy Grove: “Only the paranoid survive”

Slide 17: What we know and don’t know
■ We know the FBI has issued tens of thousands of ultra-secret National Security Letters to collect all sorts of data on people
  – Need to identify suspects first
■ We know that the NSA is building an enormous computer facility in Utah to store all this data, as well as faster computer networks to process it all. We know the U.S. Cyber Command employs 4,000 people.
■ We know quite a bit about the NSA’s ECHELON program from a 2000 European investigation
■ We know Narus traffic analysis equipment has been installed in the AT&T backbone and elsewhere
  – EFF (on behalf of a single customer) lost a court case against it
  – It was deemed legal by the Supreme Court
  – The Narus equipment stayed there
  – (Similar cases are pending… and might be decided otherwise)
■ We know that the NSA has many domestic-surveillance and data-mining programs with codenames like Trailblazer, Stellar Wind, and Ragtime -- deliberately using different codenames for similar programs to stymie oversight and conceal what’s really going on.
■ There’s much more we don’t know, and often what we know is obsolete

Slide 18: Case Verizon

Slide 19: TAO
■ The NSA Has A Secret Group Called ‘TAO’ That’s Been Hacking [mostly] China For 15 Years (Source: Foreign Policy, see links)
■ Tailored Access Operations
  – Word play: “TAO” deliberately alludes to China
■ A thousand employees, headed by Robert Joyce
  – Its existence was known (see Wikipedia), but the scale is only now being revealed
■ Charlie Miller is the world’s best-known OS X, iOS and Android security researcher
  – Breaks into “anything”
  – Recently revealed that he had previously worked at TAO

Slide 20: What should YOU do?
■ ENCRYPT your traffic
  – Just like always
  – The Internet is the road; if you need armoured trucks, use encryption
  – There is very little reason to suspect common crypto, if done right
    ■ Except that it is difficult to implement right, and someone can always fool you into NOT using it (properly)
      – Gets you to a fake bank address (example: https://solo1.nordea.nu) where a “fake” phishing site steals your passwords
      – Bugs, bugs, bugs (the software kind)
■ Crypto (SSL and others) is just one link in your security
  – The Zeus banking trojan corrupts your browser and does whatever it wants with the real bank sites
  – The NSA can social engineer your workplace
  – TAO can hack your systems
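The fake-bank-address point above is the one place in this deck where a concrete client-side check helps: encryption only protects you if you are actually talking over https to the bank's real host. The Go program below is an added example, not code from the presentation or from any bank; the legitimate domain `nordea.fi` is an assumption (the slide shows only the look-alike `solo1.nordea.nu`), and `CheckBankLink` and `Verdict` are names chosen here. It rejects missing or mangled schemes, plain http, embedded credentials, and the two classic look-alike tricks (a different registered domain, and the real domain used as a prefix of a hostile one).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Verdict says whether a link may be treated as the bank's own site, and why.
type Verdict struct {
	OK     bool
	Reason string
}

// CheckBankLink accepts a link only if it uses https and its host is the bank's
// registered domain or a subdomain of it. expectedDomain ("nordea.fi" in main) is
// an assumption of this example; the slide shows only the look-alike solo1.nordea.nu.
func CheckBankLink(raw, expectedDomain string) Verdict {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return Verdict{false, "unparseable URL: " + err.Error()}
	}
	// 1. Encryption must really be in use: plain http or a mangled scheme fails.
	if strings.ToLower(u.Scheme) != "https" {
		return Verdict{false, fmt.Sprintf("not https (scheme %q)", u.Scheme)}
	}
	// 2. Refuse user-info tricks such as https://nordea.fi@evil.example/ outright,
	//    even though Hostname() would already report evil.example for them.
	if u.User != nil {
		return Verdict{false, "credentials embedded in URL"}
	}
	// 3. Compare the host only: Hostname() drops any port, ToLower normalises case,
	//    and a trailing dot (absolute DNS name) is ignored on both sides.
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	expected := strings.TrimSuffix(strings.ToLower(expectedDomain), ".")
	if host == "" {
		return Verdict{false, "missing host"}
	}
	// 4. Exact match or subdomain. The leading dot matters: a bare suffix test would
	//    accept notnordea.fi, and a substring test would accept nordea.fi.evil.example.
	if host == expected || strings.HasSuffix(host, "."+expected) {
		return Verdict{true, fmt.Sprintf("host %s belongs to %s", host, expected)}
	}
	return Verdict{false, fmt.Sprintf("host %s is not %s (look-alike domain?)", host, expected)}
}

func main() {
	for _, link := range []string{
		"https://solo1.nordea.nu/login",   // look-alike from the slide
		"https://solo1.nordea.fi/login",   // assumed legitimate subdomain
		"http://solo1.nordea.fi/login",    // right host, but no TLS
		"https://nordea.fi.evil.example/", // real domain used as a prefix
		"https://nordea.fi@evil.example/", // user-info trick
	} {
		v := CheckBankLink(link, "nordea.fi")
		fmt.Printf("%-36s ok=%-5v %s\n", link, v.OK, v.Reason)
	}
}
```

The check is deliberately a hostname comparison rather than a substring search: "does the address contain the bank's name" is exactly the heuristic that look-alike domains are built to pass.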

Slide 21: Use non-USA services?
■ Problem: your traffic might still go through the USA
  – Hosting can happen anywhere
  – Content delivery networks route a single web site’s traffic all over the place
  – Routing happens in strange ways, especially if the normal routes have “financial” or technical problems
    ■ It is not impossible that traffic inside Finland ends up on just about any global route
  – And the NSA might still spy in the EU via the American-owned backbone operators?
  – Other countries spy too. Sweden: FRA. Netherlands: accusations of wide phone call tracking, etc…

Slide 22: Better: use inherently secure new services, client-to-backbone
■ ENCRYPT everything CLIENT side
  – Use well-known open source tools
  – Secure your systems from hacking
■ Secure all communications (easy with SSL)
  – Add Tor if needed
  – Make sure the (possibly distributed) backend systems are either physically or cryptographically secured on all legs of communication
■ Use secure remote file systems and databases
  – Kim Dotcom’s Mega
  – Many on-line backups already do client-side encryption
    ■ Bitcasa, Carbonite etc…
  – Camlistore 0.1 just published
  – BitTorrent Sync

Slide 23: Problems remain
■ In practice, the stuff on the last slide IS NOT MAINSTREAM yet!
  – More like research problems and pilot studies
  – Business opportunities, anyone?
■ Even bigger problem: unconditional* access control in public systems
  – Think about the Facebook Alcoholics Anonymous group
  – How can you make sure the admins or the NSA do not have access to messages, but the other members do?
■ Yes, there are cryptographic possibilities
  – Encrypt every session/data key (per forum or per message) with multiple users’ (public) keys
  – Require strong mutual authentication of everybody
  – Trust participants
■ Hard, very hard, or impossible
* unconditional: in crypto, basically means a system where you don’t have to trust the admins
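The "encrypt every data key with multiple users' public keys" idea on this slide, and the previous slide's "encrypt everything client side", fit in one small Go program. It is an added example written for this page, not code from the presentation or from any of the products it names. Each message is sealed once with a random AES-256-GCM key; that key is then wrapped separately for every member via an X25519 key agreement with a one-time sender key, so the server (and an admin who only runs the server) stores an envelope it cannot open. The HMAC-SHA256 key derivation, the "forum-slot-v1" label, and the names `Envelope`, `Slot`, `NewKey`, `Encrypt` and `Decrypt` are this example's own choices; the slide's "strong mutual authentication of everybody" (knowing a member's public key really is theirs) is assumed to be solved elsewhere and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Slot is one recipient's wrapped copy of the per-message key.
type Slot struct {
	EphemeralPub  []byte // sender's one-time X25519 public key for this recipient
	Nonce, Sealed []byte // message key under AES-256-GCM with the derived wrap key
}

// Envelope is what the forum server stores and relays; it carries no key the server can use.
type Envelope struct {
	Slots             map[string]Slot // keyed by recipient public key bytes
	Nonce, Ciphertext []byte
}

// must turns errors that can only come from programming mistakes (bad key size, broken RNG) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewKey() *ecdh.PrivateKey  { return must(ecdh.X25519().GenerateKey(rand.Reader)) }
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(io.ReadFull(rand.Reader, b))
	return b
}

// seal encrypts plaintext under key with a fresh random nonce, binding aad.
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	g := aead(key)
	nonce = randBytes(g.NonceSize())
	return nonce, g.Seal(nil, nonce, plaintext, aad)
}

// wrapKey derives a slot's 32-byte AES key from the X25519 shared secret and both public keys (HMAC-SHA256 as a minimal KDF; this example's own choice).
func wrapKey(shared, ephPub, recipPub []byte) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write(append(append([]byte("forum-slot-v1"), ephPub...), recipPub...))
	return mac.Sum(nil)
}

// Encrypt seals the message once under a random key, then wraps that key for every recipient; anyone not listed (the admin included) gets no slot.
func Encrypt(plaintext []byte, recipients ...*ecdh.PublicKey) *Envelope {
	msgKey := randBytes(32)
	nonce, ct := seal(msgKey, plaintext, nil)
	env := &Envelope{Slots: map[string]Slot{}, Nonce: nonce, Ciphertext: ct}
	for _, pub := range recipients {
		eph := NewKey()               // one-time key pair for this slot
		shared := must(eph.ECDH(pub)) // sender side of the key agreement
		ephPub := eph.PublicKey().Bytes()
		n, sealed := seal(wrapKey(shared, ephPub, pub.Bytes()), msgKey, pub.Bytes())
		env.Slots[string(pub.Bytes())] = Slot{ephPub, n, sealed}
	}
	return env
}

// Decrypt recovers the message with a recipient's private key; a missing slot or tampered ciphertext is an expected condition, so it is an error, not a panic.
func Decrypt(priv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	myPub := priv.PublicKey().Bytes()
	slot, ok := env.Slots[string(myPub)]
	if !ok {
		return nil, errors.New("no key slot for this recipient")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(slot.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub) // recipient side: the same secret the sender derived
	if err != nil {
		return nil, err
	}
	msgKey, err := aead(wrapKey(shared, slot.EphemeralPub, myPub)).Open(nil, slot.Nonce, slot.Sealed, myPub)
	if err != nil {
		return nil, err
	}
	return aead(msgKey).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, admin := NewKey(), NewKey() // admin runs the server but is not a group member
	env := Encrypt([]byte("constructed sample: meeting moved to 19:00"), alice.PublicKey())
	for name, k := range map[string]*ecdh.PrivateKey{"alice": alice, "admin": admin} {
		pt, err := Decrypt(k, env)
		fmt.Printf("%-5s -> %q err=%v\n", name, pt, err)
	}
}
```

Two properties are worth noting against the slide's "hard, very hard, or impossible". The admin's failure is structural, not a permission check: there is simply no slot that their private key can unwrap, which is what "unconditional" means in the footnote. And because both the slot and the message are AEAD-protected, a server that alters either gets a decryption failure rather than a silently modified message. What the code does not give you is membership change: adding a member means re-wrapping future messages for them, and a removed member still has every message they were once a recipient of.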

Slide 24: Contact details
Anssi Porttikivi
+358 (0)
KPMG Oy Ab
Mannerheimintie 20 B
PL Helsinki
Links: delicious.com/teleware/prism

