The Security Professionals Conference Washington DC April, 2005 Regaining User Trust in Cyberspace - Is it Already Too Late?

1 The Security Professionals Conference Washington DC April, 2005 Regaining User Trust in Cyberspace - Is it Already Too Late?

2 Copyright Greg Sprague, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. Greg Sprague UNB and NRC IIT Project Manager, Privacy, Security & Trust (506) 444-0492

3 Outline 1. Background 2. Privacy, Security & Trust (PST) 3. Today’s Headlines: PST in the News 4. User Impact 5. Understanding Trust 6. Regaining Trust 7. Tomorrow’s Headlines 8. Conclusion

4 Outline 1. Background 2. Privacy, Security & Trust (PST) 3. Today’s Headlines: PST in the News 4. User Impact 5. Understanding Trust 6. Regaining Trust 7. Tomorrow’s Headlines 8. Conclusion

5 Map of New Brunswick UNB was founded by Loyalists in 1785.


7 NRC IIT e-Business and UNB e-Government e-Health e-Learning e-Commerce PST Team – Research Gaps

8 NRC Presence Across Canada Herzberg Institute of Astrophysics (Victoria, Penticton) Institute for Fuel Cell Innovation (Vancouver) Centre for Surface Transportation Technology (Vancouver) National Institute of Nanotechnology (Edmonton) Plant Biotechnology Institute (Saskatoon) Institute for Biodiagnostics (Winnipeg, Calgary) Biotechnology Research Institute (Montréal) Industrial Materials Institute (Boucherville) Aluminum Technologies Centre - (Ville Saguenay) Aerospace Manufacturing Technologies Centre (Montreal) Integrated Manufacturing Technologies Institute (London) Institute for Biological Sciences (Ottawa) Institute for Aerospace Research (Ottawa) Institute for Chemical Process and Environmental Technology (Ottawa) Institute for Information Technology (Ottawa, Gatineau) Institute for Microstructural Sciences (Ottawa) Institute for National Measurement Standards (Ottawa) Institute for Research in Construction (Ottawa) Steacie Institute for Molecular Sciences (Ottawa, Chalk River) Canadian Hydraulics Centre (Ottawa) Centre for Surface Transportation Technology (Ottawa) Regional Innovation Centre (Ottawa) Institute for Information Technology Institute for Marine Biosciences (Halifax) Institute for Biodiagnostics (Halifax) Institute for Marine Dynamics (St. John's) Institute for Nutrisciences and Health (Charlottetown) Fuel Cell Innovation Plant Biotechnology Nanotechnology Aerospace Marine Biosciences

9 NRC IIT Making Headlines Alzheimers Louvre Academy Awards Space Shuttle - NASA Nouse

10 Outline 1. Background 2. Privacy, Security & Trust (PST) 3. Today’s Headlines: PST in the News 4. User Impact 5. Understanding Trust 6. Regaining Trust 7. Tomorrow’s Headlines 8. Conclusion

11 Source: Common Sense Guide for Senior Managers, Internet Security Alliance, http://www.isalliance.org Easy, low risk, hard to trace

12 What are Hackers After? Attention, curiosity, mischief Fame, peer recognition Your data Your computer Your network connection Your company (IP, competitive advantage) Your identity Revenge Political support Your money (organized crime)

13 Impact of Information Compromises Loss of customers Violation of customer privacy Identity theft Damaged reputation Loss of market share, market confidence Financial and productivity loss (theft, fraud, downtime, interruption of service, rework) Promulgation of false, deceptive, misleading info Loss of partners, suppliers, staff Inadvertent disclosure Legal action, regulatory non-compliance Loss of life (health) Inability to recover, stay in business Research Inability to participate, publish; early release Loss of Trust

14 Security Security addresses the various components of an information system that safeguard the data and associated infrastructure from unauthorized activity. Network security relates to organizational control over network information and resources. Viruses Worms Denial of Service Attacks

15 Privacy Privacy concerns the operational policies, procedures and regulations implemented within an information system to prevent unauthorized use of, access to, or release of personal information held in any format. Network privacy relates to organizational norms that permit individuals to have control over their own personal information. PHISHING ID Theft SPAM

16 Trust Trust represents a subjective measure of confidence in the reliability and integrity of a service provider in terms of the provider's commitment and ability to complete an interaction in accordance with the expectations of those who use or otherwise rely upon that service. Network trust cannot be guaranteed but its likelihood is increased when those responsible for an information system adequately safeguard individual privacy and security interests and deliver the service in a manner that is reasonably transparent to the user. Social Engineering

17 Wal-Mart pushes RFID tracking tags By Richard Shim CNET June 6, 2003, 4:23 AM PT Inventory management technology that uses wireless signals to track products from the factory to store shelves is set to win a major new ally next week: Wal-Mart. Wal-Mart cancels 'smart shelf' trial By Alorie Gilbert and Richard Shim Staff Writer, CNET July 9, 2003, 4:00 AM PT Wal-Mart Stores has unexpectedly canceled testing for an experimental wireless inventory control system, ending one of the first and most closely watched efforts to bring controversial radio frequency identification technology to store shelves in the United States. 1984 1950 2005 1973

18 RFID Chips Are Here By Scott Granneman Posted: 27/06/2003 at 13:17 GMT Right now, you can buy a hammer, a pair of jeans, or a razor blade with anonymity. With RFID tags, that may be a thing of the past. Some manufacturers are planning to tag just the packaging, but others will also tag their products. There is no law requiring a label indicating that an RFID chip is in a product. Once you buy your RFID-tagged jeans at The Gap with RFID-tagged money, walk out of the store wearing RFID-tagged shoes, and get into your car with its RFID-tagged tires, you could be tracked anywhere you travel. Bar codes are usually scanned at the store, but not after purchase. But RFID transponders are, in many cases, forever part of the product, and designed to respond when they receive a signal. Imagine everything you own is "numbered, identified, catalogued, and tracked." Anonymity and privacy? Gone in a hailstorm of invisible communication, betrayed by your very

19 IT Infrastructure Pyramid E-Government E-Learning E-Health E-Commerce Privacy, Security, Trust Traditional IT Infrastructure –Networks (wired and wireless), switches, servers, software, desktops, staff

20 Soft Stuff is Hard The challenge is that the Internet was designed for sharing information. We did not anticipate “bad guys” adopting and adapting these technologies for questionable and illegal purposes. The world needs a huge research effort to re-engineer our information and communications technologies, to make our infrastructure more private, secure and trustworthy. This work is essential if we are to realize the potential benefits of advanced applications of ICT in areas such as eHealth, eBusiness and eLearning. Example: a health care application Secure – prevent hackers changing info Private – prevent disclosure of personal, sensitive info But trust? How to get doctors, nurses, pharmacists, patients at home to actually trust the systems enough to use it ? Trust represents the subjective, soft, human side of the equation. Most technology project failures are attributable to inadequate attention to the human side. So you can see that this reengineering effort requires more than technologists.

21 Privacy Trust Security Arts Law Business Administration Science Engineering Health Sciences Computer Science

22 PST*Net Critical Infrastructure Intrusion Detection Ambient Intelligence Lawful Surveillance Developing systems people will trust and use…

23 PST… More Than “Just” Technology Issues R&L: Regulatory and Legal Issues T: Technology Issues S: Social Issues Source: CATA, Jacques Lyrette, adga group

24 Outline 1. Background 2. Privacy, Security & Trust (PST) 3. Today’s Headlines: PST in the News 4. User Impact 5. Understanding Trust 6. Regaining Trust 7. Tomorrow’s Headlines 8. Conclusion

25 Stolen UC Berkeley laptop exposes personal data of nearly 100,000 San Francisco Chronicle Tuesday, March 29, 2005 By MICHAEL LIEDTKE, AP Business Writer A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft. Universities have accounted for 28 percent of the 50 security breaches of personal information recorded by California since 2003, said Joanne McNabb, the chief of the state's Office of Privacy Protection. That's more than any other group, including financial institutions, which have accounted for 26 percent of the breaches affecting Californians. The risks of identity theft have risen in recent years as technological advances make it easier for businesses, schools and other organizations to create vast databases containing Social Security numbers, credit card account numbers and other personal information.

26 More University Computer Breaches (16 March 2005) California State University, Chico has informed more than 59,000 people that the security of their personal information may have been compromised due to an attack on the school's servers. The information included the names and Social Security numbers of current, former and prospective students and well as current and former faculty and staff. Those affected were notified through email and the postal service. The university says it will stop using Social Security Numbers as identifiers. A Boston College computer used for fund-raising purposes was broken into, but school officials say no personal data were stolen; they still plan to notify the 120,000 alumni whose information may have been compromised. Boston College spokesman Jack Dunn says the school will no longer use Social Security numbers as identifiers.

27 Computer Stolen from Nevada DMV Contains Motorist Data (11 March 2005) Thieves broke into a Nevada Department of Motor Vehicles office and stole a computer that contains personal data belonging to more than 8,900 licensed Nevada drivers. The information includes names, birth dates, Social Security numbers, photographs and signatures. The Nevada DMV initially said the data was encrypted, but DMV chief Ginny Lewis said the company that makes the state's digital driver's licenses told her the data was not encrypted. All Nevada DMV licensing stations have been ordered to remove personal information from computers; the department plans to send letters to the people whose data is on the stolen computer.

28 ONLINE BRIDE SCAM A Russian man who netted $300,000 by faking emails from prospective brides to unsuspecting foreigners was caught by Moscow police but received only a one-year suspended sentence. Yury Lazarev, 34, an English translator from the Urals, employed women to write flowery, romantic messages signed with real names picked off web dating sites. The photographs of seductive women that accompanied the text caught the attention of some 3000 men from New Zealand, Australia, Canada, the United States and other countries. Once a prospective victim got interested and wanted to meet his potential fiancé, the fictitious woman would ask for financial help in paying for visas and airline tickets. (The Age, 11 Nov 2004)

29 Paris Hilton's Sidekick Hacked The Register By Lucy Sherriff Published Monday 21st February 2005 11:32 GMT Paris Hilton's address book, famously kept on a T-Mobile Sidekick, has been popping up all over the internet after someone managed to figure out her password. The Drudge Report says that it has confirmed the authenticity of many of the numbers, presumably a polite way of saying they've been crank calling Anna Kournikova and Lindsay Lohan all weekend. The FBI has reportedly opened an investigation. Files exposed to the world also include Paris' travel habits, airline and hotel preferences, along with her private notes. While Paris must by now be used to being overexposed online, many of the people in her little black book were less than pleased with the leak. According to the Drudge Report, one starlet said "I gave her my number after we met in Miami, I did not know she f**king kept it on her cellphone!" Reality TV star Victoria Gotti told New York Daily News that she had received over 100 phone calls in two hours. "It's driving me insane," she said.

30 ChoicePoint execs sold stock before leak revealed Harry R. Webber Associated Press Feb. 26, 2005 12:00 AM ATLANTA - ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ChoicePoint's stock has dropped about 10 percent since last week when the company announced that criminals had duped it into allowing them access to its massive database.

31 Choicepoint

32 Bank Loses Tapes of Records of 1.2 Million With Visa Cards February 26, 2005 The New York Times by SAUL HANSELL Bank of America said yesterday that it had lost computer backup tapes containing personal information about 1.2 million federal employees, including some senators, with Visa charge cards issued by the bank. A spokeswoman for Bank of America, Alexandra Trower, said the bank did not believe that the information had been stolen or had fallen into the hands of people using it to commit fraud. There has been no suspicious activity on any of the affected accounts, she said.

33 FEDERAL AGENCIES GET FAILING GRADES ON CYBERSECURITY (Washington Post 16 Feb 2005) At least half of all federal agencies received a grade of "D" or worse on the House Government Reform Committee's annual cyber-security report card. Agencies that received failing marks include the departments of Agriculture, Commerce, Energy, Health and Human Services, Housing and Urban Development, and Veterans Affairs. A grade of "D" was awarded to the departments of Defense and Treasury, as well as the National Aeronautics and Space Administration and the Small Business Administration. Committee Chairman Tom Davis (R-VA) was encouraged by the fact that the scores of the 10 agencies, as poor as they were, have actually improved since last year, but he warned they must still do better: "I hope it won't take some kind of major cyber-attack to wake everybody up."

34 Feds 'vulnerable' to cyber-attacks: AG February 16, 2005 By MARIA McCLINTOCK -- Sun Media OTTAWA -- Security within the federal government's computer systems is so lax that sensitive information about Canadians is at risk of falling into the hands of hackers, according to a new report from Auditor General Sheila Fraser. "The government is vulnerable to attacks... it's surprising because I think IT security is increasingly becoming an issue in the broad public but I get the sense that it's not getting the attention that it should be within government," she said yesterday. Fraser called on the feds to take computer security more seriously but stopped short yesterday of issuing a warning to Canadians about using the 130 online services offered by the federal government. "There are weaknesses that are serious in the system, but it is not my job here today to start saying to all Canadians 'stop doing business with government electronically,' and I would certainly hope that that's not the way this is interpreted," said Fraser.

35 J.K. ROWLING DENOUNCES INTERNET FRAUDSTERS J.K. Rowling, author of the mega-popular Harry Potter series, is warning fans to beware of Internet "phishing" scams claiming to sell electronic copies of her latest book, "Harry Potter and the Half-Blood Prince." "The only genuine copies of Harry Potter remain the authorized traditional book or audio tapes/CDs distributed through my publishers," says Rowling, and her copyright lawyer, Neil Blair, notes that Rowling has never granted licenses for electronic versions of her books. "Please, please protect yourselves, your computers and your credit cards and do not fall for these scams," says Rowling. Police say they suspect organized crime gangs in Eastern Europe are behind the fraudulent e-mail offers. (Reuters/Washington Post 2 Feb 2005)

36 Same Old Story SANS NewsBites March 23, 2005 Vol. 7, Num. 12 Editor's Note (Pescatore): Any day of any week you can publish a study that says "Company / Agency X Employees Vulnerable to Social Engineering." Cave-person Og fell for the old Pleistocene Shiny Rock swap scam and today people are still falling for the Nigerian Banking scam.

37 Exclusive from PC World Top Five Online Scams Thu Mar 10, 3:00 AM ET Dan Tynan 1. Auction Fraud 2. Phishing Scams 3. Nigerian 419 Letter 4. Postal Forwarding/Reshipping Scam 5. "Congratulations, You've Won an Xbox IPod, plasma TV, etc."

38 Outline 1. Background 2. Privacy, Security & Trust (PST) 3. Today’s Headlines: PST in the News 4. User Impact 5. Understanding Trust 6. Regaining Trust 7. Tomorrow’s Headlines 8. Conclusion

39 Fears of Identity Theft Chill Holiday Shoppers TRUSTe and TNS, Christmas 2004 58% of consumers surveyed may reduce online shopping this year due to fear of identity theft and other privacy concerns. Up from 49% last year. Concerns –ID Theft (52%) –Fear of Credit Card Theft (44%) –Spyware downloads (44%) –Receiving SPAM after purchasing from a Web site (42%)

40 Study suggests online banking is tapped out 2/1/2005 Sarah Lysecki Between 2000 and 2003, the proportion of Canadians who were banking online doubled from 14 to 33 per cent in 2003 compared with only two per cent in 1997, said Rhonda Grunier, a vice-president at TNS, which has been tracking online banking since 1997. “It had been growing at such a fast pace it would be difficult to maintain that,” said Grunier. “We’ll still see growth but it’s going to be at a much slower pace.” One of the main reasons behind this plateau in online banking among non-users is concern about Internet security, Grunier said. “We find consistently about a third of them say they’re concerned about online security so they would be hesitant to bank online because of that,” she said. However, Christopher Musto, vice-president of research at Watchfire Corp., said a big concern among banks is that consumers are starting not to trust online banking and because of that are less willing to try it.

41 Internet Fraud Scares Off Seniors Elderly people have so much to gain from the internet, but they are being scared off by internet fraud and fake emails, according to a man who has introduced scores of older local people to the web. Recently a 75-year-old Port Macquarie woman was caught by an email scam. Emails purporting to be from Citibank and SunTrust asked the recipient to confirm their banking credit card and banking details. She replied to an email and three withdrawals totaling $9000 were made from her account in a three-hour period, according to police.

42 Concern about ID theft growing in Canada: Survey TORONTO — Computing Canada, March 11, 2005, Vol. 31 No. 3 Four in five Canadians think identity theft is a serious problem in Canada and that concern is growing as the number of people with personal experience with the crime increases, according to a new telephone poll conducted for Intersections Inc. and Carlson Marketing Group Canada Ltd. by Ipsos-Reid. The survey, called the Identity Theft Index Canada (ITIC), found that one in four Canadians reported that they have been, or someone they personally know has been, a victim of identity theft. Among those who have been a victim or personally know someone who has been a victim of identity theft, 70 per cent said the identity theft resulted in unauthorized credit card purchases, the most frequent, but least costly form of identity theft fraud for consumers. However, significant percentages of these respondents reported more serious frauds, including takeover of existing credit card accounts (43 per cent), the opening of new credit card accounts (36 per cent) or new loans (22 per cent), unauthorized bank account access (42 per cent) and the use of the victims' personal information in other types of frauds, such as to obtain government benefits or medical care (24 per cent).

43 Signs that User Trust is Rapidly Eroding Pornographic spam = rape? Computer free zone Patches = 42 Computer free zone

44 CYBERSECURITY LARGELY IGNORED BY INDIVIDUAL USERS A new study by America Online and the National Cyber Security Alliance indicates that about 80% of home PCs are infected with spyware, but most users aren't even aware of it. And while 85% of users had installed antivirus software, two-thirds of those had not updated it in the past week. In addition, about 20% had an active virus on their machines and two-thirds did not have a firewall installed. AOL chief trust officer Tatiana Gau says the results highlight just how vulnerable the average online user is to malicious hackers. "No consumer would walk down the street waving a stack of cash or leave their wallet sitting in a public place, but far too many are doing the exact same thing online. Without basic protections like antivirus, spyware and firewall software, consumers are leaving their personal and financial information at risk." (CNet 24 Oct 2004)

45 Giving Up Passwords For Pens “In February 2004, I attended a conference at which Kevin Mitnick, renowned reformed hacker, spoke. He referenced a survey where nine in ten of office workers at London's Waterloo Station gave away their computer password for a cheap pen - up from 65 per cent the previous year. What makes the above story even more astounding is that the survey was carried out at an InfoSec conference where people ought to know better. Simply astounding.” Eric van Wiltenburg, University of Victoria

46 Outline 1. Background 2. Privacy, Security & Trust (PST) 3. Today’s Headlines: PST in the News 4. User Impact 5. Understanding Trust 6. Regaining Trust 7. Tomorrow’s Headlines 8. Conclusion

47 Layers of Trust Dispositional - The basic disposition of a person to be trusting or not (and how trusting). Learned - A person’s general tendency to trust, or not to trust, as a result of experience. Situational - A person’s trusting judgment in a specific situation. Stephen Marsh and Andrew S. Patrick NATIONAL RESEARCH COUNCIL OF CANADA Pamela Briggs UNIVERSITY OF NORTHUMBRIA, UK

48 Implement Trust Design Guidelines: Marsh et al 1. Ensure good ease of use. 2. Use attractive design. 3. Create a professional image—avoiding spelling mistakes and other simple errors. 4. Don’t mix advertising and content—avoid sales pitches and banner adverts. 5. Convey a ‘real world’ look and feel, for example with the use of high quality photographs of real places and people. 6. Maximize the consistency, familiarity, or predictability of an interaction both in terms of process and visually. 7. Include seals of approval such as TRUSTe. 8. Provide explanations, justifying the advice or information given. Response time Reliability

49 Trust Design Guidelines: Marsh et al 9. Include independent peer evaluation such as references from past and current users and independent message boards. 10. Provide clearly stated security and privacy statements, and also rights to compensation and returns. 11. Include alternative views, including good links to independent sites within the same business area. 12. Include background information such as indicators of expertise and patterns of past performance. 13. Clearly assign responsibilities (to the vendor and the customer). 14. Ensure that communication remains open and responsive and offer order tracking or alternative means of getting in touch. 15. Offer a personalized service which takes account of each client’s needs and preferences and reflects their social identity.

50 Principles of Trust Trust is earned over time Trust can be monitored by governments but not established by them Trust is an aggregation of many people’s experiences Trust can be lost in an instant Trust extends through the value chain The Economic Value of Trust Fan, Mathur, Shah Outlook Journal, October 2003

51 Practical Steps Plan your trusted services Understand trust in your customer base Make your policy clear Become part of a trusted value chain Be trustworthy internally Engage relevant government bodies Start now

52 Outline 1. Background 2. Privacy, Security & Trust (PST) 3. Today’s Headlines: PST in the News 4. User Impact 5. Understanding Trust 6. Regaining Trust 7. Tomorrow’s Headlines 8. Conclusion

53 Value Systems Change value systems –Open values of Internet –Hackers should not be glorified Compare to surface paper mail –Physical security is minimal –Law: serious offence –Culture: divorce Value systems can change –Alcohol: One for the road Lex – what the law actually says, rules Jus – accepted practice, mind set

54 Re-visit criminal code Fraud is technology neutral –Beware overly specific legislation White collar crime –Cyber stalking, ID theft –Preparatory activities collecting and trading ID info Writing spyware (conspiracy if paid) Having multiple ID cards PIPEDA in Canada –Anonymous –Not criminal –Notification not required (unlike California)

55 Recognize Global Nature of the Challenge Bank inspector vs Nigerian scam –Social engineering –Opportunity for your church On line vs. door to door –Easier to contact vulnerable individuals –Huge pool, don’t need a high take up rate –Low cost –Time minimal –Low risk of being caught (run out of town) –Low penalty if caught –Easy to move on Phishing site average life time 6 days Trade sanctions

56 Address Shortage of Qualified People Sys Admins Network Admins Security Officers Privacy Officers Developers Auditors, Lawyers Law Enforcement Officers Researchers Certification

57 User Victimization and Education Issues SARS – not value laden, caught in a hospital AIDS – value laden, victim blaming Rape victims –What were you wearing? Computer Virus victims –Signature up to date? OS patched? Security Professionals – help change mind set –Cyber crime is not cute, neat – Report Incidents Risk-aware consumers can take remedial action –When to use a post card vs. registered mail Class action suits against vendors?


59 “Welcome to the World Passport Record Bureau web site - where you can search our online database. We have over 6 Billion Passports currently on file, absolutely FREE! Under the recent Inetrenational Passport Act (INPA - enacted on Nov 2, 2003), every country in the world is required to make available to the public a digitized copy of each and every valid passport issued, in their respective country.”

60 Good Privacy is Good Business “Privacy should be viewed as a business issue, not a compliance issue” Ann Cavoukian, Ph.D. Information & Privacy Commissioner Province of Ontario

61 The Golden Rules: Fair Information Practices Why are you asking? –Collection; purpose specification How will the information be used? –Primary purpose; use limitation Any secondary uses? –Notice and consent; prohibition against unauthorized disclosure Who will be able to see my information? –Restricted access from unauthorized third parties

62 Security is not technology: CEO By: Tom Venetis ComputerWorld Canada (18 Mar 2005) Security is about protecting a company’s brand and trustworthiness amongst consumers and business partners, and once security people begin to understand that, it will be easier to justify their continued existence and budgets. Mary Kirwan, CEO of Toronto-based Headfry Inc., said security is intimately tied to the brand value and the perception customers have of a company. Security protects a company’s brand value by imparting to customers the idea that the company is trustworthy enough to do business with. “A brand is a promise to the customer,” Kirwan added. “If you have customer’s private data, the promise you make to them is that you will do no harm to that data. If you handle data badly, it will affect your brand and the value of your company.”






68 Citi Identity Theft Gold Kelly Winner: Fallon for Citigroup Inc. “Citi Identity Theft” By using four consecutive right-hand magazine pages for maximum impact, Citigroup sought to generate consumer interest and increase credit card applications. The result – the campaign is credited with getting nearly 10,000 applications and more than 2,100 new accounts. The Fallon team included: David Lubars, Creative Director; Steve Driggs and John Matejczyk, Group Creative Directors; Steve Sage, Art Director; John Matejczyk, Copywriter; and Stephanie Rau, Photographer. “… if your identity is stolen, we’ll help you get your life back. You’ll get an Identity Theft Specialist who will things when you wouldn’t know where to start. From calling credit bureaus with you on the line to helping with police reports.”

69 Citi Identity Theft Tool Kit Should you become a victim of identity theft, our team of Identity Theft Specialists will provide you with personal support and assistance. The links below will allow you to download documentation and information that will put you on the path to restoring your credit. Citi® Identity Theft Solutions is a free service for Citi card members — because you can't put a price on your identity. Security Affidavit Identity Theft Worksheet Identity Theft: What You Need to Know

70 Canadians winning the spam battle says poll By: Vanessa Ho, ITWorld Canada (23 Mar 2005) A recent Ipsos-Reid poll suggests that Canadians are winning the battle against spam. The results of the survey revealed that 49 per cent of the average 177 e-mails Canadians received per week in 2004 were spam. The poll surveyed 2,000 participants either online or via telephone interviews. That may not seem like a resounding victory, but it is significant progress when one considers that in 2003, junk mail or spam accounted for 68 per cent of the average 197 e-mails received weekly. Ipsos-Reid attributed the drop to new laws such as Canada’s Personal Information Protection and Electronics Document Act (PIPEDA) and the proliferation of spam-filtering software.

71 IDENTITY THEFT SUSPECTS CAUGHT IN STING OPERATION Washington Post 28 Oct 2004 "Operation Firewall" -- an international law enforcement dragnet conducted by the U.S. Secret Service, the Justice and Homeland Security departments, the Royal Canadian Mounted Police, Europol and local police departments -- has led to the arrest of 28 individuals on suspicion of operating Web sites created to steal, sell and forge credit cards and ID documents. The suspects are thought to have bought or sold about 1.7 million stolen information and counterfeit documents such as credit cards, driver's licenses, birth certificates and foreign and domestic passports. A MasterCard security executive familiar with the operations says, "We're talking about an international network that has new sites popping up all the time. These aren't high-tech individuals. All it takes is a computer, a little bit of knowledge, and these guys can do a lot of damage."

72 Microsoft info-cards NEW YORK (CNN/Money) March 28, 2005- The new versions of Windows operating system and the Internet Explorer Web browser from Microsoft will put a new emphasis on security for Web users, according to a published report. The Wall Street Journal reported Monday that the next version of Windows, code-named Longhorn, will introduce a feature known as "Info-cards," that let computer users have more control over disclosure of information about themselves to businesses or others online. The paper also said that Internet Explorer 7 will provide more alerts to users about attempts to steal personal information over the Internet. "The way you earn customer trust is to put control of information in customers' hands," Peter Cullen, Microsoft's chief privacy strategist, told the paper. "It's more than just protecting information, it's providing them with the tools to make their own choices."

73 Outline 1. Background 2. Privacy, Security & Trust (PST) 3. Today’s Headlines: PST in the News 4. User Impact 5. Understanding Trust 6. Regaining Trust 7. Tomorrow’s Headlines 8. Conclusion

74 Virus Attacks Mobiles Via Bluetooth The Register by John Oates Published Tuesday 15th June 2004 12:07 GMT Some useful citizen has written a virus which targets mobile phones running the Symbian operating system. Anti-virus groups received the worm from its authors but it is not yet "in the wild". The Cabir worm is the first network worm for mobile phones, according to Kaspersky Labs. It was written by 29a, a group of virus writers which specialises in proof-of-concept viruses - they made the first viruses for .NET and for Win64.

75 WiFi users feel the sting of 'evil twins' Hackers setting up near hot spots trick wireless PC users into revealing data By JERRY LANGTON Special to The Globe and Mail Thursday, March 31, 2005 Updated at 8:22 AM EST Cheryl was suckered by a wireless hacker. "I feel like such an idiot," says the IT technologist for a London-based banking company, who refused to let her surname be published. "Considering what happened and what I do for a living, I just can't let people know that I was fooled like this." Working on her laptop in a park near her office, Cheryl thought she was logging onto the Internet using a public WiFi access point. From what happened next, she believes she inadvertently exposed herself to criminals bent on identity theft, despite the fact that she's something of a technology security expert and the would-be thieves were using a very simple trick. "I noticed the log-on was slightly different, but thought nothing of it," she said. "It wasn't until they asked for my credit card number that I noticed something was up."

76 Municipal administration Mobile – police, fire, recreation, engineering, etc. Regional – police Community Dark Fiber plus Commodity Internet Dedicated Dark Fiber Point to Point Wireless WiFi

77 SPITTING MAD AT SPAM Spam over Internet telephony, known as SPIT, will become commonplace as more people make phone calls over the Internet. Internet researcher Michael Osterman warns that Web-based phone systems attacked by spam will "trash voice-mail systems," and explains: "You can easily delete 100 spam text messages. But try to weed through a voice-mail system filled with 100 unsolicited pitches. That's a pain." Spam is already appearing frequently on instant messages, cell phones, and blogs, and one executive of an Internet service provider admits: "As everything gets connected, there are more ways to spam consumers. Spam is everywhere." (USA Today 9 Nov 2004)

78 Scammers Snag Money on Net Phones Story location: ,1848,66954,00.html 12:36 PM Mar. 20, 2005 PT Internet phone services have drawn millions of users looking for rock-bottom rates. Now they're attracting identity thieves who want to turn stolen credit cards into cash. Some internet phone services allow scam artists to make it appear that they are calling from another phone number -- a useful trick that enables them to drain credit accounts and pose as banks or other trusted authorities, online fraud experts say.

79 U.S. approves implanted chip for patients CBC news Wed, 13 Oct 2004 19:16:01 EDT WASHINGTON - An implantable device that gets under the skin and allows doctors to access a patient's medical history has been approved by regulators in the U.S. In Mexico, the attorney general's office uses the chip to allow workers to gain access to high security areas. Medical ethicists point to potential privacy concerns, such as if an employer requires workers to be implanted. Others wonder about hackers cracking the encryption system. - chronic health problems - complicated medical records, such as patients who visit many specialists - Alzheimer's and other cognitive diseases

80 Drivecam Video Systems Car crashes kill 24 teenagers per day in US Ambulance fleet – driving improved –Under rear view mirror –Videos sent to parents –Seatbelt use up, risk taking down –? Spying? Parents don’t want to be seen to be spying –Precious, fragile relationship between parents, kids –Violate trust, unfair –But if insurance cost breaks are available……??? –www.devicecam

81 Lexus cars potentially vulnerable to virus? Posted Jan 26, 2005, 11:45 AM ET by Donald Melanson Related entries: Transportation, Wireless Here’s another Technology Gone Wild story to scare you. Russian anti-virus research firm Kaspersky Lab says you can now add cars to the growing list of things that can be infected with a computer virus. It’s not clear whether or not this has ever actually happened, but apparently someone asked Kaspersky Lab if they knew “how to cure a virus, which ‘infected the onboard computers of automobiles Lexus LX470, LS430, Landcruiser 100 via a cell phone,’” and they conjecture that a virus could potentially use Bluetooth to jump from a Symbian-powered cellphone to the navigation system of certain Lexus models.

82 Hackers Strike at 'soft target' SMEs Online criminals are increasingly concentrating on "soft target" small and medium-sized firms, the Financial Services Authority (FSA) has warned. The organization investigated 18 financial firms as part of a review of security and found that, while the large financial institutions had made progress with online security, smaller firms were falling behind.

83 Phishing Without a Lure New York Times March 31, 2005 Phishers are ramping up their use of instant-messaging services instead of e-mail to trick people into revealing personal information, according to a new report. DNS cache poisoning is also an alternative means that can be used to resolve information to non-legitimate Web sites. Some security companies have dubbed DNS cache poisoning as “pharming” and have been warning customers against it.

84 Outline 1. Background 2. Privacy, Security & Trust (PST) 3. Today’s Headlines: PST in the News 4. User Impact 5. Understanding Trust 6. Regaining Trust 7. Tomorrow’s Headlines 8. Conclusion

85 We are facing a loss of trust due to: SPAM, Pornography, ID Theft, Viruses, Worms, Denial of Service, Spoofing, Phishing, Spyware, The latest scam, vulnerability exploit. We must not allow trust to erode further. The battle is too important to lose.

86 Today’s PST problems are non-trivial. The number and types of networked devices will grow rapidly. New technologies will bring new problems. Need to re-think our business models and re-invent our technology. Review our social and legal systems. The issues and challenges go beyond technology. We need multi-disciplinary research. Blaming the user (especially at home) doesn’t help. We need a better understanding of privacy, security and trust.

87 The Internet and the e-Economy: Building Trust and Confidence Online Draft Discussion Paper February 23, 2005 Industry Canada “Improving trust and confidence is essential if the enormous potential of the Internet as a platform for the e-economy is to be realized.”

88 Canada’s Third Annual Conference on Privacy, Security and Trust Research October 12-14, 2005 The Fairmont Algonquin St. Andrews, New Brunswick, Canada Following on the success of the PST2003 workshop in Montréal and the PST2004 conference in Fredericton, PST2005 will bring together researchers, practitioners and policy makers in the areas of Privacy, Security and Trust to share ideas and thoughts in a unique and inspiring sea-side setting.

89 Questions? Discussion? What is your experience? What trends are you seeing? Is the picture as bleak as I fear?

