
ICT Security Issues in Europe Tony Brett Oxford University Computing Services




1 ICT Security Issues in Europe
Tony Brett, Oxford University Computing Services
http://users.ox.ac.uk/~tony

2 Agenda
• Brief Security Update
• Identity Theft
• Standards and Governments
• The Future of Spam
• Vulnerabilities
• Biometrics
• Some Stories
• Questions & URLs

3 A Brief Security Update
“Even in 2003, security is the least understood of all computer system components.”

4 What is being spent?
[Chart: security budget per managed machine by organization size (Very Large, Large, Medium, Small), June 2002 vs. February 2003; y-axis $0 to $6000]
Source: Information Security Magazine, May 2003

5 How much of the Budget?
[Chart: security budget as a percentage of IT budget by organization size (Very Large, Large, Medium, Small), June 2002 vs. February 2003; y-axis 0% to 20%]
Source: Information Security Magazine, May 2003

6 Security Adoption in Europe
[Chart: adoption rate (0% to 100%) by technology: Antivirus, Firewall SW, Firewall HW, Encryption, Monitoring Employees, Intrusion Detection, Biometrics]
Source: IDC’s “European Security Products & Strategies Service”

7 Are you serious?
• European Password Survey by NTA, November 2002 (http://www.nta-monitor.com/fact-sheets/pwd-main.htm):
  – 67% of users rarely or never change their passwords
  – 22% admit they would only ever change their password if forced to by a Web site or by the system/IT department
  – Passwords each user has to know: average 21, maximum 70
  – Users who write down their passwords: 49% of heavy computer users, 31% of all users

8 63% of security breaches are caused by human error
Source: Computing Technology Industry Assn., 2003

9 Identity Theft
Sources: Gartner, July 2003, based on U.S. stats; BBC News
• Identity theft claimed 3.4% of U.S. citizens, or 7 million victims, during the past year
• The UK government estimates this crime has cost more than £1 billion over the same period
• The typical identity-theft victim in the United States spends 175 hours actively trying to resolve the problems caused by identity theft
Source: Congressional Press Release, Sep. 2000

10 Identity theft
• …is Britain's fastest-growing white-collar crime, increasing at nearly 500% a year.
• “The number of consumers who have fallen prey to identity thieves is severely underreported.”
• Moreover, arrests in identity theft cases are extremely rare, catching the perpetrator in only one out of every 700 cases.

11 “The current [Internet] identity-theft hot spots are Eastern Europe and Southeast Asia where the level of education and technical sophistication is high, and where tracking down and prosecuting criminals can be very tricky.”
Bruce Townsend, Special Agent, Financial Crimes Division, US Secret Service
Source: Unesco Observatory on the Information Society

12 A true story
• TriWest Healthcare Alliance in Arizona provided healthcare services for members of the U.S. military.
• Thieves stole computers containing confidential records.
• Losses were $2.7 million.
• Cost to victims: $30 million to repair damage to credit ratings

13 The worst case scenario
• Stolen identities used for criminal acts
  – First day of work for a woman in San Diego
  – Employer did a background check
  – She arrived, and then departed in handcuffs
• Her ID had been used when another woman was arrested for drug possession.

14 Phishing
• E-mail purporting to be from a bank, etc.
• Invites submission of personal details
• The recent Russian phishing scams load the real Barclays/Halifax/Nationwide etc. pages in one browser window along with a pop-up from the fake site requesting account details.
• Fake URL: http://www.barclays.co.uk@3468664375/verify.htm
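Added example, not from the slides: a small Python checker for the URL trick shown above. Everything before the “@” is parsed as userinfo rather than the host, so the browser connects to the numeric address after it; the checker flags that and decodes a bare decimal or hex IPv4 host into dotted form. The sample list is constructed for the demo (the first entry is the slide's URL, the others are made-up variants).

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed samples: the slide's URL, a benign bank URL, and a hex-host variant.
SAMPLES = [
    "http://www.barclays.co.uk@3468664375/verify.htm",
    "http://www.barclays.co.uk/verify.htm",
    "http://login:secret@0xCEBF9E37/verify.htm",
]

def decode_numeric_host(host):
    """Dotted-quad form if host is a bare decimal or 0x-hex IPv4 integer, else None."""
    try:
        value = int(host, 0) if host.lower().startswith("0x") else int(host)
    except ValueError:
        return None  # an ordinary DNS name, not an integer
    if 0 <= value <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(value))
    return None

def analyse(url):
    """Return (actual hostname, list of findings) for one URL."""
    parts = urlsplit(url)
    findings = []
    # RFC 3986: text before '@' in the authority is userinfo. A bank-like
    # prefix there is cosmetic; the connection goes to parts.hostname.
    if parts.username is not None:
        findings.append(f"userinfo masquerade: '{parts.username}' is not the host")
    dotted = decode_numeric_host(parts.hostname or "")
    if dotted:
        findings.append(f"numeric host {parts.hostname} is {dotted}")
    return parts.hostname, findings

if __name__ == "__main__":
    for u in SAMPLES:
        host, findings = analyse(u)
        print(u, "->", host, findings or "no findings")
```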

15 Pop Quiz 1
• Since 1976, more than 2.5 million U.S. patents have been issued. How many reference the word “security”?
  – A. 16,475
  – B. 123,210
  – C. 64,689
  – D. 493,298
Answer: D. 493,298

16 Standards & Governments
• The United States has taken an industry-by-industry approach to privacy protection in its laws and regulations, in contrast to European countries.
• Privacy measures are contained in specific laws on credit reporting, cable television regulation, video rental data, banking information, telecommunications, etc.

17 Variation by Country
• The United States relies on citizen initiative and judicial enforcement
• Britain uses a registration system
• Germany uses an ombudsman
• Sweden employs a licensing system
Info on comparative laws: Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Ithaca: Cornell University Press, 1992)

18 Standards to Watch
• XML is the basis for many new protocols
• Security Assertion Markup Language
• Web Services Description Language
  – Tells apps what web services are available and how to ask for them
• Simple Object Access Protocol
  – Defines the conversation between service provider and requestor
• Universal Description, Discovery, and Integration
  – Provides repositories for service definitions

19 European Standards
• British Standard 7799 Part 1
  – High-level security advice
  – Just a checklist and not a process?
• British Standard 7799 Part 2
  – Similar to Part 1, but with fewer suggestions for implementation (“shall” instead of “should”)
• ISO 17799
  – Based on BS 7799, passed in 2000

20 Other Security Works
• ISO Guidelines for the Management of IT Security
  – Five-part technical report
• NIST Special Publication 800-14
  – Best practices based on BS 7799 but more detailed
  – Security handbook: 800-12
  – Security self-assessment: 800-26

21 The Midas Touch…
• U.S. requires the 27 visa-waiver countries to install biometric codes onto passports by October 2004
• Singapore may be the first country to implement
• U.K. to use fingerprint info
• New EU passports will be embedded with a radio frequency ID chip that contains biometric data

22 European Digital Rights
• European Digital Rights (EDRi) was formed by 10 separate bodies in seven EU member states
• In the UK, the Foundation for Information Policy Research (FIPR) and Privacy International will work with EDRi.
• They oppose EU and Council of Europe incursions into personal data:
  – Data retention requirements
  – Telecommunications interception
  – Council of Europe cybercrime treaty
  – Internet rating and filtering
  – Restrictions on Web-based freedom of speech

23 Viva la Air France!
• Air France won the right to take over a Web site that uses a garbled version of its name, apparently to steer business toward other travel firms and some finance companies.
• Known as “typosquatting”
• Ruling by the United Nations' World Intellectual Property Organisation (Wipo), which runs an arbitration service for Internet name disputes
• The arbitrator said that the “typographical misspelling” of the Air France trademark showed that the site was registered in bad faith
• http://www.0xford-university.org/
• http://www.yaju.com

24 The Future of SPAM
• MessageLabs scanned (Oct. 2003)
  – 252 million e-mail messages for spam
  – 325.8 million e-mails for viruses
• Results
  – Spam was 50.5% of overall messages (15% in Oct. 2002), increasing at 15% per month
  – 1% viruses


26 5th March 2003
• AOL announced it had blocked one billion spam emails from reaching its members in one day

27 US Laws
• Many new laws being created by states, feds, international
• Lawsuits being filed against “legitimate” spammers (AOL is a big plaintiff)
• California court upheld a law requiring unsolicited commercial email to have “ADV:” or “ADV:ADLT” in the subject
• False headers in Minnesota are subject to $25 per email or $35,000 per day max

28 Euro-SPAM
• Opt-in and opt-out laws for the EC (Directive 2002/58/EC)
• Entry into the Official Journal 31st July 2002
• 31st October 2003: implementation by member states
• Prohibits unsolicited email, SMS, mail, etc.
• Requires the prior explicit consent of the recipients (OK, the pictures are Euro-Trash!)

29 EuroCAUCE
• The European Coalition Against Unsolicited Commercial Email
• Internet users who are fed up with spam and have formed a coalition to promote legislation which would outlaw UCE
• Volunteers, don’t take money
http://www.euro.cauce.org/en/index.html

30 The Goal
• Make spamming cost prohibitive
• Spammers will send out millions of messages to reach a few stupid users
• We all suffer

31 How they do it
• Number/symbol substitution
  – “Get Low Mortgage” or “Get Low M0rtgage”
  – Holy Sh!t
• Misspell key words
  – Creditcard
• Innocuous words
  – Come see me
• Use your name in the subject or message

32 Filter technologies
• Statistical Filters
  – Look for words in email over a period of time
  – Calculate the likelihood of spam
  – Reliable 95-99% of the time
  – Generate few false positives
• Open source spam filters
• Bayesian Filters: http://spamconference.org
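Added example, not from the presentation: a minimal Bayesian spam filter in Python that shows what the statistical filters on this slide do, and that first undoes the number/symbol substitutions from the “How they do it” slide (“M0rtgage”, “Sh!t”) so obfuscated words fall back onto their plain spelling. The six-message training corpus, the substitution table and the smoothing are assumptions constructed for the demo.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not from the slides), three spam and three ham messages.
SPAM = [
    "Get Low M0rtgage rates now, no credit check",
    "Cheap creditcard offers, apply today for low mortgage",
    "Come see me, hot offers, click here now",
]
HAM = [
    "Meeting moved to Thursday, please bring the budget report",
    "Can you review the draft before the seminar on Friday",
    "Lunch at the college tomorrow, let me know",
]

# Assumed substitution table: map the digit/symbol look-alikes spammers use
# back to letters before tokenising (digits in real text get mangled too,
# which is acceptable for a word-frequency model).
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "@": "a"})

def tokens(text):
    return re.findall(r"[a-z]+", text.lower().translate(LEET))

def train(spam, ham):
    """Per-class token counts plus message counts for the priors."""
    spam_counts = Counter(t for m in spam for t in tokens(m))
    ham_counts = Counter(t for m in ham for t in tokens(m))
    return spam_counts, ham_counts, len(spam), len(ham)

def spam_probability(model, text):
    """Naive Bayes P(spam | tokens) with Laplace smoothing, computed in log space."""
    spam_counts, ham_counts, n_spam, n_ham = model
    vocab = set(spam_counts) | set(ham_counts)
    log_spam = math.log(n_spam / (n_spam + n_ham))
    log_ham = math.log(n_ham / (n_spam + n_ham))
    total_spam = sum(spam_counts.values()) + len(vocab)
    total_ham = sum(ham_counts.values()) + len(vocab)
    for t in tokens(text):
        log_spam += math.log((spam_counts[t] + 1) / total_spam)
        log_ham += math.log((ham_counts[t] + 1) / total_ham)
    # Convert the log-odds back to a probability between 0 and 1
    return 1 / (1 + math.exp(log_ham - log_spam))

MODEL = train(SPAM, HAM)

if __name__ == "__main__":
    for msg in ("L0w m0rtgage rates, apply now", "please review the budget report"):
        print(f"{spam_probability(MODEL, msg):.3f}  {msg}")
```

In a real deployment the counts would be accumulated from the mail stream over time, which is the “over a period of time” point on the slide.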

33 Vulnerabilities
• They can be anywhere
  – Is that MP3 or WMF modified? Will it take over your machine?

34 Port Scans Worldwide
[Map of port scan activity]
Source: Internet Storm Center, Nov 2003

35 Top 10 Ports Scanned
• 80 World Wide Web HTTP
• 1433 Microsoft-SQL-Server
• 1434 Microsoft-SQL-Monitor
• 135 DCE endpoint resolution
• 137 NETBIOS Name Service
• 445 Win2k+ Server Message Block
• 25 Simple Mail Transfer
• 901 RealSecure sensor
• 53 Domain Name Server
• 554 Real Time Stream Control Protocol
Source: Internet Storm Center, Nov 2003

36 Attacks by Business Sector
[Chart: attacks by sector: Managerial, Insurance, Telecommunications, Manufacturing, Services, Information Technology, Entertainment, Government]
Source: ISS; from 10/28/02 to 12/31/02

37 Virus Control
• Trying to improve upon heuristics to prevent viruses
• Still not used by all users
• Stupid users are still enticed
  – Can bypass email when users jump to a web site
  – Click here and see big thingies…

38 Pop Quiz #2
• What was the first patent that used the term “biometrics”?
  – A. A fingerprint ID machine
  – B. A basal body temperature monitor
  – C. A method for tranquilizing warm-blooded animals
  – D. A treadmill that tracks heart rate

39 Biometrics: Free lunch through eyes
• Problem:
  – Poor kids showed a voucher while “rich” kids used money
• Solution:
  – Uses a retina scan to verify the student
  – Pull money from account or redeem electronic voucher
• Western England High School

40 You smell!
• Each mouse has a unique urine smell
• A similar link may exist between the genes that control a human’s immune system and their body odor
• Funding to determine if human smells are unique

41 Walk the walk
• Nationwide Building Society (UK) is using biometric signatures to combat fraudulent transactions and cut the use of paper
• Requires employees to verify fingerprints every several transactions

42 Vacation messages
• “Sorry I can’t reply to your email. I’m on holiday until …”
• Use “out of the office today” or use the auto-reply only on internal email
• With a simple cross-reference, a bad guy can get your home address

43 Young hacker!
• 11 year old boy in Florida
• At lunch, went to a classroom
• Teacher hadn’t logged off
• Changed his grades
• Facing felony charges (doubtful he’ll see any jail time)

44 Jail time…
• Trippin Smurfs
  – Broke into 10 JPL servers on the day of the Columbia tragedy (Feb. 1)
  – Expected to receive a long prison term
• Brian Ferguson
  – Hacked the AOL account of NY judge Kim Eaton
  – 3 years
• William Grace & Brandon Wilson
  – Hacked California Court
  – 9 years behind bars
• Douglas Boudreqeau
  – Broke into the Boston College network
  – Charged $2000 to other BC students
  – Suspended, and the school will pay for his defence to “ensure he is adequately represented”

45 Nigerian Bank Scam – 419
• People receive email claiming that they’ve won $10 million
• All they need to do is cash a cheque and have $1 million transferred to an account in Nigeria
• User makes $9 million for the effort
• After the money is transferred, the bank account is closed; the cheque bounces; the user is out $1 million
• $90,000 average loss to 150 U.K. residents who fell for it

46 “Don’t mess with a bull… you’ll get the horns.”
As principal Vernon said in The Breakfast Club

47 Resources and Questions
• Thanks to Alan Mark of Novell for permission to use some of his slides from Brainshare Europe 2003 in this presentation
• Questions?
• http://users.ox.ac.uk/~tony

48 URLs
• http://www.usdoj.gov/criminal/cybercrime/usamarch2001_3.htm
• http://www.usdoj.gov/criminal/fraud/idtheft.html
• http://www.privacyrights.org/
• http://www.fraud.org/
• http://www.nfcglobal.com
• http://www.ftc.gov/
• http://www.computerworld.com/cwi/itresources/resource_center/0,,NAV63_KEY73,00.html
• http://www.calpirg.org/consumer/privacy/idtheft2000/
• http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
• http://moneycentral.msn.com/articles/banking/credit/1342.asp
• http://www.usnews.com/usnews/issue/000214/nycu/credit.htm
• http://www.cnn.com/TECH/computing/9910/11/id.theft.idg/index.html
• http://seattletimes.nwsource.com/news/local/html98/cens28m_20000328.html
• http://news.bbc.co.uk/hi/english/uk/newsid_1395000/1395109.shtm
• http://news.bbc.co.uk/hi/english/business/newsid_526000/526709.shtm
• http://dailynews.yahoo.com/h/wdiv/20010605/lo/823519_1.html
• http://dailynews.yahoo.com/h/nf/20010607/tc/11076_1.html
• http://news.bbc.co.uk/hi/english/business/newsid_1395000/1395109.shtm
• http://news.bbc.co.uk/hi/english/static/in_depth/uk/2001/life_of_crime/cybercrime.shtm
• http://204.202.137.113/sections/scitech/DailyNews/ie010430_idtheft_feature.html
• http://www.unesco.org/webworld/observatory/in_focus/identity_theft.shtml

