CSCD 303 Essential Computer Security Winter 2014 Lecture 14 – Internet Privacy Reading: See links - End of Slides.


1 CSCD 303 Essential Computer Security Winter 2014 Lecture 14 – Internet Privacy Reading: See links - End of Slides

2 Overview Anonymity and Privacy Defined Reasons to be Anonymous Threats to Privacy Solutions to maintaining privacy

3 Anonymous Defined Anonymous 1. Without any name acknowledged, as that of author, contributor An anonymous letter to the editor; an anonymous donation. 2. Of unknown name; whose name is withheld 3. Lacking individuality, unique character, or distinction: an endless row of drab, anonymous houses.

4 Why Protect Anonymity?

5 A Few Good Reasons EFF McIntyre v. Ohio Elections Comm’n 514 U.S. 334 (1995) “Anonymity is a shield from the tyranny of the majority... [that] exemplifies the purpose [of the First Amendment] to protect unpopular individuals from retaliation … at the hand of an intolerant society.”

6 A Few Good Reasons EFF McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995) “[A]n author’s decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment.”

7 A Few Good Reasons EFF Doe v. 2theMart.com, 140 F. Supp. 2d 1088 (W.D. Wash. 2001) “The right to speak anonymously extends to speech via the Internet. Internet anonymity facilitates the rich, diverse, and far ranging exchange of ideas.”

8 Applications of Anonymity Privacy Hide online transactions, Web browsing, etc. from intrusive governments, marketers and archivists Untraceable electronic mail Corporate whistle-blowers Political dissidents Confidential business negotiations Law enforcement and intelligence Sting operations and honeypots Secret communications on a public network

9 Applications of Anonymity Digital cash Electronic currency with properties of paper money (online purchases unlinkable to buyer’s identity) Anonymous electronic voting Censorship-resistant publishing

10 Anonymity in terms of Internet Traffic Sender anonymity A particular message is not linkable to any sender and that to a particular sender, no message is linkable Recipient anonymity A particular message cannot be linked to any recipient and that to a particular recipient, no message is linkable Relationship anonymity The sender and the recipient cannot be identified as communicating with each other, even though each of them can be identified as participating in some communication A. Pfitzmann and M. Waidner, Networks without User Observability. Computers & Security 6/2 (1987) 158-166

11 Anonymity in terms of Internet Anonymity is the state of being not identifiable within a set of subjects You cannot be anonymous by yourself! Hide your activities among others’ similar activities Unlinkability of action and identity For example, sender and his email are no more related after observing communication than they were before Unobservability (hard to achieve) Any item of interest (message, event, action) is indistinguishable from any other item of interest

12 Attacks on Anonymity What could you do to identify a subject? Passive traffic analysis Infer from network traffic who is talking to whom To hide your traffic, must carry other people’s traffic! Active traffic analysis Inject packets or put a timing signature on packet flow Compromise network nodes Attacker may compromise some routers It is not obvious which nodes have been compromised Attacker may be passively logging traffic Better not to trust any individual router Assume that some fraction of routers are good, don’t know which

13 One Solution, Randomized Routing Hide message source by routing it randomly Popular technique: Crowds, Freenet, Onion routing Routers don’t know for sure if source of message is true sender or another router

14 Onion Routing [Figure: Alice, Bob, and a network of routers R, including R1, R2, R3 and R4] Sender chooses a random sequence of routers Some routers are honest, some controlled by attacker Sender controls the length of the path [Reed, Syverson, Goldschlag ’97]

15 Tor is an Onion Router Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory – Primary purpose of protecting government communications Tor is a free tool that allows people to use the internet anonymously

16 Tor is an Onion Router Basically, Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world How does this help you achieve anonymity? It prevents somebody watching your Internet connection from learning what sites you visit It prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked Tor anonymizes the origin of your traffic!

17 What is Tor? [Figure labels: IP address that appears via other browsers at the same time; IP address that appears via the Tor browser]

18 What is under the hood? Tor is based on Onion Routing, a technique for anonymous communication over a computer network. http://en.wikipedia.org/wiki/Onion_routing Steps Messages are repeatedly encrypted and then sent through several network nodes called onion routers Each onion router removes a layer of encryption to uncover routing instructions, and sends message to the next router where this is repeated This prevents these intermediary nodes from knowing origin, destination, and contents of message [Figure: Onions]
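The layering steps on this slide, as an added example that is not part of the original lecture and is not Tor's code. It assumes the sender already shares a key with each router; the cipher is a toy built from the standard library, and the function names and sample path R1, R2, R3 to Bob are chosen here for illustration.

```python
import hashlib, hmac, json, os

# Toy authenticated cipher from the standard library only (SHA-256 keystream
# plus HMAC). It stands in for a real AEAD and is NOT Tor's cryptography.
def _stream(key, nonce, n):
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("layer rejected: wrong key or modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def build_onion(path, keys, dest, message):
    """Sender: wrap message once per router, innermost layer first."""
    hops = path[1:] + [dest]                 # next hop for each router
    blob = message
    for router, nxt in reversed(list(zip(path, hops))):
        header = json.dumps({"next": nxt}).encode()
        blob = seal(keys[router], header + b"\n" + blob)
    return blob

def peel(key, blob):
    """Router: remove one layer, learn only the next hop."""
    header, inner = unseal(key, blob).split(b"\n", 1)
    return json.loads(header)["next"], inner

def route(entry, keys, onion):
    """Follow the next-hop headers; return what each router saw and the payload."""
    seen, hop, blob = [], entry, onion
    while hop in keys:                       # stops at the destination
        nxt, blob = peel(keys[hop], blob)
        seen.append((hop, nxt))
        hop = nxt
    return seen, blob

if __name__ == "__main__":
    keys = {r: os.urandom(32) for r in ("R1", "R2", "R3")}   # constructed keys
    onion = build_onion(["R1", "R2", "R3"], keys, "Bob", b"hello Bob")
    print(route("R1", keys, onion))
```

The last router in the path sees the destination and the payload exactly as the sender supplied it, so keeping content secret past that hop needs end-to-end encryption on top of the onion layers.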

19 Who is using Tor? Normal people (e.g. protect their browsing records) Militaries (e.g. military field agents) Journalists and their audiences (e.g. citizen journalists encouraging social change) Law enforcement officers (e.g. for online “undercover” operations) Activists and Whistleblowers (e.g. avoid persecution while still raising a voice) Bloggers IT professionals (e.g. during development and operational testing, access internet resources while leaving security policies in place)

20 Other Ways to Protect Your Anonymity Tools Removal of Information VPN's Encrypted Email

21 Privacy Settings Program that configures on-line accounts for optimum privacy Priveazy Lockdown is a handy and reliable Firefox extension that helps you to tweak privacy and security settings for online accounts. Priveazy Lockdown works with websites such as Google, Facebook, Twitter, Gmail, AOL, YouTube, Pandora, Amazon and eBay Video on how to use the program http://www.frequency.com/video/priveazy-lockdo/85402212

22 Removing Your Information Remove your information from People Search databases One handy page has access to many databases http://abine.com/optouts.php Or, you can use their tool More complete list of Data Brokers https://www.privacyrights.org/online-information-brokers-list

23 Get Private Email Encrypted, Private Email Use a secure email service for better email privacy No more Gmail for me !!! One page has links to multiple secure emailers plus reviews http://thesimplecomputer.info/free-webmail-for-better-privacy/

24 Secure VPN's to Hide IP Address Can use VPN's to either encrypt your connections or use as a proxy to hide your IP address Cyberghost is one VPN program http://cyberghostvpn.com/en/surf-anonym.html Ordinary surfing, use SecurityKISS. This program does store your IP address, but this is only associated with the total amount of data sent tunneled through SecurityKISS No other personally identifiable information is logged http://www.securitykiss.com/index.php

25 Privacy Treating privacy as a separate subject from anonymity In reality, they are linked Being anonymous is one way to achieve a level of privacy But, in reality, if corporations and governments respected our right to privacy, we would not need to be anonymous ….

26 Privacy Defined Privacy 1. The state of being private; retirement or seclusion 2. The state of being free from intrusion or disturbance in one's private life or affairs: the right to privacy; There is so much information about us online that personal privacy may be a thing of the past... 3. Secrecy

27 Is Privacy a Fundamental Human Right? Can also ask what are Fundamental Human Rights anyway? Human rights are rights inherent to all human beings, whatever our nationality, place of residence, sex, national or ethnic origin, colour, religion, language, or any other status We are all equally entitled to our human rights without discrimination

28 Fundamental Human Rights There is a United Nations defined – Universal Declaration of Human Rights The Universal Declaration of Human Rights, which was adopted by UN General Assembly on 10 December 1948, was result of experience of Second World War End of that war, creation of United Nations, international community vowed never again to allow those atrocities to happen again http://www.un.org/en/documents/udhr/

29 Back to Privacy Article 12 of 1948 Universal Declaration of Human Rights, specifically protects territorial and communications privacy Is there an explicit right to privacy in the United States?

30 Privacy in the United States Not Really !!! The U. S. Constitution contains no express right to privacy The Bill of Rights, however, reflects the concern of James Madison and other framers for protecting specific aspects of privacy, such as the privacy of beliefs (1st Amendment), privacy of the home against demands that it be used to house soldiers (3rd Amendment), privacy of the person and possessions as against unreasonable searches (4th Amendment), and the 5th Amendment's privilege against self-incrimination Plus, there are laws that protect privacy of various kinds

31 Privacy Laws in the US The Privacy Act of 1974 prevents unauthorized disclosure of personal information held by federal government The Fair Credit Reporting Act protects information gathered by credit reporting agencies The Children’s Online Privacy Protection Act grants parents authority over what information about their children (age 13 and under) can be collected by web sites The California Online Privacy Protection Act of 2003 (OPPA) – Effective as of July 1, 2004, is a California State Law – According to this law, operators of commercial websites that collect personally identifiable information from California's residents are required to conspicuously post and comply with a privacy policy that meets certain requirements

32 Privacy Laws Regulating Industry As it relates to securing computer networks or data Sarbanes-Oxley Act, http://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act - business practices HIPAA, http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act GLBA http://www.business.ftc.gov/privacy-and-security/gramm-leach-bliley-act banks Contain at least some guarantee of an individual’s right not to have their personal or confidential information exposed These regulations mandate that companies take steps to ensure their customer’s data is secure and impose fines and penalties on companies that fail to do so

33 Summary Anonymity and privacy We do have a right to them !!! Even on the Internet … even dogs have these rights So, recommendation is to try out some of these methods Know your rights. To privacy and every other human right. Or else you might lose them. Money talks. Corporations want to make more money. If they violate your rights in the process … well, they are not all honest in that regard. Government, what can we say? Who is this really?

34 References About.com Article on Privacy http://netsecurity.about.com/od/newsandeditorial1/a/aaprivacyrights.htm Advice on Protecting Your Privacy On-line http://www.techsupportalert.com/content/how-protect-your-online-privacy.htm#Make_Sure_Any_Online_Accounts_Are_Properly_Configured_For_Optimum_Privacy Privacy Rights Clearinghouse https://www.privacyrights.org/privacy-survival-guide-take-control-your-personal-information

35 End Lab on XSS and CSRF, SQL injection

