
1 CS5038 The Electronic Society: Security and Crime Online
Lecture outline:
- Types of attacks
- Security problems
- Major security issues in online systems
- Security risk management
- Security technologies
- Government intrusion
- Government power

2 Attack Sophistication vs. Intruder Knowledge
[Figure: CERT/CC graphic of attack sophistication against intruder knowledge]
Source: special permission to reproduce the CERT/CC graphic, © 2000 by Carnegie Mellon University, in Electronic Commerce 2002; Allen et al. (2000). www.cert.org

3 Types of Attacks
- Non-technical: phoning or e-mailing an employee while posing as an administrator
- Buffer overflow: hiding code at the end of a long entry
- DNS spoofing: changing DNS tables or router maps
- Sniffing: listening to all packets on the network
- Malicious code:
  - Viruses: propagate locally
  - Worms: propagate between systems
  - Macro viruses and macro worms
  - Trojan horses: e.g. posing as a game

4 Security Problems
Example: denial of service (DoS): purchases are not made, ads are not seen.
- Security and ease of use are antithetical to one another
  - E.g. passwords, electronic wallets/credit cards
- Security takes a back seat to market pressures
  - E.g. trying to shorten the time to market
- Security systems are only as strong as their weakest points
  - The security of a site depends on the security of the whole Internet (DoS, e-mail)
- Knowledge of vulnerabilities is increasing faster than it can be combated: hackers share secrets and write tools
- Flaws in ubiquitous applications (Outlook, Word)
- Underreporting: in 1999 32%, and in 2000 25%, of organisations that had serious attacks reported them to law enforcement
- Why might a company not report a crime?

5 Security Concerns: filling in a form at a simple marketing site
User's perspective:
- Is the Web server owned and operated by a legitimate company?
- Do the Web page and form contain malicious code or content?
- Will the Web server distribute the user's information to another party (or allow it to be stolen)?
Company's perspective:
- Will the user attempt to break into the Web server or alter the site?
- Will the user try to disrupt the server so it isn't available to others?
Both perspectives:
- Is the network connection free from eavesdropping?
- Has information sent back and forth between server and browser been altered?

6 Major Security Issues in Online Systems
- Privacy or confidentiality: trade secrets, business plans, health records, credit card numbers, records of web activity
- Authentication (for Web pages, e-mail):
  - Something known: a password
  - Something possessed: a smartcard
  - Something unique: a signature, biometrics
- Integrity: protecting data from being altered or destroyed, e.g. a financial transaction
- Non-repudiation: not being able to deny that you bought something
- PAIN (Privacy, Authentication, Integrity, Non-repudiation): the four requirements for payment systems

7 Security Risk Management
Definitions involved in risk management:
- Asset: anything of value worth securing
- Threat: an eventuality representing danger to an asset
- Vulnerability: a weakness in a safeguard
Risk assessment:
- Determine organisational objectives
  - You cannot safeguard against everything, so limit the effort to satisfying the objectives
  - Example: if the Web site is there to service customer complaints, then the top priority is to ensure no disruption, rather than to protect data
- Inventory assets: the value and criticality of all assets on the network
- Delineate threats: hackers, viruses, employees, system failure
- Identify vulnerabilities: http://www.cve.mitre.org/cve/
- Quantify the value of each risk, e.g. Risk = Asset x Threat x Vulnerability (Symantec.com)

8 Security Technologies
- Firewall: like a bouncer, it has rules to determine whether data is allowed entry
- Virtual Private Network (VPN): encryption scrambles communications
- Intrusion Detection Systems (IDS):
  - Automatically review logs of file accesses and violations
  - Analyse suspicious activity for known patterns of attack
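To make the IDS bullet concrete, here is an added example (not part of the lecture slides) of the simplest form of log review: a few constructed log lines in an assumed "time source action target status" format are scanned for three of the patterns the lecture names, repeated failed logins, access violations, and the unusually long input of a buffer-overflow attempt. The log format, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log (not real data): "time source action target status".
# The last line carries a 300-byte field to stand in for an overflow attempt.
SAMPLE_LINES = [
    "10:00:01 198.51.100.7 LOGIN /account FAIL",
    "10:00:02 198.51.100.7 LOGIN /account FAIL",
    "10:00:03 198.51.100.7 LOGIN /account FAIL",
    "10:00:04 198.51.100.7 LOGIN /account FAIL",
    "10:00:05 198.51.100.7 LOGIN /account OK",
    "10:00:06 203.0.113.9 GET /index.html OK",
    "10:00:07 203.0.113.9 GET /../../etc/passwd DENIED",
    "10:00:08 192.0.2.44 POST /search?q=" + "A" * 300 + " OK",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
FAILED_LOGIN_THRESHOLD = 3   # assumed: alert on the third failure from one source
OVERSIZE_FIELD = 200         # assumed: target fields longer than this are suspicious


def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, action, target, status = m.groups()
    return {"ts": ts, "src": src, "action": action, "target": target, "status": status}


def review_log(text):
    """Return (pattern, source) alerts for the known attack patterns in the log text."""
    alerts = []
    failed = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        # Pattern 1: repeated failed logins from one source (alert once, at the threshold).
        if e["action"] == "LOGIN" and e["status"] == "FAIL":
            failed[e["src"]] += 1
            if failed[e["src"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_failed_logins", e["src"]))
        # Pattern 2: an access violation, either refused by the server or a path traversal.
        if e["status"] == "DENIED" or ".." in e["target"]:
            alerts.append(("access_violation", e["src"]))
        # Pattern 3: an oversized input field, the signature of a buffer-overflow attempt.
        if len(e["target"]) > OVERSIZE_FIELD:
            alerts.append(("oversize_input", e["src"]))
    return alerts
```

Running review_log(SAMPLE_LOG) yields one alert per pattern, each tagged with the source address, which is the kind of output an analyst would then triage.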

9 Government Protecting Citizens
Identity cards:
- The National Registration Act: the outbreak of World War II
- Helped police know whether citizens rightfully belonged to the UK
- After the war: a member of the public was charged with not producing an ID card when requested to by a policeman
- The case went to appeal. Lord Chief Justice Lord Goddard: "This Act was passed for security purposes and not for the purposes for which, apparently, it is now sought to be used"
- The ruling underlined the public's disquiet with the way that ID cards had slowly become a compulsory feature of everyday life in the UK
- Cards repealed in 1952
Based on an essay by Steven McGhee

10 Government Protecting Citizens (continued)
- Attempts at reintroducing ID cards were made at various times over the intervening years
- After the 9/11 attacks, ID cards started to look more likely
  - Compulsory for foreign nationals resident in the UK from late 2008
  - Voluntary for British nationals from 2009 onwards
  - Compulsory for workers in certain high-security professions (airports)
- Arguments put forward by the Government:
  - Fight against ID theft
  - Prevention of illegal immigration
  - Fight against terrorism
  - Reduction of benefit fraud
  - "help safeguard civil liberties" (in direct contrast to critics): James Hall (chief executive of the Identity and Passport Service)

11 "A law-abiding person has nothing to fear"
Why do we need privacy anyway?
- Unpopular political beliefs: might lose a job or promotion
- Someone who has a disease which people fear
- A person who is homosexual but whose family does not know
- A teenage girl secretly visiting her boyfriend, who is of a different race to her family
- Someone seeking to change job (needs to attend interviews)
- A woman scouting out places to go to get away from her violent partner
- Someone going to Alcoholics Anonymous or drugs rehabilitation sessions
- Someone going to church, synagogue or mosque who fears the scorn of friends, colleagues or family
- Someone attending classes of religious instruction prior to converting to another religion (fears vengeance)
- A son or daughter visiting an estranged parent without the knowledge of the parent they live with
- An ex-criminal seeking to go straight who must meet his probation officer or register with the police (there have been some examples with kids)
- Authorised people may abuse access to information
- Information is not secure
http://www.samizdata.net/blog/archives/004600.html

12 Quis custodiet ipsos custodes? Who will watch the watchmen?
A problem posed by Plato in The Republic.
"Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men." (Lord Acton)
"Unlimited power is apt to corrupt the minds of those who possess it." (William Pitt, the Elder)

13 Separation of Powers (Trias Politica)
- The model was first developed in ancient Greece
- It came into widespread use in the Roman Republic, as part of the uncodified Constitution of the Roman Republic
- The state is divided into branches or estates, each with separate and independent powers and areas of responsibility
- Montesquieu, French Enlightenment political philosopher: "the independence of the judiciary has to be real, and not apparent merely"
  - The judiciary is the most important of the powers: independent and unchecked
  - Also considered the least dangerous

14 Separation of Powers: Do We Need More?
- The popular
- The bureaucracy
- The media
- The financial oligarchy?

15 Summary
- Attack sophistication vs. intruder knowledge
- Types of attacks: non-technical, buffer overflow, malicious code
- Security problems: ease of use, market pressure, weak links
- Security concerns: e.g. filling in a form
- Major security issues in online systems: PAIN
- Security risk management: assessment, planning, implementation, monitoring
- Security technologies: firewall, VPN, IDS
- Government protecting citizens
