Cybernaughties ACS Forum National Professional Development “Education Across the Nation” May/June 2002

Cybernaughties

ACS Forum National Professional Development

“Education Across the Nation”May/June 2002

Copyright ACS Cybernaughties May 2002 2

About Education Across the Nation

ACS Professional Development Board identifies topical topics and provides presentation material for Forums in each ACS Branch – presentation is also available on the ACS web site

Members earn PCP hours for attending, e.g. 1.5 hour session = 1.5 PCP, 1 hour = 1 PCP hour

Evaluations are requested to help with planning future forums, please tell us what topics you would like in future sessions, hand in the evaluations at end of session - thanks


Relevance to CMACS Program

The topics we are discussing tonight are covered in several CMACS subjects *IT Trends *Business, Legal and Ethical Issues (BLE) Project Management *E-Business Management and Strategy for IS Software Development

* These have been updated already for 2002. Security and privacy issues occupy a module, 17.5% of total content, in BLE.


What are cybernaughties?Which ones are cyberspace

crime?CyberterrorismIdentity theftFraudCyberstalkingSurveillanceCensorshipPrivacy breachesDamaging dataCybersquattingWeb page defacement

Cookies

Dangerous emails

Trade secret theft

Social engineering

Plagiarism

Hacking and cracking

Unauthorised access/ computer trespass

Data theft


What we plan to cover

Some stats on who’s doing what and to whom?

Are these things always naughty?

How can you protect against them?

Should vulnerabilities be publicly discussed?

Are National ID cards the answer?


Cyberterrorism

Who’s protecting critical IT infrastructure from naughty folk? Health organisations Banking and finance Telecommunications Transport Power and Water Emergency services Other???


Netwar

Networked force can offset a disadvantage in numbers, technology or position.Hard to target Few formal procedures to disrupt Little physical infrastructure Hard to infiltrate “Borrow” expensive equipment when needed.

E.g. Boeing planes

Just like the self managing teams recommended in business


Netwar 2

If you can accurately map a network, you can figure out how to break it apart.Inflow analyses and clusters nodes in network according to activity, betweenness and closenessRead Thomas Stewart “America’s Secret Weapon” in Business 2.0 December 2001


Netwar

FBI has used keylogging software to legally “steal” encryption keys in a high profile Mafia case

Echelon detection system can monitor mobiles and Internet traffic. But who might be monitoring the chatty emails to loved ones for battlefield soldiers?

What’s the Internet equivalent of “loose lips sink ships?”


DC-1000, nee Carnivore

FBI can request a court order to use Carnivore when a person is suspected of Terrorism Child pornography/exploitation Espionage Information warfare Fraud

Need to show probable cause


In Australia

States and territories are responsible for protecting physical infrastructure, e.g. roads, railway lines, sea ports, airports, national icons (Opera House, MCG)

In US, Bush admin is establishing a central office to co-ordinate government’s response to cyber attacks

In Australia, national vs states issues are being debated – will we ever learn?


Cyberterrorism

22 March, 2002125,000 attempts to penetrate an air

force computer systemA concerted and directed attack, “one of

the most orchestrated we’ve seen in about the last six months”

Originated overseas The Harrow Report, 1 April, 2002


Email can be dangerous

2 workers at Narrabri Shire Council referred to their superiors as Huey, Dewey and Louie in an emailAnd lost their jobsEmployers face risks of Defamation Sexual harassment Discrimination Copyright infringement

Emails are like postcards no matter how many caveats you include in them


Vint Cerf on email

“Be thoughtful in what you commit to email, news groups and other Internet communication channels – it may well end up in a web search some day”

Great presentations and papers at www1.worldcom.com

Check out his “The Internet is for Everyone” draft Feb 2002


Online gambling- is it naughty?

Australia’s Interactive Gambling Act, passed in July 2001 bans Australian online gambling operators from offering their services to Australians.Feb 2001 – 3% of Australian Internet users accessed an online casino from home PCFeb 2002 – 3.4 % did the same

What’s the point of the above Act?There are 1,400 Internet casinos – many of

them in the Caribbean.


Is Altnet naughty?

File swapping program Kazaa (Napster-like) includes stealth software that is capable of tapping spare computing capacity – maybe 20 million downloads in Feb 2002Will work on opt-in basis, users will be remunerated for services, you can de-install it – but is it spam? Or a virus? How often do you know what’s in a download? Or any software?Are cookies stealth software?


What about cybersmearing?

Falsehoods about you or your organisation on the Internet – attack sites/rogue sites.Company found a concocted interview about it during difficult negotiations with a union – could not locate name or contact details of person who posted it. Did find an email address.Went to dejanews, typed in the email address and found many postings from same email address, a cancer survivors group, blues music group, weddings group - where there were contact details.


Cybersmearing cont.

Web page with offending material was on a real estate agency’s site –a little digging showed that the cybersmearer worked for the the real estate company.

Lawyer contacted the cybersmearer “Hello. We know you had breast cancer, your favourite blues artist is BB King, your daughter is getting married in July. We know you posted a web page with inaccuracies…..if it’s still there in half an hour, we will contact your boss who will not be happy to know you are posting libelous material on her site….

Is this a good approach to such a problem?


Spam

This is a vexed issue for ISPs as spam generates traffic and traffic generates moneyDr John Costello proposed a hash-cash solution in a letter to the Age If you want to send me an email, my mail server requires

yours to perform a computationally intensive task before it will decode and accept it

This is OK for one recipient – but for one million? What’s needed is an upgrade to Internet mail protocol

……. plus the will to act. Is this a good solution?


Cookies

The good news is that fewer large sites are sending you cookies

Of the 100 most visited sites only 48% use cookies, down from 78%

84% collect personal information, down from 96%


Censorship

Is it naughty?

CSIRO report on effectiveness of filtering software products showed that few are successful

BUT – 60% of parents believe that content filtering software is effective


CSIRO study

Net Nanny blocked 30%, passed 70%

I-gear blocked 98%, passed 2%

AOL under 12 years blocked 100%

Internet sheriff blocked 98%

Cyber sentinel blocked 90%


Reverse censorship

SafeWeb Triangle Boy give users the ability to secretly lend internet address to users behind restricted firewallsBeing funded by In-Q-Tel (CIA) and Voice of America which has 100 Triangle Boy machinesGrowing use in China, Saudi Arabia, United Arab Emirates, Syria


Hacking

Stand up if you are Male 14-28 years old Intelligent Could have done better in exams Work or study in technical area

Based on averages, those standing represent the likely hackers – but this is a gross generalisation


Real hackers

Stay standing if you are indeed a hacker

Could any other hackers also please stand so we can test this average


Why the naughty hack

StatusMedia attentionExpose security flawMonetary gainPayback, increasing number of disgruntled ex-employees are hackingSex appeal? ”All the girls thought it was cool” said one 16

year old male hacker


Lots of hacking

Every 13 seconds, computer networks of federal government are probed by hackers

Auscert – security incidents reported by members doubled in 2001

Security software – CAGR 22% to 2004 according the Gartner


Hacker praised by judge for Bill Gates prank

“You demonstrated some sense of humour by sending Viagra to Bill Gates to mock him. Even the prosecution had difficulty identifying the criminality of what you did. You have computer skills which many, including myself, envy.”

How do we change judicial attitudes?


Internet abuse

It was reported in The Age in Feb 2002 that 4 New Zealand judges were being investigated for surfing Internet sex sites using computers provided by the Department of Courts.

Is this naughty?


Security is more than money

“You can spend a huge amount of money and be tremendously ineffective. It’s about having the intellectual capability to conceive of how to address those issues, and then having the commitment, enthusiasm and support to actively execute those things.”Stephen Ford, Assoc Dir IT security at

Macquarie Bank


Top ten security threats

ComplacencyPoor executionVirus attackHackers and crackersTrojan horsesDoS attacksDisgruntled employeesNaïve employeesMobile devicesData hijacking


Data security

NSW Bureau of Crime Statistics

In 2000, 10,221 laptops were stolen336 were recoveredNone of the recovered had data

securityHands up if your laptop has any data

security.


CSI/FBI computer crime and security survey

Activity 2001 2000

System penetration from outside

40% 25%

Denial of service attacks 38% 22%

Employer abuse of Internet access

91% 79%

Detected computer viruses 94% 85%


CSI/FBI computer crime and security survey

Intrusions take place despite the presence of firewalls

Theft of trade secrets takes place despite the presence of encryption

Net abuse flourishes despite corporate edicts against it


Liability issues

You could be accountable for compromised data due to cyberintruders

Even if security measures are in place and in your organisation has done anything wrong

Distributed denial of service is one example – you get hijacked but still could be liable for damage caused


Cyberfraud – who’s doing it?Top 12 countries – US data

Ukraine

Indonesia

Yugoslavia

Lithuania

Egypt

Romania

Bulgaria

Turkey

Russia

Pakistan

Malaysia

Israel


What are teens doing most on Internet

Download music

Play games

Seek health info

Chat

Shop

Check sports scores

72%

72%

75%

67%

50%

46%


Teens get health info

Net

School

Parents

Doctors

75%

47%

45%

41%


Biggest online fraud?

Online auctions, up from 63% of frauds in 2000 to 78% in 2001.Nigerian money offers up from 1% in 2000 to 11% in 2001. Web sites are the most common way for fraudsters to solicit, but there is an increase in con artists contacting by email.


Credit card fraud

Harvey Norman closed its online shopping site – 25% involved stolen credit cardsRecent research by KPMG put it at 20-25%5% of Internet transactions are fraudulent, compared with .05% of bricks and mortar ones Editor at MSNBC challenged 2 reporters to go online and get credit card numbers, names and expiration dates. Within 2 hours, they had 2,500.


Cheque fraud

TV show Dateline did a report on cheque fraud.

Produced a $1,000 cheque with “Void” written all over it

Plus the words “Please don’t pay me. I am a counterfeit cheque.”

The cheque was cashed.


Cyberforgery

25 years ago, it took 12 weeks to create a forged cheque and a 4-colour printing press cost $250,000

Today, it takes 12 minutes and requires a laptop, laser printer, scanner which is about US $5,000

But the good news is that you can print the cheque to pay for it.

On laser printed cheques, you can remove the name and dollar amount with cloudy type scotch tape


Disposable credit cards?

What about a one-time use card?

You get a private payment number that can be used once and only once

Available/being trialled from American Express and Visa


Encryption –how effective is it?

Powerful ciphers guarantee absolute security in theory

But hardly ever in practice

Because people don’t use them properly

A good key is a long string of random symbols – hard to remember, so write it on a post-it or put it in a file, protected with a password like “1234”?


What about ID theft?

In 2001, identity theft became the top consumer fraud complaint reported to the US govt.

750,00 citizens will have their identities stolen in 2002

Do National ID cards solve the problem?


Michelle Brown’s story 1

Single, late 20’s, owned 15 credit cards, never late on a paymentCall from bank – overdue payment on her car. But not her car.Bank officer explained they had trouble finding her as phone calls in credit application not valid – so they used directory assistance.Yet it was her name and her social security number on the loan form.


Michelle Brown’s story 2

She contacted credit reporting agencies and division of motor vehicles, duplicate licence recently issued, delinquent bills for thousands of dollars, arrest warrant in Texas for drug offencesIt took her about 2 years to sort things out, and she has never really recovered, now has shredder at home.Check out how to avoid identity theft at Australian Bankers Association site


Don’t make is too easy!

Pre-approved credit applications sent via mail is a known method of identity theft – all the naughty person has to do is forge a signature and change the address on the form.Expert advice is to shred all documentation with your financial details, and use a post office box as mail theft is often a prelude to identity theft.There’s heaps of identity theft information on the web


Australian Financial Review 13 May 2001

National Crime Authority investigation into identity fraud

Crime group (Sydney-based) allegedly using illicit bank accounts to claim tax returns

Serving/former ATO officers under investigation

Illicit bank accounts opened in name of people whose tax history suggests are unlikely to ever get a refund

Improvements in scanning technology make it easier to produce fake IDs


Organised drug make/traffic

Motorcycle gangs in Australia and New Zealand use the Internet for secure encrypted transmission of drug recipes, Illegitimate financial transactions, business case proposals and communications

Web sites in the Netherlands and the UK offer to sell and deliver potent varieties of cannabis to almost any destination in the world

The Internet itself has numerous sites where the recipes for illicit drug preparation are detailed in step by step detail, including alternative ingredients for those hard to obtain supplies. (Int.Narcotics Control Board, 2000)

Source Peter Wilkins presentation to Privacy Conference 2001


Organised Child Pornography and Trafficking in Human

BeingsTrafficking in women and children for prostitution and forced labour has become a highly lucrative and well organised growth industry. (Interpol General Secretariat)

Nexus between viewing large amounts of child porn and the propensity of offending. A child molester who after viewing child porn went to a school and raped two five year old girls said “I was determined next day to grab a kid, that stuff fuelled me”

Offender possessed on his computer 30,000 child porn images in 175 directories. (Victoria Police)

Source – Peter Wilkins slides from Privacy Conference 2001


Development of policing strategies

The commissioners have prioritised the strategy development and priority issues as follows:The development of national accredited training for all levels of law enforcement ranging from initial action at e-crime crime scenes, through to forensic analysise-crime law reformThe identification of private sector partnerships including; their role and function; andThe development of the proposal for a national centre for cybercrime (Source: Peter Wilkins)


Available at www.privacy.gov.au

MALCOLM CROMPTONFEDERAL PRIVACY COMMISSIONER

Biometrics and Privacy: The End of the World as We Know IT or The White Knight of Privacy

Biometrics, Security and Authentication Conference

10 March 2002

See also Roger Clarke’s April 2002 paper, referenced in second last slide


Biometrics – what’s driving it?

Authentication – efficient and fraud proofLaw enforcementTechnology developments Cost – cheaper and cheaperSecurity – post 11 September


International Biometric Industry Association

“Simply put, it’s getting harder and harder to preserve personal privacy without using biometrics…”

Richard E Norton, IBIA


But then……..

“…Biometrics are among the most threatening of all surveillance technologies, and herald the severe curtailment of freedoms, and the repression of ‘different thinkers’, public interest advocates and ‘troublemakers’.”

Roger Clarke


Biometrics and Privacy

“ Biometrics need not subvert informational privacy. A pro-privacy position should not be construed as anti-biometric. The technology can actually be privacy enhancing if systems are designed with that objective in mind.”

Information Privacy Commissioner, Ontario, Canada


Resistance to biometrics

There’s a reluctance to use human body parts for security systems

In US, Christian fundamentalists have brought 2 court cases …clear warnings in the bible against “marking” of

individuals

But, “if God did not want us to use biometrics, he would not have given us individual iris patterns.”


Not all resist

At Heathrow airport, passengers are volunteering to use iris scanning – Sydney airport is trialling face recognitionBut terrorists are unlikely to volunteer so we still need face recognition improvementsThe good get through security quickly with iris scanningThe naughty get caught by the face recognition software


What about fingerprinting?

It is no 2 in reliability, after iris scanning

But it is more affordable

Fingerprinting looks below the skin so latex fingers and severed fingers do not work

What about acceptance?

What about fingerprinting school kids?

Would you volunteer for a biometrics pilot?


Fingerprinting in schools

In US, at least one school has mugged and fingerprinted all parents and volunteers……..

A failed school employee had moved from school to school molesting children employee.

Will fingerprinting prevent this happening again?


Quebec’s new IT Framework Law

A person’s identity may not be verified or confirmed by means of a process that allows biometric characteristics or measurements to be recorded except with the express consent of the person concerned……..… The creation of a database of biometric characteristics and measurements must be disclosed beforehand to the Commission d’accès à l’information. As well, the existence of such a database, whether or not it is in service, must be disclosed. The Commission may make orders determining how such databases are to be set up, used, consulted, released and retained and how measurements or characteristics recorded for personal identification purposes are to be archived or destroyed.

The Commission may also suspend or prohibit the bringing into service of such a database or order its destruction, if the database is not in compliance with the orders of the Commission or otherwise constitutes an invasion of privacy.


Biometrics in Australia

Edith Cowan Uni in WA uses fingerprint scanning to secure the PCs controlling access to campus buildingsMelbourne’s Crown Casino and the Australian Customs Service are trialling face recognition using Face-IT from USCSIRO is developing SQUIS – system for quick image searchNSW Police, casinos and retailers are using face recognitionSydney airport is trialling iris scanning


Biometics future?

CSIRO has developed face recognition based surveillance but there are reliability problems.

Maybe the solution is a mix of iris scanning and face recognition with humans making the problematic matches


Surveillance

Carnegie Mellon project to identify humans at up to 150 metres –Human Id at a DistanceBlue Eyes – IBM product used in retail stores to record face and eye expressions and measure effectiveness of in-store promotionsVegas security systems have used face recognition for three yearsIn UK where video surveillance is used, per capita crime is down


Ethically speakeing

“We develop the technologies. The policy and how you implement them is not my province.”Human ID at A Distance Program Manager

“They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor saftey”Benjamin Franklin


Surveillance technology

CookiesTravel cards/e-tollsEmployee id cardsPhone cardsCredit card recordsAirline ticketsCell phonesGPSVideo camera


Bullet proof ID?

Does not exist

3-factor securitySomething you know, e.g. a passwordSomething you have, e.g. ID card/security

tokenSomething that confirms who you are, e.g.

a biometric


ID cards – an each-way bet?

Americans should carry drivers license with routine data plus a biometric identifier….. Stored in uniform databases in every state, tied into a national network, to verify identities at a moment’s notice

But not a National ID card as these raise civil liberties concerns


Who’s got ID cards?

Spain – id cards for citizens over 14

Argentina – card at 8, re-register at 17

Kenya – carry card at all times

Germany_over 16,m carry a card

Belgium – used since WW1, over 15, carry a card which police can request at any time


ID cards

Finland – voluntary smart card with chip used as a travel card in 15 European countriesIn US. Most likely use will be id cards for immigrants and foreign visitorsMalaysia – piloting a smart card that is drivers license, cash card, health card, and passport.


What’s needed?

Organisations need security software but it’s not enough. Need Policies Processes Risk analysis – ongoing Disaster recovery – tested Business continuity plans – tested Awareness and training – ongoing The will to act


Disclosing vulnerabilities

Who needs to know when vulnerabilities are discovered?Does public disclosure encourage the naughty to take advantage of the vulnerability?Microsoft and several specialist security firms have announced voluntary adherence to a new disclosure policy


Case study

You are an IT manager where a detection tool report shows that IT staff member Freda is accessing restricted Internet sites and downloading objectionable material.You remotely access Freda’s PC to obtain evidenceYou find the evidence, and fire Freda


Evidence issues

Data collected for purpose of evidence Untampered withAccounted for at every stage of its life from

collection to presentation in courtComply with Law of evidence

This can be “just too hard” for some organisations to pursueDon’t disturb the crime scene


Can you steal data?

In some jurisdictions, theft permanently deprives a victim of property.

If I copy your database, you still have it, so it has not been stolen.

In any case, is data “property”?


Good reads

Tangled Web by Richard Power - excellent. Que, 2001. Useful linksThe Art of the Steal - very readable. Frank Abagnale. Bantam, 2001Access Denied - useful explanations and best practice checklists. Cathy Cronkhite & Jack McCullough. Osborne, 2001Roger Clarke’s notes from the Computers, Freedom & Privacy 2002 Conference at www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP02.html

Lots of useful links including Roger’s slides on biometrics


What’s next?

Thanks you for your attendance and for completing your evaluation form.The next Education Across the Nation forum is “The Getting o Agility”- alternative ways of developing systems – lite, extreme, agile methods. These are not just a return to the “quick and dirty” approaches of the past – they are rigorous methods which work well if done properly. Tell us what you would like to know about these approaches on your evaluation for tonight and we’ll try and meet all needs.

Documents

Cybernaughties ACS Forum National Professional Development “Education Across the Nation” May/June 2002