Cybersecurity: Technologies and their Impact on Privacy
Eran Toch
The Minerva Center for Human Rights, The Hebrew University, June 2013
Eran Toch
Department of Industrial Engineering
Tel Aviv University, Israel
http://toch.tau.ac.il/
My Work
Managing Location Privacy
Temporal Aspects of Privacy
Generating Automatic Defaults
http://toch.tau.ac.il/
Cyber-Security and Privacy
Cyber Attacks
Cyber Security
Agenda
1. The Context Of Cyber Attacks
2. The Attack Model
3. The Cyber-security Response
1. The Context Of Cyber Attacks
Cyber Attacks
Actions to penetrate the computers or networks of a nation, organization or a person for the purposes of causing damage, disruption or to violate privacy.
http://www.flickr.com/photos/75468116@N04/8569854011
Three Questions
‣Who are the attackers?
‣What are the targets?
‣ How are the attacks carried out?
Who Are the Bad Guys?
“Off-the-shelf” Hackers
Motivations:
‣ Cyber Crime
‣ Vandalism
‣ Hacktivism
Sophisticated Hackers
Motivations:
‣ Cyber Crime
‣ Cyber Espionage
‣ Cyberwar
Where are the Victims?
IBM Security Risk Report: http://www.ibm.com/ibm/files/I218646H25649F77/Risk_Report.pdf
Threats for Electronic Services
‣ Disrupting, sabotaging or exploiting electronic services.
http://www.nytimes.com/2012/01/17/world/middleeast/cyber-attacks-temporarily-cripple-2-israeli-web-sites.html
http://www.nytimes.com/2013/03/28/technology/attacks-on-spamhaus-used-internet-against-itself.html?pagewanted=all
For Example, The Attack on ATMs
http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html?pagewanted=all
Threats for the Computer Network
‣ Disrupting the Internet network itself, preventing the flow of communication.
Disrupting the Infrastructure
‣ Electricity, water, fuel and nuclear energy.
‣ Air control, traffic, building infrastructure.
But, Apart from Stuxnet...
‣ Not many examples of successful cyberattacks on infrastructure.
‣ However, physical infrastructure is getting increasingly connected.
The Stuxnet Attack, July 2012
Threats for Privacy
‣ Accessing private information on servers and personal devices.
1. The attack model
Attack Models
‣ The Internet Architecture
‣ Attacks
‣ Denial-of-service
‣ Trojan horse
‣ Phishing
‣ Man-in-the-middle
‣ Social Network attacks
‣ Insiders
The Internet Protocol
[Figure: Client, Routers, Server. Labels: IP Packet; IP Address (132.66.237.203, 64.233.160.0, 209.85.128.0); Global IP Network]
Properties of the Internet Network
‣ Multiple channels of communication.
‣ Anonymity and trustfulness.
First Attack
http://www.flickr.com/photos/caioschiavo/6309585830
Zombies!
Denial-of-Service Attacks
‣ Distributed denial-of-service attack (DDoS attack)
‣ An attempt to make a machine or network resource unavailable to its intended users.
‣ Attackers hide themselves by employing “zombies”.
Example: The Attack on Spamhaus
http://www.nytimes.com/interactive/2013/03/30/technology/how-the-cyberattack-on-spamhaus-unfolded.html
Second Attack
http://www.flickr.com/photos/lars_in_japan/6129526077
Trojan Horses!
Trojan Horses Attack
‣ A Trojan horse is malware that appears to perform a desirable function but instead drops a malicious payload.
‣ Often including a backdoor allowing unauthorized access to the target's computer.
Example: The Zeus Trojan Malware
1. The Zeus Trojan sells for $3,000 to $4,000 on the black market
2. Victims download and install the trojan malware
3. When victims surf to a selected bank website, it displays a fake site
4. The malware steals account numbers, Social Security numbers, usernames and passwords
Trojan Horses
http://www.androidauthority.com/trojan-horse-apps-found-disguised-as-legit-google-play-store-apps-security-company-reveals-207408/
http://iphone.pandaapp.com/news/07052012/220417591.shtml#.UbYMbPaSAUI
Third Attack
http://www.flickr.com/photos/25689440@N06
Phishing!
Phishing Attacks
‣ In phishing attacks, the victim receives an email, a text message or another communication. The link or reference will take the victim to a dummy site.
http://www.gartner.com/newsroom/id/565125
The Cost
‣ Gartner estimates that 3.6 million U.S. adults lost money in phishing attacks in 2007.
‣ $3.2 billion was lost to these attacks.
Fourth Attack
http://www.flickr.com/photos/lars_in_japan/6129526077
Man in the Middle in Mobile
Attacks on Mobile Devices
‣ Mobile devices generate and store very sensitive information:
‣ Our location
‣ Voice and video
‣ Contacts and communications
‣ Applications
‣ Various sensor data
Man-in-the-middle Attack
Malicious Router
Sensitive Website
Man-in-the-Middle + Trojan
Malicious Router
Fifth Attack
http://www.flickr.com/photos/lars_in_japan/6129526077
Social Network Attack
Facebook Botnets
‣ How would you respond to this Facebook friend request?
‣ The cyber attack: to become your friend.
‣ Social engineering can be used to get close to targeted people.
Social Network Attacks
The Socialbot Network: When Bots Socialize for Fame and Money - Yazan Boshmaf et al, In Proceedings of ACSAC'11, 2011.
Boshmaf et al. engineered a botnet server and measured the rate at which people fall for the attack.
Fifth Attack
http://www.flickr.com/photos/lars_in_japan/6129526077
Insiders
Insiders
‣ Cybersecurity is turning its eyes to insiders such as employees and subcontractors.
http://www.haaretz.co.il/news/law/1.1831775
The Risk
‣ External threats account for only 47.1% of risks perceived by IT managers.
‣ The majority of risk is from insiders and from management limitations.
AlgoSec 2012 Report
2. The cyber-security Response
Cybersecurity Responses
‣ Organizations and governments respond to cyber attacks by:
‣ Developing technologies
‣ Regulating organizations
‣ Educating users and service providers
‣ Applying different levels of monitoring
http://www.flickr.com/photos/6892190693
Israel National Cyber Bureau
‣ The Israel National Cyber Bureau can be seen as a test case for government cybersecurity response.
‣ The Bureau's activities include:
‣ Response formulation.
‣ Regulation roadmap.
‣ Research and development.
Levels of Response
Technology, Research and Education
‣ Citizen: Education
‣ Small Service Providers: Regulation
‣ Civil Organizations: Policy and Enforcement
‣ Government: Internal Procedures
All Front
‣ Unlike traditional warfare, there is no clear front.
‣ The question of how to regulate civic organizations and individuals is still open.
Cybersecurity Technologies
‣ Network Monitoring
‣ Syntactic monitoring
‣ Semantic monitoring
‣ Identification systems
‣ Monitoring systems
Syntactic Monitoring
‣ Tracking the network communication by:
‣ Firewalls
‣ Proxies
‣ RADIUS servers
‣ Monitoring is based on IP characteristics, such as destination, origin etc.
Syntactic Monitoring and Privacy
‣ Sites users visit.
‣ Applications used by the user:
‣ BitTorrent.
‣ HTTP / HTTPS.
‣ VoIP.
‣ Geographical origins and destinations.
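What the two slides above describe, as an added example that is not part of the original talk: a firewall that decides on destination address and port alone still accumulates, per user, the sites visited and the applications used. The flow records, the rule set and the port-to-application mapping are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records, header fields only (no payload):
# (source IP, destination IP, protocol, destination port, bytes)
FLOWS = [
    ("192.0.2.10", "198.51.100.7", "tcp", 443, 48200),
    ("192.0.2.10", "198.51.100.7", "tcp", 443, 12900),
    ("192.0.2.10", "203.0.113.50", "tcp", 80, 3100),
    ("192.0.2.10", "203.0.113.99", "udp", 5060, 900),
    ("192.0.2.11", "203.0.113.20", "tcp", 6881, 910000),
    ("192.0.2.11", "198.51.100.7", "tcp", 443, 5000),
]

# Hypothetical first-match policy: (action, destination network, ports or None = any)
RULES = [
    ("deny", "203.0.113.0/25", range(6881, 6890)),
    ("allow", "0.0.0.0/0", None),
]

# Port-to-application guess: a heuristic assumed for this example.
PORT_APPS = {80: "http", 443: "https", 5060: "voip"}

def guess_app(port):
    return "bittorrent" if 6881 <= port <= 6889 else PORT_APPS.get(port, "unknown")

def decide(dst, port, rules=RULES):
    """Firewall verdict from destination address and port alone."""
    addr = ipaddress.ip_address(dst)
    for action, net, ports in rules:
        if addr in ipaddress.ip_network(net) and (ports is None or port in ports):
            return action
    return "deny"  # default deny when no rule matches

def monitor(flows):
    """Per-source profile that accumulates as a by-product of filtering."""
    seen = defaultdict(lambda: {"destinations": set(), "apps": defaultdict(int), "blocked": 0})
    for src, dst, _proto, port, nbytes in flows:
        entry = seen[src]
        entry["destinations"].add(dst)
        entry["apps"][guess_app(port)] += nbytes
        entry["blocked"] += decide(dst, port) == "deny"
    return {src: {"destinations": sorted(e["destinations"]),
                  "apps": dict(e["apps"]), "blocked": e["blocked"]}
            for src, e in seen.items()}

if __name__ == "__main__":
    for src, prof in monitor(FLOWS).items():
        print(src, prof)
```

No packet content is read at any point; the profile comes entirely from the fields the firewall needs for its verdict.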
Semantic Monitoring
‣ Application firewalls look at the content of network communication.
‣ They operate by monitoring and potentially blocking the input, output, and system service calls.
What can it Block?
The most comprehensive Web Application threat mitigation
• SQL injection
• Cross-site scripting
• Parameter tampering
• Hidden field manipulation
• Session manipulation
• Cookie poisoning
• Stealth commanding
• Backdoor and debug options
• Geolocation-based blocking
• Application buffer overflow attacks
• Brute force attacks
• Data encoding
• Unauthorized navigation
• Gateway circumvention
• Web server reconnaissance
• SOAP and Web services manipulation
• Parameters pollution
Imperva
Radware
Citrix
State-Wide Monitoring
‣ Direct connection to the network infrastructure and to service providers.
‣ Big-Data: Reading everything, detecting by Machine Learning.
Insiders
‣ To prevent insiders from accessing the data, organizations:
‣ Design procedures for data access.
‣ Track end-user devices.
‣ Track communications and traces.
Deep Device Monitoring
‣ For example, Trusteer, an Israeli startup, provides technology that monitors end-user devices.
‣ Every application is scanned for key-logging etc.
Summary
Cyber-Security and Privacy
Cyber Attacks
Cyber Security
Cyber Attacks
‣ Easier to carry out
‣ But not necessarily easier to succeed.
‣ Increasing threat to privacy.
‣ We are all the victims of the Agron 2006 attack.
‣ Increasing use of social engineering, personal devices, human vulnerabilities.
Cyber-Security
‣ Deeper and wider monitoring
‣ With a chilling effect on privacy.
‣ The front is increasingly ubiquitous
‣ Government, organizations, companies, services.
Where should the line between security and privacy be?
Eran Toch
Department of Industrial Engineering
Tel Aviv University, Israel
http://toch.tau.ac.il/