"Security, Privacy Data Protection and Perspectives to Counter Cybercrime" was presented at the CodeGate 2008 security conference in Seoul, Korea, April 2008.
http://www.codegate.org/
1. Security,
Privacy Data Protection,
and Perspectives to
Counter Cybercrime
Gohsuke Takama
Meta Associates, Japan
gt@inter.net
CodeGate Conference
April 2008, Seoul, Korea
2. outline:
• introduction
• security vs. privacy?
• privacy today - revisited
• state of cybercrime today
• balance of powers
• psychological layer security
3. about…
• Gohsuke Takama
– Privacy International (London, UK),
advisory board member
• http://www.privacyinternational.org/
– Computer Professionals for Social
Responsibility /Japan chapter,
founding supporter
• http://www.cpsr.org/
– independent journalist for over 10 years
– Meta Associates,
founder & president
• http://www.meta-associates.com/
4. introduction
• some works of Privacy International
• a report in June 2007: "A Race to the Bottom - Privacy Ranking of Internet Service Companies"
• a study in Dec 2007: "Leading surveillance societies in the EU and the World 2007"
5. introduction
• Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations.
• PI is based in London, England, and has an office in Washington, D.C.
• PI has over 50 members on its international advisory board, including MIT's Noam Chomsky and former member of the U.S. House of Representatives Bob Barr
6. "Privacy Ranking of Internet Service Companies"
• Amazon, AOL, Apple, BBC, Bebo, eBay,
Facebook, Friendster, Google, Hi5,
Last.fm, LinkedIn, LiveJournal,
Microsoft, Myspace, Orkut,
Reunion.com, Skype, Wikipedia, Windows
Live Space, Xanga, Yahoo!, YouTube
12. some governments' view
• terrorists mingling among people
• thus people need to be watched
• people's movements need to be tracked
• people's communications need to be monitored
31. privacy today…
• activities shifting to data world
• more activity = more data trail
• personally identifiable information
(PII)
• = privacy data
• privacy protection
• = personal security
• = privacy data protection
38. McAfee
criminology report
• a recent online banking study...
• 2 million Americans = 5% of online
banking customers
• their accounts illegally accessed and
robbed
• average loss = $1,200
• banking industry total losses > $2
billion
39. McAfee
criminology report
• one North American credit company
reported...
• in 2005
• online fraud losses = $30 million
• (all losses = $100 million)
40. McAfee
criminology report
• one FBI estimate in 2005...
• in the USA
• cost of cybercrime = $67 billion
41. McAfee
criminology report
• a Gartner Inc. survey…
• identity theft-related fraud
• in 12 months ending in mid 2006
• approx 15 million Americans = victims
• average loss = $3,257
• (total losses > $48 billion?)
43. target
• ordinary computer users
• personally identifiable information
• for identity theft
• to illegally use credit cards
• to illegally access bank accounts
• to illegally access stock trading
• to illegally access organizations'
networks
44. value for crime
• personally identifiable information
(PII) = monetizable data
47. crime on web 2.0?
• long tail
• user data (PII) = core competence
• the web as platform (for attack)
• user as a contributor (of botnet, etc.)
• mashups (web, malware, botnet, etc.)
• rich user experiences (of trouble)
• distributed operation
• loose connection among operatives
• collective intelligence
48. [diagram: spoof/altered site; 1st line victims; 2nd line victims; stock trading; banks; credit companies; organized crime; coders; lost/stolen data]
49. final victim
• our economy
• the economy is held hostage
• one type of national security issue
51. "security vs. privacy"
or 'security & privacy'
• security for whom?
• misleading dichotomy
• security & privacy are not opposites
52. security
process & action matrix (columns: prevention / detection / response)
• gov - law enforcement: prevention: law making, administer, promote; detection: surveillance, monitor; response: investigate, arrest, prosecute
• individual: prevention: self accustomed; detection: self awareness; response: self defence, call police?
• business: prevention: rule making, manuals, appliances; detection: awareness, monitor; response: org defence, call police
• criminal: prevention: spoof, deception; detection: 0 day, obfuscation; response: transborder, remote op
53. privacy data protection
process & action matrix (columns: prevention / detection / response)
• gov - law enforcement: prevention: law making, administer, promote; detection: survey, hearing, called in; response: investigate, give penalty, prosecute
• individual: prevention: self accustomed; detection: self awareness; response: call service, call gov?
• business: prevention: rule making, manuals, PIA; detection: awareness, monitor, PET use; response: org defence, call police, called in
• criminal: prevention: spoof, deception; detection: 0 day, obfuscation; response: transborder, remote op
54. some acronyms…
• PIA = Privacy Impact Assessment
• PET = Privacy Enhancing Technology
• ROI = Return On Investment
56. how do they lure talent?
(excerpt)
• find target students on password posting sites, cracking tool sites, chat, etc. (also possible on online game sites)
• offer easy, low-risk tasks with rewards
• if successful, offer higher-level tasks with higher rewards
• once involved, blackmail the target into doing risky tasks
• sometimes sponsor target students to get IT degrees at university (as a reward)
57. law enforcement's limit
• international jurisdiction
• can act only after the incident
• limited operation & human resources
58. balance of powers:
asymmetric?
• attack side:
– organized cybercrime
– no compliance to the law
– borderless ad hoc alliances
– long tail attack model
– spontaneous action
– operation low cost = high ROI
– luring technically sophisticated youngsters
– psychological attack approach effective
• defence side:
– gov, security industry
– compliance to the law
– limited by international jurisdiction
– concentric defence
– action after incidents
– security often looked at as anti-ROI cost
– more security professionals needed
– psychological defence possible?
59. remedies
• need to make businesses understand…
• security is for averting the risk
• PII data is targeted
• the size of damages (what if 5% of users are attacked…)
• guidance & aid for small & medium-size businesses
• = over 90% of businesses are small & medium-size companies
• = attacks follow a long tail model
60. remedies
• need to prevent technically talented youngsters from being lured by criminals (from the dark side)
• rescue remedy to save lured youngsters from blackmail (& ransom?)
(c) Lucas Film
61. remedies
• need to increase the number of security professionals for defence
• need to make security professional a glamorous job
• = cool
• = respected
• = high pay (> US$200/hour…?)
63. psychological layer
security
• still a theoretical idea
• Bruce Schneier is also looking in a similar direction
• Feb 2007: "The Psychology of Security"
83. hack for security is
cool
Matrix Reloaded, (c) Warner Bros. Pictures
84. psychological layer
security
• passive defence:
• user behavior modification
• to increase user alertness
• active defence:
• to de-motivate adversary
• to deflect direction of attacks
• potential field to look at:
• Cognitive Behavioral Therapy
• Neuro Linguistic Programming
86. + a concept example:
• Psycho-acoustic Computer Virus
• creates near-inaudible very low frequency sound (20-40 Hz) by exploiting the sound synthesizer chip
• such very low frequency sound is believed to create fear and an awed feeling in hearers
• the Nazis are believed to have used this sound technique at Nazi Party conventions
87. psychological attacks
how can we counter?
• exploit social interaction
• exploit social protocols
• exploit social norms
• exploit social status of users
• exploit mental state of users
89. sources
• A Race to the Bottom - Privacy Ranking of Internet Service Companies
• http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961
• Leading surveillance societies in the EU and the World 2007
• http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559597
• Map developed: http://english.freemap.jp/
• What Our Top Spy Doesn't Get: Security and Privacy Aren't Opposites
• http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0124?currentPage=all&
90. sources
• Our view on security vs. privacy: Bush uses scare tactics ... (USA Today)
• http://blogs.usatoday.com/oped/2008/02/our-view-on-sec.html
• MI5 seeks powers to trawl records in new terror hunt
• http://www.guardian.co.uk/uk/2008/mar/16/uksecurity.terrorism
• Police announce London 2012 plans
• http://news.bbc.co.uk/sport2/hi/olympics/london_2012/7277918.stm
• UK considers RFID tags for prisoners
• http://www.itweek.co.uk/vnunet/news/2207145/government-considers-rfid-tags
91. sources
• Bush Administration's Warrantless Wiretapping Program
• http://www.washingtonpost.com/wp-dyn/content/article/2007/05/15/AR2007051500999.html
• Mobile firms seek India govt meeting on BlackBerry
• http://www.reuters.com/article/ousiv/idUSBOM10000520080312?sp=true
• UK MOD confirms loss of recruitment data
• http://www.mod.uk/DefenceInternet/DefenceNews/DefencePolicyAndBusiness/ModConfirmsLossOfRecruitmentData.htm
• TSA_securitybreach_20080111092648
• http://oversight.house.gov/documents/20080111092648.pdf
92. sources
• What Is Web 2.0
• http://oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html
• Security, Economics, and the Internal Market
• http://www.enisa.europa.eu/doc/pdf/report_sec_econ_&_int_mark_20080131.pdf
• Criminals 'target tech students'
• http://news.bbc.co.uk/2/hi/technology/6220416.stm
• The Psychology of Security
• http://www.schneier.com/essay-155.html
• Hackers Assault Epilepsy Patients via Computer
• http://www.wired.com/politics/security/news/2008/03/epilepsy