2. WHY DO HACKERS HACK?
• For material benefits
• For status
• For vengeance (justice?)
• For fun
• For nothing
• For goodness
Photo from Google
3. WHAT HACKERS DO
• White hat, black hat
• Targeted or for all
• Security exploits
• From virus to malware
• Social engineering: phishing, baiting
• Botnets
• DDoS (distributed denial of service)
• From PC to mobile
5. IT CAN BE WORSE: STUXNET (2010)
Graphic from IEEE Spectrum
6. STUXNET
• Targeting critical infrastructure
• State-backed (American and Israeli intelligence)
• Targeting Iranian nuclear facilities
• Spread via Microsoft Windows
• Targets Siemens industrial control systems, i.e. the software
that controls and monitors those systems
• Spread via malware or an infected USB stick carried into the facility
8. WHO IS HE?
• Born June 21, 1983
• High school dropout
• Worked for the NSA, then the CIA, then was employed by
contractor Booz Allen Hamilton, working at the NSA again
• Salary: roughly US$200,000 ("took a pay cut to get back
into the NSA")
• Lived in Hawaii before coming to Hong Kong on May 20, 2013
• Left Hong Kong on June 23, 2013 for Moscow, Russia
9. FIRST, IT WAS VERIZON…
• First revealed by the Guardian (UK): the NSA was granted a
court order under FISA (Foreign Intelligence Surveillance Act)
giving it unlimited access to Verizon phone records
• Is it "legal"?
10. AND THEN, THERE WAS PRISM
• A "clandestine mass electronic surveillance data mining
program", running since 2007, after the passage of the
"Protect America Act" under the Bush administration
• PRISM is "the number one source of raw intelligence used for
NSA analytic reports", and it accounts for 91% of the NSA's
Internet traffic acquired under FISA section 702 authority
17. MORE OF SNOWDEN'S REVELATIONS
• More secret programs to be revealed…
• 4 surveillance programs (US)
• MAINWAY
• MARINA
• NUCLEON
• PRISM
• Collecting and analyzing metadata from the Internet (e.g. emails)
and telecom networks (e.g. call logs)
• Other programs revealed
• Evil Olive – broadening the scope of data collection
• Shell Trumpet – another similar program revealed
• The EU and its allies were among the top targets
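The slide above says these programs collect and analyze metadata rather than content. The following is an added illustration, not part of the original slides or of any program they name, of why metadata alone is sensitive: "contact chaining" over call records reveals who talks to whom, how often and when, without a single call being listened to. All phone numbers, timestamps and records below are constructed for the example.

```python
"""Contact chaining over telephone metadata (constructed sample).

Added example, not from the original slides. It shows what can be learned
from call records alone: caller, callee, start time and duration. Every
number and record here is invented.
"""
from collections import defaultdict
from datetime import datetime

# Constructed call-detail records: (caller, callee, ISO start time, seconds)
CALL_LOGS = [
    ("+1-555-0100", "+1-555-0101", "2013-06-01T09:02:00", 340),
    ("+1-555-0100", "+1-555-0102", "2013-06-01T09:10:00", 45),
    ("+1-555-0101", "+1-555-0103", "2013-06-01T21:30:00", 1200),
    ("+1-555-0101", "+1-555-0103", "2013-06-02T21:35:00", 900),
    ("+1-555-0101", "+1-555-0103", "2013-06-03T21:40:00", 1100),
    ("+1-555-0102", "+1-555-0104", "2013-06-02T11:00:00", 60),
    ("+1-555-0104", "+1-555-0105", "2013-06-02T11:05:00", 30),
    ("+1-555-0106", "+1-555-0107", "2013-06-04T14:00:00", 500),
]


def build_graph(records):
    """Undirected contact graph: number -> {contact: [call durations]}."""
    graph = defaultdict(lambda: defaultdict(list))
    for caller, callee, _start, seconds in records:
        graph[caller][callee].append(seconds)
        graph[callee][caller].append(seconds)
    return graph


def contact_chain(graph, seed, hops):
    """Breadth-first expansion from a seed number.

    Returns {number: hop distance} for every number reachable within
    `hops` calls of the seed. A "two-hop" query from one target pulls in
    the contacts of the target's contacts, none of whom were selected.
    """
    dist = {seed: 0}
    frontier = [seed]
    for hop in range(1, hops + 1):
        next_frontier = []
        for number in frontier:
            for contact in graph.get(number, {}):
                if contact not in dist:
                    dist[contact] = hop
                    next_frontier.append(contact)
        frontier = next_frontier
    return dist


def strongest_tie(graph, number):
    """Contact with the most total talk time: (contact, total seconds, calls).

    A relationship signal that needs no content at all.
    """
    contacts = graph.get(number, {})
    if not contacts:
        return None
    best = max(contacts, key=lambda c: sum(contacts[c]))
    return best, sum(contacts[best]), len(contacts[best])


def late_night_calls(records, number, after_hour=21):
    """Count calls involving `number` that start at or after `after_hour`.

    Timing alone (late-night, recurring) is a pattern-of-life indicator.
    """
    count = 0
    for caller, callee, start, _seconds in records:
        if number in (caller, callee):
            if datetime.fromisoformat(start).hour >= after_hour:
                count += 1
    return count


if __name__ == "__main__":
    g = build_graph(CALL_LOGS)
    print("two hops from +1-555-0100:", contact_chain(g, "+1-555-0100", 2))
    print("strongest tie of +1-555-0101:", strongest_tie(g, "+1-555-0101"))
    print("late-night calls of +1-555-0101:", late_night_calls(CALL_LOGS, "+1-555-0101"))
```

Run it and note that a two-hop query seeded on one number already reaches four other people, and that the three recurring late-evening calls between +1-555-0101 and +1-555-0103 stand out as a relationship before anyone reads a word of content.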
18. WHAT ABOUT OTHER COUNTRIES?
• Britain – Tempora (sharing information with the US)
• France – "collects signals from devices in France, and
communications abroad"
• Germany – providing intercepted data to the NSA
• Russia – SORM, another surveillance program
• China?
• Others?
19. SNOWDEN ON HONG KONG
• Why did he choose to come to Hong Kong?
• He told the SCMP that the NSA had been:
• Hacking into computers/servers in HK and China
• At least several hundred times (>61,000 times globally)
• Targeting universities, public officials, students, businesses
• Targeting undersea cables
20. WORK IN COUNCIL
- June 15: rally outside the US Consulate General (USCG)
- June 19: follow-up on urgent oral question; amendment passed
on "building a safe city"; adjournment motion debate on
cyber security
- Letter to the CE, the Security Bureau and the PCPD
- June 26: written question on the government's response
- Forum on infosec with security professionals
- July 17: amendment on motion debate
21. THE DEMANDS
• Seeking a response from the US government
• HKSARG sent a letter to the US government on June 21 – no answer
• Concrete measures to improve information security and the
awareness of local users and SMEs
• Revive the Interdepartmental Working Group on Computer-Related
Crime to review and propose new cross-departmental measures
22. GOVERNMENT'S RESPONSE
• No problem, it's all fine – "we are not aware of any problems"
• Repeating:
• OGCIO's infosec website
• HKCERT
• Police's Cyber Security Centre
• Interdepartmental WG on cyber security? No.
• Everything is fine. Really.
26. WHAT NEXT?
• The US or other governments can view almost everything they want
• Can we still trust the Internet and cloud computing?
• Brazil's President is pushing new legislation to force Internet
providers to store data gathered in Brazil locally
• But is it practicable?
Photo: Brazilian President Dilma Rousseff
27. IS FISA JUST AND FAIR?
FISA (Foreign Intelligence Surveillance Act)
• Repeatedly expanded after the 9/11 attacks
• Said to be for monitoring foreign threats in the US
• But in practice it allows surveillance of citizens worldwide,
and even of Americans
28. IS FISA JUST AND FAIR?
• The United Nations Human Rights Council recently discussed
regulating surveillance technology used on citizens worldwide
• Suggests advancing international human rights obligations on privacy
29. WHAT SHOULD WE DO?
• World-class information security capabilities in HK
• Highest density of CISSPs in the world
• SMEs and individuals do not appreciate the importance of
information security
• Education
• Protection from "basic hacking" as a start
• Set targets to reduce botnets?
• Legal or regulatory measures?
30. Charles Mok
Legislative Councilor (Information Technology)
charles@charlesmok.hk
www.charlesmok.hk
Facebook: Charles Mok B
Twitter: @charlesmok