Information Assurance

How it affects you and all of society

Topics

• What it is.

• What are the issues?

• Malicious software (viruses, worms)

• Authentication (passwords, biometrics)

• Digital copyright

• Other legal issues

What is Information Assurance?

• IA is the hardware, software, policies, and procedures needed to protect information and information systems by ensuring availability, integrity, authentication, confidentiality, and non-repudiation.

• IA implies the ability to protect, detect, and successfully react to information attacks.

• Also called InfoSec (information security)

We Depend on Computers

• Every aspect of our lives is increasingly dependent on computerized systems.

• Transportation and communication systems

• Banking and finance

• Manufacturing and retail

However, this information infrastructure is vulnerable

Impact on Society: more info

• The Risks Forum: www.risks.org

• Carnegie Mellon’s CERT: www.cert.org

• National IA Partnership: http://niap.nist.gov/

• Computer Incident Advisory Capability (CIAC): http://ciac.llnl.gov/ciac/index.html

Example from Risks Forum

• *The New York Times* online editorial of 31 Jan 2004, at http://www.nytimes.com/2004/01/31/opinion/31SAT1.html. They conclude with the remark "Given the growing body of evidence, it is clear that electronic voting machines cannot be trusted until more safeguards are in place."

• Concerned citizens have been warning that new electronic voting technology being rolled out nationwide can be used to steal elections. Now there is proof. When the State of Maryland hired a computer security firm to test its new machines, these paid hackers had little trouble casting multiple votes and taking over the machines' vote recording mechanisms. They were disturbingly successful. It was an "easy matter," they reported, to reprogram the access cards used by voters and vote multiple times.

Example: Computer and Internet Viruses and Attacks

• Very visible cost to society

• Widely reported in the news media

• Computer viruses, worms (Nimda, Code Red, Melissa, SQL Slammer, etc.)

• DDoS attacks

• Identity theft through online databases

Cost Estimate

• What is included in cost?

– Lost data, lost productivity

– Cost of employing security personnel

– Cost of “cleaning” and restoring

• Who should collect info?

• Nimda virus estimated at $3 billion

• Code Red estimated at $2.6 billion

Increasing Costs

• Whatever the costs, they are increasing.

– Cost estimates available at: www.Mi2g.com and www.net-security.org

• Frequency of incidents is increasing.

• Sophistication and destructiveness of the incidents is increasing.

• Attackers are organized and tools are easy to use and readily available.

Should You Be Concerned?

• Are we as engineers creating faulty products?

• Is it our fault that our products are misused?

• Is it our responsibility to give society the tools to protect itself from the misuse of our products?

Questions and Issues

• Many are extensions of non-computer issues to cyberspace

– Plagiarism made easy

– Software piracy

– Product liability

– Improper e-mail or Internet use

– Violating copyright (including downloading copyrighted music)

– Security vs privacy vs convenience

Issues Unique to Cyberspace

• Viruses, worms and other malicious software (malware)

– The threat is not limited to cyberspace

• Passwords, Biometrics and Access Control

• Digital Copyright

• Computer Crime and Identity Theft

• Privacy and more legal issues

Viruses, Worms and other Malicious Software

Viruses, Worms, etc.

What are they?

• Viruses - a piece of software that attaches to program files. Each time the program runs, the virus runs too and has the chance to reproduce.

• E-mail Viruses - a virus that moves around in e-mail messages and duplicates itself by automatically mailing itself to people in the victim’s e-mail address book.

• Worms - software that can reproduce and use computer networks to propagate. E-mail viruses can also be classified as worms.

Viruses, Worms, etc.

What are they?

• Trojan Horses - a computer program that claims to do one thing (it may claim to be a game), but does something malicious when you run it.

• On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, causing denial of service for users of the targeted system. The flood of incoming messages to the target system forces it to shut down, denying service to legitimate users.

Viruses, Worms, etc.

Where do they come from?

• People create them for various reasons:

– Psychology of vandalism: the thrill of creating destruction.

– Fascination of creating something powerful that spreads quickly (Code Red achieved global saturation in 18 hours).

– Owning the bragging rights in the hacker community.

– Revenge on a company

– Financial gain

Viruses, Worms, etc.

What you should do

• Have anti-virus software and update it frequently – they work!

• Use a strong password (password cracking programs are readily available on the Internet) www.password-crackers.com

• Install security patches (and tell your friends)

Viruses, Worms, etc.

A problem for ALL computers

• If your computer is on the Internet you need to protect it.

• Attackers use unguarded systems to launch DDoS attacks and spread malware.

How it Affects You

• Anything connected to the Internet is vulnerable

– Vulnerabilities in products that enable control of home appliances via Internet

• Anything using a common operating system

– Viruses now appearing for cell phones and PDAs

Cyberspace is Linked to Physical Space

• Much of our critical infrastructure is controlled by computer: SCADA

• A 1997 survey of 50 U.S. utilities found that 40 percent of water facilities allow their operators direct access to the Internet, and 60 percent of the SCADA systems could be connected by modem.

Water Treatment Plant Vulnerable

• November 2001: water treatment facility in Queensland, Australia was attacked via the Internet.

• 1 million liters of raw sewage released into a local park and river.

Nuclear Power Plant Vulnerable

• In January 2003, the "Slammer" Internet worm took down monitoring computers at FirstEnergy's idled Davis-Besse nuclear plant.

More Slammer Damage

• A subsequent report by the North American Electric Reliability Council said the January 2003 “Slammer” infection blocked commands that operated other power utilities, although it caused no outages.

Electrical Grid Vulnerable

• Substations are the electricity distribution points where high-voltage electricity is transformed for local use. The circuit breakers for the substations are programmable.

• A hacker could lower settings on some circuit breakers, while raising others.

• Normal power usage could trip the breakers with low settings and take those lines out of service, diverting power and overloading neighboring lines.

• The substations with breakers set high would overload: transformers and other critical equipment could be damaged.

Passwords, Biometrics and Related Problems

Restrict Access

• Should you restrict access to your system?

• Does it hold sensitive information?

• You need AUTHENTICATION

– Something you know

– Something you have

– Something you are

How to Authenticate?

• User identity most often established through passwords.

– Easy to implement in the system.

– Passwords must be kept secret.

• Frequent change of passwords.

• Use of “non-guessable” passwords.

• Tokens are also used (sometimes in combination with passwords).

– Access card, key, credit card, ATM card

Handling Passwords

• Password should not be visible on screen

• Passwords should not be stored in memory or on disk unencrypted.

– Can use 1-way hash

• Do you need to protect passwords even if your system is not that sensitive?

– Users reuse passwords

More on Passwords

• How will you handle lost/forgotten passwords?

• Always reset password and require change on first use.

– Design Center default is not good

• Best not to use email (it is not confidential and address can be changed), but it is a common practice.
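The storage and reset rules from the two password slides above, as an added example that is not part of the original slides. It uses PBKDF2-HMAC-SHA256 with a per-user salt as the one-way hash; `UserStore`, its method names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for this example; raise it as hardware allows


def hash_password(password, salt=None):
    """One-way hash: returns (salt, digest). A random per-user salt makes
    identical passwords produce different digests."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class UserStore:
    """Hypothetical in-memory user table; it never holds a cleartext password."""

    def __init__(self):
        self._users = {}

    def set_password(self, user, password, must_change=False):
        salt, digest = hash_password(password)
        self._users[user] = {"salt": salt, "digest": digest, "must_change": must_change}

    def reset_password(self, user):
        """Replace a forgotten password with a random one flagged for change on first use."""
        temp = secrets.token_urlsafe(12)
        self.set_password(user, temp, must_change=True)
        return temp  # hand over out of band, not by e-mail where avoidable

    def login(self, user, password):
        """Return 'denied', 'change_required' or 'ok'."""
        rec = self._users.get(user)
        if rec is None:
            return "denied"
        _, candidate = hash_password(password, rec["salt"])
        if not hmac.compare_digest(candidate, rec["digest"]):  # constant-time compare
            return "denied"
        return "change_required" if rec["must_change"] else "ok"

    def change_password(self, user, old, new):
        """Accept the change only when the old password verifies and the new one differs."""
        if old == new or self.login(user, old) == "denied":
            return False
        self.set_password(user, new)
        return True
```

Because only the salt and digest are stored, a copy of the user table does not directly reveal passwords that users have reused on other systems.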

More on Authentication

• Something you have (the garage door opener, key, token)

• Something you know (passwords, mother’s maiden name)

• Something you are (fingerprint, iris scan)

Authentication with Biometrics

• Biometrics identify people by measuring some aspect of individual physiology (fingerprint or hand geometry), deeply ingrained behavioral characteristic (signature) or a combination (voice).

Biometrics

• Specified by fraud and insult rates (called type 1 and type 2 errors).

• Many systems can be tuned to favor one over the other.

• Fraud rate is the rate of false accept: My forgery was accepted as the bank manager’s signature.

• Insult rate is the rate of false reject: I signed your add-drop form for my class but the registrar wouldn’t accept it because I signed it in a hurry.
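The tuning trade-off described above, worked through as an added example that is not part of the original slides. The match scores are constructed sample data and the function names are assumptions; a real system would use scores from its own matcher.

```python
# Constructed match scores in [0, 1]; higher means closer to the enrolled template.
GENUINE = [0.91, 0.84, 0.78, 0.95, 0.66, 0.88, 0.73, 0.59, 0.81, 0.97]   # true owner
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.40, 0.70, 0.29, 0.55, 0.18]  # forgers


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (fraud_rate, insult_rate) when scores >= threshold are accepted."""
    fraud = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    insult = sum(s < threshold for s in genuine) / len(genuine)    # false rejects
    return fraud, insult


def sweep(steps=100):
    """Evaluate both rates at evenly spaced thresholds from 0 to 1."""
    return [(t / steps, *rates(t / steps)) for t in range(steps + 1)]


def equal_error_point(table):
    """First threshold where fraud and insult rates are closest (the equal error rate)."""
    return min(table, key=lambda row: abs(row[1] - row[2]))


def lowest_threshold_for_fraud(table, max_fraud):
    """Most permissive threshold that keeps the fraud rate at or below max_fraud."""
    return next(row for row in table if row[1] <= max_fraud)


if __name__ == "__main__":
    table = sweep()
    print("threshold, fraud, insult at equal error:", equal_error_point(table))
    print("threshold, fraud, insult at zero fraud: ", lowest_threshold_for_fraud(table, 0.0))
```

On this sample, driving the fraud rate from the equal error point down to zero doubles the insult rate, which is why a rejected sample is usually followed by a secondary check rather than a flat denial.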

Handwritten Signature

• Widely used in this country for authentication. Good forgery is not that difficult.

• Signature tablet

– Can catch speed and pressure info as well as size and contour.

– If fraud rate is set low, then insult rate is unacceptably high and vice versa.

– What works: Set fraud rate low, then when signature is rejected, instruct staff to ask for photo ID or do additional checks.

Face Recognition

• Humans are very good at recognizing people they know. They are not so good at identifying strangers from photo ID. Neither are computers.

• Trying to automate the process: computers do reasonably well with facial geometry if subject looks straight at the camera and the lighting is controlled. Anything less controlled has very high error rates.

• Requiring photo ID is more of a psychological deterrent than a fraud detection mechanism.

Fingerprints

• Fairly good computer systems are available for fingerprint ID. If prints are taken under good conditions, error rate is extremely low and depends on number of match points needed to make a match. Equal error rate is below 1%.

• Problems: finger damage - scar on finger. Can be transferred using adhesive tape or molds.

• Cultural: many people are reluctant to be fingerprinted.

Iris Scan

• Every human iris is measurably unique. Even twins have different codes. Can reach good recognition with zero fraud rate.

• Problem is getting user cooperation. Future: should be possible to get non-intrusive scan with pan and zoom.

• Attacks: Photo of target's eyes. Counter: measure the natural 0.5 Hz fluctuation in the diameter of the pupil.

Speaker (Voice) Recognition

• Most current systems are text dependent and background noise is a problem.

• Can be forged with recordings.

• Sickness or alcohol intake affects recognition.

Other Biometrics

• Facial thermograms

• Retinal scan (low equal error rate, but invasive)

• Hand geometry (equal error rate under good conditions of 0.2%)

• DNA (too slow, twin problem, privacy problem: DNA reveals more about you than just your identity)

• Digital Doggie - recognize smell

Problems with Biometrics

• Environment - dust, vibration, noise, lighting.

• Unattended op - attack with suitable recording.

• Minimize false accept or false reject?

• How to store/transmit/allow-access-to the database. SENSITIVE DATA!!

Digital Copyright and Digital Property Rights

Digital Property Rights

• What is digital property?

– Artistic work (computer program?)

– Invention (computer chip?)

• Why and when should it be protected?

• What legal vehicle to use?

– Copyright

– Patent

– Trade secret

Copyright

• Copyrights are designed to protect expressions of ideas. Ideas are free, however, when an artist expresses those ideas in a work of art, that can be copyrighted. Thus, a copyright applies to a creative work such as a story, painting, or song.

• Copyright gives the author the exclusive right to make copies of the expression and sell them to the public. Copyright laws exist so that artists can earn a living at their art.

Copyright: Fair Use

• All copyrighted material is subject to “fair use”. This allows reproduction for “purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use) scholarship or research.”

DMCA (1998)

• The “anti-circumvention” provisions of the Digital Millennium Copyright Act (“DMCA”) are sometimes not used according to the original intent.

• Original intent was to stop copyright pirates from defeating anti-piracy protections added to copyrighted works, and to ban “black box” devices intended for that purpose.

DMCA Example

• In 2001, a Russian programmer was jailed for several weeks when he entered the US.

• He had worked on a software program which allowed owners of Adobe electronic books (“e-books”) to convert them from Adobe’s eBook format into Adobe Portable Document Format (“pdf”) files, thereby removing copy restrictions embedded into the files.

• His alleged crime was working on a software tool with many legitimate uses, simply because third parties might use the tool to violate copyright.

Your Project or Next Job

• Will you be working on software or hardware that uses or copies material that is copyrighted?

• Can it be used to violate copyright?

Computer Crime and Other Legal Issues

Computer Crime

• Increase of computer crimes

– Fraud – especially credit card, ATM

– Embezzlement (anonymity of computer makes it easier)

– Sabotage, Identity Theft, etc.

– Network intrusion

Law Enforcement Issues

• Questions About Penalties

– Intent

• Should hackers who did not intend to do damage or harm be punished differently than those with criminal intentions?

– Age

• Should underage hackers receive a different penalty than adult hackers?

– Damage Done

• Should the penalty correspond to the actual damage done or the potential for damage?

Ask Yourself

• How might the products or devices that you design in your next job be misused?

– Prevent unintended uses?

• Product should be easy for authorized users to use and hard for unauthorized users

– How to tell the difference?

Privacy Issues

• Spreading information (and disinformation) about you is possible because of computerized databases.

• Medical (HIPAA) and financial (GLBA) information should be confidential.

• Data broker problem - Choicepoint

Protecting Children

• Protection of children on the Internet

• Elementary and secondary schools use web-based learning and provide Internet access to children.

• How to protect children from pornography and inappropriate material and activities?

Children and the Internet

• Laws

– Communications Decency Act (CDA 1996);

– Child Online Protection Act (COPA 1998);

– Children’s Online Privacy Protection Act (COPPA).

• Filters/parental control devices

– Will you be the one to design a parental control filter that works well?

For More Info

• The Center for Democracy and Technology http://www.cdt.org

• The Electronic Frontier Foundation http://www.eff.org

• The Privacy Rights Clearinghouse http://www.privacyrights.org

• Computer Professionals for Social Responsibility http://www.cpsr.org