Introductory reading: Bruce Sterling's short story Maneki Neko (from A Good Old-Fashioned Future, 1998) is about a world where there is little privacy for anyone, which has both good and bad consequences. There's also a vivid picture of a world of total surveillance in William Gibson's (1988) novel Mona Lisa Overdrive. I'd also recommend that you dip into Database Nation (Garfinkel 2000), which exposes the types of fraud and accidental data release that are perpetrated by individuals, businesses and governments.
The Internet could be described as an information channel, where data of every kind flows. Some of this data will be valuable or sensitive in some ways, and hence needs to be protected as it flows through the Internet's computers. So for example, it would be foolish of us to send credit card information unprotected over the Internet, or to view our medical records over an unprotected link.
There are many ways to protect this data, mostly involving the use of cryptography, in one form or another, though the most important tools are an understanding of the vulnerabilities and the application of common sense. Remember that plain email and web traffic is readable at any point on its journey; all that is required is a packet sniffer - software that decodes the protocols on the network (internet, intranet, whatever).
Identity theft is one of the fastest growing crimes in the UK. Theft of personal information, whether retrieved from rubbish bins, overheard on a mobile phone or taken from insecure transactions on the internet, is proving to be difficult to detect and prevent, largely because people aren't aware how important their personal data is.
Physical security. Protecting your computer. Do you allow others to use your computer? Do you allow your computer to memorise passwords to sensitive information?
Data security. Protecting the data during storage and transfer. Are you sending information in plain text (e.g. standard email)? Are you using a secure web connection (is SSL enabled)? Are you checking your computer regularly for viruses?
Server & software security. Trusting the third party. What is the company's information privacy policy? Are you sure the server belongs to who you think? Is the application you just downloaded sending information about you to its vendor?
Privacy. Ensuring that your data is visible only to those you have permitted. Uses encryption to safeguard data, protecting it from being seen by unauthorised parties.
Integrity. Ensuring that data has not been modified en route. Uses encryption to enclose data in a digital envelope, to indicate that the data has not been tampered with.
Authenticity. Ensuring that the sender of data is verifiable. Uses encryption to assure the recipient of the sender's identity through the use of digital signatures.
Prevention is usually better than cure: encoding a message containing sensitive information reduces the chance that if that message is intercepted, someone will be able to view the information it contains.
Example: Secure Web Servers. As an example, a basic level of security and privacy is provided by most of the commonly used browsers through the use of secure servers, using a protocol called SSL (Secure Sockets Layer). This encodes the data traffic between the browser and the webserver, so that eavesdroppers cannot read the contents of the pages being downloaded.
Sensitive data (e.g. credit-card details) is encrypted by the browser before sending.
Often used by commercial sites, but usually limited to a small group of pages per site, due to overheads involved in maintenance and encryption computations.
Look for the key or padlock symbol in Internet Explorer and Firefox...
Remember that this only protects the actual information transfer; data can still be vulnerable at either end of the encrypted transfer.
Examples:
Simple cyphers (e.g. a=1, b=2, etc.)
DES (Data Encryption Standard) - uses 56-bit keys
Examples:
To understand public key cryptography, imagine the public key as a padlock, and the private key as the padlock's key. Padlocks can generally be easily locked by anyone, but need a key to unlock them. To encrypt a message, the recipient sends out or publishes their padlock, which the sender snaps shut onto the box containing the message (i.e. encrypts it). The box can then be sent to the recipient, who is able to unlock it with their key. The fundamental advantage that this process has over simple symmetric encryption is that the private key never leaves the recipient, thus solving any problems with key distribution or exchange.
The process of sending an encrypted message is simple:
I create a key-pair and publish the public key to a public key-server
You download my public key from the key-server, and use it to encrypt a message
You send this encrypted message (the ciphertext) to me
I use my private key to decrypt the message
As my private key is secret, only I can read the message
Note that you only need to create the key-pair once, which then effectively becomes your “identity” when published to the key servers. Your private key is additionally protected by a passphrase, which you should take great care not to forget; the nature of PGP systems means that if forgotten, the passphrase is not recoverable, and hence the key-pair is useless--leaving any encrypted data completely unreadable.
If the encryption/decryption procedure is reversed, the key-pair can be used to identify and verify the sender of a message.
I use my private key to sign a message
Anyone can check my signature against my public key
The message must be from me, as only I know the private key
Digital signature may be combined with encryption, to give secure and authenticated data exchange.
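The two procedures above (encrypting to a recipient, then the reversed signing process) can be traced in a few lines of code. This is an added example, not part of the original notes: it uses textbook RSA with a constructed, deliberately small key and no padding, so it shows the flow only; the function names are assumptions, and real software uses a vetted library such as a PGP implementation.

```python
import hashlib

# Constructed demo key material: two known Mersenne primes. Far too small and
# too structured for real use; this is for following the steps, nothing more.
P = 2**127 - 1
Q = 2**89 - 1
E = 65537  # widely used public exponent


def make_keypair(p=P, q=Q, e=E):
    """Step 1: create the key-pair; only the public half is ever published."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent, e*d = 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def encrypt(message: bytes, public) -> int:
    """Step 2: the sender snaps the padlock shut using the public key alone."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private) -> bytes:
    """Step 4: the recipient opens the box with the private key."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    # Hash first so a message of any length can be signed.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Reversed procedure: the private key produces the signature."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Anyone holding the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    public, private = make_keypair()
    box = encrypt(b"Meet at noon", public)
    print(decrypt(box, private))
    sig = sign(b"Pay Bob 10", private)
    print(verify(b"Pay Bob 10", sig, public), verify(b"Pay Bob 1000", sig, public))
```

A signature made over one message fails verification against an altered message, which is what gives the integrity and authenticity properties listed earlier.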
Further reading: The Code Book (Singh 1999) has more detail on public key cryptography.
“...encryption is one of very few powerful technologies that do not seem to have a destructive downside.... About the worst it can do is protect criminals from detection or keep shady electronic transactions secret.” Esther Dyson, Release 2.0 (1997)
Dyson perhaps underestimates the fears that governments have regarding strong cryptography, namely that criminals will be able to communicate freely and securely without fear of eavesdropping.
In the US, cryptographic software was regarded as “munitions” and its export was restricted -- until recently, limited in strength without special licence; though now exportable to “trusted countries” only (i.e. not Libya, Iraq, etc.). In Europe, the debate is still ongoing, but the EU is likely to sign up to similar multinational restriction agreements.
In the UK, the new Regulation of Investigatory Powers (RIP) Act recently passed into law, giving policing authorities new powers to demand decryption keys, and the right to intercept any electronic communication; it may be used to force ISPs to keep records of their customers' accesses and communications.
Many consider the RIP Act to be one of the most invasive laws ever passed by a democratic government. The section on surrendering decryption keys, for example, places severe penalties on those refusing to reveal their key, whatever the reason - potentially even if it is just forgotten. This highlights the concern that many governments have over the use of strong cryptography.
The key strength of an encryption technology is an indication of how securely it protects data, and hence how much you can trust its protection. In considering any encryption software, the key strength it uses will be a major factor affecting its overall usefulness. It is measured by the length of the key used to encrypt the data:
40-bit - “export strength” - breakable within a few minutes given the best available hardware
56-bit - US proposed “strong export” - breakable in about twenty hours
128-bit - US “domestic strength” - breakable in about a thousand years
256-bit or more - unbreakable? At least, not in a feasible time with current levels of computing power.
After the lifting of the export restrictions, most browsers now use high-strength technologies (at least 128-bit), though if you are using an older computer, you may have a browser that uses weaker security. Check your browser's capabilities by going to a secure server and examining the page properties.
For some asymmetric encryption methods, longer key lengths are needed to provide equivalent strength, so for RSA encryption, a 3072-bit key is equivalent to a 128-bit symmetric key.[3]
For more statistics on cracking these encryption methods, and a chance to participate, see http://www.distributed.net/, a project which harnesses your computer's idle time to test the strength of encryption methods.
A popular (with governments, that is) solution to the problem is to allow strong cryptography on condition that the private keys are stored in a secure repository, accessible only to police and government, and thus allowing surveillance.
There is strong opposition to this idea, on the grounds that the repository (at a “trusted third party”) may be hacked, compromising everyone's security, or that the system may be abused in other ways.
See also Denning & Barlow in Ludlow (1996) on the “Clipper Chip debate” - an encryption chip which allowed a “back-door” for surveillance. The arguments are similar.
There are also more general problems with the use of cryptography in everyday life. Mobile phones depend on cryptographic algorithms to prevent people listening in - in fact, the DECT system was recently cracked [4], potentially allowing the wireless interception of household calls. Similarly, a weak algorithm in a hardware locking system used widely in cars, garage doors, and other remote entry systems, could potentially allow the development of a 'universal key' for those devices[5].
Where the Internet is concerned, legislation is often the weakest form of protection. Since international boundaries are relatively meaningless, there are difficulties in defining the jurisdiction of courts.
The Computer Misuse Act 1990 was designed to deter hackers -- see Ayres (1999).
There are several types of offence covered by this act, including:
Hacking. Breaking into computer systems without authorisation
Cracking. Breaking or removing copy-protection on software
Phreaking. Exploring communications (esp. telephone) networks to gain free access, calls or information
But with all computer misuse, the general rule is that prevention is better than cure--secure computer systems, passwords and cryptography provide a better solution than after-the-event laws and punishments, which should be considered only as a last resort.
Note: The term “hacker” can also mean just someone who programs in a particular way, or who just enjoys tinkering with computers; in some circles I'd describe myself as a hacker, though I don't attempt to break into computer systems (except my own!). Many hackers (in the legitimate sense) have campaigned for the term “cracker” to be used universally for anyone involved in illegitimate activity involving computers. I list the terms as above since that's how the Computer Misuse Act defined them.
viruses - most common form of attack
denial of service attacks
trojans (or trojan horses)
brute-force and social engineering password attacks
port scanning and spoofing
phishing
ransomware
Staying safe: Use a virus checker, and make sure you update it regularly. Keep your system files and applications up to date (e.g. with Windows/Office Update).
This is a method of luring an unsuspecting user into giving out their username and password for a secure web resource, usually a bank or credit card account. eBay and PayPal are particularly susceptible to this type of attack.
usually achieved by creating a website identical to the secure site
user is sent email requesting them to log in, and providing a link to the bogus site
when user logs in, password is stored and used to access the account by the attacker
difficult to guard against, particularly if using HTML email
Currently no law specifically against this, though some experts think this may come under the Computer Misuse Act, and may also be testable under trademark laws (passing off as another's web site).
A form of trojan that has been around since 1989 (as the “PC CYBORG” trojan), this type of malware is becoming more common. It infects the target computer by encrypting the owner's personal files. The victim is then contacted and offered a key to decrypt the files in exchange for cash or valuable information (see [Bridges2008]).
Whilst the effects of early variants of this type of virus were relatively easy to decrypt, the latest sightings are more worrying, with more complex encryption algorithms and longer key lengths being used. [6]
Note: See also the section on security in MIT2114/2214 “The Internet”, which also looks at spyware and other forms of intrusion.
Many people (especially governments) wish to have some method of restricting the content of providers in both traditional and digital media. In May 1998, OFTEL (Office of Telecommunications) expressed concerns over the difficulties of regulating the ever-changing digital media, when it published evidence given to an inquiry by the Select Committee on Culture, Media and Sport. A European Green Paper discussing these problems was published in 1997.
Examples of Singapore, Australia and China:
Controlling and monitoring what is available to local users
Restricting access to “undesirable” resources
See, for example, EFA: Internet Censorship Laws in Australia
Organisations and individuals are also often keen to restrict content (for example, the university, schools, parents, etc.).
Motivations for restricting content are varied - political, financial, moral - and the controls are often extremely subjective (what is a “bad” website?).
See also Chapter 1, Education and Research.
Often, the best way to safeguard information is to fence it in, using a firewall. This is a way of organising a company network so that all external traffic goes through a single computer, which can act as a filter to prevent an unwanted flow of information. Everything behind the firewall is protected from the outside world, the Internet at large, because the firewall host prevents unwanted or unknown data packets from entering the internal network, often called the intranet. Firewalls are often also used to prevent employees from accessing non-work-related Internet resources, restricting them only to the resources available within the intranet, or perhaps a predetermined selection of web sites.
The use of a personal firewall (such as ZoneAlarm, or the firewall built into Windows XP or Vista) on your own computer can often reveal unwanted data movements in both directions. It works by checking all incoming and outgoing data types, and reports anything unusual, which you can then allow (if you know what has initiated it) or block (if you're not sure).
You may not realise it, but your personal details are a valuable asset. In a world where businesses are increasingly looking to target individuals more effectively, data about those individuals is in demand. Buying and selling lists of email addresses and demographic details is big business, and it's now common for companies to trade “free” software for personal information. You should consider carefully what the company is likely to do with that information before you give it to them.
The concept of data protection exists mainly to protect an individual's personal data held by a third party, and governs how that data can be stored and accessed. A typical example is credit information used by banks and retailers to check an individual's credit-worthiness.
It's important to note that what is being protected is not the data itself, but the subject of the data; the individual. The data protection act gives the individual the right to access their data, no matter where it is stored.
The original Data Protection Act of 1986 was designed to protect personal data stored by companies and organisations from being misused. The 1998 Data Protection Act strengthened this to conform to the European Data Directive. Details of the European Data Protection Act can be found at the Europa website.
The UK Data Protection Registrar issues guidelines covering the law in Britain, and including the Data Protection Act 1998, which came into effect on 1 March 2000, and the Privacy and Electronic Communications (EC Directive) Regulations 2003. See the Information Commissioner's website for more information.
The University's Data Protection Officer has produced leaflets outlining your rights to your data: for further information, see the University web pages on Data Protection.
The Freedom of Information Act 2000 also extends the rights of citizens to gain access to the operation and decision-making processes of all public bodies, including universities.
But perhaps the greatest threat to privacy is of our own making. We are happy to divulge so much personal information now, in the interests of sharing experiences with friends and family on Facebook, or upload videos and photographs of our children to Flickr or YouTube, without thinking about the implications. Even something as innocuous as sharing your family tree online can have potential consequences (does your bank ask you for your mother's maiden name as a "security" question?).
For example, the recent changes to Facebook's security policy were widely criticised, as their 'simplification' encouraged wider sharing and made it more difficult to control access to personal data[7]. It's in the interests of those running the site that you share as much information as possible, so the defaults will always encourage sharing.
It's also clear how much the social networking companies value your personal data when you try to remove information. An art project in Italy (Seppukoo) encourages Facebook users to "commit virtual suicide" by unfriending all their contacts. Upset by the implications of this, Facebook has blocked their IP addresses and sent a Cease and Desist letter to the organisers, requesting the removal of the site[8].
Of course, the real conundrum of the Internet is that information is both ephemeral (appearing and disappearing in an instant) and persistent (forever online, and copied to who-knows-where). We're trusting unknown companies and individuals with our most personal details, which may be used against us in the future.
A good collection of articles detailing the opinions and all sides in these issues can be found in High Noon on the Electronic Frontier (Ludlow 1996), especially parts I and II. Although these are rather dated, they still give insights into the mind of the computer criminal.
There is a more detailed discussion of privacy, with numerous case studies, in Database Nation (Garfinkel 2000). Bruce Schneier has a blog which is an excellent commentary on current security issues, and complements his books, Secrets and Lies (2000) and Beyond Fear (2003).
For an overview of all aspects of commercial cryptographic systems, there are some excellent articles on the RSA and PGP websites.
A number of government bodies issue guidelines on computer and internet misuse, including Ofcom, the DTI (e-security and e-communications), etc.
Relevant legislation has been cited within the text, and is collected in the bibliography under Acts of Parliament.
A number of journals are available in this area, including Computers and Security, Computer Law and Security Report [Elsevier ScienceDirect], Journal of Information, Law and Technology [online]
[3] See [Kaliski2003] for a full discussion.
[6] The Register, 24 July 2006, http://www.theregister.co.uk/2006/07/24/ransomware/
[8] See article in Daily Online Examiner