Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy Computer Security Peter Reiher March 9, 2017

Published byLesley Hensley Modified over 7 years ago

Similar presentations

Presentation on theme: "Privacy Computer Security Peter Reiher March 9, 2017"— Presentation transcript:

1 Privacy Computer Security Peter Reiher March 9, 2017

2 Privacy Data privacy issues Network privacy issues
Some privacy solutions

3 What Is Privacy? The ability to keep certain information secret
Usually one’s own information But also information that is “in your custody” Includes ongoing information about what you’re doing

4 Privacy and Computers Much sensitive information currently kept on computers Which are increasingly networked Often stored in large databases Huge repositories of privacy time bombs We don’t know where our information is

5 Privacy and Our Network Operations
Lots of stuff goes on over the Internet Banking and other commerce Health care Romance and sex Family issues Personal identity information We used to regard this stuff as private Is it private any more?

6 Threat to Computer Privacy
Cleartext transmission of data Poor security allows remote users to access our data Sites we visit save information on us Multiple sites can combine information Governmental snooping Location privacy Insider threats in various places

7 Some Specific Privacy Problems
Poorly secured databases that are remotely accessible Or are stored on hackable computers Data mining by companies we interact with Eavesdropping on network communications by governments Insiders improperly accessing information Cell phone/mobile computer-based location tracking

8 Do Users Care About Privacy?
Evidence suggests yes, but . . . Not necessarily in the way researchers think E.g., data suggests teenagers aren’t worried about privacy from hackers They worry about privacy from their parents One must consider the actual privacy goals of users in protecting privacy

9 Data Privacy Issues My data is stored somewhere
Can I control who can use it/see it? Can I even know who’s got it? How do I protect a set of private data? While still allowing some use? Will data mining divulge data “through the back door”?

10 Privacy of Personal Data
Who owns data about you? What if it’s really personal data? Social security number, DoB, your DNA record? What if it’s data someone gathered about you? Your Google history or shopping records Does it matter how they got it?

11 Protecting Data Sets If my company has (legitimately) a bunch of personal data, What can I/should I do to protect it? Given that I probably also need to use it? If I fail, how do I know that? And what remedies do I have?

12 Options for Protecting Data
Careful system design Limited access to the database Networked or otherwise Full logging and careful auditing Store only encrypted data But what about when it must be used? Key issues

13 Data Mining and Privacy
Data mining allows users to extract models from databases Based on aggregated information Often data mining allowed when direct extraction isn’t Unless handled carefully, attackers can use mining to deduce record values

14 Waze Targeted Tracking Attack
Wang, MobiSys 2016

15 An Example of the Problem
Netflix released a large database of user rankings of films Anonymized, but each user had one random identity Clever researchers correlated the database with IMDB rankings Which weren’t anonymized Allowed them to match IMDB names to Netflix random identities

16 NETFLIX ATTACK 8 movie ratings to uniquely identify 99% records
User Movie Rating 1234 Ex Machina 3/5 Inside Out 4/5 The Big Short 5/5 Brokeback Mountain User Movie Rating rborke Ex Machina 8/10 The Big Short 10/10 Inside Out 6/10 User 1234 = is rborke 8 movie ratings to uniquely identify 99% records Narayanan 2008 16

17 Insider Threats and Privacy
Often insiders need access to private data Under some circumstances But they might abuse that access How can we determine when they misbehave? What can we do?

18 Local Examples Over 120 UCLA medical center employees improperly viewed celebrities’ medical records Between Two accidental postings of private UCLA medical data in 2011 UCLA is far from the only offender

19 Encryption and Privacy
Properly encrypted data can only be read by those who have the key In most cases And assuming proper cryptography is hazardous So why isn’t keeping data encrypted the privacy solution?

20 Problems With Data Encryption for Privacy
Who’s got the key? How well have they protected the key? If I’m not storing my data, how sure am I that encryption was applied? How can the data be used when encrypted? If I decrypt for use, what then?

21 A Recent Case Yahoo lost 450,000 user IDs and passwords in July 2012
The passwords weren’t encrypted Much less salted Password file clearly wasn’t well protected, either Who else is storing your personal data unencrypted?

22 Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption With good encryption, data values not readable So what’s the problem?

23 Traffic Analysis Problems
Sometimes desirable to hide that you’re talking to someone else That can be deduced even if the data itself cannot How can you hide that? In the Internet of today?

24 A Cautionary Example VoIP traffic is commonly encrypted
Researchers recently showed that they could understand what was being said Despite the encryption Without breaking the encryption Without obtaining the key

25 How Did They Do That? Lots of sophisticated data analysis based on understanding human speech And how the application worked In essence, use size of encrypted packets and interarrival time With enough analysis, got conversation about half right

26 Location Privacy Mobile devices often communicate while on the move
Often providing information about their location Perhaps detailed information Maybe just hints This can be used to track our movements

27 Cellphones and Location
Provider knows what cell tower you’re using With some effort, can pinpoint you more accurately In US, law enforcement can get that information just by asking Except in California

28 Other Electronic Communications and Location
Easy to localize user based on hearing wireless signals Many devices contain GPS nowadays Often possible to get the GPS coordinates from that device Bugging a car with a GPS receiver not allowed without warrant For now . . .

29 Implications of Location Privacy Problems
Anyone with access to location data can know where we go Allowing government surveillance Or a private detective following your moves Or a maniac stalker figuring out where to ambush you . . .

30 Another Location Privacy Scenario
Many parents like to know where their children are Used to be extremely difficult Give them a smart phone with the right app and it’s trivial Good or bad?

31 A Bit of Irony To a large extent, Internet communications provide a lot of privacy “On the Internet, no one knows you’re a dog.” But it’s somewhat illusory Unless you’re a criminal

32 Why Isn’t the Internet Private?
All messages tagged with sender’s IP address With sufficient legal authority, there are reliable mappings of IP to machine ISP can do it without that authority Doesn’t indicate who was using the machine But owner is generally liable

33 Web Privacy Where we visit with our browsers reveals a lot about us
Advertisers and other merchants really want that information Maybe we don’t want to give it to them Or to others But there are many technologies to allow tracking Even to sites the tracker doesn’t control

34 Do Not Track Wouldn’t it be nice if we could ensure that web sites don’t track us? Enter the Do Not Track standard A configurable option in your web browser Which, by enabling, you might think prevents you from being tracked

35 The Problems With Do Not Track
First, it’s voluntary Web server is supposed to honor it But will they? Second, and worse, it doesn’t mean what you think it means Based on current definitions of the option

36 What Do Not Track Really Means
What it really means is “I’ll track you anyway” “But I won’t provide you anything helpful based on the tracking” So they know what you’re doing And they do whatever they want with that data But you don’t see targeted ads So what’s the point of Do Not Track? A good question

37 Some Privacy Solutions
The Scott McNealy solution “Get over it.” Data encryption for privacy Steganography Anonymizers Onion routing Privacy-preserving data mining Preserving location privacy

38 Data Encryption for Privacy
Store private data in encrypted form If the encrypted version is divulged, attacker might not be able to use it Assuming strong crypto And careful key management Particularly important for data on devices that are easily stolen Portable computers, smart phones, flash drives

39 A Fundamental Issue Entities usually keep sensitive data because they want to process it They can’t process encrypted data So they can usually decrypt it If the attacker can get the decrypted version, you lose Limits the benefit of crypto for privacy

40 Full Disk Encryption A useful solution for data on portable computers
Some laws regard such encrypted data as “safe” But only if key not available to a thief So where did you get that key?

41 Homomorphic Cryptography
An emerging research branch of cryptography Allows processing of encrypted data Without ever decrypting it Successfully demonstrated, with important restrictions Generally too performance-expensive for practical use, so far

42 Anonymizers Network sites that accept requests of various kinds from outsiders Then submit those requests Under their own or fake identity Responses returned to the original requestor A NAT box is a poor man’s anonymizer

43 The Problem With Anonymizers
The entity running it knows who’s who Either can use that information himself Or can be fooled/compelled/hacked to divulge it to others Generally not a reliable source of real anonymity

44 An Early Example A remailer service in Finland
Concealed the actual address of the sender By receiving the mail and resending it under its own address Court order required owner of service to provide a real address After which he shut down the service

45 Onion Routing Meant to handle issue of people knowing who you’re talking to Basic idea is to conceal sources and destinations By sending lots of crypo-protected packets between lots of places Each packet goes through multiple hops

46 A Little More Detail A group of nodes agree to be onion routers
Users obtain crypto keys for those nodes Plan is that many users send many packets through the onion routers Concealing who’s really talking

47 Sending an Onion-Routed Packet
Encrypt the packet using the destination’s key Wrap that with another packet to another router Encrypted with that router’s key Iterate a bunch of times

48 In Diagram Form Source Destination Onion routers

49 What’s Really in the Packet
An unencrypted header to allow delivery to

50 Delivering the Message

51 What’s Been Achieved? Nobody improper read the message
Nobody knows who sent the message Except the receiver Nobody knows who received the message Except the sender Assuming you got it all right

52 Issues for Onion Routing
Proper use of keys Traffic analysis Overheads Multiple hops Multiple encryptions

53 Tor The most popular onion routing system
Widely available on the Internet Using some of the original onion routing software Significantly altered to handle various security problems Usable today, if you want to IETF is investigating standard for Tor

54 Why Hasn’t Tor Solved This Privacy Problem?
First, the limitations of onion routing Plus usability issues Tor’s as good as it gets, but isn’t that easy to use Can’t help if a national government disapproves China and other nations have prohibited Tor’s use

55 Can’t I Surreptitiously Run Tor?
Can’t I get around government restrictions by just not telling them? No Tor routers must know each others’ identities Traffic behavior of Tor routers “glows in the dark” Tor developers keep trying

56 Privacy-Preserving Data Mining
Allow users access to aggregate statistics But don’t allow them to deduce individual statistics How to stop that?

57 Approaches to Privacy for Data Mining
Perturbation Add noise to sensitive value Blocking Don’t let aggregate query see sensitive value Sampling Randomly sample only part of data

58 Preserving Location Privacy
Can we prevent people from knowing where we are? Given that we carry mobile communications devices And that we might want location- specific services ourselves

59 Location-Tracking Services
Services that get reports on our mobile device’s position Probably sent from that device Often useful But sometimes we don’t want them turned on So, turn them off then

60 But . . . What if we turn it off just before entering a “sensitive area”? And turn it back on right after we leave? Might someone deduce that we spent the time in that area? Very probably

61 Handling Location Inferencing
Need to obscure that a user probably entered a particular area Can reduce update rate Reducing certainty of travel Or bundle together areas Increasing uncertainty of which was entered

62 So Can We Have Location Privacy?
Not clear An intellectual race between those seeking to obscure things And those seeking to analyze them Other privacy technologies (like Tor) have the same characteristic

63 Two people at London Bridge
Query: Are you at London Bridge? Yes or no? Generate random bits (key K) and XOR with answer (encrypted data E). Send K and E Keys go to Aggregator K Encrypted data go to Aggregator E Each Aggregator XORs the others results Yes K 1 Aggregator K 1 E 1 1 Yes K 1 1 1 1 1 E 1 1 No K 1 1 1 1 E 1 1 Two people at London Bridge Aggregator E Anonymity set size=3

64 L locations mapping to L bits
How many people are at? London Bridge Tower Bridge Buckingham Palace 1 1 1 N Rows 1 2 ….. L 1 1 Announce at Buckingham Palace L locations mapping to L bits

65 Haystack mechanism provides privacy by answering 'yes' multiple times
How many people are at? London Bridge Tower Bridge Buckingham Palace 1 2 ….. L Privately report both London Bridge and Buckingham Palace 1 1* * indicates actual location Haystack mechanism provides privacy by answering 'yes' multiple times

66 Privately report only Buckingham Palace
How many people are at? London Bridge Tower Bridge Buckingham Palace 1 2 ….. L Privately report only Buckingham Palace 1* * indicates actual location Haystack mechanism also provides privacy by NOT answering 'yes' for actual location

67 (L) Buckingham Palace = 5 - Noise(ε) ≈ 1
2 ….. L Aggregation 1* 1 1 2 ….. L (1) London Bridge = 4 - Noise(ε) ≈ 3 (2) Tower Bridge 3 - Noise(ε) ≈ 1 (L) Buckingham Palace = 5 - Noise(ε) ≈ 1 1* 1 1 2 ….. L 0* 1 1 2 ….. L 1 1* 1 2 ….. L 1 1* * indicates actual location

68 The NSA and Privacy 2013 revelations about NSA spying programs changed conversation on privacy The NSA is more heavily involved in surveillance than previously believed What are they doing and what does that mean for privacy?

69 Conclusion Privacy is a difficult problem in computer systems
Good tools are lacking Or are expensive/cumbersome Hard to get cooperation of others Probably an area where legal assistance is required

Download ppt "Privacy Computer Security Peter Reiher March 9, 2017"

Similar presentations

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
James Tam Computer Security Concepts covered Malicious computer programs Malicious computer use Security measures.

James Tam Computer Security Concepts covered Malicious computer programs Malicious computer use Security measures.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
1 Securing Information Transmission by Redundancy Jun LiPeter ReiherGerald Popek Computer Science Department UCLA NISS Conference October 21, 1999.

1 Securing Information Transmission by Redundancy Jun LiPeter ReiherGerald Popek Computer Science Department UCLA NISS Conference October 21, 1999.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.

Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.
Lecture 16 Page 1 CS 136, Fall 2014 Privacy Computer Security Peter Reiher December 11, 2014.

Lecture 16 Page 1 CS 136, Fall 2014 Privacy Computer Security Peter Reiher December 11, 2014.
Lecture 17 Page 1 CS 236 Online Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption –With good encryption,

Lecture 17 Page 1 CS 236 Online Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption –With good encryption,
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.

Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.

Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
Lecture 17 Page 1 CS 236 Online Privacy CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 17 Page 1 CS 236 Online Privacy CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.

Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
Lecture 12 Page 1 CS 236 Online Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite coasts.

Lecture 12 Page 1 CS 236 Online Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite coasts.
Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.

Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.
Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.

Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.
Lecture 6 Page 1 CS 236, Spring 2008 Privacy and Anonymity CS 236 Advanced Computer Security Peter Reiher May 6, 2008.

Lecture 6 Page 1 CS 236, Spring 2008 Privacy and Anonymity CS 236 Advanced Computer Security Peter Reiher May 6, 2008.
Lecture 17 Page 1 CS 236 Online Onion Routing Meant to handle issue of people knowing who you’re talking to Basic idea is to conceal sources and destinations.

Lecture 17 Page 1 CS 236 Online Onion Routing Meant to handle issue of people knowing who you’re talking to Basic idea is to conceal sources and destinations.

Similar presentations

Ads by Google