Security, Privacy and Crime Presented by Abhishek Sharma

Upload: darren-townsend

Post on 29-Dec-2015

TRANSCRIPT

Page 1: Security, Privacy and Crime Presented by Abhishek Sharma

Security, Privacy and Crime

Presented by Abhishek Sharma

Page 2: Security, Privacy and Crime Presented by Abhishek Sharma

Overview:

• HCI – Human Computer Interaction

• Security

• Importance of Security

• Hacking

• Human players in Computer Security

• Privacy

• Privacy and HCI

• Crime

• Cyber Crime

Page 3: Security, Privacy and Crime Presented by Abhishek Sharma

HCI

• It is a large field in its own right. Its roots were in human factors and the design and evaluation of “man-machine” interfaces for airplanes and other complex and potentially dangerous mechanical systems.

Page 4: Security, Privacy and Crime Presented by Abhishek Sharma

Importance of Security:

Computers and the internet are becoming pervasive.

Consequence of being online.

Security has become a part of product design, development and deployment.

Page 5: Security, Privacy and Crime Presented by Abhishek Sharma

Importance of Security:

There are even organizations which provide “Security as a service”.

We need to know how computer attacks are performed.

Page 6: Security, Privacy and Crime Presented by Abhishek Sharma

Hacking

Clever programmer.

Modification of a program/device to give the user access to features that were otherwise unavailable to them.

Page 7: Security, Privacy and Crime Presented by Abhishek Sharma

Hacking

It’s usually a technical activity.

SCRIPT KIDDIES

Page 8: Security, Privacy and Crime Presented by Abhishek Sharma

Attacking Methods:

Intrusion

Physical intrusion: usually internal employees, e.g., booting from a floppy or taking the system apart physically.

System intrusion: low-level privileges; exploit unpatched security vulnerabilities.

Page 9: Security, Privacy and Crime Presented by Abhishek Sharma

Attacking Methods:

Remote intrusion: valid account names / cracking weak passwords; exploiting common security vulnerabilities (buffer overflow).

Page 10: Security, Privacy and Crime Presented by Abhishek Sharma

What it takes for an attack?

1. Need to carry out some information gathering on the target.

2. Plan their way into the system.

3. Reduce the chance of getting caught.

During all these procedures, network traffic would look normal.

Page 11: Security, Privacy and Crime Presented by Abhishek Sharma

Pattern they follow:

1. Footprinting. Getting a complete profile of the target and its security arrangements.

Information of interest includes the technology they use (like internet, intranet, remote access).

Security policies and procedures.

2. Network Enumeration. The attacker tries to find out domain names and the associated networks.

Page 12: Security, Privacy and Crime Presented by Abhishek Sharma

Pattern they follow….

3. DNS Interrogation. After network enumeration is done, query the DNS.

Revealing info about the organization. Zone transfer mechanism. Leak of private DNS information.

4. Network Reconnaissance. Identifying the potential target.

Try to map network topologies and identify paths. E.g., the traceroute program.

Page 13: Security, Privacy and Crime Presented by Abhishek Sharma

Pattern they follow….

5. Scanning. Knocking on the walls.

Which systems are alive and reachable? Ping sweeps, port scans, automatic discovery tools. At this point the IDS raises warnings, but no attack has happened yet.
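As an added illustration of the IDS warning mentioned on this slide (not part of the original presentation), here is a minimal detector that flags port scans and sweeps in connection records. The record layout, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (epoch_seconds, src_ip, dst_ip, dst_port).
SAMPLE_EVENTS = (
    [(100 + i, "203.0.113.7", "10.0.0.5", p) for i, p in enumerate(range(20, 45))]  # 25 ports, one host
    + [(200 + i, "198.51.100.9", f"10.0.0.{i + 1}", 22) for i in range(30)]         # 30 hosts, one port
    + [(300 + 60 * i, "192.0.2.4", "10.0.0.5", 443) for i in range(40)]             # ordinary client
)

def detect_scans(events, window=60, port_threshold=20, host_threshold=20):
    """Return {src_ip: labels}, where labels is a set of 'port_scan' and/or 'sweep'.

    port_scan: >= port_threshold distinct ports on one host within `window` seconds.
    sweep:     >= host_threshold distinct hosts within `window` seconds.
    The thresholds are illustrative assumptions, not recommended values.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_src[src].append((ts, dst, port))

    alerts = defaultdict(set)
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it only covers the last `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports_per_host = defaultdict(set)
            for _, dst, port in evs[start:end + 1]:
                ports_per_host[dst].add(port)
            if any(len(ports) >= port_threshold for ports in ports_per_host.values()):
                alerts[src].add("port_scan")
            if len(ports_per_host) >= host_threshold:
                alerts[src].add("sweep")
    return dict(alerts)
```

Probing spread out so that it stays below the per-window threshold is not flagged, which is why window and threshold need tuning against real traffic.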

Page 14: Security, Privacy and Crime Presented by Abhishek Sharma

Unauthorized Access:

1. Acquiring passwords.

2. Clear Text Sniffing. There is no encryption of passwords with protocols like telnet, FTP, HTTP. Easy for attackers to eavesdrop using network protocol analyzers to obtain passwords.

3. Encryption sniffing. How about encrypted passwords? Decryption using dictionary or brute-force attacks.

Page 15: Security, Privacy and Crime Presented by Abhishek Sharma

Unauthorized Access:

4. Replay attack. No need to decrypt. Reprogram the client software.

5. Password file stealing. /etc/passwd in Unix, SAM in WinNT. Steal these files and run cracking programs.

6. Observation. Usage of long and difficult to guess passwords. Attackers with physical access. Shoulder surfing.
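The replay attack in item 4 works because a fixed hashed or encrypted password is itself a reusable credential. The following added example (not part of the original presentation) contrasts that weak scheme with a nonce-based challenge-response; the class names and the sample password are hypothetical, and the scheme is a simplified sketch.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"constructed-sample-password"  # constructed value, for the demo only

class StaticHashServer:
    """Weak: the client sends SHA-256(password), so the same bytes log in forever."""
    def __init__(self, password):
        self.expected = hashlib.sha256(password).digest()

    def login(self, token):
        return hmac.compare_digest(token, self.expected)

class ChallengeServer:
    """Hardened: a fresh random nonce per login, each accepted at most once."""
    def __init__(self, password):
        self.key = password
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.pending:
            return False  # unknown or already-used nonce
        self.pending.discard(nonce)
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def client_response(password, nonce):
    return hmac.new(password, nonce, hashlib.sha256).digest()

def replay_outcomes():
    """Return whether a recorded login message is accepted again by each scheme."""
    weak = StaticHashServer(PASSWORD)
    recorded = hashlib.sha256(PASSWORD).digest()  # the bytes seen on the wire
    weak_first, weak_replay = weak.login(recorded), weak.login(recorded)

    strong = ChallengeServer(PASSWORD)
    nonce = strong.challenge()
    response = client_response(PASSWORD, nonce)
    strong_first = strong.login(nonce, response)
    same_nonce = strong.login(nonce, response)              # nonce already consumed
    new_nonce = strong.login(strong.challenge(), response)  # response bound to old nonce
    return {"weak_first": weak_first, "weak_replay": weak_replay,
            "strong_first": strong_first, "strong_replay_same_nonce": same_nonce,
            "strong_replay_new_nonce": new_nonce}
```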

Page 16: Security, Privacy and Crime Presented by Abhishek Sharma

Unauthorized Access:

7. Social Engineering. Cracking techniques that rely on weaknesses in users, i.e., admins, operators. Calling up the systems operator posing as a field service technician with an urgent access problem.

8. Software Bugs. Vulnerabilities brought by bugs in software.

Buffer overflows arise from buffer-handling vulnerabilities in certain programs. They are found by searching for these bugs directly: examining every place the program prompts for input and trying to overflow it with random data.

Page 17: Security, Privacy and Crime Presented by Abhishek Sharma

What’s the need to learn?

Does it help? Yes… Developing more efficient ways to protect the system.

Page 18: Security, Privacy and Crime Presented by Abhishek Sharma

Motives:

49% -- discovery learning, challenge, knowledge and pleasure

24% -- recognition, excitement (of doing something illegal)

27% -- self-gratification, addiction, espionage, theft and profit.

Addiction and curiosity.

Page 19: Security, Privacy and Crime Presented by Abhishek Sharma

How have they grown over the Years??

1st Generation: Talented techies, programmers and scientists (mostly from MIT).

2nd Generation: Forward-thinking enough to recognize the potential of the computer niche.

3rd Generation: Young people who used the PC, saw its entertainment value and began developing games (illegal copying, cracking the copyright protection).

Page 20: Security, Privacy and Crime Presented by Abhishek Sharma

…contd

4th Generation:

Criminal activity. Claim that the motivation was curiosity/hunger for knowledge.

Page 21: Security, Privacy and Crime Presented by Abhishek Sharma

Types of Hackers:

White Hat: Focusing on securing IT systems. Have a clearly defined code of ethics. Improve discovered security breaches. ….Tim Berners-Lee…..

Grey Hat: No personal gain, no malicious intentions. Testing and monitoring.

Black Hat: Crackers; they are criminals. Maintain knowledge of vulnerabilities. Don’t reveal them to the general public or manufacturers for correction.

Page 22: Security, Privacy and Crime Presented by Abhishek Sharma

What needs to be done?

Intrinsically and globally imperfect.

There are many holes (not just technical ones).

They also stem from bad security practices and procedures.

Educating the users, Security Administrators

Securing the Environment

Page 23: Security, Privacy and Crime Presented by Abhishek Sharma

Human Players in Computer Security

• Protectors

• Attackers

• Users

• Double Agents

Page 24: Security, Privacy and Crime Presented by Abhishek Sharma

Discussion….

Whom to blame?

Who should be liable?

Should government step in and regulate?

Is it up to the individual computer users and companies to stay on top of technology?

Should we blame the software industry for selling insecure products?

Page 25: Security, Privacy and Crime Presented by Abhishek Sharma

Whom to blame?

Lack of liability? Building a security product with no liability is of no use.

E.g., there are different rules and regulations for a drug release. But are there any regulations and rules for a software release?

Page 26: Security, Privacy and Crime Presented by Abhishek Sharma

Privacy : Introduction

• It is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively.

• It can be a key aspect of the user experience with computers, online systems, and new technologies

Page 27: Security, Privacy and Crime Presented by Abhishek Sharma

Privacy and HCI

• HCI has already been introduced, along with its core concerns of improving ease of use and overall user experience.

• Privacy is a broad term compared to HCI, but put simply it is “the ability of an individual to control the terms under which their personal information is acquired and used”.

Page 28: Security, Privacy and Crime Presented by Abhishek Sharma

Important points in Privacy

• It is based on information and the effectiveness of individuals in controlling its flow.

• Like security, it concerns risk, its perception, and its management.

• It is about control, trust and power in social situation and so rapidly implies

Page 29: Security, Privacy and Crime Presented by Abhishek Sharma

Relevant HCI Research Streams

• Basic Design Consideration

• People interact with & through systems

• Individuals differ in capabilities

• Role of HCI in next-generation architectures

Page 30: Security, Privacy and Crime Presented by Abhishek Sharma

Usability Engineering

1. While valued, privacy is not the users’ primary task.

2. Designs must encompass many different types of users.

3. Privacy raises the stakes.

4. Systems must respond to the legal and regulatory environment.

Page 31: Security, Privacy and Crime Presented by Abhishek Sharma

Computer-Supported Cooperative Work

• An important stream of HCI research.

• Starting in late 1980s, CSCW began as a counter-effort to consider collaborative computer use.

Page 32: Security, Privacy and Crime Presented by Abhishek Sharma

CRIME

• In the field of computing, crime is referred to as cyber crime.

• It involves a computer and a network.

• The computer may or may not play an instrumental role.

Page 33: Security, Privacy and Crime Presented by Abhishek Sharma

Categories

• Crimes that target computer networks and devices directly.

• Crimes facilitated by computer networks and devices, the primary target of which is independent of the computer network or device.

Page 34: Security, Privacy and Crime Presented by Abhishek Sharma

Cyber-Crime

• It is more or less related to hacking.

• Computer-skilled people initiate the attack.

• No boundary limitations.

• It is really hard to catch such criminals.

• Governments from different countries are joining hands to fight against it.