Lecture 07 - Societal Security PDF
Document Details
Uploaded by HardWorkingAestheticism
Technical University of Munich
2024
Jens Grossklags
Tags
Summary
This lecture, titled 'IT and Society, Lecture 7: Security – Societal Issues', is a presentation on societal security issues, covering topics ranging from surveillance to cybersecurity. The lecture, designed for a postgraduate audience, is delivered by Prof. Jens Grossklags at the Technical University of Munich on May 27, 2024.
Full Transcript
IT and Society Lecture 7: Security – Societal Issues Prof. Jens Grossklags, Ph.D. Professorship of Cyber Trust Department of Computer Science School of Computation, Information and Technology Technical University of Munich May 27, 2024 Recap – Summary of Theory ISMS for risk-driven information...
IT and Society Lecture 7: Security – Societal Issues Prof. Jens Grossklags, Ph.D. Professorship of Cyber Trust Department of Computer Science School of Computation, Information and Technology Technical University of Munich May 27, 2024 Recap – Summary of Theory ISMS for risk-driven information security management: Selection and implementation of controls is based on risk assessment – Continuous improvement should correspond with changing (risk) environment – Documentation-centered approach – Built-in performance evaluation (process & controls) Applicability of 27K series of standards – Generic, adoptable, flexible – Domain and expert know-how necessary – Requirements in the standards scale with different security needs – Applicable outside ICT and operations Certification schema available and increasingly used in practice 2 Recap – Security in Organizations Many high-quality IT security research projects, but too little data-driven collaboration with industry and policy actors Science of security management: Scientifically validated approach to prioritize security measures is missing, but needed 3 Lecture 7 Security in Society 4 “Balancing“ (National) Security and Privacy A pipe dream? [Definition of pipe dream = a fantastic or illusory hope, plan, or story] What is the role of nation states after September 11, 2001? 5 “In the absence of the right to privacy, there can be no true freedom of expression and opinion, and therefore no effective democracy.” Dilma Rousseff, former President of Brazil (2013 speech at the UN) 6 United States/Five Eyes Efforts since the early 2000s to ‘master the Internet’ by the NSA -- and the Five Eyes (more generally) Our knowledge about diverse efforts has improved (temporarily): Ed Snowden and other whistleblowers leaked information about the capabilities and methods of Western intelligence services – Five Eyes: U.S., Canada, U.K, Australia, New Zealand 7 Addendum: NSA History Largely unknown until 1982 – Historical overview by James Bamford – Obtained information through Freedom of Information Act (FOIA) requests; from libraries, informal sources etc. – April 2001: NSA hosted a book- signing event for Bamford 8 Programs: Prism NSA codename for an access channel that had been provided to the FBI to conduct (warranted) wiretaps – U.S. law permits U.S. citizens to be wiretapped provided an agency convinces a court to issue a warrant, based on ‘probable cause’ that they were up to no good under supervision of the Foreign Intelligence Surveillance Court (FISC) Concern arises here due to scale and scope Important note: Foreigners can be wiretapped freely – All an intelligence analyst had to do is click on a tab indicating the believe that someone was a non-U.S. person – Inquiry is routed automatically via FBI infrastructure and “content” appears on analyst’s workstation What content? 9 Vast amount of application-level Internet traffic runs through the United States Backbones of many leading Internet companies are involved 10 Programs: Telecommunications AT&T provided the NSA with access to billions of communications records — including emails and phone call data — as they passed through its domestic network system in the U.S. The report also found that the company installed surveillance equipment in at least 17 of its Internet hubs on U.S. soil, had its engineers test surveillance technology invented by the NSA, and even aided the organization in carrying out a court order permitting the wiretapping of online communications at United Nations headquarters in New York. – Already early evidence (on AT&T) based on whistleblower Mark Klein in 2006 Verizon ordered by FISC to hand over all call data records https://www.pbs.org/wgbh/frontline/article/how-att-helped-the-nsa-spy-on-millions/ 11 Programs: Tempora (U.K. program) To collect intelligence from international fiber-optic cables – Essentially more powerful version of Echelon, which tapped the Intelsat satellite network, keeping voice calls on tape while making metadata available for searching so that analysts could select traffic to or from phone numbers of interest [Duncan Campbell, journalist, 1988] Example Cornwall region: 200 transatlantic fibers were tapped and 46 could be collected at any one time up to 21Pb a day ‘massive volume reduction’ needed – Use of ‘selectors’ for search: use of 10000s of selectors to sift through 600 Million ‘telephone events’ – European Court of Human Rights (2018) ruled bundle of such programs “unlawful and incompatible with the conditions necessary for a democratic society” Consequences? See: https://www.wired.co.uk/article/uk-mass-surveillance-echr-ruling 12 Programs: Muscular (U.K./U.S.) Collection of data as it flowed between the data centers of large service firms such as Yahoo and Google – Data may be encrypted using SSL on the way to the service’s front end, but it then often flowed in the clear between each company’s data centers Snowden: Many Internet communications that appear to be encrypted aren’t really – Modern websites use content delivery networks (CDNs), e.g., performance – While the web traffic is encrypted from the user’s laptop or phone to the CDN’s point of presence at their ISP, it isn’t encrypted on the backhaul unless websites pay extra Trend towards end-to-end encryption (also via CDNs) 13 Who can spot the smiley? 14 Programs: Special Collection Service Various strategies, e.g., to implant collection equipment in foreign telecommunications providers, Internet exchanges and government facilities Tempest monitoring: Collection of information leaked by the electromagnetic emissions from computer monitors and other equipment – Now Tempest standards for shielding electronic devices Supply-chain tampering: Manipulate purchased products – Example: Crypto AG https://www.spiegel.de/spiegel/print/d-9088423.html (in German) https://www.bbc.com/news/uk-33676028 15 Research Examples 16 Programs: Longhaul, Quantum Focus on encrypted communications – E.g., attacks against the 1024-bit prime used by most VPNs and many TLS connections with Diffie-Hellman key exchange possible? – See research: „Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (Adrian et al., 2015, CCS) 17 Tools: Xkeyscore Focus on collected results: Distributed database enabling an analyst to search collected data remotely and assemble the results – Emails, SMS, chats, address book entries, browsing histories – Example: ‘Show me all encrypted Word documents from country X’ Focus on target discovery: – Example: ‘Show me all the exploitable machines in country X’ 18 Hacking Tools: Computer and Network Exploitation Hacking tools used by the NSA and its allies – Snowden papers reveal an internal “store” where analysts can get a variety of tools – Series of leaks in 2016–2017 by the Shadow Brokers disclosed a number of actual NSA malware samples, used by hackers of the NSA’s Tailored Access Operations team to launch attacks – Some of these tools were repurposed to launch the NotPetya worm and Wannacry 19 Relied on the EternalBlue exploit https://protonmail.com/blog/nsa-ransomware-nhs-cyberattack/ 20 Responsible Disclosure? Microsoft press release Wake-up call needed! https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/ 21 Realistic? Vision/Goal: To be adopted by governments 22 Remark on International Relations “The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” How many of the strategies, which we discussed so far, are used for economic purposes? How much credence do you give the announcement above? https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states 23 Example: Role of Major Technology Companies in International Relations Example Apple: – Store personal data of Apple’s Chinese customers on computer servers run by a state-owned Chinese firm – Apple abandoned encryption technology on other products in China Another long and complicated story: Google Search in China But certainly not just problematic in the U.S./China context Apple: https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html Google: https://www.technologyreview.com/2018/12/19/138307/how-google-took-on-china-and-lost/ 24 Troubling Role of Specialized Private Security Technology Firms Developers of malware to be used by nation states against terrorism and other actors Prominent examples: – NSO Group, Israel – Hacking Team, Italy – Gamma Group, UK Question: How well can deployment be controlled? 25 Case Study: Nutrition Activism Spyware found on phones of leaders of nutrition activism groups in Mexico – Compromised via Phishing – Spyware from NSO Group – Confirmed by Citizen Lab (University of Toronto) NSO “claims to sell its spyware only to law enforcement agencies to track terrorists, criminals and drug lords. NSO executives point to technical safeguards that prevent clients from sharing its spy tools. […] the company had no knowledge of the tracking of health researchers and advocates inside Mexico.” https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html 26 Phishing messages Recipient: Director of nutrition policy at Mexico’s National Institute of Public Health 27 Control Such Spyware? “This is one of the most brazen cases of abuse we have ever seen,” said John Scott-Railton, a senior researcher at Citizen Lab. “It points to a total breakdown of government oversight in Mexico, and a complete failure of due diligence by the NSO Group.” https://citizenlab.ca/ 28 Where is the Outrage? Privacy and Security For the People! Collective action is hard to achieve. See lecture on societal privacy. 29 Street protests against surveillance practices (2013) 30 https://www.spiegel.de/politik/deutschland/10-000-menschen-protestieren-gegen-nsa-ueberwachung-a-913513.html 31 Nothing-to-Hide Argument “The argument that no privacy problem exists if a person has nothing to hide is frequently made in connection with many privacy issues. When the government engages in surveillance, many people believe that there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private.” Argument brought forward by politicians, government officials, but also individuals 32 Strong Form of the Argument Security is the strongest argument for government surveillance According to the strong form of the argument: “The security interest in detecting, investigating, and preventing terrorist attacks is very high and outweighs whatever minimal or moderate privacy interests law-abiding citizens may have.” (Solove article) 33 Important Opposing View Nothing-to-hide argument is an anti-social statement Privacy should not be treated as something to hide, but as something to protect Discussion of goals: – Balancing privacy against security? or rather: – Balancing freedom against control? 34 „ Opposing View (2) Potential for various forms of abuse of government surveillance Similar to: “I don’t care what happens, so long as it doesn’t happen to me.“ – Rejecting privacy as an egoistic and anti-social act – No solidarity and „dog-eat-dog society“ 36 Poetic form of a 1946 post-war confessional prose by the German Lutheran pastor Martin Niemöller (1892–1984) 37 Related Context: Censorship & Internet Filtering 38 Internet Filtering Motivations for state-directed Internet filtering include those with: – Specific emphasis on economics: tax, copyright, intellectual property – Specific emphasis on children: child pornography, violence – Specific emphasis on other relevant content categories Cultural: pornography and gambling Political: dissidents and independent media Security: (cyber)terrorism and hacking Nart Villeneuve, Citizen Lab 39 Filtering Approaches – Technology National Filtering Systems (e.g., Great Firewall of China) Distributed Filtering Systems Temporary Filtering (and DoS/DDoS Attacks) Application Level approaches Lots of diversity. Not a comprehensive list. 40 Accountability & Transparency Most countries that filter are unable or do not want to publicly answer the following questions: – What are the blocking criteria? – Is there a review process? – What is the policy on collateral blocking? – Is there a grievance mechanism? – How can designations be changed if there is miscategorization? – How are Internet users informed that they are attempting to access prohibited content? Nart Villeneuve, Citizen Lab 41 Freedom House 2018 rating lower scores are better Category: Internet Freedom Scores + Reports Some reports published since 1973 https://web.archive.org/web/20190328041642/https://freedomhouse.org/report/freedom-net/2018/turkey 42 (Archived copy from archive.org) (reversed the score) Higher scores are now better 2020 rating https://freedomhouse.org/country/turkey/freedom-net/2020 (Reports contains detailed analysis; not just scores) 43 From Filtering to Censorship Often countries that filter the Internet target content that is specific to the country itself and is in the local language Censored websites generally include human rights organizations, independent media, oppositions groups or political parties, and religious conversion or spiritual groups Sites that contain content opposed to or dissenting from the views of the current government are most often the targets of filtering Control over information begins to move from filtering into overt political censorship 44 Collateral Impact No games with Kanter shown in Turkey 45 Involvement of Private Entities Placing restriction on freedom of speech in a non- transparent way: – Often ceding to commercial entities the responsibility of placing limitations on freedom of speech through tools that are sheltered from close public scrutiny because of intellectual property protections – Collateral Impact: Blocking access to content that was never intended to be blocked 46 Mission Creep Empirical Question: Regardless of the initial reason for implementing Internet filtering, one can argue that there is increasing pressure to expand “Opportunity knocks only once, its use once the filtering infrastructure is in place. but temptation leans on the doorbell.” Empirical Question: Governments are tempted to use it as a tool of political censorship or as a technological “quick fix” to problems that stem from larger social and political issues. 47 Takeaways Significant efforts being done towards implementing data collection and processing in the name of national security Similar efforts undertaken in many countries regarding Internet filtering and censorship Many challenges which are hard to resolve: – Grand challenges: Impact on civil liberties – More well-defined challenges: Like responsible disclosure 48 That was it for today. The End.