INF529: Security and Privacy In Informatics
Exam and More on “Social” Networks
Prof. Clifford Neuman
Lecture 7
24 February 2017
OHE 100C

EXAM IN PROGRESS 12:00 – 2:00 PM

Course Outline
• Overview of informatics privacy
• What data is out there and how is it used
• Technical means of protection
• Identification, Authentication, Audit
• The right of or expectation of privacy
• Social Networks and the social contract
• Measuring Privacy
• Big data – Privacy Considerations
• Criminal law, National Security, and Privacy
• Civil law and privacy
• International law and conflict across jurisdictions
• The Internet of Things
• The future – What can we do

Presentations
• 3/3 Social Networks & Privacy - Mariam Bubshait and Muaz Alkhalidi
• 3/3 Big Data and Data Mining - Haibo Zhang and Mengen Song
• 3/10 Criminal Investigations and National Security - Andrew Gronski
• 3/24 Private Browsing - Aparna Himmatramka
• 3/24 Mapping and Ride Sharing (Transportation) - Surabhi Subramanya
• 3/31 Cloud and Cloud Services - Krishna Mohan
• 4/7 Internet of Things - Apurv Tiwari
• 4/14 Smart Grids and Energy Systems - Sahil Mohamed
• 4/14 International Law and Security and Privacy - Abdullah Binkulaib
• 4/21 Balancing Privacy with Usability and Functionality - Akash Mukherjee
• 4/28 Consumer misconceptions about privacy - Kshitija Godse
• 4/28 The Future of Privacy - Mohammad AlSubaie

Online Game Privacy
Material prepared by Christopher Radoumis (INF529 Student spring 2016)

Why Care
• Industry Perspective
– Player - investment of time, money and emotion; professional player
– Provider - healthy -> longevity -> profitable
• Tech Perspective (As software on Internet)
– Experience and implications widely applicable
• Social Perspective (As virtual world linked with real world)
– Huge amount of real-time interaction
– Virtual economy where real world profit can be made
– Attractive to hackers, cheaters, even criminals
– Example: WOW Auction House Hack
• Legal Perspective
– Lack of laws and regulations
Material prepared by Jing Lin and Christopher Radoumis (INF529 Student spring 2016)

Online Game Privacy
What is the expectation of privacy in online games?
• Any identifiable information given or entered is expected to be confidential and secure within the scope of the game or service
– Some games release more identifiable information than others
Privacy works within two factors in online games
• Securing – Protecting online identity
• Obscuring – Allowing nearly anonymous communication (ie, recent news of terrorists using online games to communicate and recruit)

Types of private information (Cont’d)
(figure only; not reproduced in the text)

Information Gathering
• The level of privacy expected by any online gamer needs to be only as strong as what that gamer has allowed to be online.
• Previous slide shows a gamer-tag, and a LOT of information gathered from other games, or social media sites.
• This is all information freely available online and is found with only a single gamer-tag, and can eventually reveal information the gamer doesn’t want anyone to see

Information Gathering (Cont’d)
• Online games have VoIP
• This gives gamers the ability to talk to the people they play with
– Can also be used to gather information.
– Vulnerable children may give out identifiable information, or malicious users can have private communication.

Private and Secure
• Online games are Client – Server based
• Information is stored on the server side for monitoring and auditing
• Recent news of NSA connecting to online game networks to survey and gather intelligence.
• While the intention was to catch illegal activity, many people were outraged by the invasion of privacy by the government
– Eventually resulted in 0 counter-terrorist activities

Information Leaks
• 2006 – Second Life breached releasing 650,000
• 2011 – PlayStation Network hacked – 77 million accounts compromised
• 2014 – PSN and Xbox Live DDoS
• 2014 – Microsoft releases 3,000 names, gamer tags, email, and birthdays of people who voted in an online ‘Xbox Awards’ poll

Information Leaks (Cont’d)
• 2014 – Anonymous releases 13,000 records of CC, Names.. VPNCyberGhost, UbiSoft, VCC, Brazzers, UFC TV, PSN, XBL Gamers, Twitch TV, Amazon, Hulu Plus, Dell, Walmart, (EA) Games
• 2015 – Microsoft releases private keys of *.xboxlive.com in Microsoft Patch Tuesday update
• 2015 – 1,800 Minecraft credentials leaked

More security Issues
• Copy Protection – Illegally downloaded games
• Hacked Client Machines – non game related
• Packet Sniffing - MitM
• Social Network Abuse
• Hacked Accounts
• DDoS on Server systems – LizardSquad on PSN
• Internal Misuse – Poor handling
• Backups – Recovery after attacks
• Cheat Detection – Client detection

Privacy Settings
• Many games include configurable privacy settings
• For Example: Xbox One.
– Adult – Everyone can see your activity. Microsoft can use your video app history to improve your experiences.
– Teen – Only friends can see activity. If 13 or younger, need an adult to manage restrictions
– Child – Need a parent to add friends, can only see friends.

Privacy Settings (Cont’d)
• In all cases, Microsoft stores application and exercise history
• Privacy settings enforce at a low technical level
– Sort of Mandatory Access Control
• Only enforces what the user can see/do, not what the client/server can see/do

Privacy Settings (Cont’d)
• Privacy settings do not control release of information
• Virus/Malware installed on PCs can keylog/send private credentials/information

Why privacy is important
• The purpose of video games is to escape reality for a while, interact in a world that could never exist, and drive expensive cars off bridges while shooting uzis.
• There shouldn’t be a concern of identity theft, or botnet takeover when playing video games
• Privacy needs to be maintained by the content creator, server side administrators and the user.

Maintaining Privacy
• Use different gamer-tags for different games
• Don’t link any personally identifiable information in profiles unless for credit card information.
– Even then, might as well use a gift card
• Be mindful of what is posted in game forums.
• Frequent password changes
• Dual factor authentication where available
• Use a separate e-mail address for game sign on
– One that doesn’t contain address books or contacts

Maintaining Privacy (Cont’d)
• If not making in-game purchases, don’t link your credit card (ie, Candy Crush…)
• Maintain good security practices on the device used to play games (ie, Anti-virus software…)
• Don’t reveal identifiable information during chats, or VoIP
• Can’t always rely on the game companies to maintain privacy, so take responsibility for what you can control

Current Events
Aparna Himmatramka –
Akash Mukherjee –
Haibo Zhang – http://www.securityweek.com/netflix-releases-open-source-security-tool-stethoscope
Netflix released an open source security tool called "Stethoscope", which analyzes users' electronic devices and gives security recommendations. Stethoscope does not have a data store, but implements data sources as plugins, thereby allowing users to add new inputs by developing plugins.
Abdullah B. –
Mengchen Song – http://www.securityweek.com/new-filecoder-macos-ransomware-surfaces
A newly discovered ransomware targeting macOS destroys encryption keys before sending them to its apparently inexperienced developer. The new macOS-targeting crypto-ransomware is effective enough to prevent the victims from accessing their files.

Current Events
Krishna Mohan Sathi –
Sahil Mohamed – http://seekingalpha.com/article/4049024-federal-judge-defends-apples-touch-id-privacy-protection
The government had requested the court to grant permission to eliminate the privacy protection afforded by Apple on the grounds that some suspect activities show that the Apple device is being used for child pornography. The judge declined the petition and denied access to the phone.
(related: https://thestack.com/security/2017/02/23/judge-rules-against-forced-fingerprinting/ Judge rules against forced fingerprinting)
Andrew Gronski – http://www.securityweek.com/these-were-top-threats-targeting-healthcare-firms-q4-2016
Healthcare providers were the most attacked industry in Q4 of 2016; however, 4 out of 5 of the top attacks on these providers were ransomware, with only 1 being a means to find sensitive information.
Muaz M. Alkhalidi –
Apurv Tiwari – https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/
Leak of sensitive data like passwords, cookies and authentication tokens, spilled in plaintext from its customers’ websites.
Other events:
• https://www.cyberscoop.com/cellebrite-iphone-6-ufed-samsung-galaxy-facebook-messenger-snapchat/ Cellebrite can now unlock iPhone 6
• https://qz.com/917790/amazon-claims-first-amendment-rights-for-alexa/ Amazon argues that Alexa is protected by the first amendment in murder trial

Current Events
Surabhi Subramanya –
Mariam Fahad Bubshait –
Kshitija Godse –
Mohammad Alsubaie –
Matthew Jackoski – https://nakedsecurity.sophos.com/2017/02/23/how-much-does-facebook-really-know-about-you-and-is-it-right/amp/
Tools have been developed to analyze Facebook data and show what connections can be drawn from profiles (although it is not always accurate). Data Selfie is one tool that monitors what a user does on Facebook and shows what links a user clicks on while on Facebook. Stalkscan is another tool that analyzes relationships based off of public Facebook data. It can determine "colleagues", "schoolmates", etc.