Download   Report
  1. law, govt and politics
  2. legal issues
  3. civl rights
  4. privacy

Great ideas, big data and little privacy?

Great ideas, big data
and little privacy?
Bart Preneel
iMinds and COSIC KU Leuven
2
3
NSA calls the iPhone users public 'zombies'
who pay for their own surveillance
4
Snowden revelations
• NSA: “Collect it all, know it all, exploit it all”
• most capabilities could have been extrapolated from open sources
• But still…
• massive scale and impact
• redundancy: at least 3 methods to get to Google’s data
• many other countries collaborated (beyond five eyes): economy of
scale
• industry collaboration through bribery, security letters,
5
Snowden revelations (2)
• Most spectacular: active defense
• networks
• Quantum insertion: answer before the legitimate website
• FoxAcid: specific malware
• devices
• supply chain subversion
• Translation in human terms: complete control of networks and
systems, including bridging the air gaps
• No longer deniable
6
Lessons learned
• Never underestimate a motivated, well-funded and competent
attacker
• Pervasive surveillance requires pervasive collection and active
attacks (also on innocent bystanders)
• active attacks undermine integrity of and trust in computing
infrastructure
• Economics of scale play a central role:
• it is not about the US or US/UK or even five eyes
• other nations have or are developing similar
capabilities
• organized crime and terrorists working on this too
7
The state of cybersecurity
• Governments are undermining ICT systems rather than
improving cybersecurity (and part of industry is helping)
• Problems at network level
•
•
•
•
end-to-end deployment of encryption
meta data: IP address, location, …
network protocols such as BGP, DNS
Problems at system level:
•
•
•
secure execution and update
supply chain security
0-day market
8
IoT security risks
•
More pervasive and intrusive: building, car, body
•
•
•
•
low cost
larger attack surface
harder to update
Security
•
•
•
•
bringing down the grid
hacking cars and drones
burglary
hacking medical devices
9
OWASP IoT top 10 2014
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
•
•
•
•
•
•
•
•
•
•
1 Insecure Web Interface
2 Insufficient Authentication/Authorization
3 Insecure Network Services
4 Lack of Transport Encryption
5 Privacy Concerns
6 Insecure Cloud Interface
7 Insecure Mobile Interface
8 Insufficient Security Configurability
9 Insecure Software/Firmware
10 Poor Physical Security
10
IoT privacy nightmare?
•
•
•
What is privacy?
What are the limitations of the current approach?
What are the risks?
HP IoT study: 90% of devices collected at least one
piece of personal information via the device, the cloud
or its mobile application
11
What is privacy?
• Abstract and subjective concept, hard to define
• Depends on cultural aspects, scientific discipline,
stakeholder, context
• Conflicts are inherent
discretion
transparency
harmony
social control
12
Legal approach
• Data controller: trusted
• Limited purpose: can be hard to define
• Consent: how will this work in IoT?
transparency
discretionIrish privacy
commissioner
here
harmony
social control
13
Privacy problems
•
•
•
•
•
•
Data breaches
Profiling
Discrimination
Manipulation
Prediction
Mass surveillance
14
Architecture is politics [Mitch Kaipor’93]
Need to rethink centralized architectures with massive storage of raw data (designed for
advertising/search/cost)
Avoid single point of trust that becomes single point of failure
15
Governance and Architectures:
Back to principles
• Data minimization through infrastructure
• Minimum disclosure: avoid centralized massive
amounts of data
• “cryptomagic”
• local computations with proof of security
• centralized storage but encrypted under local key (can still
do computations!)
16
Open Solutions
Open source solutions with effective governance
• who adds code
• who does code reviews
17
Conclusions
•
•
•
•
•
IoT technologies bring major privacy and security risks
•
we cannot afford to continue the “deploy now and fix later” model
Need to rethink everything
•
architectures: where is the data?
•
building blocks
•
deployment (including supply chain)
•
update mechanisms
Need open solutions with open audit
Support: legislation (economic incentives) and non-proliferation treaties
Essential to maintain our European sovereignty and values
18
CONTACT DETAILS
Bart Preneel, iMinds and COSIC KU Leuven
ADDRESS:
WEBSITE:
EMAIL:
TELEPHONE:
Kasteelpark Arenberg 10 Bus 2452,
3000 Leuven
homes.esat.kuleuven.be/~preneel/
[email protected]
+32 16 321148
www.facebook.com/iminds
@iminds
19
THANK YOU FOR YOUR TIME
VOITTAVA KYBERSTRATEGIA Jarno Limnéll

VOITTAVA KYBERSTRATEGIA Jarno Limnéll

(IoT) Security doesn’t matter

(IoT) Security doesn’t matter

Privacy Act Data Cover Sheet DOCUMENTS ENCLOSED ARE SUBJECT

Privacy Act Data Cover Sheet DOCUMENTS ENCLOSED ARE SUBJECT

How the Internet of Things (IoT) Will Reshape Facility

How the Internet of Things (IoT) Will Reshape Facility

“From Morse Codes to the Internet of Things

“From Morse Codes to the Internet of Things

Privacy Policy - cretronix.co.uk

Privacy Policy - cretronix.co.uk

Fall 2014/2015 IS 493 Syllabus Instructor: Dr. Saad Alaboodi Office

Fall 2014/2015 IS 493 Syllabus Instructor: Dr. Saad Alaboodi Office

NETWORKED SOCIETY - The future of telecom

NETWORKED SOCIETY - The future of telecom

Corporate Factsheet - L&T Technology Services

Corporate Factsheet - L&T Technology Services

Demographic Form - Joplin Eye Laser Center

Demographic Form - Joplin Eye Laser Center

IoT Live Schedule

IoT Live Schedule

IoT - Cloud Security Alliance

IoT - Cloud Security Alliance

abcdocz.com

© Copyright 2024