Security Issues.doc

CS 105 Course Outline SECURITY ISSUES (Fred Geldon)I. Covert Government surveillanceA. Fourth Amendment“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”B. WiretapsFederal Communications Act of 1934 banned interception without consentSpecifically allowed (with warrant) in Omnibus Crime Control and Safe Streets Act of 1968 Wiretapping regulations extended to electronic communications by Electronic Communications Privacy Act of 1986Test: Is there reasonable expectation of privacy? C. Operation Shamrock in WWII - NSAContinuation of World War II interception of international telegramsD. Communications Assistance for Law Enforcement Act of 1994 (CALEA)Telecommunications equipment must be designed to allow government (with court order) to intercept telephone communications, trace$500 Million authorized for modification of HW, SWInformation services (“Voice Over IP”) exempt from design requirement E. USA PATRIOT Act(Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) (October 26, 2001)1. Greater authority to monitor communicationsGreater powers to regulate banksGreater border controlsBut 2. Pen registers on Web browsers – reveal URLRoving surveillanceSearches and seizures without warrantsWarrants issued without showing of probable causeService providers (ISP’s) can be required to provide subscribers’ web browsing info, email.Libraries - fighting disclosure of borrowing information3. FBI claims law enforcement benefits Charges, convictions ButAre attacks prevented Wrongful charges and abuses “Sunset” provisions renewed in 20054. Extraterritorial application? – can prosecute if internet communications go through US (as most do) and is illegal under US law (even if not under law of home country).F. Government misuse of personal data. 1. There are 2000 government databases, with valid uses: law enforcement, public safety, eligibility fraud.2. But is “Big Brother” watching you? Is “Big Brother” trustworthy? – higher standards because it is coercive. “Enemies list,” profiling (NCIC), PATRIOT Act issues 3. Total Information Awareness Proposed by Defense Advanced Research Projects Agency (DARPA)Goal: identify terrorists by looking for patterns in dataLarge security and privacy risks4. CAPPS II – aborted program for vast airlines screening system/data mining system II. Identity and PrivacyA. Identity TheftMisuse of another person’s identity Credit card fraud #1 type of identity theftEase of opening accounts contributes to problem10 million victims in 2004 aloneHow – mailboxes, Dumpster diving, Shoulder surfing, Skimmers (wedges) to get credit card number, PhishingB. Social Security NumbersSocial Security cards first issued 1936Originally used only for SS purposesUse of SSN has gradually increasedSSN is a poor identification numberNot uniqueRarely checkedNo error-detecting capabilityC. National ID CardWould reduce illegal entry to U.S.Would prevent illegal aliens from workingWould reduce crimeOther democratic countries have national ID cardsButNo card guarantees identification, and no biometric-based system is 100% accurateMakes government data mining simplerMake law-abiding people more vulnerable to fraud and indiscretionsD. REAL ID Act of 2005New licenses must be issued by end of 2008Will be required to open bank account, fly on commercial airplane, or receive government serviceRequires applicants to supply 4 different IDsWill probably contain a biometric identifierConsequencesBetter identification means better law enforcementPeople won’t be able to change identitiesCentralized databases could lead to more identity theftIII. EncryptionA – Why do we need it? Vulnerability of internet transmissions - internet originally designed as communications medium for research, so openness was built into architecture. Sensitivity of data, e-commerce, data storage Threats to security – hacking, etc. But encryption can also mask criminal activityB – Traditional, symmetric encryptionSingle key used to encrypt and decrypt a messageBoth sender and receiver must have the key or code bookProblem: How does sender get key to receiver?If bad guy gets key, security is broken One-to-one: How to extend to multi-party marketplace?C – Public Key Cryptography (PKI) Assymmetric encryptionEach person has key pair: public and privateTo send R a message, encrypt it with R’s public keyOnly R can decrypt message with R’s private keyOnly S can encrypt signature with S’s private key (。