The reality of the Web is that you will never be totally safe – you will take damage. The question is, how are you going to deal with it?
Managing Director, Extratelligence
The TIM Lecture Series is hosted by the Technology Innovation Management (TIM) program at Carleton University in Ottawa, Canada. The lectures provide a forum to promote the transfer of knowledge between university research to technology company executives and entrepreneurs as well as research and development personnel. Readers are encouraged to share related insights or provide feedback on the presentation or the TIM Lecture Series, including recommendations of future speakers.
The first TIM lecture of 2014 was presented by Arnold Kwong, Managing Director of Extratelligence, whose lecture described aspects of his organization's research into web infections and protections over a 15-year period. The event was held at Carleton University on February 27th, 2014.
Kwong began the lecture by describing the key concept underlying the research effort at Extratelligence, which examines emerging threats against computers, networks, and infrastructure by new techniques and attack vectors using the analogy of biological infections and public health to use as a source of methodological treatment and mathematical models for computer-based agents that cause disruption or damage. Over time, the research has explored the strategy, protocols, and futures involved with ongoing countermeasures, conduct of technical practitioners, and the behaviour of the immersive Internet environment we now live in.
Threats, targets, threat vectors, infectious agents, and infections
In the parlance of the research, the process of looking at Internet-based problems, commonly referred to as “viruses”, “malware”, “Trojans”, and the like, considers perpetrators, targets, threat vectors, infectious agents, and infections.
The key lessons learned from the research are:
- The infections must be treated like a long-term public health problem.
- Infections will continue to occur.
- There are no "magic bullet" cures for infected software and hardware.
- There are not even techniques that will substantially reduce vulnerabilities.
- "Good behaviour" is not enough to protect you from infections.
- Infections will spread with astonishing speed on the Internet.
- There is no "magic immunity" from infections – even "disconnected" systems can be compromised.
- Damage from infections cannot be completely contained by prior planning or techniques.
In the instance of data privacy, the research developed a nomenclature of data privacy breaches, meaning that the data is under the access, control, or administration of other, unintended enterprises or people. This nomenclature has at least two dimensions: i) intentional (i.e., it was given up knowingly) and ii) unintentional (i.e., it was given up unknowingly or without anyone asking). Furthermore, the breach may be "active", meaning the is transmitted out from a source, or "passive", meaning the data was generated with or without the owner's knowledge.
The key lessons learned about data privacy are:
- A little paranoia is a good thing.
- You living your life will cause data to "seep" – and make money for somebody.
- Convenience often trumps privacy in real life.
- People will make money by collecting and monetizing your privacy.
- You do not have to be a target to have data collected.
- Staying "safe" on the Internet is not protective.
- Being "off the net" does not mean you have control over information about you.
However, individuals can mitigate their risk through constant vigilance and by not "oversharing" their data. Where possible, individuals should create an use "virtual personas" rather than reveal their own data. Similarly, they should also avoid using other people's computers (e.g., for Google logins). In addition, individuals can take the following technical steps:
1. Firewalls: install and maintain firewalls.
2. Anti-spam and anti-virus solutions: install them and keep them up to date.
3. Web browsers
- Use https where possible (SSL/TLS) (EFF HTTPS Everywhere add-on).
- Set "Do Not Track" everywhere.
- Close your browser(s) immediately after use (e.g., IE/Safari/Firefox/Opera/Webkit/Chrome/Dolphin).
- Do not allow third-party cookies (Ghostery, Better Privacy), location-tracking, "active" scripting, or "XSS".
- Do not save passwords or use automated form filling.
- Clear your caches, cookies, and history frequently (i.e., more often than daily).
- Use anonymizer software (e.g., TOR, Privoxy).
- Subscribe to "text only" emails whenever possible.
- Use multiple accounts (i.e., specialized to a persona) and consider throwaway accounts for transient interests.
- Consider whether you really need to use your real identity for a given interaction or whether a virtual persona will be sufficient.
- Trust organizations and individuals, but not by default.
- Change your passwords irregularly and often.
- Use Internet coffee shops infrequently.
- Do not install Java.
In the instance of data security (i.e., the ability to control data and related knowledge of it), consider the following properties and examples related to licence numbers:
- Existence: Do they have a license number? How many?
- Access: Can you provide the license number? Can you create one?
- Location: Can you find the license number?
- Content: What is the license number?
- Integrity: Is the license number the same?
- Status: Is the license number current?
- Manipulation: Can you change the license number?
- Format: Can you obtain an unencrypted license?
The key lessons learned about data security are:
- The key threat vector is the individual themselves.
- Data security cannot be completely assured while the data is useful and used.
- Threats can occur to data in motion, data at rest, and data in process.
- Connections expose data to more threats – and the more useful the data, the more connections.
- If it is on a shared server for others to access, they probably will access it.
- If it is on the public cloud, the public (and the government) can read it.
- Encryption is only what you make of it – and its processes. Most organizations have very poorly organized cryptographic controls.
- Answering a subpoena may be difficult depending on who knows enough to understand the questions.
- The legal process driving technical process is always very expensive.
- New infections cannot be guessed ahead of time. The flaws in code may not be obvious even upon inspection.
- New infection routes may be unknowable when systems and protocols are put in place. Who would have guessed that a flip cam could be infectious?
- New infection damage is hard to find. Most systems do not maintain enough integrity information to detect damage.
Kwong ended the presentation with predictions for the future from the Extratelligence:
- There will be a $30 million "Chip and PIN" card theft in European Union in the next 18 months (i.e., similar to Target in North America.)
- There will be a theoretical crypto-analytic attack on transport layer security (TSL) 1.2 before the end on 2014.
- There will be a real-time (non man-in-the-middle) crack on TSL 1.2 before the end of 2015 using commercially available hardware with key sizes less than 256 bits.
- The Advanced Encryption Standard (AES) 256 will be cracked by using commercially available hardware before the end of 2016 after a new "Snowden-style" leak.
- An effort will be made to revise and strengthen certificate authority (CA) processing, which will fail to be accepted before 2017.
- A distributed denial-of-service (DDoS) attack will exceed 1Tb/sec by mid 2016.
- Two major email marketers (i.e., spammers) will be caught and blacklisted by mid 2016. Spam levels will drop 50% on the Internet for three weeks and then return to their previous levels.
- A major infection will break out, affecting systems with more than 1 million web sites before 2016.
In the discussions that followed each portion of the presentation, audience members shared the lessons they learned from the presentation and injected their own knowledge and experience into the conversation.
The audience identified the following key takeaways from the presentation:
- Current approaches are too expensive and do not work. We need a new way of thinking.
- There is a parallel between the Internet and human biological systems: you can recover from some infections, but others will kill you.
- Our desire for convenience overcomes our reluctance to give up our data. So, in most cases, people are giving up security and privacy because they choose to; they are weighing the risks and rewards of their economic and emotional interests.
- Others are making value off your data, so there must be value there for you.
- The single largest threat to our security is the lack of education about the nature of current threats and the levels of risk we face.
- We need to raise the general level of awareness. And, for each of us, it begins at home – recognizing the vulnerabilities of our home computers, for example.
- Being "off the net" is not enough – you are still vulnerable because others hold data about you.
Finally, the audience was asked to identify practical actions that can be taken at a local level to address the problem presented by the speaker. The audience identified the following next steps:
- Seek out analogies from other domains; apply tools and frameworks from those domains to the domain of cybersecurity.
- Develop a multidisciplinary course at Carleton University. (This step is already underway as part of the activities of the VENUS Cybersecurity Corporation: [Bailetti et al., 2013], and is scheduled for Summer 2014)
- Connect successful local entrepreneurs with up-and-coming entrepreneurs in the cybersecurity domain. Include presentations about each participants future vision of a secure Internet.
- Characterize existing business models for cybersecurity and identify opportunities for new business models.
- Leverage local pools of relevant security expertise (e.g., data analytics in Ottawa)