INF529: Security and Privacy In Informatics
Social Networks
Big Data
Prof. Clifford Neuman
Lecture 8
3 March 2017
OHE 100C

Course Outline
• Overview of informatics privacy
• What data is out there and how is it used
• Technical means of protection
• Identification, Authentication, Audit
• The right of or expectation of privacy
• Social Networks and the social contract
• Big data – Privacy Considerations
• Measuring Privacy
• Criminal law, National Security, and Privacy
• Civil law and privacy
• International law and conflict across jurisdictions
• The Internet of Things
• The future – What can we do

Presentations
• 3/3 Social Networks & Privacy - Mariam Bubshait and Muaz Alkhalidi
• 3/3 Big Data and Data Mining - Haibo Zhang and Mengen Song
• 3/10 Criminal Investigations and National Security - Andrew Gronski
• 3/24 Private Browsing - Aparna Himmatramka
• 3/24 Mapping and Ride Sharing (Transportation) - Surabhi Subramanya
• 3/31 Cloud and Cloud Services - Krishna Mohan
• 4/7 Internet of Things - Apurv Tiwari
• 4/14 Smart Grids and Energy Systems - Sahil Mohamed
• 4/14 International Law and Security and Privacy - Abdullah Binkulaib
• 4/21 Balancing Privacy with Usability and Functionality - Akash Mukherjee
• 4/28 Consumer misconceptions about privacy - Kshitija Godse
• 4/28 The Future of Privacy - Mohammad AlSubaie

Social Networks Privacy: The User Side
Mariam Bubshait

Outline
• What kind of information is out there
• What can be done
• Statistics
• Privacy protections
• Geographic location tags
• Tools overview
• Experiment
• Legislation
• Recommendations

What kind of information is out there?
• Name
• Phone number
• Email address
• Connections
• Geo-location
• Posts
• Pictures
• And more

What can be done?
• Identity theft
• Impersonation
• Stalking
• Robbery

Statistics
• 81% of Internet-related crimes involve a social networking site.
• 78% of burglars have used Facebook, Twitter, Foursquare and Google Street View to select their victims.
• 54% of burglars were alerted to empty houses because people posted their travel plans and their statuses on social media.
• 50% of child sex offenders admitted obtaining information about the victim from their social networking profile.

Privacy Protections
• Two-factor authentication
• Identification of false log-in attempts
• Private/public account option
• Geo-location on/off option
• Find by e-mail on/off option

The problem is that most social networking sites use the opt-out approach for many of their features.

How much online privacy protection should be provided by the sites themselves?

It is the personal responsibility of the user to monitor what information is uploaded and shown.

Geographic Location Tags
• Geo-location tagging in social media over the past five years has revolutionized how its users share information with their followers by attaching their exact location to their posts.
• The geo-location settings on smartphones are easily turned on and forgotten about, which increases information leakage. This automated service gives the most cause for concern regarding the disclosure of private information.

Tools overview

Tool 1: Streamd.in
• Streamd.in is a mobile application that displays tweets based on the geographical location details that are attached to each tweet.
• Each tweet on the map is represented by the user’s profile picture.
• It allows filtering of tweets on the map by picture, user or specific keywords, which enables the user to narrow searches to avoid being overloaded with tweets that are of no interest.

Tool 2: Creepy
• Creepy is a social media aggregation program that gathers geolocation information from the social network platforms Twitter, Instagram, Flickr, and Google+.
• It provides all the geographical information needed to target a user on Google Maps, regardless of whether or not they have public accounts.

Experiment: finding the target

Experiment: Analyzing target’s behavior

Experiment:
• With the information that has been gathered on the target, it is quite clear that the use of geo-location tagging increases the risk of being a victim of stalking or even burglary. It was relatively easy to obtain addresses for the target’s work and home residence.
• The contents of individual tweets often give away a lot more information than the user intended.

Legislation
• Location Privacy Protection Act:
  - The Location Privacy Protection Act of 2015 would prohibit companies from collecting or disclosing geolocation information from an electronic communications device without the user's consent. It provides exceptions for parents tracking their children, emergency services, law enforcement, and other cases.
  - The bill would also prohibit development and distribution of "stalking apps," establish an Anti-Stalking Fund at the Department of Justice, and take other steps to prevent geolocation-enabled violence against women.
• Bill Status
  - On November 10, 2015, Senator Al Franken (D-MN) reintroduced this legislation for the 114th Congress. The bill was referred to the judiciary committee.

Recommendations
• Social media applications/sites should make some of their features opt-in
• Users should avoid using an actual picture of themselves as a profile picture
• Users should limit the use of the geo-location feature in any social media application
• Users should avoid connecting their social media accounts together
• Users should be selective about what they post on social media

References
• Welter A, Social Media and Crime, Crime Wire. URL: http://www.instantcheckmate.com/crimewire/social-media-and-crime2/#prettyPhoto
• Gan D, Jenkins L, Social Networking Privacy—Who’s Stalking You?, Future Internet, July 2015, 67-93.
• Geolocation Privacy Legislation, URL: http://www.gps.gov/policy/legislation/gpsact/
• Creepy, the Geolocation Information Aggregator. URL: http://resources.infosecinstitute.com/creepy/#gref

Thank You
Questions?

Privacy Policies in Social Media Networks
Prepared by: Muaz Alkhalidi, M.S. in Cyber Security Engineering candidate

Outline
• Introduction
• Why Is a Privacy Policy Important?
• Types of Social Networks
• Types of Users’ Information
• How Is the Information Used?
• Who Can Access the Information?
• Anonymity in Social Networks
• Privacy Policy Updates
• Account Deletion and Information Retention
• How to Be Safe?

Introduction
• What’s a Privacy Policy?
  “A Statement that declares a firm's or website's policy on collecting and releasing information about a visitor. It usually declares what specific information is collected and whether it is kept confidential or shared with or sold to other firms, researchers or sellers.” Business Dictionary.
• Privacy Policy vs. Terms of Use

Why Is a Privacy Policy Important?
• Identify what information is collected.
• Explain how the information is used and/or shared.
• Set users’ privacy expectations.
• Comply with local and international laws and regulations.
• Protect the Company/Website legally.
• “Information used with user’s consent”

Types of Social Networks
• Personal Networks
• Status Update Networks
• Location Networks
• Content-Sharing Networks
• Shared-interest Networks

Types of Users’ Information
• Information shared by the user
  - During account set-up
    • Name
    • Email Address
    • Phone Number
    • DoB
    • Age
    • Gender
    • Personal Photo
    • Billing Information
  - While using the service
    • Posts, comments and “likes”
    • Tags and mentions
    • Relations and friendships
    • Videos and photos
    • Traveling and Check-ins
• Information gathered about the user
    • Devices and IP addresses
    • Log Information
    • Direct Messages
    • Location
    • Cookies
    • Facial recognition
    • Browsing and viewing history
    • Purchase history
    • Online Behavior
    • Metadata

How Is the Information Used?
• Improving Services
• Advertising
• Domain Administration
• External Processing
• Legal Reasons

Who Can Access the Information?
• Advertisers
• Third-Party and Service Providers
• Government and Law Enforcement Agencies
• Creditors
• Affiliate Companies
• New Owners

Anonymity on Social Networks
• Data Aggregation
• De-Identification
• Non-Personally Identifying Information
• Can the shared information become personally identifiable?

Privacy Policy Updates
• Updates may be posted only on the website
• Some state that notices/emails will be sent to users
• Does it matter if you agree or not?

Account Deletion and Information Retention

Social Media Network    Retention Period (Days)
Facebook                90
Instagram               Not Specified
WhatsApp                Not Specified
Twitter                 30
Snapchat                30
Google                  Not Specified
Pinterest               Not Specified
LinkedIn                30 days to delete or de-personalize if not needed

How to Be Safe?
• Avoid using Personally Identifiable Information (PII)
• Set up a secondary email account
• Use a Virtual Private Network (VPN)
• Accept and follow friends who you know personally
• Disable location services
• Limit apps' access to your phone’s contacts, calendars, etc.
• Understand your privacy rights and options
• Protect your account (strong password, two-factor authentication)

Conclusion
• A privacy policy identifies what information will be collected, used and/or shared with others.
• It provides legal cover to the companies/websites.
• Your information can be shared by you or collected by others.
• Information is shared with multiple parties for different purposes.
• Different information about you is collected from different services.
• Privacy policies are updated continuously (especially after acquisitions).
• Once you share your information, it may be there forever.
• If it’s secret, don’t share it!

Thank you

References
• Business Dictionary http://www.businessdictionary.com/definition/privacy-policy.html
• Facebook Data Policy https://www.facebook.com/about/privacy
• Foursquare Labs, Inc. Privacy https://foursquare.com/legal/privacy
• Google Privacy Policy http://www.google.com/policies/privacy/#infochoices
• Instagram Privacy Policy https://www.instagram.com/about/legal/privacy/
• LinkedIn Privacy Policy https://www.linkedin.com/legal/privacy-policy
• Pinterest Privacy Policy https://about.pinterest.com/en/privacypolicy
• Snapchat Privacy Policy https://www.snap.com/enUS/privacy/privacy-policy/
• Tumblr Privacy Policy https://www.tumblr.com/policy/en/privacy
• Twitter Privacy Policy https://twitter.com/privacy?lang=en
• WhatsApp Privacy Policy https://www.whatsapp.com/legal/
• YouTube Privacy Guidelines https://www.youtube.com/t/privacy_guidelines

INF529: Security and Privacy in Informatics
Big Data and Data Mining
M.S. Candidate Haibo Zhang
3 March 2017
OHE100C

Outline
• What is Big Data
• Why is it important
• Who uses it
• How it works
• Steps of data mining
• Privacy Consideration
• What can be obtained from you
• How to protect your data

What is Big Data
• Big data is a term that describes the large volume of data – both structured and unstructured – that inundates a business on a day-to-day basis. But it’s not the amount of data that’s important. It’s what organizations do with the data that matters. Big data can be analyzed for insights that lead to better decisions and strategic business moves.

Why is it important
• cost reductions
• time reductions
• new product development and optimized offerings
• smart decision making

Who uses it
• Banking
  - finding new and innovative ways to manage big data
  - understand customers and boost their satisfaction
  - minimize risk and fraud
• Education
  - identify at-risk students
  - make sure students are making adequate progress
  - implement a better system for evaluation and support of teachers and principals
• Government
  - managing utilities
  - running agencies
  - dealing with traffic congestion
  - preventing crime
• Health Care
  - patient records
  - treatment plans
  - prescription information
• Manufacturing
  - solve problems faster
  - make more agile business decisions
• Retail
  - the best way to market to customers
  - the most effective way to handle transactions
  - the most strategic way to bring back lapsed business
• Case study: One classic example of the success of big data is the success of House of Cards. Netflix, the distributor of this TV show, collects data from its users and analyzes it. For example, it analyzes what kinds of shows or movies the users watch, share, and subscribe to, and from that infers which type of show, which director and which actors the users will prefer. That is how the director and actors of House of Cards were decided. Netflix then uses an algorithm to rank and recommend shows to the users, and most of the time, users will like them.

How it works
• Data mining
  - Data mining is the process of analyzing data from different perspectives and summarizing it into useful information.

Steps of data mining

Privacy Consideration
• Do you want others to use your data without your permission? - No
  How big data is used is causing concern among consumers. According to a survey, about 49% of consumers are less willing to share their personal information. Many consumers are now aware of the dangers of sharing their personal information and of the security issues involved in consenting to the sharing of their personal information online.
• Little privacy in the age of big data
  - Big data increases the risk. For one thing, big data breaches will be big breaches. For another, the more information you have, the more likely it is that it includes personal or sensitive information. Sources of information vary greatly, allowing multiple opportunities for infiltration. And finally, distributed computing, which is the only way to process the massive quantity of “big data”, opens up additional opportunities for data breaches.
• Can you avoid being a part of big data? - No
  Your cookie is the first target.

What can be obtained from you
• Browsers’ history (Google, Yahoo)
• Relations (Facebook)
• Shopping history (Bank)
• Locations (cell phones, cameras)
• Time to resign (Workday)
• What questions you have asked (Siri, Cortana)
• Mood (Facebook)

How to protect your privacy
• Effective bills
  - Consumer Privacy Bill of Rights by U.S.
  - The Data Protection Regulation by EU

How to protect your data
• Do Not Track
  - This is a kind of function published by the W3C. The function is included in many browsers as an option, which specifies that those browsers can only store and use users’ information with their permission.
• Users’ education
  - Be careful what you post online.
  - Do not provide your personal information.
  - Keep an eye on unknown websites and emails.
  - Firewalls and antivirus.
  - Using fuzzy passwords.
  - Cleaning trails.

Privacy vulnerabilities in Big Data
Mengchen Song

Main areas for risk
• Personal data protection
  Existing methods of protecting the identity of individuals may no longer be sufficient in the era of Big Data
• Financial liabilities
  The full extent of any financial liabilities for Big Data practices is unknown and at present unquantifiable
• Ethical dilemmas
  New ethical dilemmas are being created by the analysis of Big Data

Concerns
• Lack of Designed Security
• Anonymity Concerns
• Big Data Diversity is Complex
• Data Breaches Are Now Common
• Security Spending Still Low
• Big Data Skills Gap
• Data Brokers

10 Big Data Analytics Privacy Problems
• Privacy breaches and embarrassments
• Anonymization could become impossible
• Data masking could be defeated to reveal personal information
• Unethical actions based on interpretations
• Big data analytics are not 100% accurate
• Discrimination
• Few legal protections exist for the involved individuals
• Big data will probably exist forever
• Concerns for e-discovery
• Making patents and copyrights irrelevant

Invasion
• Discrimination
• An embarrassment of breaches
• Goodbye anonymity
• Government exemptions
• Your data gets brokered

Attack mode
• Decryption
  Crack weak passwords or default username and password
• Privilege escalation
  Raise the permissions accessible to the system
• Exploit the vulnerability
  Exploit vulnerabilities in unused and unwanted database services and features
• For non-patched database vulnerabilities
• SQL injection
• Steal a backup (unencrypted)

Xcode backdoor
• Download compiler from unreliable third party
• Inject virus into development software
• Monitor and upload personal private data from the device

Tumblr leakage
• Account and password divulge
• Decrypt encryption algorithm with SHA-1 by hackers
• Download user personal information and files from the website

Privacy and Big Data
Required reading:
• Big Data and the Future of Privacy, Epic.org
• Will Democracy Survive Big Data and Artificial Intelligence? Scientific American – 25 February 2017
• "Muslim registries", Big Data and Human Rights, Amnesty International – 27 February 2017.

What is Big Data
• Processing of large and complex data sets.
  – Often with multiple structures.
  – Data is mined to find trends, relationships, and correlations.
• Danger
  – By combining information from multiple sources, more can be inferred than specifically disclosed.
  – Inferences are imprecise
• The algorithms learn discrimination

What Data Mining Can Tell Us
Quite a lot, and acting on that information can cause problems.

Can algorithms illegally discriminate
CNBC – and Whitehouse report

But when it comes to systems that help make such decisions, the methods applied may not always seem fair and just to some, according to a panel of social researchers who study the impact of big data on public and society. The panel that included a mix of policy researchers, technologists, and journalists, discussed ways in which big data—while enhancing our ability to make evidence-based decisions—does so by inadvertently setting rules and processes that may be inherently biased and discriminatory. The rules, in this case, are algorithms, a set of mathematical procedures coded to achieve a particular goal. Critics argue these algorithms may perpetuate biases and reinforce built-in assumptions.
Also http://www.nextgov.com/big-data/2017/02/cfpb-wants-know-how-alternative-data-changes-creditscores/135695/

Current Events

http://thehackernews.com/2017/02/password-manager-apps.html?m=1
Aparna Himmatramka – 9 password manager applications on the Android platform were found to have critical vulnerabilities that affected all their users and seemed to have compromised all their stored credentials.

http://bgr.com/2017/02/23/alexa-privacy-first-amendment/
Akash Mukherjee - Amazon claims Alexa's speech falls under the First Amendment, and they are not compelled to hand over that data to law enforcement unless there is some transparent evidence. (I listed this one last week)

http://www.securityweek.com/forged-cookie-attack-affected-32-million-yahoo-users
Haibo Zhang - Over the past years, Yahoo has suffered from a forged cookie attack. In 2004, 500 million accounts were stolen and the people who did this forged cookies that allowed them to log into these accounts without a password. An investigation revealed that 32 million accounts have been affected by this incident.

http://www.securityweek.com/backdoor-found-dbltek-gsm-gateways
Mengchen Song - Researchers at Trustwave have identified a backdoor in GSM gateways manufactured by Hong Kong-based voice over IP (VoIP) solutions provider DBL Technology.

http://www.securityweek.com/google-expands-safe-browsing-protection-macos
Kshitija Godse – Google is enabling safer browsing experiences by improving defenses against unwanted software and malware targeting macOS. Safe Browsing is broadening its protection of macOS devices.

http://themindunleashed.com/2017/03/end-privacy-photos.html
Surabhi Subramanya – how a Russian photography and art student, Egor Tsvetkov, conducted an experiment called "Your Face is Big Data" in an attempt to show that the media we have shared on social networks is enough to identify us. -- He took pictures of 100 random people in the Moscow subway. Most of them were buried in their phones so they didn't even realize that they were being photographed. Through the facial recognition application he created (called "FindFace"), he was able to identify 70% of the photographed people on the social network “Vkontakte” (“InTouch”), which is more popular in Russia than Facebook.

https://threatpost.com/childrens-voice-messages-leaked-in-cloudpets-database-breach/123956/
Mariam Fahad Bubshait - Personal information of almost half a million users of CloudPets has been compromised due to very weak security measures, such as no authentication applied on accessing the database and minimal password requirements for users, which made this very easy to be compromised by hackers.

https://www.aclu.org/blog/speak-freely/trump-administration-threatening-publicly-release-private-data-immigrants-and
Mohammad Alsubaie – The Trump administration is threatening to publicly release the private data of immigrants and foreign visitors. With this sensitive data being shared between government agencies, not only is privacy affected, the security of all immigrants will be demolished as well.

http://www.securityweek.com/researchers-uncover-sophisticated-fileless-attack
Muaz M. Alkhalidi – Researchers Uncover Sophisticated, Fileless Attack: Researchers at Talos, Cisco's security arm, discovered a new non-malware attack designed to bypass anti-malware defense and use PowerShell to load the malicious code with writing any file to disk.

http://thehackernews.com/2017/03/fcc-ajit-pai-net-neutrality.html
Matthew Jackoski - The privacy rules that were approved by the FCC last October, which restricted an ISP’s ability to share online data with third parties without the consent of the user, have been suspended by the new FCC chairman Ajit Pai.

Krishna Mohan Sathi – x
Sahil Mohamed - x
Andrew Gronski – x
Apurv Tiwari - x
Abdullah Binkulaib. – x