Lecture33 - The University of Texas at Dallas

Download Report

Transcript Lecture33 - The University of Texas at Dallas

Data and Applications Security
Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Emerging Security Technologies
Biometrics
Digital Forensics
December 2011
Outline
 Digital Identity Management
 Identity Theft Management
 Digital Forensics
 Digital Watermarking
 Risk Analysis
 Economic Analysis
 Secure Electronic Voting Machines
 Biometrics
 Other Applications
Digital Identity Management
 Digital identity is the identity that a user has to access an
electronic resource
 A person could have multiple identities
- A physician could have an identity to access medical
resources and another to access his bank accounts
 Digital identity management is about managing the multiple
identities
- Manage databases that store and retrieve identities
- Resolve conflicts and heterogeneity
- Make associations
- Provide security
 Ontology management for identity management is an
emerging research area
Digital Identity Management - II
 Federated Identity Management
- Corporations work with each other across organizational
boundaries with the concept of federated identity
- Each corporation has its own identity and may belong to
multiple federations
Individual identity management within an organization
and federated identity management across organizations
 Technologies for identity management
- Database management, data mining, ontology
management, federated computing
-
Identity Theft Management
 Need for secure identity management
- Ease the burden of managing numerous identities
- Prevent misuse of identity: preventing identity theft
 Identity theft is stealing another person’s digital identity
 Techniques for preventing identity thefts include
- Access control, Encryption, Digital Signatures
- A merchant encrypts the data and signs with the public
-
key of the recipient
Recipient decrypts with his private key
Digital Forensics
 Digital forensics is about the investigation of Cyber crime
 Follows the procedures established for Forensic medicine
 The steps include the following:
- When a computer crime occurs, law enforcement officials
-
who are cyber crime experts gather every piece of
evidence including information from the crime scene (i.e.
from the computer)
Gather profiles of terrorists
Use history information
Carry out analysis
Digital Forensics - II
 Digital Forensics Techniques
- Intrusion detection
- Data Mining
- Analyzing log files
- Use criminal profiling and develop a psychological
profiling
- Analyze email messages
 Lawyers, Psychologists, Sociologists, Crime investigators
and Technologists have to worm together
 International Journal of Digital Evidence is a useful source
Steganography and Digital Watermarking
 Steganography is about hiding information within other
information
- E.g., hidden information is the message that terrorist may
be sending to their pees in different parts of the worlds
- Information may be hidden in valid texts, images, films
etc.
- Difficult to be detected by the unsuspecting human
 Steganalysis is about developing techniques that can analyze
text, images, video and detect hidden messages
- May use data mining techniques to detect hidden patters
 Steganograophy makes the task of the Cyber crime expert
difficult as he/she ahs to analyze for hidden information
- Communication protocols are being developed
Steganography and Digital Watermarking - II
 Digital water marking is about inserting information without
being detected for valid purposes
- It has applications in copyright protection
- A manufacturer may use digital watermarking to copyright
a particular music or video without being noticed
- When music is copies and copyright is violated, one can
detect two the real owner is by examining the copyright
embedded in the music or video
Risk/Cost Analysis
 Analyzing risks
- Before installing a secure system or a network one needs to
conduct a risk analysis study
- What are the threats? What are the risks?
 Various types of risk analysis methods
- Quantitative approach: Events are ranked in the order of risks
and decisions are made based on then risks
Qualitative approach: estimates are used for risks
 Security vs Cost
- If risks are high and damage is significant then it may be worth
the cost of incorporating security; If risks and damage are not
high, then security may be an additional cost burden
 Economists and technologists need to work together
- Develop cost models; Cost vs. Risk/Threat study
Secure Electronic Voting Machines
 We are slowly migrating to electronic voting machines
 Current electronic machines have many security
vulnerabilities
 A person can log into the system multiple times from different
parts of the country and cast his/her vote
 Insufficient techniques for ensuring that a person can vote
only once
 The systems may be attacked and compromised
 Solutions are being developed
 Johns Hopkins University is one of the leaders in the field of
secure electronic voting machines
Biometrics
 Early Identication and Authentication (I&A) systems, were
based on passwords
 Recently physical characteristics of a person are being sued
for identification
- Fingerprinting
- Facial features
- Iris scans
- Blood circulation
- Facial expressions
 Biometrics techniques will provide access not only to
computers but also to building and homes
 Other Applications
Data Mining for Biometrics
 Determine the data to be analyzed
- Data may be stored in biometric databases
- Data may be text, images, video, etc.
 Data may be grouped using classification techniques
 As new data arrives determine the group this data belongs to
- Pattern matching, Classification
 Determine what the new data is depending on the prior
examples and experiments
 Determine whether the new data is abnormal or normal
behavior
 Challenge: False positives, False negatives
Secure Biometrics
 Biometrics systems have to be secure
 Need to study the attacks for biometrics systems
 Facial features may be modified:
- E.g., One can access by inserting another person’s
features
Attacks on biometric databases is a major concern
 Challenge is to develop a secure biometric systems
-
Other Applications
 Email security
- Encryption
- Filtering
- Data mining
 Benchmarking
- Benchmarks for secure queries and transactions
 Simulation and performance studies
 Security for machine translation and text summarization
 Covert channel analysis
 Robotics security
- Need to ensure policies are enforced correctly when
operating robots
Introduction to Biometrics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to Biometrics
Outline
 Introduction to Biometrics
- What is Biometrics?
- What is the Process?
- Why Biometrics?
 Biometrics Resources
 What is Secure Biometrics
 Revisiting Topics to be covered
 Some exploratory research areas
 Some useful reference books
What is Biometrics?
 Biometrics are automated methods of recognizing a person
based on a physiological or behavioral characteristic
 Features measured: Face, Fingerprints, Hand geometry,
handwriting, Iris, Retinal, Vein and Voice
 Identification and personal certification solutions for highly
secure applications
 Numerous applications: medical, financial, child care,
computer access etc.
What is the Process?
 Three-steps: Capture-Process-Verification
 Capture: A raw biometric is captured by a sensing device
such as fingerprint scanner or video camera
 Process: The distinguishing characteristics are extracted
from the raw biometrics sample and converted into a
processed biometric identifier record
Called biometric sample or template
 Verification and Identification
- Matching the enrolled biometric sample against a single
record; is the person really what he claims to be?
Matching a biometric sample against a database of
identifiers
-
Why Biometrics?
 Biometrics replaces Traditional Authentication Methods
 Provides better security
 More convenient
 Better accountability
 Applications on Fraud detection and Fraud deterrence
 Dual purpose
- Cyber Security and National Security
Why Biometrics? (Continued)
 Authentication mechanisms often used are User ID and
Passwords
 However password mechanisms have vulnerabilities
- Stealing passwords etc.
 Biometrics systems are less prone to attacks
 Need sophisticated techniques for attacks
- Cannot steal facial features and fingerprints
- Need sophisticated image processing techniques for
modifying facial features
Why Biometrics? (Continued)
 Biometrics systems are more convenient
 Need not have multiple passwords or difficult passwords
- E.g., characters, numbers and special symbols
- Need not remember passwords
 Need not carry any cards or tokens
 Better accountability
- Can determine who accessed the system with less
complexity
Why Biometrics? (Concluded)
 Dual Purpose
- Cyber Security and National Security
 Access to computer systems and networks
 Fraud detection
- Who has intruded the system?
- Who has entered the building
- Surveillance and monitoring
 Fraud Deterrence
- Because of biometrics systems, people are nervous to
-
commit crimes
Stealing from supermarkets and shops, etc.
Biometrics Resources
 Biometrics Consortium is the major resource
- www.biometrics.org
 Another Resource
- http://www.biometricsinfo.org/
 Has Information on
- Who is doing what
 Academia,
-
Industry and Government
White papers on Biometrics technologies
 Fingerprint detection, facial recognition, Iris scanning,
----
Biometrics Resources: What is academia doing?
 Michigan State University
- Developing algorithms for fingerprint detection, etc.
 West Virginia University
- Forensic identification initiative
 San Jose State University
- Mathematical concepts
Biometrics Resources: What is Industry doing?
 Focus is on building faster and cheaper devices
 More accuracy, less false positives and negatives
 Incorporating biometrics into mobile devices, Smartcards
 Biometrics in healthcare: delivering medication to correct
patients
 Biometrics in child care: Children are picked up by those
authorized
 Protecting digital content
- Ensuring that voice and video are not altered
Vendors: http://www.biometricsinfo.org/vendors.htm
Biometrics Resources: What is Government
doing?
 NSA (National Security Agency)
- Research on protecting critical information systems
 DoD (Department of Defense)
- Biometrics Management Office
- Provide Armed forces access to Biometrics systems for
combat operations
 DHS (Department of Homeland Security; Immigration and
Nationalization Service)
- Biometrics technologies at Airports
 NIST (National Institute of Standards and Technologies)
Major player in Biometrics
-
Activities of NIST
 Measurements, Testing and Standards is NIST’s mission
 Focus on Biometrics Standards
 Activities
- Biometrics Consortium
- Common Biometric Exchange File Format
- Biometric Interoperability, Performance and Assurance
-
Working Group
BioAPI Consortium
Various Standards
Activities of NIST (Continued)
 Biometrics Consortium is the Government focal point for
research, development and testing of Biometric products and
technologies
 Common Biometric Exchange File Format is a product of the
consortium to develop common fingerprint template formats
 Biometrics Interoperability working group promotes common
definitions and concepts for exchanging information between
national and international partners
 BioAPI consortium develops common Application
Programming Interfaces for biometrics technologies
Activities of NIST (Concluded)
 NIST is developing standards for the following:
- Finger image format for data Interchange
- Face image format for data interchange
- Iris image format for data interchange
- Signature image format for data interchange
 NIST is working with International standards organizations for
joint standards
- ISO (International Standards Organization)
What is Secure Biometrics?
 Study the attacks of biometrics systems
- Modifying fingerprints
- Modifying facial features
 Develop a security policy and model for the system
- Application independent and Application specific policies
- Enforce Security constraints
 Entire
face is classified but the nose can be displayed
- Develop a formal model
- Formalize the policy
 Design the system and identify security critical components
- Reference monitor for biometrics systems
Security Vulnerabilities
 Type 1 attack: present fake biometric such a synthetic
biometric
 Type 2 attack: Submit a previously intercepted biometric data:
replay
 Type 3 attack: Compromising the feature extractor module to
give results desired by attacker
 Type 4 attack: Replace the genuine feature values produced
by the system by fake values desired by attacker
 Type 5 attack: Produce a high number of matching results
 Type 6 attack: Attack the template database: add templates,
modify templates etc.
Security and Privacy for Biometrics
 Privacy of the Individuals have to be protected
 CNN News Release: August 29, 2005
- Distorting Biometrics Enhances Security and Privacy
- Biometric data converted to numerical strings by
-
mathematical algorithm for later use
If the mathematical templates are stolen could be
dangerous
Researchers have developed method to alter the images
in a defined and repeated way
Hackers steal the distortion not the original face or
fingerprint
Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Outline
 Introduction
 Applications
- Law enforcement, Human resources, Other
 Services
 Benefits
 Using the evidence
 Conclusion
Digital Forensics
 Digital forensics is about the investigation of crime including
using digital/computer methods
 More formally: “Digital forensics, also known as computer
forensics, involved the preservation, identification, extraction,
and documentation of computer evidence stored as data or
magnetically encoded information”, by John Vacca
 Digital evidence may be used to analyze cyber crime (e.g.
Worms and virus), physical crime (e.g., homicide) or crime
committed through the use of computers (e.g., child
pornography)
Relationship to Intrusion Detection, Firewalls,
Honeypots
 They all work together with Digital forensics techniques
 Intrusion detection
- Techniques to detect network and host intrusions
 Firewalls
- Monitors traffic going to and from and organization
 Honeypots
- Set up to attract the hacker or enemy; Trap
 Digital forensics
- Once the attack has occurred or crime committed need to
decide who committed the crime
Computer Crime
 Computers are attacked – Cyber crime
- Computer Virus
 Computers are used to commit a crime
- E.g., child predators, Embezzlement, Fraud
 Computers are used to solve a crime
 FBI’s workload: Recent survey
- 74% of their efforts on white collar crimes such as
-
healthcare fraud, financial fraud etc.
Remaining 26% of efforts spread across all other areas
such as murder and child pornography
Source: 2003 Computer Crime and Security Survey, FBI
Objective and Priority
 Objective of Computer Forensics
- To recovery, analyze and present computer based
material in such a way that is it usable as evidence in a
court of law
Note that the definition is the following: “computer
forensics, involves the preservation, identification,
extraction, and documentation of computer evidence
stored as data or magnetically encoded information”, by
John Vacca
 Priority
- Main priority is with forensics procedures, rules of
evidence and legal processes; computers are secondary
- Therefore accuracy is crucial
-
Accuracy vs Speed
 Tradeoffs between accuracy and speed
- E.g., Taking 4 courses in a semester vs. 2 courses; more
likely to get Bs and not As
Writing a report in a hurry means likely less accurate
 Accuracy: Integrity and Security of the evidence is crucial
- No shortcuts, need to maintain high standards
 Speed may have to be sacrificed for accuracy.
- But try to do it as fast as you can provided you do not
compromise accuracy
-
The Job of a Forensics Specialist
 Determine the systems from which evidence is collected
 Protect the systems from which evidence is collected
 Discover the files and recover the data
 Get the data ready for analysis
 Carry out an analysis of the data
 Produce a report
 Provide expert consultation and/or testimony?
Applications: Law Enforcement
 Important for the evidence to be handled by a forensic expert;
else it may get tainted
 Need to choose an expert carefully
What is his/her previous experience? Has he/she worked
on prior cases? Has he/she testified in court? What is
his/her training? Is he CISSP certified?
 Forensic expert will be scrutinized/cross examined by the
defense lawyers
 Defense lawyers may have their own possibly highly paid
experts?
-
Applications: Human Resources
 To help the employer
- What web sites visited?
- What files downloaded
- Have attempts been made to conceal the evidence or
fabricate the evidence
- Emails sent/received
 To help the employee
- Emails sent by employer – harassment
Notes on discrimination
- Deleted files by employer
-
Applications: Other
 Supporting criminals
- Gangs using computer forensics to find out about
members and subsequently determine their whereabouts
 Support rogue governments and terrorists
- Terrorists using computer forensics to find out about
what we (the good guys) are doing
 We and the law enforcement have to be one step ahead of the
bad guys
 Understand the mind of the criminal
Services
 Data Services
- Seizure, Duplication and preservation, recovery
 Document and Media
- Document searched, Media conversion
 Expert witness
 Service options
 Other services
Data Services
 Data Seizure
- The expert should assist the law enforcement official in
collecting the data.
Need to identify the disks that contain the data
 Data Duplication and Preservation
- Data absolutely cannot be contaminated
- Copy of the data has to be made and need to work with
the copy and keep the original in a safe place
 Data Recovery
- Once the device is seized (either local or remote) need to
use appropriate tools to recover the data
-
Data Services: Finding Hidden Data
 When files are deleted, usually they can be recovered
 The files are marked as deleted, but they are still residing in
the disk until they are overwritten
 Files may also be hidden in different parts of the disk
 The challenge is to piece the different part of the file together
to recover the original file
 There is research on using statistical methods for file
recovery
 http://www.cramsession.com/articles/files/finding-hiddendata---how-9172003-1401.asp
 http://www.devtarget.org/downloads/ca616-seufertwolfgarten-assignment2.pdf
Document and Media Services
 Document Searches
- Efficient search of numerous documents
- Check for keywords and correlations
 Media Conversion
- Legacy devices may contain unreadable data. This data
-
ahs to be converted using appropriate conversion tools
Should be placed in appropriate storage for analysis
Expert Witness Services
 Expert should explain computer terms and complicated processes in
an easy to understand manner to law enforcement, lawyers, judges
and jury
- Computer technologists and lawyers speak different languages
 Expertise
- Computer knowledge and expertise in computer systems,
storage
- Knowledge on interacting with lawyers, criminology
- Domain knowledge such as embezzlement, child exploitation
 Should the expert witness and the forencis specialist be one and the
same?
Service Options
 Should provide various types of services
- Standard, Emergency, Priority, Weekend After hours
services
 Onsite/Offsite services
 Cost and risks – major consideration
 Example: Computer Forensics Services Corporation
- http://www.computer-forensic.com/
- As stated in the above web site, this company provides
“expert, court approved, High Tech Investigations,
litigation support and IT Consulting.” They also
"Preserve, identify, extract, document and interpret
computer data. It is often more of an art than a science,
but as in any discipline, computer forensic specialists
follow clear, well-defined methodologies and procedures.”
Other Services
 Computer forensics data analysis for criminal and civil
investigations/litigations
 Analysis of company computers to determine employee
activity
If he/she conducting his own business and/or
downloading pornography
- Surveillance for suspicious event detection
 Produce timely reports
-
Benefits of using Professional services
 Protecting the evidence
- Should prevent from damage and corruption
 Secure the evidence
- Store in a
secure place, also use encryption technologies
such as public/private keys
 Ensure that the evidence is not harmed by virus
 Document clearly who handled the data and when - auditing
 Cleint/Attoney privilege
 Freeze the scene of the crime – do not contaminate or change
Using the Evidence:
Criminal and Civil Proceedings
 Criminal prosecutors
 Civil litigation attorneys – harassment, discrimination,
embezzlement, divorce
 Insurance companies
 Computer forensics specialists to help corporations and
lawyers
 Law enforcement officials
 Individuals to sue a company
 Also defense attorneys, and “the bad guys”
Issues and Problems that could occur
 Computer Evidence MUST be
- Authentic: not tampered with
- Accurate: have high integrity
- Complete: no missing points
- Convincing: no holes
- Conform: rules and regulations
- Handle change: data may be volatile and time sensitive
- Handle technology changes: tapes to disks; MAC to PC
- Human readable: Binary to words
Legal tests
 Countries with a common law tradition
- UK, US, Possibly Canada, Australia, New Zealand
 Real evidence
- Comes from an inanimate object and can be examined by
the court
 Testimonial evidence
- Live witness when cross examined
 Hearsay
Wiki entry “Hearsay in English law and Hearsay in United
States law, a legal principle concerning the admission of
evidence through repetition of out-of-court statements”
 Are the following admissible in court?
- Data mining results, emails, printed documents
-
Traditional Forensics vs Computer Forensics
 Traditional Forensics
- Materials tested and testing methods usually do not
change rapidly
Blood, DNA, Drug, Explosive, Fabric
 Computer Forensics
- Material tested and testing methods may change rapidly
- We did not have web logs in back in 1990
- We did not have RAID storage in 1980
-
Conclusion
 Important to have experts for computer forensics evidence
gathering and analysis
 Important to secure the evidence: authenticity, completeness,
integrity
 Important to have the proper tools for analysis
 Important to apply the correct legal tests
 Computer forencis can be used to benefit both the “good and
bad guys”
 Need to be several steps smarter than the enemy