What TC Can and Can't Do

Guarantee that the EK is safe?
- Yes, because it is stored in and used by hardware only
- No, because it can be obtained by someone with physical access, but this can be detected by the user or a remote system (the tamper bit is set in the TPM)

Guarantee that no keys can be compromised?
- No: keys that go to the OS and are used by software can still be compromised

Guarantee that applications cannot be changed or compromised?
- No: I can only detect compromise by comparing hashes of applications in hardware

What TC Can and Can't Do (continued)

Guarantee that no rootkits can reside on the system?
- No, but we can detect compromise by comparing hashes of OS files in hardware

Guarantee that applications cannot interfere with each other?
- Yes, due to OS separation

Guarantee data safety on disk?
- Yes: we can encrypt data separately for each virtual system, and we can encrypt the whole disk
- No: because encryption happens in software

Privacy

What is Privacy?
- Privacy is about PII
- It is primarily a policy issue
- Privacy is an issue of user education
  - Make sure users are aware of the potential use of the information they provide
  - Give the user control
- Privacy is a security issue
  - Security is needed to implement the policy

Security v. Privacy
- Sometimes conflicting
  - Many security technologies depend on identification
  - Many approaches to privacy depend on hiding one's identity
- Sometimes supportive
  - Privacy depends on protecting PII (personally identifiable information)
  - Poor security makes it more difficult to protect such information

Debate on Attribution
- How much low-level information should be kept to help track down cyber attacks?
  - Such information can be used to breach privacy assurances
  - How long can such data be kept?

Privacy is Not the Only Concern
- Business concerns
  - Disclosing information we think of as privacy-related can divulge business plans
    - Mergers
    - Product plans
    - Investigations
- Some "private" information is used for authentication
  - SSN
  - Credit card numbers

You Are Being Tracked
- Location
  - From IP address
  - From cell phones
  - From RFID
- Interests, purchase history, political/religious affiliations
  - From RFID
  - From transaction details
  - From network and server traces

You Are Being Tracked (continued)
- Associates
  - From network, phone, and email records
  - From location-based information
- Health information
  - From purchases
  - From location-based information
  - From web history

Why Should You Care?
- Aren't the only ones who need to be concerned about privacy the ones who are doing things they shouldn't?
- Consider the following:
  - Use of information outside its original context
  - Certain information may be omitted
  - Implications may be misrepresented
  - Inference of data that is sensitive
  - Data can be used for manipulation

Aggregation of Data
- Consider whether it is safe to release information in aggregate
  - Such information is presumably no longer personally identifiable
  - But given partial information, it is sometimes possible to derive other information by combining it with the aggregated data

Anonymization of Data
- Consider whether it is safe to release information that has been stripped of so-called personal identifiers
  - Such information is presumably no longer personally identifiable
- What is important is not just anonymity, but linkability
- If I can link multiple queries, I might be able to infer the identity of the person issuing the queries through one of them, at which point all anonymity is lost

Traffic Analysis
- Even when the specifics of communication are hidden, the mere knowledge of communication between parties provides useful information to an adversary
  - E.g. pending mergers or acquisitions
  - Relationships between entities
  - Creates visibility into the structure of an organization
  - Allows some inference about interests

Information for Traffic Analysis
- Lists of the web sites you visit
- Email logs
- Phone records
- Perhaps you expose the linkages yourself through web sites like LinkedIn
- Consider what information remains in the clear when you design security protocols

Network Trace Sharing
- Researchers need network data
  - To validate their solutions
  - To mine and understand trends
- Sharing network data creates necessary diversity
  - Enables generalization of results
  - Creates a lot of privacy concerns
  - Very few public traffic trace archives (CAIDA, WIDE, LBNL, ITA, PREDICT, CRAWDAD, MIT DARPA)

Sanitization
- Remove or obscure (anonymize) sensitive data
  - Remove packet contents and application headers
  - Anonymize IP addresses
    - Positional: anonymize in order of appearance. Inconsistent across traces, and loses information about networks
    - Cryptographic: anonymize by encrypting with a key. Consistent, but still loses information about networks
    - Prefix-preserving: the cryptographic approach is applied to portions of the IP address separately, to preserve network information
- Sanitization loses a lot of data: application headers, contents, IP addresses
  - This is acceptable for some research but not for all
- Sanitized data still has sensitive information

Attack Classes
- Passive attacker
  - Observes a publicly released trace
  - Uses some public or private auxiliary information to infer private data
- Active attacker
  - Inserts traffic during trace collection
  - Identifies this traffic later in the public trace
    - This creates an auxiliary information channel
    - Can learn what method was used to obscure private data
    - Can verify the presence or absence of data items with the same/similar values in other records
  - The provider cannot identify injected traffic
- Covert channel
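The "No, I can only detect compromise by comparing hashes" answers on the What TC Can and Can't Do slides come down to a measurement chain. The following Python is an added example, not code from the slides: it simulates how hashes of OS files and applications are folded into a TPM-style register and compared against a known-good value. A modified binary changes the register value and is flagged, but nothing in the comparison stops the modified file from being used. The file names and contents are constructed, and the extend step follows the TPM PCR pattern (new = H(old || measurement)) by assumption.

```python
import hashlib

# Constructed stand-ins for the OS files and applications a measured boot would hash.
# A real system hashes the binaries on disk; here the "files" are in-memory byte strings.
GOLDEN_FILES = {
    "/boot/kernel": b"kernel image v1",
    "/sbin/init": b"init binary v1",
    "/usr/bin/app": b"application v1",
}


def measure(contents: bytes) -> bytes:
    """Hash of one file: this digest is all the hardware-side record ever holds."""
    return hashlib.sha256(contents).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend (assumed pattern): new = H(old || measurement).
    One-way and order-sensitive, so a register value can only be reproduced by
    feeding in the same measurements in the same order."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(files: dict[str, bytes]) -> bytes:
    """Measure every file, in a fixed order, into a simulated PCR that starts at zero."""
    pcr = bytes(32)
    for path in sorted(files):
        pcr = pcr_extend(pcr, measure(files[path]))
    return pcr


def attest(files: dict[str, bytes], golden_pcr: bytes) -> bool:
    """Remote-attestation style check: does the measured state equal the known-good
    value? This detects a change; it does nothing to prevent the changed file running."""
    return measure_chain(files) == golden_pcr


def modified_paths(files: dict[str, bytes], golden_hashes: dict[str, bytes]) -> list[str]:
    """Per-file comparison against a golden hash list: which files no longer match?
    A missing file counts as modified (its hash is computed over empty contents)."""
    return sorted(p for p, h in golden_hashes.items() if measure(files.get(p, b"")) != h)


GOLDEN_PCR = measure_chain(GOLDEN_FILES)
GOLDEN_HASHES = {p: measure(c) for p, c in GOLDEN_FILES.items()}


def tampered_files() -> dict[str, bytes]:
    """Constructed: the same file set with one system binary altered."""
    t = dict(GOLDEN_FILES)
    t["/sbin/init"] = b"init binary v1 with an extra hook"
    return t


if __name__ == "__main__":
    bad = tampered_files()
    print("golden attests:  ", attest(GOLDEN_FILES, GOLDEN_PCR))
    print("tampered attests:", attest(bad, GOLDEN_PCR))
    print("changed files:   ", modified_paths(bad, GOLDEN_HASHES))
```

The verifier only ever sees digests and the final register value, which is why the slides say keys and data that leave the hardware and are handled by software are still exposed: the check tells you the software state differs from the golden one, and no more.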
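The Sanitization slide names three ways to anonymize IP addresses (positional, cryptographic, prefix-preserving) and states what each keeps and loses. The Python below is an added example, not code from the slides or from any trace-archive tool, that implements all three on a small constructed flow trace so the differences can be checked directly: positional mapping changes when the order of appearance changes, the keyed-hash mapping is consistent but scatters neighbouring hosts, and the prefix-preserving mapping keeps exactly the number of leading bits two addresses share. The prefix-preserving construction (each output bit is the input bit XORed with a keyed pseudo-random bit derived from the preceding input bits) is a simplification of the Crypto-PAn idea and is an assumption of this example; the key and the trace records are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key; a real trace provider would generate and guard this secret.
KEY = b"constructed-demo-key"

# Constructed flow records: (src, dst, byte count, payload).
TRACE = [
    ("10.0.0.1", "192.168.1.10", 512, b"GET /index.html"),
    ("10.0.0.2", "192.168.1.10", 128, b"GET /login"),
    ("10.0.0.1", "192.168.1.20", 64, b"PING"),
]


def ip_to_bits(ip: str) -> str:
    return format(int(ipaddress.IPv4Address(ip)), "032b")


def bits_to_ip(bits: str) -> str:
    return str(ipaddress.IPv4Address(int(bits, 2)))


class PositionalAnonymizer:
    """Positional: the n-th distinct address seen becomes 0.0.0.n.
    The mapping depends on order of appearance, so two traces of the same
    network disagree, and all prefix structure is discarded."""

    def __init__(self) -> None:
        self.table: dict[str, str] = {}

    def anonymize(self, ip: str) -> str:
        if ip not in self.table:
            self.table[ip] = bits_to_ip(format(len(self.table) + 1, "032b"))
        return self.table[ip]


def crypto_anonymize(key: bytes, ip: str) -> str:
    """Cryptographic: keyed hash of the whole address, truncated to 32 bits.
    Consistent wherever the same key is used, but hosts in one /24 land at
    unrelated pseudo-addresses, so network structure is lost."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).digest()
    return str(ipaddress.IPv4Address(int.from_bytes(digest[:4], "big")))


def prefix_preserving_anonymize(key: bytes, ip: str) -> str:
    """Prefix-preserving (assumed, Crypto-PAn style): output bit i is input bit i
    XORed with a keyed pseudo-random bit that depends only on input bits 0..i-1.
    Addresses sharing their first k bits therefore share their first k output bits."""
    bits = ip_to_bits(ip)
    out = []
    for i in range(32):
        flip = hmac.new(key, bits[:i].encode(), hashlib.sha256).digest()[0] & 1
        out.append(str(int(bits[i]) ^ flip))
    return bits_to_ip("".join(out))


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two addresses have in common."""
    ba, bb = ip_to_bits(a), ip_to_bits(b)
    n = 0
    while n < 32 and ba[n] == bb[n]:
        n += 1
    return n


def sanitize_trace(records, anonymize):
    """The slide's two sanitization steps: drop payload, pseudonymize both addresses.
    Byte counts are kept, as a trace archive typically would."""
    return [(anonymize(src), anonymize(dst), nbytes) for src, dst, nbytes, _payload in records]


if __name__ == "__main__":
    pp = lambda ip: prefix_preserving_anonymize(KEY, ip)
    for src, dst, nbytes in sanitize_trace(TRACE, pp):
        print(src, "->", dst, nbytes)
    print("shared bits 10.0.0.1/10.0.0.2, raw:", shared_prefix_len("10.0.0.1", "10.0.0.2"))
    print("shared bits after prefix-preserving:", shared_prefix_len(pp("10.0.0.1"), pp("10.0.0.2")))
```

Running it shows why the slides say sanitized data still carries sensitive information: with either consistent scheme, a host appears under the same pseudonym in every record, so anyone who learns one plaintext/pseudonym pair (the active attacker on the Attack Classes slide learns it from the traffic they inserted) can follow that host through the whole release, and with the prefix-preserving scheme the subnet neighbours of that host are exposed as well.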