
ICT security and Open Data

899 views

Published on

Should we care about ICT security if the processed data are open? Of course. There is no threat of the data being stolen, because they are not confidential, but security is not only about confidentiality. During my speech I will demonstrate some scenarios which could have a significant impact, despite the fact that the processed data are open. I will also show what should be taken into consideration in terms of ICT security when implementing an "Open Data" project.

Presentation from Digital Baltic Conference

Published in: Internet

ICT security and Open Data

  1. ICT Security and Open Data. Should we care? Wojciech Dworakowski
  2. Who am I?
  3. Agenda: Open Data systems; IT security risks by examples; What is security? How to achieve it?
  4. Polish Ministry of Work and Social Policy (2008): defacement. Source: http://news.softpedia.com/ Source: http://www.dawidd.master.pl/ Source: http://www.niebezpiecznik.pl
  5. Malware serving: a user visiting an infected website can be attacked. Example: "Nearly 100 Thai Government websites were hacked and used to serve malware last month. More than 500 distinct attacks were launched from these websites." Source: http://news.netcraft.com/archives/2014/05/06/thai-government-websites-infested-with-malware.html
  6. Malware hosting. Source: W. Dworakowski, SecuRing
  7. Impact: loss of reputation; loss of users' trust; loss of PageRank
  8. Denial of service. DDoS (Distributed Denial of Service). Ex: Latvia (2008), South Korea (2009), Ukraine (2014). • Multiple connections from around the world • Relatively easy to launch • Difficult to fight and expensive to protect
  9. Is it difficult?
  10. Too Open Data. Source: http://news.bbc.co.uk/2/hi/technology/8533641.stm
  11. Was it difficult? 7.4 mln tax records leaked, ~120 GB of tax data. "Hacking" script: for i in {1..7500000}; do wget http://www2.vid.gov.lv/eds/Pages/GetDuf.aspx?id=$i; done
  12. Unauthorized modification of data: system for recruitment to high schools in Poland; possibility to modify a candidate's grades. Source: niebezpiecznik.pl
  13. Unauthorized modification of data. Consider more sensitive systems, e.g.: • Legal Register of Companies • Statistical data • National election results (realtime)
  14. Data mining / scraping: Polish Land Registry
  15. Data scraping. Access to: • Property data • Owners' data (including ID, address) • Mortgage data (amount, bank, date). But… the user has to: • Know the register number (incremental, with one control digit) • Enter a captcha (could be bypassed in the past, or human-solved at about $2 / 1000 captchas)
  16. 18722717 indexed land registers. Collected data: 31066649 plots, 1628061 buildings, 6812230 premises. About 7 EUR / record
  17. Deanonymization & re-identification: statistical methods of analysis; finding a unique user "fingerprint"; correlation with other datasets. 87% of US citizens have a unique combination of gender, ZIP and date of birth.* (* Latanya Sweeney, Uniqueness of Simple Demographics in the U.S. Population, http://www.citeulike.org/user/burd/article/5822736)
  18. Example: anonymized hospital data (medical procedures, gender, ZIP, birth date) linked with a voter registration list (name, address, gender, ZIP, birth date). Massachusetts Governor William Weld: 6 people had his birth date, 3 of them were men, only 1 with his Cambridge ZIP. From Latanya Sweeney's research paper: Uniqueness of Simple Demographics in the U.S. Population, http://www.citeulike.org/user/burd/article/5822736
  19. How to lower security risks?
  20. We can politely ask ;) "We would like to ask those who would like to deface this Open Data [website], Open Data is your data. This is the public's data about you, so I don't think it's in the interest of the Filipinos to damage the information that we have." Presidential Spokesperson Edwin Lacierda. Source: http://www.rappler.com/nation/48454-hackers-open-data
  21. Cost of software bugs. Project phases: project definition, design, development, deployment, maintenance. Security activities: define security requirements, verify requirements, security testing.
  22. What does "secure" mean? Each system is different; not all risks are equally important. • Website defacement / malware serving • Denial of service • Data confidentiality breach • Unauthorized data modification • Data scraping • Deanonymization / re-identification • …
  23. How to define security? Who? Why? How? Attack scenarios: attacker, goals. • Who can attack our system? • Why? What is the motivation? • How can attackers achieve their goals?
  24. How to define security? Who? Why? How? Attack scenarios: attacker, goals, countermeasures. • What should be done to stop those attacks? • Security requirements
  25. Summary: 1. Define security requirements 2. Check them during design & development 3. Test security before deployment
  26. Summary. Examples of risks to consider: • Website defacement / malware serving • Denial of service • Data confidentiality breach • Unauthorized data modification • Data scraping • Deanonymization / re-identification
  27. Open data security: should we care? http://www.securing.pl, e-mail: info@securing.pl, Jontkowa Górka 14a, 30-224 Kraków, tel. (12) 4252575, fax (12) 4252593. Wojciech Dworakowski, wojciech.dworakowski@securing.pl, tel. 506 184 550
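The re-identification risk from slides 17 and 18 can be measured before a dataset is published. The following is an added example, not code from the presentation: it computes k-anonymity over the quasi-identifier (gender, ZIP, date of birth) on a constructed "anonymized" hospital sample, shows which records an identified list (a constructed voter roll) would link to exactly one record, and shows how generalizing ZIP and birth date raises k. All records, names and dates are constructed.

```python
from collections import Counter

# Constructed "anonymized" hospital records: names removed, but gender, ZIP
# and full birth date are still published (the quasi-identifier).
HOSPITAL = [
    {"gender": "M", "zip": "02138", "dob": "1950-01-01", "procedure": "cardiac"},
    {"gender": "M", "zip": "02139", "dob": "1950-01-01", "procedure": "ortho"},
    {"gender": "M", "zip": "02141", "dob": "1950-01-01", "procedure": "derm"},
    {"gender": "F", "zip": "02138", "dob": "1950-01-01", "procedure": "derm"},
    {"gender": "F", "zip": "02139", "dob": "1950-01-01", "procedure": "cardiac"},
    {"gender": "F", "zip": "02139", "dob": "1950-01-01", "procedure": "ortho"},
    {"gender": "F", "zip": "02139", "dob": "1961-05-20", "procedure": "ortho"},
    {"gender": "F", "zip": "02141", "dob": "1961-05-20", "procedure": "cardiac"},
]

# Constructed identified list (the role of the voter registration list).
VOTERS = [
    {"name": "Voter 1 (constructed)", "gender": "M", "zip": "02138", "dob": "1950-01-01"},
    {"name": "Voter 2 (constructed)", "gender": "F", "zip": "02139", "dob": "1950-01-01"},
]

def quasi_id(rec, zip_digits=5, dob_parts=3):
    """Quasi-identifier tuple at a chosen generalization level.
    zip_digits: leading ZIP digits kept (5 = full ZIP, 3 = area only).
    dob_parts: 3 = full date, 2 = year-month, 1 = year only."""
    dob = "-".join(rec["dob"].split("-")[:dob_parts])
    return (rec["gender"], rec["zip"][:zip_digits], dob)

def k_anonymity(records, zip_digits=5, dob_parts=3):
    """Return (k, singletons): k is the smallest group sharing one quasi-identifier;
    singletons are the quasi-identifiers that point at exactly one record, i.e.
    the records an external identified list can pin down uniquely."""
    counts = Counter(quasi_id(r, zip_digits, dob_parts) for r in records)
    singletons = sorted(q for q, n in counts.items() if n == 1)
    return min(counts.values()), singletons

def link(records, external, zip_digits=5, dob_parts=3):
    """Pre-release linkage check: for each identified person, the published
    records with an identical quasi-identifier. A list of length 1 means that
    person's medical record is re-identified at this generalization level."""
    index = {}
    for r in records:
        index.setdefault(quasi_id(r, zip_digits, dob_parts), []).append(r)
    return {e["name"]: index.get(quasi_id(e, zip_digits, dob_parts), []) for e in external}

if __name__ == "__main__":
    print("full quasi-identifier:", k_anonymity(HOSPITAL))
    print("generalized (ZIP3, year):", k_anonymity(HOSPITAL, zip_digits=3, dob_parts=1))
    print(link(HOSPITAL, VOTERS)["Voter 1 (constructed)"])
```

With the full quasi-identifier the sample has k = 1 and the constructed "Voter 1" links to exactly one medical record; with ZIP truncated to three digits and birth date reduced to the year, every group has at least two members and the link becomes ambiguous.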

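The bulk download on slide 11 works because record identifiers are sequential and nothing throttles a client walking them one by one. As an added example (not from the presentation), the detection below parses constructed web-server log lines in combined format and flags any client whose requests to one path carry a long run of consecutive `id` values, which is the signature of exactly that loop. The log lines, addresses and timestamps are constructed; the path is the one shown on slide 11.

```python
import re
from collections import defaultdict

# Constructed combined-format access log: 203.0.113.5 walks ?id= sequentially
# (plus one out-of-sequence request); 198.51.100.7 is an ordinary single lookup.
LOG = """\
203.0.113.5 - - [01/Jan/2014:10:00:01 +0000] "GET /eds/Pages/GetDuf.aspx?id=1001 HTTP/1.1" 200 5120 "-" "Wget/1.14"
203.0.113.5 - - [01/Jan/2014:10:00:01 +0000] "GET /eds/Pages/GetDuf.aspx?id=1002 HTTP/1.1" 200 5090 "-" "Wget/1.14"
203.0.113.5 - - [01/Jan/2014:10:00:01 +0000] "GET /eds/Pages/GetDuf.aspx?id=1003 HTTP/1.1" 200 5011 "-" "Wget/1.14"
203.0.113.5 - - [01/Jan/2014:10:00:02 +0000] "GET /eds/Pages/GetDuf.aspx?id=1004 HTTP/1.1" 200 4998 "-" "Wget/1.14"
198.51.100.7 - - [01/Jan/2014:10:00:02 +0000] "GET /eds/Pages/GetDuf.aspx?id=48213 HTTP/1.1" 200 5010 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2014:10:00:02 +0000] "GET /eds/Pages/GetDuf.aspx?id=1005 HTTP/1.1" 200 5130 "-" "Wget/1.14"
203.0.113.5 - - [01/Jan/2014:10:00:02 +0000] "GET /eds/Pages/GetDuf.aspx?id=1006 HTTP/1.1" 200 5077 "-" "Wget/1.14"
203.0.113.5 - - [01/Jan/2014:10:00:03 +0000] "GET /eds/Pages/GetDuf.aspx?id=1010 HTTP/1.1" 200 5102 "-" "Wget/1.14"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^ ?"]+)\??(?P<query>[^ "]*)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Extract client, path, status and the numeric ?id= parameter (or None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = dict(p.split("=", 1) for p in m["query"].split("&") if "=" in p)
    id_val = params.get("id")
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "id": int(id_val) if id_val and id_val.isdigit() else None}

def longest_consecutive_run(ids):
    """Longest stretch in request order where each id is the previous id + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_enumeration(log_text, min_run=5):
    """Return {client_ip: details} for clients whose requests to a single path
    contain at least min_run consecutive identifiers."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["id"] is not None:
            per_client[(rec["ip"], rec["path"])].append(rec["id"])
    alerts = {}
    for (ip, path), ids in per_client.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            alerts[ip] = {"path": path, "requests": len(ids), "longest_run": run}
    return alerts

if __name__ == "__main__":
    print(detect_enumeration(LOG))
```

The same per-client counter is what a rate limit or a per-identity quota would key on; a random or non-sequential identifier removes the consecutive-run signal but not the need for a request cap.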