Announcements

1
Announcements

• Hacker Challenge is now called Security
  Challenge, since we arent really hacking
  anything and since some people flip out whenever
  they hear the word hacker.
• Two new targets to locate and gather information
  on.
• UNC policy forbids penetration by unauthorized
  users, so dont overstep the boundaries
• Based on the word of someone outside of UNC who
  looked at last weeks Powerpoint, I was accused
  of hacking and encouranging hacking.

2
More announcements

• The part about SSNs and PIDs was my attempt to
  make you aware of just how often important data
  is mishandled in real life
• University Counsels office suggests that this is
  a violation of campus privacy policy. However,
  posession of someones SSN is by no means a
  crime, and as we pointed out, the PID is a public
  ID, so I wonder what they are talking about?
• I would still like you to keep your eyes out for
  sensitive information and tell the class when and
  where you came across it.

3
Missing slide

• During hacker talk, forgot to mention
  conferences
• H2K2 (H2K4 now?)
• DefCon
• Blackhat
• Many others (see WWW for details on all)

4
INLS 187

• September 16, 2004
• Security and Privacy Policy

5
Policy

• A policy is a plan of action for tackling
  political issues the 7 Ps
• Setting standards for action
• Trying to predict and control outcomes
• Trade-offs always exist
• Even as few as three people can never seem to
  agree reliably
• But setting policies help us know what to do

6
Security Policy

• Great importance of having written policies in
  place during crisis situations
• Written policies are as important as a written
  Constitution, otherwise people start making
  things up as they go (and the Constitution is a
  set of policies and expectations for good
  government)
• Defines expectations of acceptable use, what
  constitutes abuse, and how issues will be
  resolved
• Auditing/testing requires something to check
  against

7
The Rainbow Series

• An assortment of books about computing with
  nicknames based on the color of their cover.
• The Trusted Computer System Evaluation Criteria
  was referred to as "The Orange Book".
• Rainbow Series Library (thanks, Joel)

8
Rainbow Series

• Guidelines for Formal Verification Systems
  (Purple Book)
• A Guide to Understanding Trusted Facility
  Management (Brown Book)
• Trusted Product Evaluations (Bright blue book)
• A guide to Understanding Audit in Trusted Systems
  (Tan Book)

9
Orange Book

• TCSEC (Trusted Computer System Evaluation
  Criteria commonly called the "Orange Book")
• A standard for computer security that was issued
  by the US government.
• Used in the United States
• Canada used their own CTCPEC
• Europe and several other countries used the
  competing ITSEC standard.
• All have now been superseded by the Common
  Criteria.

10
Orange Book

• TCSEC was issued by the United States Government
  National Computer Security Council (an arm of the
  U.S. National Security Agency) as "Trusted
  Computer System Evaluation Criteria, DOD standard
  5200.28-STD, December 1985".
• Standards are importantcan also be a weakness
  though

11
TCSEC

• Four levels, A, B, C, and D. Each level adds more
  features and requirements
• D is a non-secure system.
• C1 requires user log-on, but allows group ID.
• C2 requires individual log-on with password and
  an audit mechanism. (Most Unix implementations
  are roughly C1, and can be upgraded to about C2
  without excessive pain).

12
TCSEC

• Levels B and A provide mandatory control. Access
  is based on standard Department of Defense
  clearances
• B1 requires DoD clearance levels.
• B2 guarantees the path between the user and the
  security system and provides assurances that the
  system can be tested and clearances cannot be
  downgraded.
• B3 requires that the system is characterised by a
  mathematical model that must be viable.
• A1 requires a system characterized by a
  mathematical model that can be proven

13
Verification of an OS

• Using modeling languages, it is possible to
  mathematically prove that algorithms used in your
  OS are secure
• State machines
• VHDL
• Proof-carrying code
• Really just another part of requirements
  validation process

14
Common Criteria

• The Common Criteria (CC) is an international
  standard (ISO 15408) for computer security.
• Created to allow users to specify their security
  requirements, allow developers to specify the
  security attributes of their products, and allow
  evaluators to determine if products actually meet
  their claims.

15
Common Criteria

• CC was produced by unifying ITSEC, TCSEC and
  CTCPEC,
• standards, so that companies selling computer
  products for defence or intelligence use would
  only need to have them evaluated against one set
  of standards.
• Developed by the governments of the UK, France,
  the Netherlands, Germany, the US, and Canada.

16
Common Criteria

• Defined are a set of potential security
  requirements, divided into functional
  requirements and assurance requirements.
• Defines two kinds of documents that can be built
  using this common set
• Protection Profiles (PPs). A PP is a document
  created by a user or user community, and
  identifies user security requirements.
• Security Targets (STs). An ST is a document,
  typically created by a system developer, that
  identifies the security capabilities of a
  particular product. An ST may claim to implement
  zero or more PPs.

17
Generating a security policy

• Turnkey solutions Information Shield
• InfoEdge
• All kinds of policies at the SANS Institute

18
What ones did you find?

• Discuss the homework reading assignment

19
Privacy Policy

• The 4th ammendment to the US constitution The
  right of the people to be secure in their
  persons, houses, papers, and effects, against
  unreasonable searches and seizures, shall not be
  violated, and no warrants shall issue, but upon
  probable cause, supported by oath or affirmation,
  and particularly describing the place to be
  searched, and the persons or things to be seized.
  
• Privacy the right to be let alone Cooley 1888
• No actual mention of privacy in US Constitution,
  but there is judicial precedent

20
Privacy Policies

• Commonly seen on corporate govt. websites
• Explain to users how their data will be handled
• Use of cookies
• Third party/secondary uses of info
• Informed consent
• Contact information
• Not really supposed to be legalese
• Privacy Policy Example

21
Why implement a privacy policy?

• The privacy of an individual's personal data is
  one of the top concerns of Web users, government,
  and the media. Opinion surveys consistently show
  that these concerns about privacy are a leading
  impediment to the further growth of Web-based
  commerce.

22
What policies did you find?

• Discuss privacy policies

23
P3P

• The Platform for Privacy Preferences
• Lorrie Cranor of Carnegie-Mellon
• Nothing to do with P2P
• XML schema and tool suite that helps you generate
  machine-readable and human-readable privacy
  policies
• Web browsers now have built-in P3P capabilities

24
Why P3P?

• Initial efforts by Web sites to publicly disclose
  their privacy policies have had some impact,
  these policies are often difficult for users to
  locate and understand, too lengthy to read, and
  change frequently without notice.
• People need automated solutions.
• Need for a global standard.

25
P3P
26
P3P

• Specification
• How to deploy (last slide)
• IBM alphaworks P3P Policy Editor
• P3P Toolbox website