TOWNGAS: INFORMATION SECURITY WEEK 2013 7/10/2013

Towngas Information Security Week 2013 presentation


DESCRIPTION

Presentation to Towngas employees in the inaugural talk of its 2013 Information Security Week activity


Page 1: Towngas Information Security Week 2013 presentation

TOWNGAS: INFORMATION SECURITY WEEK 2013

7/10/2013

Page 2: Towngas Information Security Week 2013 presentation

WHY DO HACKERS HACK?

• For material benefits

• For status

• For vengeance (justice?)

• For fun

• For nothing

• For goodness

Photo from Google

Page 3: Towngas Information Security Week 2013 presentation

WHAT HACKERS DO

• White hat, black hat

• Targeted or for all

• Security exploits

• From virus to malware

• Social engineering: phishing, baiting

• Botnets

• DDOS

• From PC to mobile

Page 4: Towngas Information Security Week 2013 presentation

DAILY BAD NEWS

Page 5: Towngas Information Security Week 2013 presentation

IT CAN BE WORSE: STUXNET (2010)

Graphic from IEEE Spectrum

Page 6: Towngas Information Security Week 2013 presentation

STUXNET

• Targeting critical infrastructure

• State-backed (American and Israeli intelligence)

• Targeting Iranian nuclear facilities

• Spread via Microsoft Windows

• Targets Siemens industrial control systems – controlling, monitoring these systems

• Spread via malware or by infiltrating a loaded USB stick

Page 7: Towngas Information Security Week 2013 presentation

HELLO, EDWARD SNOWDEN … GOODBYE

Page 8: Towngas Information Security Week 2013 presentation

WHO IS HE?

• Born June 21, 1983

• High school dropout

• Worked for NSA, then CIA, then employed by subcontractor Booz Allen Hamilton, working in NSA again

• Salary: roughly US$200,000 (“took a pay cut to get back in NSA”)

• Lived in Hawaii before coming to Hong Kong on May 20, 2013

• Left Hong Kong on June 23, 2013 to Moscow, Russia

Page 9: Towngas Information Security Week 2013 presentation

FIRST, IT WAS VERIZON…

• First revealed by the Guardian (UK): the NSA was granted a court order under FISA (Foreign Intelligence Surveillance Act) giving it unlimited access to Verizon phone data

• Is it “legal”?

Page 10: Towngas Information Security Week 2013 presentation

AND THEN, THERE WAS PRISM

• A "clandestine mass electronic surveillance data mining program" since 2007, after the passage of the “Protect America Act” under the Bush administration

• PRISM is "the number one source of raw intelligence used for NSA analytic reports", and it accounts for 91% of the NSA's Internet traffic acquired under FISA section 702 authority

Page 11: Towngas Information Security Week 2013 presentation
Page 12: Towngas Information Security Week 2013 presentation
Page 13: Towngas Information Security Week 2013 presentation
Page 14: Towngas Information Security Week 2013 presentation
Page 15: Towngas Information Security Week 2013 presentation
Page 16: Towngas Information Security Week 2013 presentation
Page 17: Towngas Information Security Week 2013 presentation

MORE OF SNOWDEN’S REVELATIONS

• More secret programs to be revealed…

• 4 surveillance programs (US)
  • MAINWAY
  • MARINA
  • NUCLEON
  • PRISM

• Collecting and analyzing meta data on the internet (i.e. emails) and telecom (i.e. call logs)

• Other released programs
  • Evil Olive – broadening the scope of data collection
  • Shell Trumpet – another similar program revealed
  • The EU and its allies were among the top targets

Page 18: Towngas Information Security Week 2013 presentation

WHAT ABOUT OTHER COUNTRIES?

• Britain – Tempora (sharing information with the US)

• France – "collects signals from devices in France, and communications abroad”

• Germany – providing intercepted data to the NSA

• Russia – SORM, another surveillance program

• China? Others?

Page 19: Towngas Information Security Week 2013 presentation

SNOWDEN ON HONG KONG

• Why did he choose to come to Hong Kong?

• He told SCMP:
  • Hacking into computers/servers in HK and China
  • At least several hundred times (>61,000 times globally)
  • Universities, public officials, students, businesses
  • Undersea cables

Page 20: Towngas Information Security Week 2013 presentation

WORK IN COUNCIL

- June 15: rally outside USCG

- June 19: follow-up on urgent oral question; amendment passed on “building a safe city”; adjournment motion debate on cyber security

- Letter to CE, Security Bureau and PCPD

- June 26: written question on government response

- Forum on infosec with security professionals

- July 17: amendment on motion debate

Page 21: Towngas Information Security Week 2013 presentation

THE DEMANDS

• Seeking a response from the US government
  • HKSARG sent a letter to the US government on June 21 – no answer

• Concrete measures to improve information security measures and awareness of local users and SMEs

• Revive the Interdepartmental Working Group on Computer-Related Crime to review and propose new cross-departmental measures

Page 22: Towngas Information Security Week 2013 presentation

GOVERNMENT’S RESPONSE

• No problem, it’s all fine – “we are not aware of any problems”

• Repeating:
  • OGCIO’s infosec website
  • HKCERT
  • Police’s Cyber Security Center

• Interdepartmental WG on cyber security? No.

• Everything is fine. Really.

Page 23: Towngas Information Security Week 2013 presentation

Why focus only on politicizing it?

Page 24: Towngas Information Security Week 2013 presentation

Original article: 《天下烏鴉一般黑 如何平衡國家安全、個人私隱和通訊自由》 (“All crows are equally black: how to balance national security, personal privacy and freedom of communication”), http://rthk.hk/mediadigest/20130715_76_123001.html

Page 25: Towngas Information Security Week 2013 presentation

What are the implications?

Page 26: Towngas Information Security Week 2013 presentation

WHAT NEXT?

• The US or other governments can view almost everything they want

• Can we still trust the Internet and cloud computing?

• Brazil’s President is pushing new legislation to force Internet providers to store data locally gathered in Brazil

• But is it practicable?

Brazilian President Dilma Rousseff

Page 27: Towngas Information Security Week 2013 presentation

IS FISA JUST AND FAIR?

FISA (Foreign Intelligence Surveillance Act)

• Repeatedly enforced after the 9/11 attacks

• Said to be for monitoring foreign threats in the US

• But the truth is that it allows surveillance on global citizens, and even Americans

Page 28: Towngas Information Security Week 2013 presentation

IS FISA JUST AND FAIR?

• The United Nations Human Rights Commission recently discussed regulating surveillance technology used on global citizens

• Suggested advancing international human rights obligations on privacy

Page 29: Towngas Information Security Week 2013 presentation

WHAT SHOULD WE DO?

• World-class information security capabilities in HK
  • Highest density of CISSPs in the world

• SMEs and individuals do not appreciate the importance of information security
  • Education
  • Protection from “basic hacking” as a start
  • Set targets to reduce botnets?

• Legal or regulatory measures?

Page 30: Towngas Information Security Week 2013 presentation

THANK YOU!

Charles Mok, Legislative Councillor (Information Technology)

Email: [email protected] | FB: Charles Mok | Twitter: @charlesmok