Presentation to Towngas employees in the inaugural talk of its 2013 Information Security Week activity
TOWNGAS: INFORMATION SECURITY WEEK 2013
7/10/2013
WHY DO HACKERS HACK?
• For material benefits
• For status
• For vengeance (justice?)
• For fun
• For nothing
• For goodness
Photo from Google
WHAT HACKERS DO
• White hat, black hat
• Targeted or for all
• Security exploits
• From virus to malware
• Social engineering: phishing, baiting
• Botnets
• DDoS
• From PC to mobile
DAILY BAD NEWS
IT CAN BE WORSE: STUXNET (2010)
Graphic from IEEE Spectrum
STUXNET
• Targeting critical infrastructure
• State-backed (American and Israeli intelligence)
• Targeting Iranian nuclear facilities
• Spread via Microsoft Windows
• Targets Siemens industrial control systems – the systems that control and monitor the plant
• Spread as network malware, or carried in on an infected USB stick
HELLO, EDWARD SNOWDEN… GOODBYE
WHO IS HE?
• Born June 21, 1983
• High school dropout
• Worked for NSA, then CIA, then employed by subcontractor Booz Allen Hamilton, working in NSA again
• Salary: roughly US$200,000 (“took a pay cut to get back in NSA”)
• Lived in Hawaii before coming to Hong Kong on May 20, 2013
• Left Hong Kong on June 23, 2013 to Moscow, Russia
FIRST, IT WAS VERIZON…
• First revealed by the Guardian (UK): under a court order issued under FISA (the Foreign Intelligence Surveillance Act), the NSA was granted unlimited access to Verizon phone records
• Is it “legal”?
AND THEN, THERE WAS PRISM
• A "clandestine mass electronic surveillance data mining program" since 2007, after the passage of the “Protect America Act” under the Bush administration
• PRISM is "the number one source of raw intelligence used for NSA analytic reports", and it accounts for 91% of the NSA's Internet traffic acquired under FISA section 702 authority
MORE OF SNOWDEN'S REVELATIONS
• More secret programs to be revealed…
• 4 surveillance programs (US): MAINWAY, MARINA, NUCLEON, PRISM
• Collecting and analyzing metadata on the Internet (e.g. emails) and telecom networks (e.g. call logs)
• Other programs revealed:
  • Evil Olive – broadening the scope of data collection
  • Shell Trumpet – another similar program
• The EU and its allies were among the top targets
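Metadata without content sounds harmless, which is why the collection programs above are often described as "just call logs". The script below is an added example, not part of the original slides, showing how much a handful of call detail records (caller, callee, start time, duration, with no call content) already reveals: who someone's closest contacts are, when they are normally active, whether they make late-night calls, and which contacts two people share. The phone numbers and records are constructed for this illustration, and the +852 prefix is used only because the talk was given in Hong Kong.

```python
from collections import Counter
from datetime import datetime

# Constructed call detail records (CDRs), made up for this example:
# (caller, callee, call start in UTC, duration in seconds).
# There is deliberately no call content here, only metadata.
CDRS = [
    ("+852-1000", "+852-2000", "2013-06-03T08:05:00Z", 320),
    ("+852-1000", "+852-2000", "2013-06-04T08:10:00Z", 280),
    ("+852-2000", "+852-1000", "2013-06-05T21:30:00Z", 900),
    ("+852-1000", "+852-3000", "2013-06-05T23:55:00Z", 60),
    ("+852-3000", "+852-1000", "2013-06-06T00:10:00Z", 1800),
    ("+852-1000", "+852-4000", "2013-06-06T12:00:00Z", 45),
    ("+852-3000", "+852-4000", "2013-06-07T12:30:00Z", 120),
    ("+852-2000", "+852-4000", "2013-06-07T13:00:00Z", 30),
    ("+852-1000", "+852-2000", "2013-06-08T08:00:00Z", 300),
]


def hour_of(ts):
    """Hour of day (UTC) from an ISO-8601 timestamp such as 2013-06-03T08:05:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour


def calls_involving(cdrs, number):
    """All records in which `number` is either the caller or the callee."""
    return [r for r in cdrs if number in (r[0], r[1])]


def other_party(record, number):
    """The counterpart of `number` in one record."""
    return record[1] if record[0] == number else record[0]


def contact_counts(cdrs, number):
    """How many calls `number` had with each other party, in either direction."""
    return Counter(other_party(r, number) for r in calls_involving(cdrs, number))


def talk_time(cdrs, a, b):
    """Total seconds that a and b spent on calls with each other."""
    return sum(r[3] for r in cdrs if {r[0], r[1]} == {a, b})


def night_calls(cdrs, number, start_hour=23, end_hour=6):
    """Calls involving `number` that start in the window [start_hour, 24) or [0, end_hour)."""
    return [r for r in calls_involving(cdrs, number)
            if hour_of(r[2]) >= start_hour or hour_of(r[2]) < end_hour]


def busiest_hour(cdrs, number):
    """Hour of day at which `number` is most often on the phone: a daily-routine indicator."""
    hours = Counter(hour_of(r[2]) for r in calls_involving(cdrs, number))
    return hours.most_common(1)[0][0]


def shared_contacts(cdrs, a, b):
    """Numbers that both a and b have spoken with. This is the link-analysis step
    that turns pairwise records into a social graph."""
    return set(contact_counts(cdrs, a)) & set(contact_counts(cdrs, b))


def profile(cdrs, number):
    """Summarise what the metadata alone says about one subscriber."""
    contacts = contact_counts(cdrs, number)
    return {
        "top_contacts": contacts.most_common(2),
        # The contact with the most talk time is not necessarily the most frequent one.
        "longest_relationship": max(contacts, key=lambda p: talk_time(cdrs, number, p)),
        "night_calls": len(night_calls(cdrs, number)),
        "busiest_hour_utc": busiest_hour(cdrs, number),
    }


if __name__ == "__main__":
    for number in sorted({n for r in CDRS for n in r[:2]}):
        print(number, profile(CDRS, number))
```

Run as-is to print a profile for every number in the constructed set. For +852-1000 the most frequent contact is +852-2000, but the most talk time goes to +852-3000, whose two calls both fall around midnight; that kind of inference is exactly what makes "metadata only" a weak privacy assurance.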
WHAT ABOUT OTHER COUNTRIES?
• Britain – Tempora (sharing information with the US)
• France – "collects signals from devices in France, and communications abroad"
• Germany – Providing intercepted data to the NSA
• Russia – SORM, another surveillance program
• China? Others?
SNOWDEN ON HONG KONG
• Why did he choose to come to Hong Kong?
• He told SCMP: the NSA had been hacking into computers/servers in HK and China
  • At least several hundred times (>61,000 times globally)
  • Universities, public officials, students, businesses
  • Undersea cables
WORK IN COUNCIL
- June 15: rally outside USCG
- June 19: follow-up on urgent oral question; amendment passed on "building a safe city"; adjournment motion debate on cyber security
- Letter to CE, Security Bureau and PCPD
- June 26: written question on government response
- Forum on infosec with security professionals
- July 17: amendment on motion debate
THE DEMANDS
• Seeking a response from the US government
  • HKSARG sent a letter to the US government on June 21 – no answer
• Concrete measures to improve the information security and awareness of local users and SMEs
• Revive the Interdepartmental Working Group on Computer-Related Crime to review and propose new cross-departmental measures
GOVERNMENT’S RESPONSE
• No problem, it's all fine – "we are not aware of any problems"
• Repeating:
  • OGCIO's infosec website
  • HKCERT
  • Police's Cyber Security Centre
• Interdepartmental WG on cyber security? No.
• Everything is fine. Really.
Why insist on politicising everything?
Original text: "All Crows Are Black: How to Balance National Security, Personal Privacy and Freedom of Communication" http://rthk.hk/mediadigest/20130715_76_123001.html
What are the implications?
WHAT NEXT?
• The US or other governments can view almost everything they want
• Can we still trust the Internet and cloud computing?
• Brazil's President is pushing new legislation to force Internet providers to store data gathered in Brazil locally
• But is it practicable?
Brazilian President Dilma Rousseff
IS FISA JUST AND FAIR?
FISA (Foreign Intelligence Surveillance Act)
• Repeatedly invoked after the 9/11 attacks
• Said to be for monitoring foreign threats in the US
• But in practice it allows surveillance of citizens worldwide, and even of Americans
IS FISA JUST AND FAIR?
• The United Nations Human Rights Commission recently discussed regulating surveillance technology used against citizens worldwide
• Suggested advancing international human rights obligations on privacy
WHAT SHOULD WE DO?
• World-class information security capabilities in HK
  • Highest density of CISSPs in the world
• SMEs and individuals do not appreciate the importance of information security
  • Education
  • Protection from "basic hacking" as a start
  • Set targets to reduce botnets?
• Legal or regulatory measures?
THANK YOU!
Charles Mok
Legislative Councillor (Information Technology)
[email protected]
Facebook: Charles Mok B
Twitter: @charlesmok