Big Data & Security Edgar Weippl SBA Research
Security Challenges
Confidentiality: cloud storage (e.g. Dropbox); authentication (e.g. WhatsApp); open data vs. unintended data leaks
Availability: dependence on infrastructure; complex and hidden dependencies
Integrity: incomplete data, entry errors, processing, sensors, social media, latency of information, deception, modeling approximations
Privacy won't work
1. My data should not have an impact on the results released.
2. One should learn nothing about me.
Ad 1) Then the results have no utility.
Ad 2) Even if you do not share your data, whatever trend is learned from everyone else's data still applies to you.
Privacy that might work
Weaker assumption: Differential Privacy. Given a result R, can anyone guess which possible world it came from?
[Figure: two possible worlds, A (with MY data) and B (without my data), each producing the same result R; compare Prob_A(R) with Prob_B(R).]
Differential privacy requires these two probabilities to be close: Prob_A(R) <= e^epsilon * Prob_B(R), and the same with A and B swapped, so the released result barely depends on whether my record is included.
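The two-worlds picture above, worked through in code as an added example (this is not code from the original slides). A counting query is answered through the Laplace mechanism, and the code checks that any released result R is at most a factor e^epsilon more likely under the world that contains my record than under the world without it, while an exact release would reveal membership outright. The records, the query and the value of EPSILON are constructed for illustration.

```python
"""Differential privacy on a counting query (added example, constructed data).
World B is everyone else; world A is everyone else plus my record."""
import math
import random

EPSILON = 0.5     # privacy budget (assumed value); smaller = stronger privacy, noisier answers
SENSITIVITY = 1   # adding or removing one record changes a count by at most 1

# Constructed sample data.
WORLD_WITHOUT_ME = [
    {"name": "p1", "age": 25},
    {"name": "p2", "age": 41},
    {"name": "p3", "age": 33},
    {"name": "p4", "age": 29},
    {"name": "p5", "age": 58},
]
WORLD_WITH_ME = WORLD_WITHOUT_ME + [{"name": "me", "age": 44}]


def count_over_30(records):
    """The query under study: how many records have age > 30."""
    return sum(1 for r in records if r["age"] > 30)


def exact_release_reveals_membership(world_a, world_b):
    """Without noise the two worlds give different answers (4 vs. 3 here),
    so a single released count tells an observer whether my record is in."""
    return count_over_30(world_a) != count_over_30(world_b)


def laplace_pdf(x, loc, scale):
    """Density of Laplace(loc, scale) at x."""
    return math.exp(-abs(x - loc) / scale) / (2.0 * scale)


def laplace_mechanism(true_value, epsilon, sensitivity=SENSITIVITY, rng=random):
    """Release true_value plus Laplace(0, sensitivity/epsilon) noise.
    Inverse-CDF sampling: X = -scale * sign(u) * ln(1 - 2|u|), u ~ U(-1/2, 1/2)."""
    scale = sensitivity / epsilon
    u = rng.random() - 0.5
    while abs(u) >= 0.5:          # guard the endpoint where ln(0) would blow up
        u = rng.random() - 0.5
    noise = -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
    return true_value + noise


def noisy_release_mean(true_value, epsilon, n=20000, seed=1):
    """Average of n noisy releases: the noise is unbiased, so utility survives."""
    rng = random.Random(seed)
    return sum(laplace_mechanism(true_value, epsilon, rng=rng) for _ in range(n)) / n


def likelihood_ratio(result, world_a, world_b, epsilon, sensitivity=SENSITIVITY):
    """Prob_A(R) / Prob_B(R): how much more likely result R is under world A
    than under world B. epsilon-DP promises exp(-eps) <= ratio <= exp(eps)."""
    scale = sensitivity / epsilon
    p_a = laplace_pdf(result, count_over_30(world_a), scale)
    p_b = laplace_pdf(result, count_over_30(world_b), scale)
    return p_a / p_b


def dp_guarantee_holds(world_a, world_b, epsilon, sensitivity=SENSITIVITY, results=None):
    """Check the epsilon-DP bound on the likelihood ratio over a sweep of
    candidate results R (any real R can be released, so we sweep a range)."""
    if results is None:
        results = [x / 10.0 for x in range(-100, 200)]   # R from -10.0 to 19.9
    bound = math.exp(epsilon)
    return all(
        1.0 / bound - 1e-12 <= likelihood_ratio(r, world_a, world_b, epsilon, sensitivity) <= bound + 1e-12
        for r in results
    )


if __name__ == "__main__":
    a, b = count_over_30(WORLD_WITH_ME), count_over_30(WORLD_WITHOUT_ME)
    print("exact counts: with me %d, without me %d" % (a, b))
    print("one noisy release (world A): %.2f" % laplace_mechanism(a, EPSILON, rng=random.Random(7)))
    print("worst-case likelihood ratio %.4f vs. bound e^eps = %.4f"
          % (likelihood_ratio(a, WORLD_WITH_ME, WORLD_WITHOUT_ME, EPSILON), math.exp(EPSILON)))
    print("epsilon-DP bound respected over a sweep of R:",
          dp_guarantee_holds(WORLD_WITH_ME, WORLD_WITHOUT_ME, EPSILON))
```

The worst case is R equal to world A's exact count: there the ratio is exactly e^epsilon, which is why the mechanism's noise scale must be sensitivity/epsilon and not smaller. Lowering EPSILON tightens the bound at the cost of wider noise, which is the utility trade-off behind "Ad 1)" above.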
Risks: Small Data
[Figure: predictors used in the forecasting model: intake age, total priors, gender, race]
Source: Richard Berk, The Role of Race in Forecasts of Violent Crime, Race and Social Problems, Dec 2009; 1(4): 231-242, DOI 10.1007/s12552-009-9017-z, http://wwwstat.wharton.upenn.edu/~berkr/race%20copy.pdf
Future Attribute Screening Technology (FAST)
Crimethink, Facecrime: the science-fiction concept of 'pre-crime', in which security services detect someone's intention to commit a crime (cf. Minority Report). DHS has claimed accuracy rates of around 70%. Really?
Source: Sharon Weinberger, Terrorist 'pre-crime' detector field tested in United States, Nature, online 27 May 2011, doi:10.1038/news.2011.323
Looking for terrorists
Let's assume we have an analysis tool with 98% sensitivity and 99% specificity. Our software flags a person as a possible terrorist. Heavily armed, you enter the apartment. How likely is it that you really have a terrorist looking into the barrel of your gun?
a. 98% (sensitivity)?
b. 99% (specificity)?
c. None of the above: roughly 100 / 5,000,000, i.e. about 1 / 50,000
Statistics refresher
500 million people: 100 terrorists and 499,999,900 innocent people.
Sensitivity 98%: 98 terrorists are found, 2 terrorists are not found.
Specificity 99%: approx. 5 million innocent people are interrogated by the police.
They were lucky.
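The base-rate arithmetic of the two slides above, as an added worked example (not code from the original slides). It reproduces the slide's hypothetical numbers and then generalizes: for any prevalence, sensitivity and specificity it returns the expected confusion matrix and the positive predictive value P(really a case | flagged), and it solves for the specificity a detector would need before a flag is more likely right than wrong. The figures are the slide's scenario, not real data; the same arithmetic applies to any alert source with a rare true positive.

```python
"""Base rates for a screening tool (added example; slide's hypothetical numbers)."""
from fractions import Fraction

# The slide's scenario, kept exact with Fractions.
SLIDE_SCENARIO = {
    "population": 500_000_000,
    "positives": 100,                     # true cases (terrorists) in the population
    "sensitivity": Fraction(98, 100),     # P(flagged | case)
    "specificity": Fraction(99, 100),     # P(not flagged | not a case)
}


def screening_outcomes(population, positives, sensitivity, specificity):
    """Expected confusion matrix for one pass of a screening tool."""
    negatives = population - positives
    true_pos = sensitivity * positives              # cases correctly flagged
    false_neg = positives - true_pos                # cases missed
    false_pos = (1 - specificity) * negatives       # innocents flagged
    true_neg = negatives - false_pos
    flagged = true_pos + false_pos
    return {
        "true_positives": true_pos,
        "false_negatives": false_neg,
        "false_positives": false_pos,
        "true_negatives": true_neg,
        "flagged": flagged,
        # PPV = P(case | flagged): the number the armed officer at the door cares about
        "ppv": true_pos / flagged,
    }


def one_in(ppv):
    """Express a PPV as 'one flagged person in N' (rounded)."""
    return round(1 / ppv)


def required_specificity(prevalence, sensitivity, target_ppv=Fraction(1, 2)):
    """Specificity needed for the PPV to reach target_ppv at a given prevalence.
    From PPV = s*p / (s*p + (1-spec)*(1-p)), solve for the false-positive rate (1-spec)."""
    false_pos_rate = sensitivity * prevalence * (1 - target_ppv) / (target_ppv * (1 - prevalence))
    return 1 - false_pos_rate


def slide_outcomes():
    """The slide's numbers: 98 found, 2 missed, ~5 million innocents flagged."""
    return screening_outcomes(**SLIDE_SCENARIO)


def slide_required_specificity(target_ppv=Fraction(1, 2)):
    """How specific the tool would have to be for a flag to be right half the time."""
    prevalence = Fraction(SLIDE_SCENARIO["positives"], SLIDE_SCENARIO["population"])
    return required_specificity(prevalence, SLIDE_SCENARIO["sensitivity"], target_ppv)


if __name__ == "__main__":
    out = slide_outcomes()
    print("found: %d, missed: %d, innocents flagged: %d"
          % (int(out["true_positives"]), int(out["false_negatives"]), int(out["false_positives"])))
    print("P(terrorist | flagged) = %.2e, i.e. one in %d" % (float(out["ppv"]), one_in(out["ppv"])))
    spec = slide_required_specificity()
    print("specificity needed for a 50%% hit rate: %.9f (false-positive rate %.2e)"
          % (float(spec), float(1 - spec)))
```

With a base rate of 1 in 5 million, a 99% specific tool flags about 51,000 innocents for every real case; to get even a coin-flip PPV the false-positive rate would have to drop to roughly 2 in 10 million. The same calculation is worth running on any detection rule before it is allowed to trigger an intrusive response.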
This will never happen
"The use of technical terms such as 'gentrification' was considered conspicuous," the files say. On that summer day a year ago it is already very warm at 7 in the morning. Holm is walking half-naked through the apartment when police officers storm in with drawn weapons and throw him to the floor.
Source: Hannes Heine, "Man weiß jetzt, was Gentrifizierung ist" ("Now we know what gentrification is"), Der Tagesspiegel Berlin, 1 Aug 2008, http://www.tagesspiegel.de/berlin/stadtsoziologe-andrej-holm-man-weiss-jetzt-was-gentrifizierungist/1826246.html
Ever think you're being watched?
"It isn't the consumers' job to know what they want." Source: Steve Lohr, Can Apple Find More Hits Without Its Tastemaker?, The New York Times, Jan 18, 2011
"Market research is very good at determining consumer preferences among products that currently exist." Source: Peter Noel Murray, How Steve Jobs Knew What You Wanted, Psychology Today, Oct 13, 2011, http://www.psychologytoday.com/blog/inside-theconsumer-mind/201110/how-steve-jobs-knewwhat-you-wanted
WhatsApp
Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess Who Is Texting You? Evaluating the Security of Smartphone Messaging Applications. In Network and Distributed System Security Symposium (NDSS 2012), February 2012.
Man-in-the-Middle
CERTIFICATES?
Authentication
In Reality
Even Worse Code = Hi!
Completely Stealthy
WowTalk
Status Messages
https://s.whatsapp.net/client/iphone/u.php?cc=countrycode&me=phonenumber&s=statusmessage
Enumeration Attack
"On vacation", "Sleeping", "At work...", "Bleh.", "Missing my love!", "Heartbroken", "Nicaragua in 4 days!!", "On my way to Ireland", "at work but not doing shit", "I'm never drinking again"
WhatsApp, ebuddy XMS, WowTalk, Viber, HeyTell, Forfone, Voypi, Tango, EasyTalk
Results
Contact Edgar Weippl eweippl@sba-research.org