How to Be Safe in the Cloud

Tomi Järvinen – IT-Security specialist, Aalto IT
https://twitter.com/tomppaj

Agenda:
• "Facts" about NSA/Snowden/Prism
• data classification
Guideline to safe use of "Cloud":
• choosing and using Cloud
• open source, alternative services
• what Aalto can offer for cloud users

"Without the right of privacy, there is no real freedom of speech or freedom of opinion, and so there is no actual democracy."
– Brazilian President Dilma Rousseff

Snowden's bomb, 6/5/2013: "Prism"
Facts are based on several newspapers (Financial Times, Guardian, New York Times); collection of all major news stories:
https://docs.google.com/spreadsheet/pub?key=0Al2LIEgoNIx2dFNCb3dTS1c5Y2ZkQWNzVUc5UkNFeEE&output=html

Hot topic 2013, Snowden & NSA
Claim: Only to prevent terrorism.. Nonsense..
Snowden: these programs were never about terrorism: they're about economic spying, social control, and diplomatic manipulation.
So, who are the targets? Angela Merkel, Israeli PM, EU's competition commissioner, UN headquarters, German government buildings, Brazilian oil company Petrobras, heads of institutions that provide humanitarian and financial help to Africa, Médecins du Monde, energy and finance ministries.. And naturally all internet users.. (Facebook, Google, Yahoo..)
Doesn't sound like terrorists..

Hot topic 2013, Snowden & NSA
Claim: Only few people have access to confidential data. Nonsense..
CIA official and principal at Booz Allen: Of the 4.9 million people (government, organizations, contractors) with clearance to access "confidential and secret" government information, 1.1 million, or 21 percent, work for outside contractors, according to a report from Clapper's office. Of the 1.4 million who have the higher "top secret" access, 483,000, or 34 %, work for contractors.

Hot topic 2013, Snowden & NSA
Claim: They cannot collect all traffic from all users and keep it. Nonsense
For example NSA Utah data center (estimations): 5 million storage systems running roughly 1.25 billion 4-terabyte hard drives. Latest estimation 5 Zettabytes (1 Zettabyte = the whole world's internet use for one year). 1 GB = 960 minutes of music, 1 Zettabyte = 2 billion years of music.
http://foxnewsinsider.com/2013/06/07/how-much-zettabyte-nsa-utah-facility-can-hold-immense-amount-data

Hot topic 2013, Snowden & NSA
Claim: It is just Metadata. Nonsense (for US persons it seems to be mostly just metadata)
120 billion cellular calls from all over the world every month; Email, Chat (video, voice), Videos, Stored data, VoIP, File transfers, Video Conferencing, Notifications of target activity, logins, Online Social Networking, etc.
From the US legal point of view there is nothing wrong with this, if the target is a non-US person. (FISA Amendments Act, Patriot Act)
A few academic researchers using Intelius, Google search, and three initial sources associated 91% of the "metadata" to real persons.
https://cyberlaw.stanford.edu/blog/2013/11/what%27s-in-your-metadata
http://webpolicy.org/2013/12/23/metaphone-the-nsas-got-your-number/
http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29#Extent_of_surveillance

Why should I care about NSA etc?
• presumption of guilt vs. modern law presumption of innocence
• false positives
• nobody knows about the future; Bruce Schneier: it is not about "nothing to hide" – it's that we have everything to lose
• transferring power to security organisations
• the loss of personal data control
• misuse: enormous overcollecting will lead to misuse, sooner or later, by government or individuals. There are huge money-making possibilities.
One false positive case: David Mery entered the subway wearing a jacket in warm weather, and an algorithm monitoring the CCTV flagged David as suspicious. The police arrested him and searched his flat. Though he was never convicted of a crime, Mery is still on file as a potential terrorist eight years later, and can't get a visa to travel abroad.
http://www.theguardian.com/technology/blog/2013/jun/14/nsa-prism

Big question: do you need to trust over 1 M persons? Or just very few?
• Sweden FRA: 700 employees
• UK GCHQ: 4000 employees
• USA NSA: 40 000 own employees, 483,000 contractor employees
• Google, Microsoft, Amazon, Facebook, Dropbox… and their contractors
http://projects.washingtonpost.com/top-secret-america
http://www.worldpolicy.org/blog/2013/08/09/what-nsa-can-learn-sweden
http://www.designbuild-network.com/projects/gchq/
http://www.microsoft.com/online/legal/v2/en-us/MOS_PTC_Third_Parties.htm

Summary about revelations: think about you and your work
• Some nationalities might be interesting
• If you are travelling a lot
• If you work with military projects or something innovative, or valuable
• Political reasons
• Co-operation with external corporations
If you are planning to be a politician, Nobel winner or some other "VIP", take into consideration that a lot of people might have access to your whole online life.

But Cloud is Still Great! Next, guideline to SafeCloud!
• accessible from everywhere, typically via browser
• "pay only for what you use"
• elastic resources, scalable
There is a lot you can do to keep yourself and your data safe!

Data classification?
Data classification is mandatory when an organization is moving to cloud services on a larger scale. Aalto University has a new data classification policy (president decision 731/00.00.02/2013). The policy provides a guideline for separating public data from classified data, and a separate detailed handling guide. There is a six-month transition period; at the moment university IT is building new services for handling classified data. The data classification policy covers all organization data, determining its security class (public, internal, confidential or secret) and then assigning it to categories. During spring 2014 there will be trainings about classification.
https://inside.aalto.fi/pages/viewpage.action?pageId=30032716

First, think about your data
Basic rule is that cloud services are only for "Public data", meaning all the data that is NOT "Classified" (confidential, internal, ST levels) in the policy.
Examples of classified data:
• study attainments, student evaluations
• research plans, development work (unpublished)
• published intellectual property
• unpublished patents
• HR and employment
• medical
• financial
• technology and telecommunications data (usage, log data)
• security information
• confidential business information
• trade secrets
• financial, tax, and insurance records
Full list in the Data Classification policy: https://inside.aalto.fi/pages/viewpage.action?pageId=30032716

Second, your privacy?
If you like to keep your privacy, hide yourself and your device:
• use an "alias", create a web-identity, or several, like: Teemu courseX2012
• use an Android device with an "anonymous" account, like [email protected]
• use anonymity services, VPN & anonymous proxy
• optimize your browser privacy settings (in any browser this doesn't clear all)
• F-Secure Freedome, http://freedome.f-secure.com/en/home.html
• technical solution: https://www.whonix.org/wiki/Main_Page – Whonix is an operating system focused on anonymity, privacy and security
You will lose a lot of functionality, but think which one is more important for you: privacy, or an active online life with your real identity. (In the organization network and with an organization device, options are limited.)

Third, security (1)
• you cannot get anything "back"
• services may claim ownership of the information
• "free" services often collect and disclose information to third parties such as advertisers or collaboration partners. So, think what you share (Trend Micro)
• malicious links: think before clicking
• think where you buy from
• "fakeware / scareware": think before buying
• be accurate, how and what you write
• please do not comment on behalf of the University, unless it belongs to the job description :)
• be careful, and especially with Android -> http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/android-malware/android-risk-mitigation.aspx

Third, security (2)
• keep your password / username combination in a safe place, in case the worst happens (serious illness, even death, or matters related to legislation)
• material may be valuable, financially or for some other reason (to the university or relatives, e.g. a script, photos, the new "7 brothers" :)
• use different passwords and user ids (mnemonic?), software like "KeePass" http://keepass.info/ for password management
• keep copies of everything on your own computer
• do not accept all friend requests!
• store files securely with encryption: http://www.makeuseof.com/tag/5-ways-to-securely-encrypt-your-files-in-the-cloud/

Fourth, choose the right service (1)
• three basic models: Free – Advertisement – Freemium (business)
• free service (often ends up in the advertisement or freemium model)
• advertisement: what is the motivation of the service provider? – money, money, money (typical services: Google, Facebook)
• Freemium: light free version, full version by paying something (example: Yammer)
• and, stay focused: a service for one purpose usually fits the user's needs better and lasts longer
  – users learn how to use it
  – service does what it is supposed to
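The "store files securely with encryption" bullet in the "Third, security (2)" slide is the one piece of advice that is easiest to make concrete in code. The script below is an added example written for this page; it is not from the slides, from Aalto IT, or from the linked article. It encrypts a document on your own machine before it is handed to a cloud service, so the provider (and anyone with access to the provider's storage) holds only ciphertext plus an integrity tag, and any modification of the stored blob is refused on download. It uses only the Python standard library: PBKDF2-HMAC-SHA256 to derive separate encryption and MAC keys from a passphrase, an HMAC-SHA256 counter-mode keystream for confidentiality, and HMAC-SHA256 over header and ciphertext (encrypt-then-MAC) for integrity. That stream-cipher construction is chosen only to avoid third-party dependencies; for real use prefer AES-GCM from a vetted library such as the `cryptography` package, or a tool like gpg. The format tag `SAFECLOUD1`, the sample document and the passphrase are constructed for the example.

```python
"""Client-side encryption before cloud upload (added example, not from the slides).

The cloud provider stores only MAGIC || salt || nonce || ciphertext || tag, so it
can neither read the file nor alter it undetected. Standard library only:
PBKDF2-HMAC-SHA256 key derivation, HMAC-SHA256 counter-mode keystream for
confidentiality, HMAC-SHA256 encrypt-then-MAC for integrity. Dependency-free
illustration only; production code should use AES-GCM from a vetted library.
"""
import hashlib
import hmac
import secrets
import struct

MAGIC = b"SAFECLOUD1"      # constructed format tag for this example
PBKDF2_ITERATIONS = 200_000
BLOCK = 32                 # HMAC-SHA256 digest size, used as keystream block size
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def _derive_keys(passphrase, salt):
    """Derive independent 32-byte encryption and MAC keys from one passphrase."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def _keystream(key, nonce, length):
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) per 32-byte block."""
    out = bytearray()
    for counter in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_for_cloud(plaintext, passphrase):
    """Return the self-describing blob that is safe to hand to a cloud service."""
    salt = secrets.token_bytes(SALT_LEN)     # fresh salt: same passphrase, new keys
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh nonce: keystream never repeats
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_from_cloud(blob, passphrase):
    """Verify the tag before touching the ciphertext; ValueError on any tampering."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a valid blob")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    ciphertext, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:HEADER_LEN] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("integrity check failed: wrong passphrase or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def tamper_is_detected(blob, passphrase):
    """Flip one bit of the stored ciphertext and confirm the download is refused."""
    tampered = bytearray(blob)
    tampered[HEADER_LEN] ^= 0x01
    try:
        decrypt_from_cloud(bytes(tampered), passphrase)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: an unpublished research plan, i.e. classified data
    # that must never reach a cloud service in the clear.
    document = b"Research plan 2014 (unpublished) - do not distribute"
    passphrase = "correct horse battery staple"   # constructed sample passphrase
    blob = encrypt_for_cloud(document, passphrase)
    assert document not in blob                   # provider sees only ciphertext
    assert decrypt_from_cloud(blob, passphrase) == document
    assert tamper_is_detected(blob, passphrase)
    print("blob size:", len(blob), "bytes; round trip and tamper check OK")
```

Two design points matter more than the cipher choice: the MAC is checked before any decryption so a modified blob is rejected without leaking anything, and the salt and nonce are generated fresh per file so reusing one passphrase for many files never reuses a keystream. The passphrase itself is now the thing to protect, which is exactly what the "KeePass" and "keep copies on your own computer" bullets on the same slide are about.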
