RESPONSIBLE - Research and Engineering on Security and Privacy Of Networks and Systems for Ireland and a Better onLine Environment
2018-04-24: I'm doing some zmap measurements using
this host as the source of probes. Any problems with that - please just contact me
stephen.farrell@cs.tcd.ie.
Details of that published so far are here.
We're a loose collective of folks in Ireland interested in security
and privacy. We have a charter and we held
a workshop (at which we took notes).
Charter, September 2017
It is in the interests of all stakeholders in the Internet (Fixed, Mobile,
of Things) in Ireland that its security and privacy properties be well
understood and improved. Perhaps the most important stakeholder is now the
average citizen, whose privacy, safety and general well-being is being
increasingly impacted by technological advances. We wish to address these
issues by carrying out research, probing for weaknesses, and issuing
occasional advisories and recommendations.
In the absence of a “Geneva Convention” on cyber-warfare, and given that we are
ourselves subject to external threats, we feel it appropriate to work within the
context of the island of Ireland and our local laws. Ours is therefore a local
organisation, though we will be happy to work with like-minded organisations in
other jurisdictions.
Our group consists of academics, researchers, employees of big and small
companies, those involved in Internet Infrastructure civil society, and
from government. We believe that by pooling our resources we can form a
“critical mass” in terms of expertise and thus be more likely to succeed in
having useful local impact.
We particularly welcome members of the security services and law
enforcement. We respect your valid interest in these matters. As a group we
will always respect the rule of law, and will at all times operate within
the existing law (while remaining free to lobby for changes in the law
through the normal democratic processes).
We will at all times adhere to the principles of “responsible disclosure” -
see
https://en.wikipedia.org/wiki/Responsible_disclosure.
Therefore
although we may probe for vulnerabilities without prior notice, our
intention is to help identify and fix them, not to exploit them for gain,
notoriety, publicity, or just because we can.
We’re a “semi-open” group – we intend the results of our work to be public
whenever possible, but we will do our work via a moderated mailing list. If
you’re interested in participating, please feel free to contact
stephen.farrell@cs.tcd.ie
RESPONSIBLE Workshop - Research and Engineering on Security and Privacy Of Networks and Systems for Ireland and a Better onLine Environment
2017-09-07, v0.999, stephen.farrell@cs.tcd.ie
Many thanks to our generous sponsors.
If you're interested in this activity, feel free to send us an email.
Slides used on the day of the w/s
Ireland has a thriving ICT environment, both commercial and academic, yet it
lags many countries in the availability of expertise in the security and
privacy space. The history that led us to this point is understandable, and
it was not a hugely pressing problem in the past, but given today's risk
profile the lack of local critical-mass collections of expertise could turn
out to be hugely damaging for the people of Ireland, if it leaves our systems
and networks more vulnerable or privacy-unfriendly than others.
The RESPONSIBLE workshop is the next step in an effort to marshal the existing
talents and efforts of Irish-based industry, government, civil society and
academia, in order to start building a sustainable, above-critical-mass
collection of people interested in collaborating to improve the local (and
global) security and privacy properties of the networks and systems on which we
all depend more and more, for the benefit both of those operating such systems
and networks and of the people of Ireland and beyond.
Background/Overview:
Since April, one of the workshop organisers (SF) has had meetings about doing
local work on Internet security and privacy with folks from a varied set of
organisations (listed below). The main hypothesis being that Irish academia
alone lacks critical mass to do significantly impactful and sustained work in
this space, and that industry, government and civil society involvement is
necessary in order to achieve that critical mass and have worthwhile impact
locally and more broadly. Bringing together the varied interests and expertise
of people in all those areas should also help to improve any work done and help
towards sustainable efforts in this space. This workshop is aiming to take the
output of that set of meetings to the next level where we identify sets of
people and topics on which to work... and then start that work.
Organisations who've taken meetings so far (in alpha order):
Cisco,
Citibank,
DCENR,
Dell,
DRI,
Enterprise Ireland,
Google,
HEAnet,
IBM,
IEDR,
INEX,
Intel,
Miracl,
NUIG,
NUIM,
Office of the Data Protection Commissioner,
TCD,
UCD.
Note that nothing here claims to represent the opinions of those organisations,
or the people in those meetings -
everything here is just anonymised reporting of topics in which people
expressed interest. If you're not on the above list, but would like to
chat to figure out your level of interest in this please do feel
free to contact the organisers, we'd
be delighted to chat with more folks in advance of the workshop.
Meetings were held using so-called "Chatham House rule" so that we can report
on the topics in which folks are interested but have agreed to not identify who is
interested in which topics (nor more generally, who said what:-). People can
feel free to be more open about things according to their tastes. The Chatham
House rule makes it easier for some people to be more open, so is worthwhile at
this stage in this effort. (Workshop participants can collectively decide to
use this rule or not.)
Most of the meetings so far have indicated interest in doing some local,
co-operative work in the security and privacy space, though of course not
everyone is interested in everything, and different people and organisations
will need to work in different ways.
Discussions so far indicate three broad buckets into which
specific topics seem to fit:
- Bucket1 - Communications and systems security and privacy
- Bucket2 - Patterns and measurement
- Bucket3 - Advice and best current practices (BCPs)
Some of the topics in each bucket can seem fairly mundane, but can also in fact
lead to interesting research questions. And not all impactful work needs to, or
ought to, advance the state of the art.
Note that the buckets above categorise problem spaces, so while a good
few people were interested in e.g. IoT issues or cryptocurrencies/blockchain,
technology-specific things like that are less visible at this point,
even if they remain important.
Workshop Logistics
Scope:
The main criterion for possible work being interesting is that topics should be such that
it is credible that work done in Ireland can move the needle locally in a useful
manner, relating to Internet security and privacy. If topics are globally
interesting too, that's great.
The results of work done are intended to be public - so this is not dealing
with operational data and hopefully generally with less sensitive data
(though there may be some sharing of sensitive data for research purposes of
course). Rather than do operational work, the goal is more to develop e.g.
proofs of concept that can later be used by ops folks.
Workshop Organisation:
The workshop is sponsored by the SFI-funded CONNECT centre and IEDR. There is no cost to attend,
but attendance is by invite only. Additional sponsorship is
welcome, if interested contact the organisers.
The way to structure further work is a topic for discussion at the
workshop. For example, we may want to identify an existing organisation
of some sort under whose umbrella we can locate ourselves, so
as to avoid having to develop new IPR rules etc.
As stated, the workshop is invite only, there is no need for submissions or position
papers, but position papers are welcome.
Note that the agenda will not consist of a set of paper-presentations, but
will be developed by the TPC to try to encourage attendees to reach the
workshop goals. (IOW, more chat, less PPT:-) We are happy to discuss
construction of the agenda on the workshop mailing list.
Our goal is that people who'd actually want to, and actually do, work
on relevant topics attend - so not their bosses mostly:-)
If you'd like to attend please
contact the organisers. A position
paper would be welcome (1-2 pages of PDF or text ideally). Position
papers received will be circulated to the mailing list. If you
are happy for your position paper to be linked to the workshop
web site, please indicate that
when sending.
No formal proceedings will be produced, but attendees will be
subscribed to the workshop mailing list by the TPC
and (links to) all notes, presentations and position papers will be
posted to that list. Materials received by September 1st will be
sent to the mailing list ahead of the workshop.
We will follow Chatham House rule for the workshop, unless the
attendees decide to be more open at the start of the event.
Workshop organisers/TPC:
- Stephen Farrell, TCD, stephen.farrell@cs.tcd.ie
- Mike Scott, MIRACL, mike.scott@miracl.com
Collective email for TPC: responsible-tpc@scss.tcd.ie
Potential work/discussion topics:
The list below is (a brief synopsis of) a subset of the specific problems
identified during the meetings mentioned above on which people might like to work.
Identifying details have been elided and the lists are in alphabetical
order. Clearly, addressing all of these topics in the near future would
not be realistic, so progress will require that the workshop attendees
are able to prioritise and hopefully agree on the set of next steps.
Bucket1 - Communications and systems security and privacy
- Better local security in a BYOD world
- Carrying out example risk analyses of local systems/infrastructure
- Dealing with new security technologies in current and legacy systems (e.g. performance and network management impacts of increased encryption)
- Developing/piloting privacy-sensitive non-commercial local sharing for DDoS mitigation and malware detection
- Improving back-end transparency in a locally significant manner
- Low-cost forensics for SMEs and others
- Methods for integrating post-quantum cryptography into protocols/applications used locally
- Piloting local authentication infrastructure (PKI/2FA)
- Piloting new security and privacy technologies locally, e.g. DNS privacy
- Reproducible/curated builds/mirrors of open-source technologies for local use, possibly SME focused
- Securing local IoT testbeds/pilots/demonstrators
- What can replace outmoded concepts of "consent" locally?
- Whitehat hacking/testing of devices used/considered-for-use locally with responsible disclosure route back to vendors/users if appropriate/possible
- Privacy by design for data analytics
Bucket2 - Patterns and measurement
- Audit tools to help detect local instances of PII
- Audits of data using current BCP security mechanisms that could be vulnerable in the presence of a quantum computer
- Automating production of locally useful evidence as part of incident handling
- Developing meta-data guidelines so holders of (large) data-sets can share (or interface with one another) in a more privacy sensitive manner respecting the wishes of data holders/subjects and in accordance with local regulation
- Local co-operative network intrusion detection
- Local detection of unwanted surveillance devices (IMSI catchers, MitM boxen)
- Local impact of analog sensing (video,audio etc.) on security and privacy
- Local surveys (e.g. zmap of HTTP/TLS,SMTP/STARTTLS, AS112 etc.) with some kind of responsible disclosure route back to asset holders with detected issues
- Mechanisms e.g. public ledgers/blockchain to support governance of the large-data meta-data just mentioned
- Measurements (e.g. of data set) aiming to provide empirical evidence of (non)compliance with local laws
- Measuring local IoT deployments, e.g. to scan for vulnerabilities
- Uses of, or acquisition of, passive DNS locally
Bucket3 - Advice and best current practices (BCPs)
- Advice and training for local law enforcement
- BCPs for local SMEs on dealing with privacy and security
- Locally, what do we consider provides "consent"
- Minimising impedance mismatch between technology deployments and regulation
- Personal infosec/privacy training for legislators
- Provide advice on policy and application impacts of current and near-future cryptographic mechanisms
- Providing advice to help avoid common damaging attacks, e.g. ransomware and WordPress hacks, and measuring the efficacy of such advice when offered
- Technical aspects of dealing locally with current and upcoming EU directives, helping gov.ie and similar folks understand the consequences of possible regulatory actions
- What does (not) constitute local critical infrastructure?
Workshop goals:
Main goal1: Find 2-3 feasible projects on which attendees want to, and do,
start work. ("Start" might mean write proposal, or just go do work,
depending, with a preference for the latter.)
Main goal2: Figure out what structure
might suit making progress on those identified topics, and longer-term.
Sub-goal: Connect people in Irish government, industry, academia and civil society
interested in Internet and systems security and privacy to foster effective,
impactful research and learning on topics with measurable benefit to Ireland
and more generally.
Long-term goal: Build a sustainable collaboration on relevantly-scoped
topics.
Short-term goal: Decide how to organise for the next while, if the workshop is a success.
Day 1:
- 1100-1200: Lunch for those who asked!
- 1200-1300: gather/get laptop sorted/lunch
- 1300-1315: Opening/intro/scope/logistics (Stephen Farrell, TCD)
- 1315-1330: Attendee intros - ~1 minute per person, a few folks at a time
- 1330-1430: Overview of problem space presentation/discussion (Stephen Farrell, TCD)
- 1430-1500: Coffee
- 1500-1515: Attendee intros - ~1 minute per person, a few folks at a time
- 1515-1600: Technical pressie#1 - "A summary of security-related network measurements" (David Malone, NUIM)
- 1600-1615: Attendee intros - ~1 minute per person, a few folks at a time
- 1615-1700: Technical pressie#2 - "Selling Crypto - an experience of developing crypto in Ireland" (Mike Scott, MIRACL)
- 1700-1715: Bio-break/coffee
- 1715-1745: Unconference planning for day 2
Day 1+:
- 1800-late: Pub, Kennedy's for food/bev/chat
Day 2:
- 0900-0930: Day 2 plan review
- 0930-1030: Separate interest parties (maybe 3x)
- 1030-1100: Coffee
- 1100-1200: Summarise plans for work
- 1200-1230: Wrap-up/further actions/meetings
- 1230: End/lunch/maybe more pub
RESPONSIBLE Workshop - Research and Engineering on Security and Privacy Of Networks and Systems for Ireland and a Better onLine Environment - Meeting Notes
Notes - Day 1
Logistics, Stephen Farrell, TCD
- Kicking off about 13:00
- Introduction
- Thanks for coming, sponsors,
- Will be at Kennedy's this evening
- WiFi - check the wall
- Web page at responsible.ie - we have a mailing list
- Chatham House Rules
- Please interrupt!
- Prizes will be given in pub (18:00-late).
Participant Intros (part 1)
Scoping, Stephen Farrell, TCD
Slides
- Overview of Problems
- IoT, Data Leaks,
- Do you have data?
- GDPR requirements - do people delete?
- Implementation Issues
- buffer overflows,
- Post-quantum cryptography
- What data might be vulnerable if we had quantum computer in 10yrs?
- Regulation
- GDPR, NIS directive (see UCD),
- need to define reportable incidents,
- need to define critical infrastructure,
- Regulation of AI and Algorithms,
- Counter terrorism vs. privacy tension,
- Would be good to have discussion on requirements.
- Pervasive Monitoring is an attack (RFC 7258).
- Old dependable (buffer overflows, SQL injection, no wordpress updates, ...)
- Local way to help people with this?
- Agree that?
- Internet and systems security worth improving.
- There is expertise in Ireland to work on this, but without critical mass
- Can we work on problems of local significance to make ourselves more effective? E.g. could we look at TLS upgrading?
- Loads of expertise - how do you get people talking? Getting groups together good. Want to get people doing things and not just talking.
- We want to find common interests today, where we can make progress and have a local impact.
- What would Information Systems angle be?
- A lot of standards and people turning them into marketable products.
- List of three buckets (see w/s page)
- Quick intro to passive DNS
- Advice or BCPs?
- Mismatch between what technology does and regulation requires.
- Could we define any student projects that might be helpful.
- Willing to give it a go.
Participant Intros (part 2)
A summary of security related network measurements - David Malone
Slides
- Picked out things going on around measurement which people may be interested in
- Conferences for network measurement results: IMC, PAM, TMA, SIGCOMM, USENIX Sec, IEEE S&P, NDSS
- Tried to pick out things people are doing across these
- Packet Processing Frameworks
- BPF - in-kernel monitoring, do we want to analyse
- PF_RING - get packets out of the kernel faster, allow data to be split over several processors for analysis
- DPDK/netmap - higher level at network cards rather than kernel,
- Others: tcpdump, shark, radiator for WiFi, usbdump
- People in Connect writing code to get data of base stations but not in common use
- Scanning
- nmap, nc, zmap - scan the whole network pretty quickly, knows how to spread packets out
- scanned 65536 hosts in 10s
- someone built a search engine - https://censys.io
- All the tools are there to do meaningful analysis
- How many people are using TLS
- You can add yourself to a blacklist not to be scanned
- Scamper - more sophisticated
- Measurement Infrastructure
- Looking glasses - traceroute,
- Moved on - the ring - a group of engineers from RIPE, you donate a VM and get SSH access etc.
- Passive Network Telescopes - monitor DDoS events,
- if you do a random scan it appears as an attack from an address block
- You see swathes of traffic when there is an attack
- RIPE Atlas
- series of RIPE Atlas probes - ~10,000 small computers which they provide and use to take measurements, e.g., response times from different parts of Europe
- Measurement conferences
- If you run a node you get credits
- CAIDA Ark
- Topology measurements
- Raspberry Pi based
- Facebook ads
- Place a Facebook ad and see how many users look at your page e.g. DNSSEC
- Mechanical Turk
- IPv6
- Google sees 20%
- Ireland 10%
- Eircom IPv6 by default
- Getting logfiles from HEAnet to see who was using IPv6
- Google supporting with services - perhaps provides them customer profiling data
- Routing
- Problem for measurement
- If you send out packets who can get them from you
- source addresses of an attacker often spoofed
- Spammers hijack an AS to do some spamming and vanish and no one knows what to do.
- DNSSEC
- Significant interest
- Server/client side.. who signs, what algo, who verifies.?
- deployment challenges - EDNS0 for large responses
- Someone asked what XXX but it doesn't exist - NSEC
- Other - anycast
- TLS/SSL
- Who is issuing what cert
- COMODO - who is issuing for my domain https://crt.sh/
- Attacks on keys - data available - really interesting analysis can be done
- New devices, not much entropy; first thing when turned on is generate a prime, which is likely to overlap - 1 in 32k
- Network Censorship
- Understand the Great Firewall of China
- What parts of the internet are dropped in which order
- What key words are being stopped and correlating
- Tor deanonymisation
- Modern Mobile / App / Web infrastructure
- Compare the query you get to the query expected
- What are mobile operators' middle boxes doing
- how to find PII
- how do apps behave
- Sites which you can use to look at other sites e.g. cross-site scripting attacks
- Interesting high level measurements
- Deanonymisation of bitcoin transactions
- Injections to see where money is being spent
- Analysis of fake news - correlation of sources e.g. blogger at Russia time
- Doxing - personal attack to get your PII and provide
- Who gets email. what happens to stolen email addresses
- https://www.w3.org/WAI/ER/tools/ maybe another project
- SF Summary : There is lots of technology / capability already to get started. We could look at government sites and analyse characteristics
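The low-entropy key point in the notes above (devices generating the same first prime, so two moduli share a factor) is easy to check from a pile of harvested public keys: the gcd of two moduli that share a prime is that prime, and then both keys are factored. The script below is an added example, not code from the talk or from this page; its sample moduli are constructed from small primes so that it runs instantly, the same arithmetic applies unchanged to real 1024/2048-bit moduli, and the batch form is the one you would run over a whole scan's worth of certificates.

```python
"""Find RSA moduli that share a prime factor (weak-entropy key detection).

Added example, not from the talk or this page. The "keys" below are
constructed from small primes so the script runs in milliseconds; real
moduli are 1024/2048 bits but math.gcd handles them identically.
"""
from itertools import combinations
from math import gcd

# Constructed sample moduli. dev-a and dev-b both used P_SHARED as their
# first prime, mimicking devices that generate it from a near-empty entropy
# pool. dev-c and dev-d use four distinct primes and must not be flagged.
P_SHARED = 1000000007
SAMPLE_MODULI = {
    "dev-a": P_SHARED * 998244353,
    "dev-b": P_SHARED * 1000000009,
    "dev-c": 999999937 * 999999929,
    "dev-d": 1000000021 * 1000000033,
}


def pairwise_shared_factors(moduli):
    """Naive O(k^2) scan: gcd of every pair of moduli.

    Returns {key_id: (p, q)} for every modulus whose factorisation is
    recovered because it shares exactly one prime with another modulus.
    """
    found = {}
    for (id_a, n_a), (id_b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        if g == 1:
            continue                       # no shared prime
        for key_id, n in ((id_a, n_a), (id_b, n_b)):
            if g != n:                     # g == n is a duplicate key, see duplicate_keys()
                found[key_id] = (g, n // g)
    return found


def batch_gcd_shared_factors(moduli):
    """Batch GCD: gcd(n_i, product of all other n_j), one gcd per key.

    This scales to a scan's worth of keys; a product/remainder tree makes it
    quasi-linear, but the plain product is enough to show the idea.
    """
    product = 1
    for n in moduli.values():
        product *= n
    found = {}
    for key_id, n in moduli.items():
        others = (product // n) % n        # reduce before the gcd to keep it cheap
        g = gcd(n, others)
        if 1 < g < n:                      # g == n: both primes appear elsewhere (e.g. duplicate key)
            found[key_id] = (g, n // g)
    return found


def duplicate_keys(moduli):
    """Identical moduli are a separate finding: one key reused on several hosts."""
    seen = {}
    dups = {}
    for key_id, n in moduli.items():
        if n in seen:
            dups.setdefault(n, [seen[n]]).append(key_id)
        else:
            seen[n] = key_id
    return list(dups.values())


if __name__ == "__main__":
    for key_id, (p, q) in sorted(batch_gcd_shared_factors(SAMPLE_MODULI).items()):
        print(f"{key_id}: n = {p} * {q}  (shared prime {p})")
    print("duplicates:", duplicate_keys(SAMPLE_MODULI))
```

Over real data the moduli come from the certificates a survey collects (for example the TLS and SSH keys a zmap/censys run returns); the responsible-disclosure route back to asset holders mentioned elsewhere on this page matters here, since a hit means the private key is recoverable by anyone with the same public data.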
Selling Crypto - an experience of developing crypto in Ireland, Mike Scott, MIRACL
No slides. (Thanks Mike!)
Notes - Day 2
Topics to pursue...
We discussed some and came up with a prioritised list of
stuff we'll really do, starting this year:
- measurement campaign - web and mail servers, DNS
- Alex, Stephen, Tom, Dave, Tony, AIT/Brian Lee?
- easy start: censys a/c, geoip list(s)
- Stephen to start mail thread
- mobile h/s traffic on-device VPN and off-device @ VPN or @ router/AP
- Doug, Tony (eduroam or other), Maria
- https://www.icsi.berkeley.edu/icsi/projects/networking/haystack
- Doug to send mail
- PII studies
- Caroline, Maria (Stephen as an ignorant helper) Michael M, - test for "privacy paradox" over time longitudinal study
- Designing such a study is a project in itself -
- Maybe talk to Tilda http://www.tilda.ie ,
- Growing Up in Ireland http://www.esri.ie/growing-up-in-ireland/
- http://oxis.oii.ox.ac.uk/research/methodology/
- Maria to send mail
- Building PoC of Personalised but more private services
- Doug, Maria to chat
- Doug to send mail
And a list of other stuff we'd like to do (more aspirational, no hard actions for now)
- device investigation
- Card survey - NFC cards Dave (NFC reader HOWTO) NFCTools/Android, mag stripe
- Android NFC tag reader: NFC tools
- Dave & Caroline may write project paragraph (Peter also interested in this, i.e. NFC and smartcard investigation))
- https://plus.google.com/+DavidMalone/posts/9y6uL4U8dBZ
- Caroline
- Standalone NFC reader/writer accessory (the Nintendo 3DS/3DS XL/2DS amiibo NFC reader/writer)
- "smart" meters
- Water meters
- Bob Shorten/UCD, has car charging kit
- medical devices - need more/other people in room?
- "smart" home (ikea, nest, Philips hue...) as used for assisted living
- what traffic emerges? there exists data in Dundalk, casala Rob Boyd?
- https://www.dkit.ie/tags/casala
- Caroline, Peter, Maria
How might we organise?
General agreement that the name is good and sends the right impression - Responsible - the name works! Let's use it
Mike to update responsible site with paragraph/charter - to be sent to mailing list by 26/09/2017
No fancy website - If someone wants something there mail Stephen
How do we want to operate in the future?
- Be public with mailing list vs semi-open? Semi-open more likely to fit with private sector mindset?
- Work to be carried out on Mailing list
- Mailing list closed and access managed by Stephen/Mike
- Stephen will moderate the mailing list in the short-term and police non-member incoming emails.
- On joining the group or mailing list, by invitation at the moment.
- We're interested in consumers of outputs, genuinely interested parties and possible contributors.
- Meeting minutes to be distributed and agreed upon.
- Setup alias for info-at-responsible.ie that goes to Stephen/David
- Note: that mail a/c switched off 2022-08-11, see below for new contact point.
Open or Closed?
- We would like our work to be more open than less open?
- Proceed for now as semi-open until work is produced.
- Work should tend towards being open rather than closed.
- Agree to make findings public on the website.
- Also need to be 'responsible' with findings, i.e. try let asset-owner know first, etc.
- General tone of output should be one of responsibility, doing something good/useful. Something that an interested party could approach easily.
- Look for a standard/good protocol for releasing findings.
(Can't find a standard, but wikipedia outlines principles https://en.wikipedia.org/wiki/Responsible_disclosure)
- People yell if they don't want something to be shared
- Talk on mailing list.
- Getting more involvement from commercial folks.
Future meetings? Twice per year?
- Next meeting provisionally hosted by HEAnet early next year (Tony Gray offered to host, maybe half-day meeting.)
Aspirations/"visions":
- In the distant future maybe we'd evolve into something like the Chaos Computer Club (CCC) - a white-hat organisation that entities consult from time to time on security.
- Also, look at ways to get money, from any sources: private companies, SFI, Enterprise Ireland.
- Private funding - help each other to get money to do work
- If we find a vulnerability, we will be responsible - bring it to the attention of the vulnerable party to fix first.
- Getting more operator/commercial input would be good - how do we become more friendly? How do we appear 'friendly' towards companies/commercial folks?
- Vision to be translatable to ....co.uk. .fr, .de. The internet soc may be a route to something like that.
Consider folding ourselves into the local ISOC Ireland chapter?
- ISOC as an umbrella under which we continue? Folks were explicitly happy with that.
Victory declared, meeting closed.