cos 125 day 10. agenda capstone projects proposals over due timing of deliverables is 10% of grade...
Post on 21-Dec-2015
COS 125
DAY 10
Agenda
Capstone project proposals are overdue
Timing of deliverables is 10% of grade
Missing 9 out of 17
Quiz two, covering the rest of the HITW text, will be on Feb 17
Same format as before
Extra credit question on privacy
Today: Shopping and Doing Business on the Internet, and Protecting Yourself on the Internet
Next week we will begin doing Web pages
Intranets
Intranets are private internets limited to a specific organization's needs
Has many of the same applications as the Internet
Segmented away from the Internet by firewalls (we'll discuss firewalls later)
May allow VPN access through firewalls
Picture Source: http://www.iimahd.ernet.in/~jajoo/intranet/intro/images/firewall.gif
Intranets applications
Internal e-mail
Databases
Scheduling
Collaboration tools
Groupware
Chat & IM
Whiteboards
Videoconferencing
Document management
VPN’s
Virtual Private Networks: encrypted traffic that travels in "tunnels" between encryption and decryption devices
VPN’s
http://static.howstuffworks.com/flash/vpn-site.swf
Shopping on the Internet
Shopping on the Internet involves many technologies: databases, encryption, cookies, eWallets, HTML
How Online Shopping works
Demo from Learn The Net
Steps:
1. Find the product you want (database and search technologies)
2. Fill out the order form with personal info and credit card info; the data is encrypted and sent to the eMerchant
3. The eMerchant verifies the credit card and info electronically (SET and other protocols)
4. The eMerchant confirms the order to the customer by e-mail
5. The eMerchant contacts the distribution center to ship the product (UPS, FedEx or USPS)
How Cookies Work
A cookie is a small text file written by a web server to your hard drive (look for a cookies directory on your PC)
The web server that wrote the cookie can read and/or modify the cookie (so can sophisticated hackers)
They are used to track users
Cookies
Advantages: allows you to auto-login to a site; keeps you from entering your info all the time; helps the eMerchant do business
Disadvantages: cookies stay on the PC and don't follow the user; spyware! (discuss later); other people can see your info
Cookie from my PC
Online shopping carts
Requires login to the site
Data is stored in a database at the eMerchant site
The eMerchant creates a cookie on your PC
As you add stuff to your cart, your cookie gets modified
When you are ready to "check out" your cookie is read, and then erased after you have placed the order
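The cookie and shopping-cart mechanics described above can be simulated end to end. The Python below is an added example, not code from the slides or from any real browser or shop: a toy browser cookie jar that files each cookie under the host that set it and only sends it back to that host (which is why only the issuing server can read or modify its cookie), and a toy eMerchant that keeps the cart inside a cookie, modifies it on every add, and erases it at checkout with Max-Age=0. The hostnames shop.example and other.example, the cart cookie format and the order flow are all constructed for the example; real browsers also scope cookies by path and honour the Secure and HttpOnly flags, which are left out here.

```python
from http.cookies import SimpleCookie


class BrowserCookieJar:
    """Toy browser-side cookie store (constructed for this example).

    Cookies are filed under the host that set them and only attached to
    requests going back to that host, which is why only the server that
    wrote a cookie can read or change it through the browser.
    """

    def __init__(self):
        self._jar = {}  # host -> {cookie name: value}

    def receive(self, host, set_cookie_value):
        """Process one Set-Cookie header value sent by `host`."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        for name, morsel in parsed.items():
            if morsel["max-age"] == "0":
                # Max-Age=0 is how a server tells the browser to erase a cookie
                self._jar.get(host, {}).pop(name, None)
            else:
                self._jar.setdefault(host, {})[name] = morsel.value

    def cookie_header(self, host):
        """The Cookie: header value the browser would send to `host`."""
        return "; ".join(f"{k}={v}" for k, v in self._jar.get(host, {}).items())

    def stored_on_disk(self):
        """What another user of the same PC could read from the cookie files."""
        return {host: dict(cookies) for host, cookies in self._jar.items()}


class MerchantServer:
    """Toy eMerchant that keeps the shopping cart inside a cookie."""

    host = "shop.example"  # constructed hostname

    def _cart_from(self, cookie_header):
        parsed = SimpleCookie()
        parsed.load(cookie_header)
        raw = parsed["cart"].value if "cart" in parsed else ""
        return [item for item in raw.split("|") if item]

    def add_to_cart(self, jar, item):
        """Read the current cart cookie, append the item, send the modified cookie back."""
        items = self._cart_from(jar.cookie_header(self.host)) + [item]
        jar.receive(self.host, f"cart={'|'.join(items)}; Path=/")
        return items

    def checkout(self, jar):
        """Read the cart to place the order, then tell the browser to erase the cookie."""
        items = self._cart_from(jar.cookie_header(self.host))
        jar.receive(self.host, "cart=deleted; Path=/; Max-Age=0")
        return items


if __name__ == "__main__":
    jar, shop = BrowserCookieJar(), MerchantServer()
    shop.add_to_cart(jar, "stereo")
    shop.add_to_cart(jar, "speakers")
    print("sent to shop.example :", jar.cookie_header("shop.example"))
    print("sent to other.example:", repr(jar.cookie_header("other.example")))
    print("on disk              :", jar.stored_on_disk())
    print("order placed for     :", shop.checkout(jar))
    print("after checkout       :", repr(jar.cookie_header("shop.example")))
```

The stored_on_disk view is the slide's "other people can see your info" point: the cart travels in clear text and sits in the cookie file until the server erases it.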
How Electronic Wallets Work
Online equivalent of a real wallet
Stores information: personal, credit cards
Encrypted
When you need info online you "open" your wallet and provide the information
Not widely supported
Online auctions
One of the most successful eCommerce business models: Ebay.com, Ubid.com
Works like a regular auction except everything is done virtually
Online Auction Guide
Protecting yourself on the Internet
One of the most talked about subjects in the last few years
Great demand for Internet Security Specialists
Prompted the need for a new field of study: Information Assurance, a new program of study at UMFK
Is the Internet SAFE?
Dangers
Hackers: worms, viruses, Trojans, DOS & DDOS
Privacy: snooping, spyware
Criminal: phishers, Internet fraud, con men (Dot Con), pedophiles and perverts
Questions: Do these things only happen on the Internet? Is online better or worse than offline?
How Firewalls Work
Firewalls check packets going in and out of networks
Decide which packets go through and which don't
Work in both directions
Only one part of security
Firewalls (diagram): an attack prevention system for a corporate network. An attacker on the Internet sends attack messages toward the network; the firewall stops most attack messages; behind it sit a hardened client PC and a hardened server with permissions.
How Personal Firewalls work
Software version of a standard Hardware firewall
Controls packets in and out of one PC in much the same way as a Hardware Firewall does
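An added example (not from the slides) of the packet-checking logic the firewall slides describe: an ordered list of allow/deny rules matched against each packet's direction, protocol, addresses and destination port, first match wins, and anything no rule mentions falls to a default deny. The network, addresses, rules and sample packets are constructed; the same logic applied to one host's own traffic is what a personal firewall does. The LEAKY_RULES set shows the "bad configuration" case from the next slide: one over-broad allow rule placed first lets every packet through, however good the rest of the rules are.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (from the Internet) or "out" (toward the Internet)
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    direction: str  # "in", "out" or "any"
    proto: str      # "tcp", "udp" or "any"
    src: str        # source network in CIDR notation
    dst: str        # destination network in CIDR notation
    dports: tuple   # destination ports the rule covers; () means any port
    action: str     # "allow" or "deny"

    def matches(self, pkt):
        return (
            self.direction in ("any", pkt.direction)
            and self.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (not self.dports or pkt.dport in self.dports)
        )


def decide(rules, pkt, default="deny"):
    """First matching rule wins; a packet no rule mentions gets the default verdict."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set for a network 10.0.0.0/8 with one public web server, 10.1.1.10.
GOOD_RULES = [
    Rule("in", "tcp", "0.0.0.0/0", "10.1.1.10/32", (80, 443), "allow"),  # only the web server is reachable
    Rule("out", "tcp", "10.0.0.0/8", "0.0.0.0/0", (25,), "deny"),        # no direct mail out of workstations
    Rule("out", "any", "10.0.0.0/8", "0.0.0.0/0", (), "allow"),           # the inside may reach the Internet
]  # everything else: default deny

# The same rules with one careless "allow everything" placed first: a leaky firewall.
LEAKY_RULES = [Rule("any", "any", "0.0.0.0/0", "0.0.0.0/0", (), "allow")] + GOOD_RULES

# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SAMPLE_PACKETS = {
    "web request to server": Packet("in", "tcp", "203.0.113.5", "10.1.1.10", 443),
    "remote desktop to workstation": Packet("in", "tcp", "203.0.113.5", "10.1.1.20", 3389),
    "workstation browsing": Packet("out", "tcp", "10.1.1.20", "203.0.113.9", 443),
    "workstation sending mail directly": Packet("out", "tcp", "10.1.1.20", "203.0.113.9", 25),
}


def evaluate(rules):
    """Map each sample packet to the decision the given rule set produces."""
    return {name: decide(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("leaky", LEAKY_RULES)):
        print(label)
        for name, verdict in evaluate(rules).items():
            print(f"  {verdict:5} {name}")
```

Both the inbound remote-desktop attempt and the outbound direct-mail attempt are blocked by GOOD_RULES, which is the "works in both directions" point; with LEAKY_RULES both pass.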
Personal Firewalls
Many available, some free. Not all work!
Even if it is a good firewall, a bad configuration makes it "leaky"
My recommendation:
Free: Sygate Personal Firewall
Not free (around $60): Norton Internet Security
How Hackers Hack
Many techniques
Social engineering: get someone to give you their password
Cracking: guessing passwords. A six letter password (no caps) has > 300 million possibilities. Merriam-Webster's citation files, which were begun in the 1880s, now contain 15.7 million examples of words used in context and cover all aspects of the English vocabulary. http://www.m-w.com/help/faq/words_in.htm
Buffer overflows: getting code to run on other PCs; load a Trojan or backdoor
Snoop and sniff: steal data
Denial of Service (DOS): crash or cripple a computer from another computer
Distributed Denial of Service (DDOS): crash or cripple a computer from multiple distributed computers
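The slide's password figure generalises. The Python below is an added example (not from the slides): keyspace, entropy in bits and worst-case search time for several alphabets and lengths, and how much smaller a dictionary attack's search is when the password is an English word, using the slide's 15.7 million figure as the dictionary size. The alphabet sizes, the lengths and the one-million-guesses-per-second rate are constructed assumptions.

```python
import math

# Constructed alphabet sizes for the table below.
ALPHABETS = {
    "lowercase letters": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}

DICTIONARY_WORDS = 15_700_000  # the Merriam-Webster citation-file figure from the slide


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of work a brute-force guesser faces for a uniformly random password."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size, length, guesses_per_second):
    """Time to try every password at a given guess rate (the rate is a constructed assumption)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def dictionary_speedup(alphabet_size, length):
    """How many times fewer guesses a dictionary attack needs than exhausting the keyspace,
    assuming the password is one of the dictionary's words."""
    return keyspace(alphabet_size, length) / DICTIONARY_WORDS


def keyspace_table(lengths=(6, 8, 12), guesses_per_second=1_000_000):
    """Rows of (alphabet, length, keyspace, bits, worst-case seconds) for the table."""
    rows = []
    for name, size in ALPHABETS.items():
        for length in lengths:
            rows.append((name, length, keyspace(size, length),
                         round(entropy_bits(size, length), 1),
                         worst_case_seconds(size, length, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print(f"{'alphabet':22} {'len':>3} {'keyspace':>26} {'bits':>6} {'worst case (s)':>16}")
    for name, length, space, bits, secs in keyspace_table():
        print(f"{name:22} {length:>3} {space:>26,} {bits:>6} {secs:>16,.0f}")
    print(f"\nsix lowercase letters: {keyspace(26, 6):,} guesses to exhaust, "
          f"but only {DICTIONARY_WORDS:,} if the password is a dictionary word "
          f"({dictionary_speedup(26, 6):.0f}x fewer)")
```

The table is the reason the slide pairs the 300-million figure with a dictionary size: the keyspace only counts if the password is random, and a dictionary word shrinks the attacker's search by a factor of about twenty at six lowercase letters.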
DOS attacks
Kill the PC with one packet (exploits a problem in the O/S): Teardrop, WinNuke
Kill the PC with lots of packets: Smurf, Frag, Tribal Flood Network
SMURF Attack
Image from www.circlemudd.org
Attacks Requiring Protection
Denial-of-Service (DoS) attacks make the system unavailable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.
Single message DOS attack (crashes the victim): diagram of an attacker sending one message to a server
Attacks Requiring Protection
Denial-of-Service (DoS) attacks make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.
Message stream DOS attack (overloads the victim): diagram of an attacker sending a stream of messages to a server
Distributed Denial-of-Service Attacks
Distributed DOS (DDoS) attack: messages come from many sources. Diagram: the attacker sends attack commands to computers with zombies, and each zombie sends DoS attack packets to the server.
Attacks Requiring Protection Malicious Content
Viruses: infect files; propagate by executing an infected program; payloads may be destructive
Worms: propagate by themselves
Trojan horses: appear to be one thing, such as a game, but actually are malicious
Snakes: combine worm with virus, Trojan horses, and other attacks
Trojan’s and BackDoors
The trick is to get a backdoor (unauthorized entry) onto a machine
Easy way: get the user to load it himself. Cracked software (WAREZ), free software (KAZAA)
Hard way: get a password, create a buffer overflow. Microsoft can teach you how
Most common Trojans and backdoors: SubSeven, ServU, Netbus, Back Orifice
If you have downloaded cracked software (illegal) or have loaded KAZAA, chances are that you have been hacked!
I get at least one of these a day.
Snoop and Sniff
How Viruses Work
Getting Rid of Viruses
Get good virus protection software
Free (not recommended): Anti-Vir, Avast, AVG
Not free: Norton AntiVirus, McAfee
Update definition files often
How Worms work
Worms are pieces of software that self-replicate over networks
"Choke" networks
Famous worms:
Morris worm – the first worm
Code Red – went after IIS servers
Melissa – e-mail worm
Slammer – SQL worm
Blaster – Windows RPC worm
MyDoom – another e-mail worm that creates a backdoor on your computer
Privacy Issues
Cookie problems
Web tracking
Web bugs
Clear GIFs technology
Passports
Spyware
Cookie Invasion
Cookies can be used to monitor your web behavior
Tracking cookies are used by Internet marketing agencies like DoubleClick
Why? Consumer profiling
You go to Yahoo and search for "stereo"
All of a sudden you see a pop-up ad for Crutchfield.com
Web Tracking
Web tracking is used for the same reasons: profiling
Instead of monitoring on the user side, all monitoring is done on the server side
Monitors packets
Reads web logs
Web Tracking report
Web Logs
Web Bugs
Web bugs are used to gather information about users (the name comes from "bugging" a room)
Done by embedding a piece of monitoring code in an image link
Works on web pages and HTML e-mail
Often called clear GIFs: small 1x1 pixels, transparent, made so that users don't see them
Every time the web bug is loaded it gathers info about the user that activated it and sends it off to a remote server
DoubleClick Clear GIFs
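As an added example (not from the slides), here is a small Python scanner for the clear-GIF pattern the slide describes: it reads a page's HTML and flags <img> tags that come from a third-party host and are 1x1 (or 0x0) or hidden by style, noting when the image URL carries a query string that could hold a user identifier. The sample page, the hostnames news.example, tracker.example, ads.example and cdn.example and the uid parameter are constructed; a same-host spacer pixel is deliberately not flagged, since that is ordinary layout rather than tracking.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class WebBugFinder(HTMLParser):
    """Flag <img> tags that look like clear GIFs: third-party images that are
    1x1 (or 0x0) or hidden by style, optionally carrying a query string."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname or self.page_host  # a relative src is served by the page's own host
        reasons = []
        if a.get("width", "").strip() in ("0", "1") and a.get("height", "").strip() in ("0", "1"):
            reasons.append("1x1 pixel")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        # A same-host spacer pixel is layout; a third-party one that is tiny or hidden is the web bug pattern.
        if host != self.page_host and reasons:
            reasons.append(f"third-party host {host}")
            if "?" in src:
                reasons.append("query string may carry a user identifier")
            self.findings.append((src, reasons))


def find_web_bugs(html, page_host):
    """Return [(src, reasons)] for every image in `html` that matches the web bug pattern."""
    finder = WebBugFinder(page_host)
    finder.feed(html)
    return finder.findings


# Constructed sample page served from news.example.
SAMPLE_PAGE = """<html><body>
<img src="/images/logo.png" width="200" height="60" alt="Site logo">
<img src="/images/spacer.gif" width="1" height="1" alt="">
<img src="http://tracker.example/pixel.gif?uid=abc123" width="1" height="1" alt="">
<img src="https://ads.example/t.gif" style="display: none">
<img src="https://cdn.example/photo.jpg?w=800" width="800" height="600">
</body></html>"""


if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_PAGE, "news.example"):
        print(src)
        for reason in reasons:
            print("   ", reason)
```

The same parser works on the HTML body of an e-mail, which is where the slide says web bugs are also planted; the third-party photo with a query string is not reported because size, not the query string alone, is what marks a pixel as a bug.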
Passports
Internet passports are a user-allowed authentication and data collection tool
Used to prove identity
Used to collect data
Tied to a specific browser on a specific PC, not the user: if someone uses your PC it can make believe he is you
Can be used on multiple web sites
Not widely used
Spyware
Software that sits on your computer, monitors everything that you do and sends out reports to marketing agencies
Usually tied to a pop-up server
Top spyware: I-Look Up, CoolWebSearch, N-CASE, GATOR, DoubleClick
If you have ever loaded ICQ on your PC you have spyware
If you have ever had KAZAA loaded on your PC you have spyware
If you have loaded Quicken or TurboTax you have spyware (C-Dilla)
Getting Rid of it all!
Keeping Your PC Spyware Free, Michael P. Matis © 2004, UMM Information Technology: instructions and software
Crypto, Digital Signature and Digital Certificates
Cryptography provides security by using encryption; ensures privacy
Digital signatures are just like a real signature; DCMA makes them just as legally binding as a signed paper document
Digital certificates use cryptographic techniques to prove identity
Digital Signature
Diagram: sender to receiver; a digital signature (DS) is added to each plaintext message, providing message-by-message authentication, and the whole is encrypted for confidentiality
Digital Signature: Sender
Diagram: plaintext, hashed to a message digest (MD); the MD is signed (encrypted) with the sender's private key to give the DS
To create the digital signature:
1. Hash the plaintext to create a brief message digest; this is NOT the digital signature
2. Sign (encrypt) the message digest with the sender's private key to create the digital signature
Digital Signature
Diagram: the sender encrypts and the receiver decrypts; the plaintext plus digital signature is sent for transmission, encrypted with a symmetric session key
Digital Signature: Receiver
Diagram: received plaintext, hashed, gives an MD; the DS, decrypted with the true party's public key, gives an MD; are they equal?
1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest
2. Decrypt the digital signature with the sender's public key. This also should give the message digest
3. If the two match, the message is authenticated; the sender has the true party's private key
Public Key Deception
Impostor: "I am the True Person."
Impostor: "Here is TP's public key." (sends Impostor's public key)
Impostor: "Here is authentication based on TP's private key." (really Impostor's private key)
Verifier: must authenticate True Person; believes it now has TP's public key; believes True Person is authenticated, based on Impostor's public key
Verifier: "True Person, here is a message encrypted with your public key."
The message from the Verifier is really encrypted with Impostor's public key, so Impostor can decrypt it
Critical deception
Digital Certificates
Digital certificates are electronic documents that give the true party's name and public key
Applicants claiming to be the true party have their authentication methods tested by this public key
If they are not the true party, they cannot use the true party's private key and so will not be authenticated
Digital certificates follow the X.509 standard
Digital Signatures and Digital Certificates
Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature
Diagram: the applicant sends plaintext plus DS to the verifier; the certificate authority supplies the digital certificate containing the true party's public key
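The sender and receiver steps, the public-key deception and the role of the certificate can all be run through in one small program. The Python below is an added example, not code from the slides: it uses textbook RSA on toy 130-bit primes (the slides' "encrypt the digest with the private key" view; far too small for real use and without the padding real signatures need) and SHA-256 for the message digest. The certificate is a constructed stand-in for an X.509 certificate, namely the CA's signature over the true party's name and public key. The parties True Person, Impostor and Certificate Authority, the message and the key-generation seeds are all constructed for the example. The naive verifier that accepts the public key offered along with the message is fooled exactly as in the diagram; the verifier that takes the public key only from a certificate it has checked against the CA is not.

```python
import hashlib
import math

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic, so the keys below reproduce."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    """Smallest probable prime strictly greater than n."""
    n += 1 if n % 2 == 0 else 2
    while not is_probable_prime(n):
        n += 2
    return n


def make_keypair(start):
    """Toy RSA key pair ((n, e), (n, d)) from two ~130-bit primes found after `start`.
    Far too small for real use; n only needs to exceed a SHA-256 digest here."""
    e = 65537
    p = next_prime(start)
    q = next_prime(p + 2**100)  # well past p, so the two primes differ
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


def message_digest(message):
    """Step 1 on both sides: hash the plaintext to a brief message digest (as an integer)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """Sender step 2: 'encrypt' the digest with the private key; the result is the DS."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message, signature, public_key):
    """Receiver steps 1-3: hash the received plaintext, 'decrypt' the DS with the
    public key, and authenticate only if the two digests are equal."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message)


def certificate_body(subject, public_key):
    """The bytes a CA signs: the true party's name bound to its public key."""
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(subject, public_key, ca_private_key):
    return {"subject": subject, "public_key": public_key,
            "ca_signature": sign(certificate_body(subject, public_key), ca_private_key)}


def certificate_is_valid(cert, ca_public_key):
    return verify(certificate_body(cert["subject"], cert["public_key"]), cert["ca_signature"], ca_public_key)


def public_key_deception_demo():
    """Replay the slides' scenario with constructed parties: True Person (TP), Impostor, CA."""
    tp_public, tp_private = make_keypair(2**130)
    imp_public, imp_private = make_keypair(2**131)
    ca_public, ca_private = make_keypair(2**132)
    message = b"I am the True Person."
    # Naive verifier: tests the DS with whatever public key arrived with the message.
    naive_fooled = verify(message, sign(message, imp_private), imp_public)
    # Careful verifier: takes TP's public key only from a certificate that checks out against the CA.
    tp_cert = issue_certificate("True Person", tp_public, ca_private)
    forged_cert = {"subject": "True Person", "public_key": imp_public,  # Impostor cannot sign as the CA
                   "ca_signature": sign(certificate_body("True Person", imp_public), imp_private)}
    return {
        "naive_verifier_fooled": naive_fooled,
        "genuine_certificate_valid": certificate_is_valid(tp_cert, ca_public),
        "forged_certificate_rejected": not certificate_is_valid(forged_cert, ca_public),
        "true_person_authenticated": verify(message, sign(message, tp_private), tp_cert["public_key"]),
        "impostor_rejected": not verify(message, sign(message, imp_private), tp_cert["public_key"]),
    }


if __name__ == "__main__":
    for name, outcome in public_key_deception_demo().items():
        print(f"{name}: {outcome}")
```

The naive verifier's mistake is the slide's "critical deception": it checked a signature against a key it had no independent reason to believe belonged to the True Person. The certificate supplies that reason, and only the CA's private key can produce one.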
Government Invasions of Privacy?
Internet wire taps: the FBI has the ability to tap into your Internet traffic
The FBI has DragonWare, which contains three parts:
Carnivore - a Windows NT/2000-based system that captures the information
Packeteer - no official information released, but presumably an application for reassembling packets into cohesive messages or Web pages
Coolminer - no official information released, but presumably an application for extrapolating and analyzing data found in the messages
FBI's Carnivore: http://www.epic.org/privacy/carnivore/foia_documents.html
More on Carnivore: http://computer.howstuffworks.com/carnivore.htm
Carnivore
Work Place Snooping
Workplaces have similar techniques available to them
Often tied to an "acceptable use policy" you had to sign when you went to work
Generally, if the e-mail account and Internet access were made available to you by your employer in order to do your work, they have a legal right to monitor your use of it
Parental Controls
How do you prevent children from wandering into the "seedy" side of the Internet?
By creating laws? The Communications Decency Act was ruled unconstitutional by the US Supreme Court on "freedom of speech issues"
Jurisdiction problems
Parental Controls Software
Many companies make Internet filtering software that doesn't allow access to "bad" sites
How do you tell if a site is "bad"? Known bad sites; bad words in the URL or content
Keeping Kids Safe http://www.kiks.org/
Free Software http://www.we-blocker.com/