COS 125 DAY 10

Post on 21-Dec-2015


TRANSCRIPT

Page 1: COS 125 DAY 10. Agenda  Capstone Projects Proposals Over Due Timing of deliverables is 10% of Grade Missing 9 out of 17  Quiz two covering the rest

COS 125

DAY 10

Page 2

Agenda

- Capstone project proposals are overdue; timing of deliverables is 10% of the grade; missing 9 out of 17
- Quiz two, covering the rest of the HITW text, will be on Feb 17; same format as before; extra credit question on privacy
- Today: shopping and doing business on the Internet, and protecting yourself on the Internet
- Next week we will begin doing Web pages

Page 3

Intranets

- Intranets are private internets limited to a specific organization's needs
- They have many of the same applications as the Internet
- Segmented away from the Internet by firewalls (we'll discuss firewalls later); may allow VPN access through the firewall

Picture source: http://www.iimahd.ernet.in/~jajoo/intranet/intro/images/firewall.gif

Page 4

Intranet applications

- Internal e-mail
- Databases
- Scheduling
- Collaboration tools: groupware, chat & IM, whiteboards, videoconferencing, document management

Page 5

VPNs

Virtual Private Networks: encrypted traffic that travels in "tunnels" between encryption and decryption devices

Page 6

VPNs

http://static.howstuffworks.com/flash/vpn-site.swf

Page 7

Shopping on the Internet

Shopping on the Internet involves many technologies: databases, encryption, cookies, eWallets, HTML

Page 8

How Online Shopping works

Demo from Learn The Net. Steps:

1. Find the product you want (database and search technologies)
2. Fill out the order form with personal info and credit card info; the data is encrypted and sent to the eMerchant
3. The eMerchant verifies the credit card and info electronically (SET and other protocols)
4. The eMerchant confirms the order to the customer by e-mail
5. The eMerchant contacts a distribution center to ship the product (UPS, FedEx or USPS)

Page 9

How Cookies Work

- A cookie is a small text file written by a web server to your hard drive (look for a cookies directory on your PC)
- The web server that wrote the cookie can read and/or modify the cookie (so can sophisticated hackers)
- They are used to track users

Page 10

Cookies

Advantages
- Allow you to auto-login to a site
- Keep you from entering your info every time
- Help the eMerchant do business

Disadvantages
- Cookies stay on the PC and don't follow the user
- Spyware! (discussed later)
- Other people can see your info

[Screenshot: cookie from my PC]

Page 11

Online shopping carts

- Requires login to the site; data is stored in a database at the eMerchant site
- The eMerchant creates a cookie on your PC
- As you add items to your cart, your cookie gets modified
- When you are ready to "check out" your cookie is read, and it is erased after you have placed the order

Page 12

How Electronic Wallets Work

- Online equivalent of a real wallet
- Stores information: personal, credit cards
- Encrypted
- When you need your info online you "open" your wallet and provide the information
- Not widely supported

Page 13

Online auctions

- One of the most successful eCommerce business models (eBay.com, uBid.com)
- Works like a regular auction except everything is done virtually

Online Auction Guide

Page 15

Protecting yourself on the Internet

- One of the most talked about subjects in the last few years
- Great demand for Internet security specialists
- Prompted the need for a new field of study: Information Assurance, a new program of study at UMFK

Page 16

Is the Internet SAFE?

Dangers
- Hackers: worms, viruses, Trojans, DOS & DDOS
- Privacy: snooping, spyware
- Criminal: phishers, Internet fraud, con men (Dot Con), pedophiles and perverts

Questions: Do these things only happen on the Internet? Is online better or worse than offline?

Page 17

How Firewalls Work

- Firewalls check packets going in and out of networks
- They decide which packets go through and which don't
- They work in both directions
- They are only one part of security

Page 18

Firewalls

[Diagram: Attack Prevention System. An attacker on the Internet sends attack messages toward the corporate network; the firewall stops most attack messages (X); a hardened client PC and a hardened server with permissions sit behind the firewall.]

Page 19

How Personal Firewalls work

- Software version of a standard hardware firewall
- Controls packets in and out of one PC in much the same way as a hardware firewall does

Page 20

Personal Firewalls

- Many available, some free; not all work!
- Even if it is a good firewall, a bad configuration makes it "leaky"
- My recommendation is:
  - Free: Sygate Personal Firewall
  - Not free (around $60): Norton Internet Security

Page 21

How Hackers Hack

Many techniques:

- Social engineering: get someone to give you their password
- Cracking: guessing passwords. A six-letter password (no caps) has over 300 million possibilities. Merriam-Webster's citation files, which were begun in the 1880s, now contain 15.7 million examples of words used in context and cover all aspects of the English vocabulary (http://www.m-w.com/help/faq/words_in.htm)
- Buffer overflows: getting code to run on other PCs; load a Trojan or backdoor
- Snoop and sniff: steal data
- Denial of Service (DOS): crash or cripple a computer from another computer
- Distributed Denial of Service (DDOS): crash or cripple a computer from multiple distributed computers

Page 22

DOS attacks

- Kill the PC with one packet (exploits a problem in the O/S): Teardrop, WinNuke
- Kill the PC with lots of packets: Smurf, Frag, Tribal Flood Network

Page 23

SMURF Attack

[Image from www.circlemudd.org]

Page 24

Attacks Requiring Protection

Denial-of-Service (DoS) attacks make the system unavailable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.

[Diagram: single-message DOS attack (crashes the victim). Attacker sends one message to the Server.]

Page 25

Attacks Requiring Protection

Denial-of-Service (DoS) attacks make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.

[Diagram: message-stream DOS attack (overloads the victim). Attacker sends a stream of messages to the Server.]

Page 26

Distributed Denial-of-Service Attacks

[Diagram: Distributed DoS (DDoS) attack: messages come from many sources. The Attacker sends attack commands to computers with zombies; each zombie sends DoS attack packets to the Server.]

Page 27

Attacks Requiring Protection: Malicious Content

- Viruses infect files; they propagate when an infected program is executed; payloads may be destructive
- Worms propagate by themselves
- Trojan horses appear to be one thing, such as a game, but actually are malicious
- Snakes combine a worm with a virus, Trojan horses and other attacks

Page 28

Trojans and BackDoors

- The trick is to get a backdoor (unauthorized entry) onto a machine
- Easy way: get the user to load it himself: cracked software (WAREZ), free software (KAZAA)
- Hard way: get a password; create a buffer overflow (Microsoft can teach you how)
- Most common Trojans and backdoors: SubSeven, ServU, NetBus, Back Orifice
- If you have downloaded cracked software (illegal) or have loaded KAZAA, chances are that you have been hacked!

Page 29

I get at least one of these a day.

Page 30

Snoop and Sniff

Page 31

How Viruses Work

Page 32

Getting Rid of Viruses

- Get good virus protection software
  - Free (not recommended): Anti-Vir, Avast, AVG
  - Not free: Norton AntiVirus, McAfee
- Update definition files often

Page 33

How Worms work

- Worms are pieces of software that self-replicate over networks
- They "choke" networks
- Famous worms:
  - Morris worm: the first worm
  - Code Red: went after IIS servers
  - Melissa: e-mail worm
  - Slammer: SQL worm
  - Blaster: Windows RPC worm
  - MyDoom: another e-mail worm, one that creates a backdoor on your computer

Page 34

Privacy Issues

- Cookie problems
- Web tracking
- Web bugs (Clear GIF technology)
- Passports
- Spyware

Page 35

Cookie Invasion

- Cookies can be used to monitor your web behavior
- Tracking cookies are used by Internet marketing agencies like DoubleClick
- Why? Consumer profiling: you go to Yahoo and search for "stereo"; all of a sudden you see a pop-up ad for Crutchfield.com

Page 36

Web Tracking

- Web tracking is used for the same reason: profiling
- Instead of monitoring on the user side, all monitoring is done on the server side: monitor packets, read web logs

Page 37

Web Tracking report

Page 38

Web Logs

Page 39

Web Bugs

- Web bugs are used to gather information about users (from "bugging" a room)
- Done by embedding a piece of monitoring code in an image link; works on web pages and in HTML e-mail
- Often called clear GIFs: small 1x1 pixel images, transparent, made so that users don't see them
- Every time the web bug is loaded it gathers info about the user that activated it and sends it off to a remote server
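As an added example (not from the slides), a small detector for the web bugs described above: it parses an HTML page or HTML e-mail and flags `<img>` tags that are 1x1 (or 0x0) and load from a host other than the page's own. The sample HTML and the host names in it are constructed.

```python
"""Flag likely web bugs (clear GIFs / tracking pixels) in HTML content."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # attribute values may be None for bare attributes like <img hidden>
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(img: dict) -> bool:
    """A 1x1 (or 0x0) declared size is the classic clear-GIF footprint.
    Images without explicit width/height are not flagged by this check."""
    w = img.get("width", "").strip().rstrip("px")
    h = img.get("height", "").strip().rstrip("px")
    return w in ("0", "1") and h in ("0", "1")


def find_web_bugs(html: str, page_host: str) -> list:
    """Return the src of every <img> that is tiny AND fetched from a third-party
    host: loading it tells that host who opened the page, when, and from where."""
    parser = ImgCollector()
    parser.feed(html)
    bugs = []
    for img in parser.images:
        src = img.get("src", "")
        # relative URLs are served by the page's own host, so they are first-party
        host = urlparse(src).hostname or page_host
        if _is_tiny(img) and host != page_host:
            bugs.append(src)
    return bugs


# Constructed sample: a real product photo, a first-party spacer GIF, and one
# third-party 1x1 tracking pixel of the kind the slide describes.
SAMPLE_HTML = """
<html><body>
<img src="/images/stereo.jpg" width="300" height="200" alt="stereo">
<img src="/images/spacer.gif" width="1" height="1">
<img src="http://ads.example-tracker.test/pixel.gif?uid=12345" width="1" height="1" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for src in find_web_bugs(SAMPLE_HTML, "shop.example.test"):
        print("possible web bug:", src)
```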

Page 40

DoubleClick Clear GIFs

Page 41

Passports

- Internet Passports are a user-allowed authentication and data collection tool: used to prove identity, used to collect data
- Tied to a specific browser on a specific PC, not to the user: if someone uses your PC it can make believe he is you
- Can be used on multiple web sites
- Not widely used

Page 42

Spyware

- Software that sits on your computer, monitors everything that you do and sends out reports to marketing agencies
- Usually tied to a pop-up server
- Top spyware: I-Look Up, CoolWebSearch, N-CASE, GATOR, DoubleClick
- If you have ever had ICQ loaded on your PC, you have spyware
- If you have ever had KAZAA loaded on your PC, you have spyware
- If you have loaded Quicken or TurboTax, you have spyware (C-Dilla)

Page 43

Getting Rid of it all!

Keeping Your PC Spyware Free, Michael P. Matis © 2004, UMM Information Technology (Instructions, Software)

Page 44

Crypto, Digital Signatures and Digital Certificates

- Cryptography provides security by using encryption; ensures privacy
- Digital signatures are just like a real signature; the DMCA makes them just as legally binding as a signed paper document
- Digital certificates use cryptographic techniques to prove identity

Page 45

Digital Signature

[Diagram: Sender sends DS + Plaintext to Receiver. Adding a digital signature to each message provides message-by-message authentication; the message is encrypted for confidentiality.]

Page 46

Digital Signature: Sender

[Diagram: Plaintext -> Hash -> MD (message digest) -> Sign (encrypt) MD with Sender's Private Key -> DS]

To create the digital signature:

1. Hash the plaintext to create a brief message digest; this is NOT the digital signature.
2. Sign (encrypt) the message digest with the sender's private key to create the digital signature.

Page 47

Digital Signature

[Diagram: Transmission. The Sender encrypts and the Receiver decrypts: the plaintext plus the digital signature (DS) is sent encrypted with a symmetric session key.]

Page 48

Digital Signature: Receiver

[Diagram: Received Plaintext -> 1. Hash -> MD; DS -> 2. Decrypt with True Party's Public Key -> MD; 3. Are they equal?]

1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest.
2. Decrypt the digital signature with the sender's public key. This also should give the message digest.
3. If the two match, the message is authenticated: the sender has the True Party's private key.

Page 49

Public Key Deception

[Diagram: exchange between the Impostor and the Verifier]

- Verifier: must authenticate the True Person (TP).
- Impostor: "I am the True Person." "Here is TP's public key." (sends the Impostor's public key). Critical deception.
- Verifier: believes it now has TP's public key.
- Impostor: "Here is authentication based on TP's private key." (really the Impostor's private key)
- Verifier: believes the True Person is authenticated, based on the Impostor's public key.
- Verifier: "True Person, here is a message encrypted with your public key."
- Impostor: the message from the Verifier was encrypted with the Impostor's public key, so the Impostor can decrypt it.

Page 50

Digital Certificates

- Digital certificates are electronic documents that give the true party's name and public key
- Applicants claiming to be the true party have their authentication methods tested by this public key
- If they are not the true party, they cannot use the true party's private key and so will not be authenticated
- Digital certificates follow the X.509 standard

Page 51

Digital Signatures and Digital Certificates

Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature.

[Diagram: the Applicant sends DS + Plaintext to the Verifier; the Verifier obtains the True Party's public key from a digital certificate issued by a Certificate Authority.]
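As an added example (not from the slides), the sender and receiver steps of pages 46 and 48, the public key deception of page 49 and the certificate fix of pages 50 and 51, worked with toy textbook RSA on small primes so the arithmetic stays visible. The primes, party names, certificate layout and sample message are all constructed; a real system uses a proper library with 2048-bit keys and X.509, not this.

```python
"""Toy hash-then-sign digital signature, the public key deception, and the
certificate fix. Textbook RSA with tiny primes: for teaching only, NOT secure."""
import hashlib
from math import gcd


def keygen(p, q, e=65537):
    """Toy RSA key pair from two primes, as ((n, e), (n, d)); real keys are far larger."""
    n, phi = p * q, (p - 1) * (q - 1)
    while gcd(e, phi) != 1:       # e must be invertible modulo phi
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def message_digest(plaintext: bytes, n: int) -> int:
    """Step 1: hash the plaintext. The digest is reduced mod n only because
    the toy modulus is far smaller than a SHA-256 value."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n


def sign(plaintext: bytes, private_key) -> int:
    """Sender step 2: 'encrypt' the digest with the sender's private key."""
    n, d = private_key
    return pow(message_digest(plaintext, n), d, n)


def verify(plaintext: bytes, signature: int, public_key) -> bool:
    """Receiver steps 2-3: 'decrypt' the signature with the public key and compare
    with a fresh hash. A match only proves the signer held the private key
    matching THIS public key, which is why the key's origin matters."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(plaintext, n)


def issue_certificate(name: str, subject_pub, ca_priv) -> dict:
    """A certificate binds a name to a public key under the CA's signature
    (constructed layout; X.509 carries much more than this)."""
    body = f"{name}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return {"name": name, "public_key": subject_pub, "ca_sig": sign(body, ca_priv)}


def key_from_certificate(cert: dict, expected_name: str, ca_pub):
    """The verifier takes the public key from the certificate, not from the
    applicant, and only if the CA's signature and the name check out."""
    n, e = cert["public_key"]
    body = f"{cert['name']}|{n}|{e}".encode()
    if cert["name"] != expected_name or not verify(body, cert["ca_sig"], ca_pub):
        return None
    return cert["public_key"]


# Constructed toy keys from well-known small primes, and a constructed message.
TRUE_PARTY_PUB, TRUE_PARTY_PRIV = keygen(104729, 1299709)
IMPOSTOR_PUB, IMPOSTOR_PRIV = keygen(15485863, 32452843)
CA_PUB, CA_PRIV = keygen(999983, 1000003)
TP_CERT = issue_certificate("True Person", TRUE_PARTY_PUB, CA_PRIV)
MSG = b"True Person, here is my order for one stereo"


def deception_demo():
    """The Impostor signs with his own private key and hands over his own
    public key while claiming to be the True Person. Returns (fooled, caught)."""
    sig = sign(MSG, IMPOSTOR_PRIV)
    fooled = verify(MSG, sig, IMPOSTOR_PUB)   # verifier used the key the impostor supplied
    cert_key = key_from_certificate(TP_CERT, "True Person", CA_PUB)
    caught = not verify(MSG, sig, cert_key)   # verifier used the CA-certified key instead
    return fooled, caught
```

Running `deception_demo()` returns `(True, True)`: the verifier that accepts the public key offered by the applicant is fooled, and the one that takes it from the certificate is not.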

Page 52

Government Invasions of Privacy?

- Internet wire taps: the FBI has the ability to tap into your Internet traffic
- The FBI has DragonWare, which contains three parts:
  - Carnivore: a Windows NT/2000-based system that captures the information
  - Packeteer: no official information released, but presumably an application for reassembling packets into cohesive messages or Web pages
  - Coolminer: no official information released, but presumably an application for extrapolating and analyzing data found in the messages

FBI's Carnivore: http://www.epic.org/privacy/carnivore/foia_documents.html

More on Carnivore: http://computer.howstuffworks.com/carnivore.htm

Page 53

Carnivore

Page 54

Work Place Snooping

- Workplaces have similar techniques available to them
- Often tied to an "acceptable use policy" you had to sign when you went to work
- Generally, if the e-mail account and Internet access were made available to you by your employer in order to do your work, they have a legal right to monitor your use of them

Page 55

Parental Controls

- How do you prevent children from wandering into the "seedy" side of the Internet?
- By creating laws? The Communications Decency Act was ruled unconstitutional by the US Supreme Court on "freedom of speech issues"
- Jurisdiction problems

Page 56

Parental Controls Software

- Many companies make Internet filtering software that doesn't allow access to "bad" sites
- How do you tell if a site is "bad"? Known bad sites; bad words in the URL or content

Keeping Kids Safe: http://www.kiks.org/

Free software: http://www.we-blocker.com/