COS 125 DAY 10
Agenda Capstone Projects Proposals Over Due Timing of deliverables is 10% of Grade Missing 9 out of 17 Quiz two covering the rest of the HITW text will be on Feb 17 Same format as before Extra credit question on Privacy Today Shopping and Doing Business on the Internet and Protecting Yourself on the Internet Next week we will begin doing Web pages
Intranets Intranets are private Internets limited to a specific organizational needs Has many of the same applications as the Internet Segmented away from the Internet by firewalls We’ll discuss firewalls later May allow VPN access through firewalls Picture Source:
Intranets applications Internal Databases Scheduling Collaboration tools Groupware Chat & IM Whiteboards Videoconferencing Document management
VPN’s Virtual Private Networks Encrypted traffic that travels in “tunnels” between encryption & decryption devices
VPN’s
Shopping on the Internet Shopping on the Internet involves many technologies Databases Encryption Cookies eWallets HTML
How Online Shopping works Demo from Learn The Net Demo from Learn The Net Steps Find the product you want Database and search technologies Fill out order form with Personal Info and Credit Card info Data is encrypted and sent to eMerchant eMerchant verifies Credit Card and info electronically SET and other protocols eMerchant confirms orders to customer By EMerchant contacts distribution center to ship product UPS, FedEx or USPS
How Cookies Work A cookie is a small text file written by a web server to your hard drive Look for a cookies directory on your PC The web server that wrote the cookie can read and or modify the cookie (so can sophisticated Hackers) They are used to track users
Cookies Advantages Allows you to auto-login to site Keeps you from entering your info all the times Helps eMerchant do business Disadvantage Cookies stay on PC and don’t follow the user Spy-ware! (discuss later) Other people can see your info Cookie from my PC
Online shopping carts Requires login to site Data store in Database at the eMerchant site EMerchant creates a cookie on your PC As you add stuff to you cart, your cookie gets modified When you are ready to “check out” you cookie is read and then erased after you have placed the order
How Electronic Wallets Work Online equivalent of a real wallet Store information Personal Credit Cards Encrypted When you need info on online you “open” your wallet and provide the information Not widely supported
Online auctions One of the mostly successful eCommerce business models Ebay.com Ubid.com Works like a regular auctions except everything is done Virtually Online Auction Guide Online Auction Guide
Protecting yourself on the Internet One of the most talked about subjects in the last few years Great demand for Internet Security Specialists Prompted the need for a new field of study Information Assurance New Program of Study at UMFKProgram of Study at UMFK
Is the Internet SAFE? Dangers Hackers Worms, viruses, Trojans, DOS & DDOS Privacy Snooping Spy ware Criminal Phishers Internet fraud Con Men (Dot Con) Pedophiles and perverts Questions Do these things only happen on the Internet? Is online better or worse than offline?
How Firewalls Work Firewall check Packets in and out of Networks Decide which packets go through and which don’t Work in both directions Only one part of Security
Firewalls Attack Prevention System Corporate Network Hardened Client PC Hardened Server With Permissions Internet Attacker Attack Message Attack Message Firewall X Stops Most Attack Messages
How Personal Firewalls work Software version of a standard Hardware firewall Controls packets in and out of one PC in much the same way as a Hardware Firewall does
Personal Firewalls Many available—some free Not all work! Even if is a good firewall…a bad configuration makes it “leaky” My recommendation is Free Sygate Personal Firewall Sygate Personal Firewall Not Free (around $60) Norton Internet Security Norton Internet Security
How Hackers Hack Many Techniques Social Engineering Get someone to give you their password Cracking Guessing passwords A six letter password (no caps) > 300 million possibilities Merriam-Webster's citation files, which were begun in the 1880s, now contain 15.7 million examples of words used in context and cover all aspects of the English vocabulary. Buffer Overflows Getting code to run on other PCs Load a Trojan or BackDoor Snoop and Sniff Steal data Denial of Service (DOS) Crash or cripple a Computer from another computer Distributed Denial of Service (DDOS) Crash or cripple a Computer from multiple distributed computers
DOS attacks Kill the PC with one packet Exploits problem in O/S Teardrop WinNuke Kill the PC with lots of packets Smurf Frag Tribal Flood Network
SMURF Attack Image from
Attacks Requiring Protection Denial-of-Service (DoS) Attacks Make the system unavailable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability Single Message DOS Attack (Crashes the Victim) ServerAttacker
Attacks Requiring Protection Denial-of-Service (DoS) Attacks Make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability. Message Stream DOS Attack (Overloads the Victim) ServerAttacker
Distributed Denial-of-Service Attacks Distributed DOS (DDoS) Attack: Messages Come from Many Sources Server DoS Attack Packets Computer with Zombie Computer with Zombie Attacker Attack Command Attack Command
Attacks Requiring Protection Malicious Content Viruses Infect files propagate by executing infected program Payloads may be destructive Worms propagate by themselves Trojan horses appear to be one thing, such as a game, but actually are malicious Snakes: combine worm with virus, Trojan horses, and other attacks
Trojan’s and BackDoors The trick is get the a backdoor (unauthorized entry) on a machine Easy way Get the user to load it himself Cracked Software (WAREZ) Free Software (KAZAA) Hard Way Get a password Create a buffer overflow Microsoft can teach you how Most Common Trojans and backdoors SubSeven ServU Netbus Back Orifice If have download cracked software (illegal) or have loaded KAZAA chances are that you have been hacked!
I get at least one of these a day.
Snoop and Sniff
How Viruses Work
Getting Rid of Viruses Get a good Virus Projection Software Free (not Recommended) Anti-Vir Anti-Vir Avast Avast AVG AVG Not Free Norton AntiVirus Norton AntiVirus MacAfee MacAfee Update definition files often
How Worms work Worms are pieces of software that self replicate over networks “Choke” networks Famous Worms Morris worm – the first worm Code Red – went after IIS servers Melissa – worm Slammer - SQL worm Blaster – Windows RPC worm MyDoom – another worm that creates a BackDoor on your computer
Privacy Issues Cookie Problems WebTracking Web BUGs Clear Gifs technology Passports Spyware
Cookie Invasion Cookie can be used to monitor your web behavior Tracking cookies Used by Internet Marketing agencies like Doubleclick Why --- Consumer Profiling You go to yahoo and search for “stereo” All of a sudden you see a pop-up ad for Crutchfield.com
Web Tracking Web tracking is used to for the same reasons –Profiling Instead on monitoring on the User Side all Monitoring is done on the server side Monitors packets Read web logs
Web Tracking report
Web Logs
Web Bugs Web Bugs are used to gather information about a users From “bugging” a room Down by embedding a piece of code monitoring software in a image link Works on WebPages and HTML Often called Clear gifs Small 1X1 pixels Transparent Made so that uses don’t see them Every Time the Web Bugs is loaded it gathers info about the user that activated the web bug and sends it off to a remote server
DoubleClick Clear GIFs
Passports Internet Passports are a user allowed Authentication and data collection tool Used to prove identity Sued to collect data Tied to a specific browser on a specific PC not the user If someone uses your PC it can make believe he is you Can be used on Multiple web sites Not widely used
Spyware Software that sits on your computer Monitors everything that you do and sends out reports to Marketing agencies Usually ties to a POP-UP server Top Spyware I-Look Up CoolWebSearch N-CASE GATOR DoubleClick If you have ever loaded up ICQ Loaded on your PC you have Spyware If you have ever had KAZAA loaded on your PC you have Spyware If you have loaded Quicken or TurboTax you have Spyware C-Dilla
Getting Rid of it all! Keeping Your PC Spyware Free Michael P. Matis © 2004 UMM Information Technology Instructions Software
Crypto, Digital Signature and Digital Certificates Cryptography provides security by using encryption Ensures privacy Digital Signatures are just like a real signature DCMA makes them just as legally binding as a signed paper document Digital Certificates uses Cryptographic techniques to prove Identity
Digital Signature Sender Receiver DSPlaintext Add Digital Signature to Each Message Provides Message-by-Message Authentication Encrypted for Confidentiality
Digital Signature: Sender DS Plaintext MD Hash Sign (Encrypt) MD with Sender’s Private Key To Create the Digital Signature: 1.Hash the plaintext to create a brief message digest; This is NOT the digital signature 2. Sign (encrypt) the message digest with the sender’s private key to create the digital Signature
Digital Signature Sender Encrypts Receiver Decrypts Send Plaintext plus Digital Signature Encrypted with Symmetric Session Key DSPlaintext Transmission
Digital Signature: Receiver DSReceived Plaintext MD 1. Hash 2. Decrypt with True Party’s Public Key 3. Are they Equal? 1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest 2. Decrypt the digital signature with the sender’s public key. This also should give the message digest. 3. If the two match, the message is authenticated; The sender has the true Party’s private key
Public Key Deception Impostor “I am the True Person.” “Here is TP’s public key.” (Sends Impostor’s public key) “Here is authentication based on TP’s private key.” (Really Impostor’s private key) Decryption of message from Verifier encrypted with Impostor’s public key, so Impostor can decrypt it Verifier Must authenticate True Person. Believes now has TP’s public key Believes True Person is authenticated based on Impostor’s public key “True Person, here is a message encrypted with your public key.” Critical Deception
Digital Certificates Digital certificates are electronic documents that give the true party’s name and public key Applicants claiming to be the true party have their authentication methods tested by this public key If they are not the true party, they cannot use the true party’s private key and so will not be authenticated Digital certificates follow the X.509 Standard
Digital Signatures and Digital Certificates Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature DSPlaintext Applicant Verifier Certificate Authority Digital Certificate: True Party’s Public Key
Government Invasions of Privacy? Internet Wire Taps FBI has the ability to tap into your Internet Traffic FBI has DragonWare which contains three parts: Carnivore - A Windows NT/2000-based system that captures the information Packeteer - No official information released, but presumably an application for reassembling packets into cohesive messages or Web pagespackets Coolminer - No official information released, but presumably an application for extrapolating and analyzing data found in the messages FBI’s Carnivore ml ml More on Carnivore
Carnivore
Work Place Snooping Workplaces have similar Techniques available to them Often ties to an “acceptable Use policy” you had to sign when you went to work Generally, if the the account and Internet access was made available to you by your employer in order to do you work, they have a legal right to monitor your use of it
Parental Controls How do you prevent Children from wandering into the “seedy” side of the Internet? By Creating Laws? The Communication Decency Act was ruled unconstitutional by the US Supreme Court on “Freedom of Speech issues” Jurisdiction Problems
Parental Controls Software Many Companies make Internet filtering Software that doesn’t allow access to “bad” sites How do you tell if a site is “Bad”? Known bad Sites Bad words in URL or Content Keeping Kids Safe Free Software / /