Identity Theft

• shoulder surfing - look over your shoulder when computing in lab or public to get ID and password.
• spyware - software that gathers information about your computer usage without your knowledge and transmits that information to the thief. It can, for instance, collect keystrokes as you type in credit card info or ID and passwords. Also has harmless uses for advertising.
• spoofing - email or web site that appears legitimate but is not.
  • programmer write program that displays fake login window that looks real. After you enter your ID and password, it stores or communicates them, gives you an "incorrect password" message, then launches the real login window. (I did this once for fun to surprise a fellow programmer. After he logged in I had it print some fake messages to make him think his work had been deleted)
  • phishing (not to be confused with the jam band Phish) is the modern variation of spoofing . Email that pretends to be from bank/EBay/PayPal/whoever requests that you verify account information online and provides a link. The link as displayed may appear legit, but clicking it takes you to fraudulent site. Email reader may display real URL when you hover mouse over the link. Usually the real URL has numeric IP address (e.g. 223.29.147.9) instead of server name.
  • fraudulent business on the web that will request credit card information for purchase. Your liability limited to $50 but consider the additional hassles.
• other non-technical methods, like dumpster-diving to find discarded but unshredded credit card solicitations.

Malicious software: malware

• viruses : has become a catch-all term
  • original meaning: malware that requires an agent or action to replicate
  • typically arrives via email, and is harmless until activated
  • effects may range from harmless (humorous display) to annoying (sends itself to everyone in your address book) to devastating (wipes out your hard drive)
  • platform-specific, usually targeted to Microsoft OS or applications due to near-monopoly
• worms
  • self-replicating without intervention
  • can spread worldwide in minutes
  • exploit buffer overflow vulnerability that many programs have
    • program and data co-exist in memory as binary
    • buffer is data storage set aside to hold input
    • input deliberately crafted to be longer than buffer - overflow
    • the overflow replaces the current program with a new one that carries out malicious behavior
  • first Internet worm was in 1988, released by Cornell student Robert Morris
• trojan horses - trusted program that also performs malicious function. Spyware is an example -- you download and install a freeware or shareware program that includes the spyware component. It may spread itself as a virus does.

  Name comes from story (possibly mythical) about Greek siege of Troy. A large wooden horse, filled with Greek soldiers, was left at the gates of Troy as a "peace offering". The Trojans brought it in then proceeded to celebrate. After they had passed out drunk, the soldiers climbed out of the horse, opened the city gates, and the remaining Greek army entered and conquered Troy.

• denial of service (DOS) attacks - such attacks target Web servers. Massive numbers of faked client requests targeted at the same server are generated very rapidly. The server can't keep up and the service becomes unavailable to legitimate clients (users).
• distributed denial of service (DDOS) attacks - a DOS attack that comes from many different clients simultaneously. Frequently they come from zombies, everyday networked computers like yours and mine that have been infected with the DDOS software without our knowledge. Zombies are also used to distribute spam, phishing messages, etc.
• hacking - purists call it cracking - exploiting security weaknesses to break into a network or computer system for mischievous or malicious purposes. Hackers are often caught through use of a honey pot, an attractive decoy that lures the hacker in.

How do you get malware?

• email attachments
• software that you download and install may contain virus or trojan horse
• "drive-by download" downloaded without your knowledge (clicking on pop-up or visiting malicious website)
• executable code (macro) in MS Office documents
• Internet port scan

How can you prevent this?

• Install and use antivirus software service, with frequent or automatic updates
• Install and use firewall software (organization servers use firewall hardware too)
• Your ISP may provide these as a benefit or at extra cost
• Windows XP Service Pack 2 and Vista have beefed up security and firewall included.
• Don't make your folders and devices open to sharing. If you use P2P file-sharing applications, folders containing your files will be open to sharing so other peers can download from you.
• Be cautious when installing free downloaded software
• Don't open email attachments from strangers
• Be cautious of unexpected email attachments even from those you know (message could have been produced by virus)

User authentication methods restrict access based on:

• something you know (password, ID, special information such as childhood pet's name). Problematic; people do not design passwords well (use common or easily guessed words)
• something you have (smart card, device with ever-changing password, flash key)
• physical attribute- biometrics (fingerprint, retinal scan, facial structure)

Secure Internet transmission of sensitive data

When a web page prompts you to enter sensitive information, look at the protocol part of the URL (upper left corner of browser window). If it is https:// then the information will be encrypted for transmission, using a secure transmission service called Secure Sockets Layer (SSL). If it is regular http://, do not continue the transaction online. You can also look for the lock icon (for Internet Explorer 7 and Firefox, it appears on the right edge of the URL box)

Cryptography

• substitution - substitute one character for another
• transposition - scramble the order of characters

There are two basic strategies concerning keys

• secret key (aka symmetric) cryptography is where both sender and intended receiver must know the key and no one else. The "same" key is used to both encrypt and decrypt
• public key (aka asymmetric) cryptography is where there is both a public key, which everyone knows, and a private key, which only its owner knows. The public key, which is used to encrypt, is different than the private key, which is used to decrypt. First developed in the 1970s.

One of the oldest known ciphers (encryption schemes) is Caesar Cipher

• private key cryptography
• uses substitution only
• alphabetic substitution is based on rotational shift.
• two part key: direction and number of positions to shift
• Example cipher: if encrypted by right shift 3, A is replaced by D, B replaced by E, ... Z replaced by C.
• Example message using that cipher: HDVB WR EUHDN
• not secure since it can be broken by brute force (limited number of possible keys)
• How to be sure that both sender and receiver know the key, but no one else does? This is weakness of any private key cipher.

Modern ciphers are based on RSA or variation

• public key cryptography
• named after last initials of the 3 people who developed it
• commonly used variation is PGP (Pretty Good Privacy)
• Each person (entity) has two keys that are used in combination:
  • A public key that anyone can know
  • A private key that only that person can know
• Here's how it works, to securely transmit from Alice to Bob.
  • Alice has public key E_Alice and private key D_Alice
  • Bob has public key E_Bob and private key D_Bob
  • Alice encrypts the message using public key E_Bob and sends it
  • Bob receives the message and decrypts it using private key D_Bob
• Can also use it for digital signature. How can Bob be sure the message really came from Alice, and not from Carol?
  • Alice encrypts the message as above
  • Alice then applies her private key D_Alice before transmitting
  • When Bob receives the message, he first applies Alice's public key E_Alice
  • The E will undo the D, just like the D will undo the E
  • If the message had come from someone other than Alice, it would not work

E-commerce simply would not be possible without public key cryptography! HTTPS (see previous topic above) is based on it also.

Criminals and terrorists also benefit, since no one can read their encrypted messages

Other issues we will not get to

• VoIP (Voice over IP) Internet-based telephone services such as skype (www.skype.com)
• government rights to "wiretap" VoIP
• email privacy: company rights to read employee email, ISP rights to read subscribers email
• e-voting security issues
• fair use, Sony Betamax case, "substantial non-infringing use", Grokster case
• Digital Millennium Copyright Act
• DeCSS
• steganography
• professional code of ethics, such as ACM (www.acm.org/constitution/code.html)
• autonomous systems