Video! American Express commercial (Seinfeld with Superman)
Short review of last week: what kind of multimedia is this?
There is video and sound, so it's a video file format
You can usually tell by the file extension what kind of format it is
.mov - Quicktime movie
SWF = vector format ("lossless resize"), interactive (beyond play/pause)
One more shockwave demonstration!
created by a Harvard student last year
linked to via the website
The first of a 2-part lecture series on security.
It's hard to pick up a technical paper (or even cnn.com) without seeing topics related to computer security.
3 articles that have been published on cnn.com:
"Starbucks loses 4 laptops with employee data" (4 Nov 2006)
"Apple: Some iPods infected with virus" (18 Oct 2006)
"Crooks hijack online brokerage accounts" (13 Oct 2006)
These are just in the past few weeks!
Tonight we'll talk about topics related to security to help understand terminology and threats that exist
An email popular a year or two ago contained a zip file and was signed by the "Harvard.edu team"
it had a lure of officialness
the zip file was password protected - enhancing the feeling of authenticity
It was actually a trojan horse!
If you've bought something on the Internet, you've filled out a form on a webpage to enter your information
What are the precautions when visiting a site with a form?
Is it mainstream? (a website you've heard of)
There is an option to instead call the company directly to give them the credit card information
How many people are concerned about using a credit card on the Internet?
Someone could steal your credit card number
Just like someone might wiretap a telephone, suppose someone was "sniffing" the connection between your computer and buy.com
Hopefully this doesn't happen!
But if it does, there are still ways we can protect ourselves
A small padlock icon showing in one corner of your browser might indicate that the site is secure and is encrypting the data from your computer to the server
Some web creators like to put padlocks on their sites to imply that the site is secure. However, anyone can do this on their own site, so it's not necessarily indicative
A secure URL will start with https:// and not http://
This means it's using SSL (a means of encrypting the information)
So, it's possible that someone can still sniff the 0s and 1s between you and the online shop, but it will look like gibberish to the sniffer if the data is properly encrypted.
Man-in-the-middle attack - It's possible to create a malicious server that pretends to be the online shop's server (and, towards the shop, pretends to be a client): your computer connects to it and relays encrypted information to it, the malicious server decrypts and saves that information, and then re-encrypts it before forwarding it to the online shop
Computers were not designed to be inherently secure, so even if you type a credit card number into a secure site, it's possible that the number is stored somewhere in RAM
Although this is difficult to get to and we don't have to worry about it being accessed directly, it's possible to use spyware to harvest this information from a computer
If Spyware is running, it can save what you type (including credit card numbers, passwords, etc) and send it to a person
You don't have control over what software is installed on public machines (internet kiosks, Harvard computer labs, etc) so it may not be wise to log in to your Bank's site, for example, as there may be spyware on the machine
The online shop you send your credit card data to may save your credit card number (for convenience - if you visit the site multiple times it may remember your number to make it easier next time)
If someone were to steal one of the company's machines, it's possible to harvest any saved credit card numbers
However, if the company automatically takes that credit card information and encrypts it before saving it, then this may be even more secure than going to a store and buying with your credit card there (because of the human element)
Should you be buying things over the Internet?
There are often relatively few humans involved (which may be more secure)
Software defenses against spyware
Even if your credit card number is stolen, the credit card company will usually help protect you from fraud (report it!)
Yes, there are not many legitimate reasons not to purchase things over the Internet if you visit online resellers that use SSL encryption
A file that a website you have visited saves on your computer so that the website can remember some information
Only the website that saves the cookie may read it.
Can store random numbers, usernames, your name, your preferences
When you log in to Amazon.com it usually remembers your email address (this is saved in a cookie)
Why is it not sufficient for a website to remember the IP?
IPs may change on a daily, weekly basis
two computers can appear to have the same IP (home routers share one public IP address with many computers in the home)
Instead of storing your password, they tend to save a big unique random number.
The website can remember this number and thus find you and log you back in to the site without saving your password
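The "big unique random number" approach described above, as an added example (not code from the lecture). The in-memory stores, the cookie name `session` and the sample user are assumptions made for illustration; a real site would keep these in a database.

```python
import hashlib
import secrets

# Hypothetical in-memory stores standing in for the website's database.
USERS = {"david@example.com": "David"}
SESSIONS = {}  # sha256(token) -> email, so a leaked table does not reveal usable tokens

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_session_cookie(email):
    """After a successful login, mint a big random number and remember it server-side."""
    if email not in USERS:
        raise KeyError("unknown user")
    token = secrets.token_urlsafe(32)  # 256 bits from the operating system's CSPRNG
    SESSIONS[_key(token)] = email
    # Only the random token travels to the browser; the password is never stored in it.
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Lax"

def user_for_cookie(cookie_header):
    """Map a returning browser's Cookie header value back to a user, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(_key(value))
    return None

def log_out(cookie_header):
    """Forget the token: the cookie becomes worthless without any password change."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            SESSIONS.pop(_key(value), None)
```

Because the cookie holds only a random number, a stolen cookie can be revoked by deleting one server-side entry, which would not be possible if the cookie held the password itself.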
So, why are cookies bad?
In a webpage, you can get data from more than one source (for example, when you go to cnn.com it shows the news from CNN and ads from their ad partners)
So, if the ad partner is prevalent on the web (Ad.com, for example) then every time the cookie for ad.com is returned, that company may be able to track your habits on the web
What other data besides cookies can computers store?
It's not cost effective to save the entirety of every email ever sent, but it's possible to remember "who did David email?"
The website that you visit knows that you visited it (it logs your IP address and the time, pages you visited)
Google Toolbar submits the sites that you visit so as to better help direct your searches, but this does mean that the sites that you had visited are remembered
We ran our own data analysis on the logs from last year, and see that there is a huge spike in requests to the E-1 website around the end of October, 2005. Why? Exam!
Among the things we can determine from our logs:
the most popular hours of the day
we know what percentage of visits comes from each domain
but we also know the domain name of every person that visits
Example: one person made up almost 10% of our traffic.
We also know the most popular searches that led to users finding our sites
examples: "podcast" "harvard e 1" "cscie1" "www.twinkies project.com"
What browsers people are using
What operating systems people are using
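How little it takes to pull these facts out of a web server log, as an added example (not the course's own analysis script). It assumes the Apache "combined" log format; the sample lines, hostnames and the logo path are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log format is assumed; the notes do not say which format was used.
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^:]+:(?P<hour>\d{2}):[^\]]+\] '
    r'"(?P<request>[^"]*)" \d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Constructed sample lines; hostnames, paths and the logo path are hypothetical.
SAMPLE_LOG = [
    'dsl-12.example.net - - [30/Oct/2005:21:02:11 -0500] "GET /lectures/ HTTP/1.1" 200 5120 '
    '"http://search.example/?q=harvard+e+1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    'dsl-12.example.net - - [30/Oct/2005:21:05:40 -0500] "GET /podcast.xml HTTP/1.1" 200 900 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    'dsl-12.example.net - - [30/Oct/2005:22:40:03 -0500] "GET /lectures/ HTTP/1.1" 200 5120 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    'lab-3.example.edu - - [30/Oct/2005:21:17:29 -0500] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412"',
    'cable-7.example.org - - [31/Oct/2005:09:30:00 -0500] "GET /images/e1-logo.gif HTTP/1.1" 200 700 '
    '"-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Firefox/1.0.7"',
]

def summarize(lines, logo_path="/images/e1-logo.gif"):
    """Return per-host traffic share, busiest hour, top browser and who fetched the logo."""
    hosts, hours, agents, logo_hosts = Counter(), Counter(), Counter(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        hosts[m["host"]] += 1
        hours[m["hour"]] += 1
        agents[m["agent"]] += 1
        parts = m["request"].split()
        if len(parts) >= 2 and parts[1] == logo_path:
            logo_hosts.add(m["host"])  # e.g. an email client loading a remote image
    total = sum(hosts.values())
    if not total:
        return {}
    return {
        "share": {h: round(100 * n / total, 1) for h, n in hosts.items()},
        "busiest_hour": hours.most_common(1)[0][0],
        "top_agent": agents.most_common(1)[0][0],
        "logo_hosts": logo_hosts,
    }
```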
How would we be able to figure out from a fully qualified domain name who it is?
For example, if we wanted to know who that person was that made up 10% of the requests
We could email the class asking everyone to reply to it
Now we have all of the IP addresses of everyone in the class (in every email, the IP address of your computer is embedded in the 'header' of the email)
If we sent an HTML-based email with the E-1 logo (the E-1 logo is saved on our servers):
when you open the email, the email client obtains the logo from the server
your IP address is then recorded in our logs
How can you protect against these problems?
Passwords - ubiquitous in computer security
How many of you use birthdates, easy words, sequential numbers, etc.?
To make a secure password you should:
mix letters and numbers
mix upper and lowercase (if the password is case sensitive)
use special punctuation symbols
do not use any words in the dictionary!
do not substitute letters that look like numbers and vice versa (0 for o, L for '1', e for '3', etc etc)
Many people tend to use the same password (because it's difficult to remember many different passwords for different websites) - but if someone gets one password then they get access to everything!
WEP - Wired Equivalency Protocol. Broken! Do not use
WPA - more secure (WPA2 even more secure) than WEP
There exists software to crack WEP passwords. Within minutes (literally minutes), the password can be cracked and allow access to the wireless access point
Wired solutions are fairly secure, but now wireless solutions are not as secure
What is it?
An outside person gets access to a system where they are not welcome and obtains or disrupts information
It used to have a positive connotation
At MIT, a hack means a non-destructive modification to the campus for fun (dressing the dome as R2D2, placing a fake police car on top of the dome)
It's a hardware password that is requested before the machine boots
Still easily overcome by connecting a jumper on the motherboard
How many have received an email from "Citibank" asking you to verify your account information - even if you don't have an account with them?
You may have seen them from Citibank, Paypal, Bank of the West.
In one particular phishing attack, the email asked users to visit www.bankofthevvest.com
Notice that it does not say Bank of the West! It says Bank of the VVest (double V instead of w)
They would pull up this site, and it appeared to be legitimate so they would enter their login information and be tricked into giving their account information to malicious users
How can we prevent this?
Call the company directly (although the person on the other line may not know what you are talking about)
Go directly to the website - do not use the link in the email, but type it yourself
What's a good trick for checking the real website itself?
Use Google to find the company
Typically it will show the most credible and legitimate results (it's not always the first result in the list)
Google bombing - tricking Google into giving false results (try searching Google for "miserable failure")
What are some ways we can detect a phishing attack?
"I don't have an account with this company!"
Poor grammar and spelling (very common!)
Is it sent specifically to you, or to many people?
The greeting: "Dear customer," (if I had an account with them, they should know my name)
The URL is also poorly formed and can be a trick
It is possible to show a link with text that does not represent where the link points
To create a link (more in HTML lectures), we write:
This would show a link that makes it seem like it points to ETrade but instead links to fastmortgage.com
Why is there gibberish in these emails, why are subject lines misspelled?
"Re+move y*ur e mail:"
It's an attempt to fool naive spam filters that might be trying to filter based on keywords alone
Can destroy your computer
A piece of software written in hopes of doing something bad
It can infect your computer if you use a CD, open an email with an attachment
Generally requires human interaction for a virus to infect the machine - it cannot infect your machine simply by reading the email
Never, ever open a .exe that was emailed to you!
Anti-virus software tries to detect the code that it recognizes as a threat and will try to remove only the malicious code
Scarier than viruses, because it doesn't require human intervention to propagate
It can jump from computer to computer if you are simply connected to the Internet
Most viruses and worms don't do anything - usually buggy and do not work properly
Tries to "spy" on your computer
Being used to harvest email addresses, passwords, upload files to other websites
Usually has to be installed by a user
Example: using a volunteer's machine for a quick disinfection
Never download anti-spyware software that is shown to you via a webpage - only download software recommended to you by a friend
"Immunize" - protect Internet Explorer from various types of attacks from websites
"Search and Destroy" - it is searching for 52,708 forms of spyware known as of this writing
AVG - free anti virus software
really gives you finer control over what spyware you might want to remove from your computer
helps remove difficult spyware
Shows every file that is run at your computer's start up (even beyond what is in the "Startup" folder in the Program Files).
If you really want good protection, you will often be presented with false positives, which then turns the judgement from the program to the user.