* Video! American Express commercial (Seinfeld with Superman)
wedge Short review of last week: what kind of multimedia is this?
* There is video and sound, so it's a video file format
* You can usually tell by the file extension what kind of format it is
* .mov - Quicktime movie
* SWF = vector format ("lossless resize"), interactive (beyond play/pause)
wedge One more shockwave demonstration!
* created by a Harvard student last year
* linked to via the website
* The first in a 2-part lecture series on security.
* It's hard to pick up a technical paper (or even cnn.com) without seeing topics related to computer security.
wedge 3 articles that have been published on cnn.com:
* "Starbucks loses 4 laptops with employee data" (4 Nov 2006)
* "Apple: Some iPods infected with virus" (18 Oct 2006)
* "Crooks hijack online brokerage accounts" (13 Oct 2006)
* These are just in the past few weeks!
* Tonight we'll talk about topics related to security to help understand terminology and threats that exist
wedge An email popular a year or two ago contained a zip file and was signed by the "Harvard.edu team"
* it had a lure of officialness
* the zip file was password protected - enhancing the feeling of authenticity
* It was actually a trojan horse!
wedge Forms
* If you've bought something on the Internet, you've filled out a form on a webpage to enter your information
wedge What are the precautions when visiting a site with a form?
* Is it mainstream? (a website you've heard of)
* There is an option to instead call the company directly to give them the credit card information
wedge How many people are concerned about using their credit card on the Internet?
* Many
* Someone could steal your credit card number
wedge Just like someone might wiretap a telephone, suppose someone was "sniffing" the connection between your computer and buy.com
* Hopefully this doesn't happen!
* But if it does, there are still ways we can protect ourselves
* A small padlock icon showing in one corner of your browser might indicate that the site is secure and is encrypting the data from your computer to the server
* Some web creators like to put padlocks on their sites to imply that the site is secure. However, anyone can do this on their own site, so it's not necessarily indicative
* A secure URL will start with https:// and not http://
* This means it's using SSL (a means of encrypting the information)
* So, it's possible that someone can still sniff the 0s and 1s between you and the online shop, but it will look like gibberish to the sniffer if the data is properly encrypted.
* Man-in-the-middle attack - It's possible to create a server that pretends to be the online shop's server (and, toward the shop, pretends to be a client): your computer connects to it and sends it encrypted information, which the malicious server decrypts, saves, and re-encrypts before forwarding it to the online shop
wedge Computers were not designed to be inherently secure, so even if you type a credit card number into a secure site, it's possible that the number is stored somewhere in RAM
* Although this is difficult to get to and we don't have to worry about it being accessed directly, it's possible to use spyware to harvest this information from a computer
* If Spyware is running, it can save what you type (including credit card numbers, passwords, etc) and send it to a person
* You don't have control over what software is installed on public machines (internet kiosks, Harvard computer labs, etc.), so it may not be wise to log in to your bank's site, for example, as there may be spyware on the machine
wedge The online shop you send your credit card data to may save your credit card number (for convenience - if you visit the site multiple times, it may remember your number to make it easier next time)
* If someone were to steal one of the company's machines, it's possible to harvest any saved credit card numbers
* However, if the company automatically takes that credit card information and encrypts it before saving it, then this may be even more secure than going to a store and buying with your credit card there (because of the human element)
wedge Should you be buying things over the Internet?
* There are often relatively few humans involved (which may be more secure)
* Software defenses against spyware
* Even if your credit card number is stolen, the credit card company will usually help protect you from fraud (report it!)
* Yes, there are not many legitimate reasons not to purchase things over the Internet if you visit online resellers that use SSL encryption
wedge Cookies
* A file that a website that you have visited saves on your computer so that a website can remember some information
* Only the website that saves the cookie may read it.
wedge Can store random numbers, usernames, your name, your preferences
* When you log in to Amazon.com it usually remembers your email address (this is saved in a cookie)
wedge Why is it not sufficient for a website to remember the IP?
* IPs may change on a daily, weekly basis
* two computers can appear to have the same IP (home routers share one public IP address with many computers in the home)
wedge Instead of storing your password, they tend to save a big unique random number.
* The website can remember this number and thus find you and log you back in to the site without saving your password
wedge So, why are cookies bad?
* In a webpage, you can get data from more than one source (for example, when you go to cnn.com it shows the news from CNN and ads from their ad partners)
* So, if the ad partner is prevalent on the web (Ad.com, for example) then every time the cookie for ad.com is returned, that company may be able to track your habits on the web
wedge What other data besides cookies can computers store?
* It's not cost effective to save the entirety of every email ever sent, but it's possible to remember "who did David email?"
* The website that you visit knows that you visited it (it logs your IP address and the time, pages you visited)
* Google Toolbar submits the sites that you visit so as to better help direct your searches, but this does mean that the sites that you had visited are remembered
* We ran our own data analysis on the logs from last year, and see that there is a huge spike in requests to the E-1 website around the end of October, 2005. Why? Exam!
wedge Among the things we can determine from our logs:
* the most popular hours of the day
* we know percentages of how many domains visit
wedge but we also know the domain name of every person that visits
* Example: one person made up almost 10% of our traffic.
wedge We also know the most popular searches that led to users finding our sites
* examples: "podcast" "harvard e 1" "cscie1" "www.twinkies project.com"
* What browsers people are using
* What operating systems people are using
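The kind of log summary described above, as an added example (not the course's own analysis script). It assumes the server writes Apache "combined" format; the log lines and addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache "combined" log format (not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2005:21:14:02 -0500] "GET /lectures/ HTTP/1.1" 200 5120 "http://www.google.com/search?q=harvard+e+1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [30/Oct/2005:21:15:40 -0500] "GET /exam.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [30/Oct/2005:21:47:11 -0500] "GET / HTTP/1.1" 200 1024 "http://www.google.com/search?q=podcast" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X) Safari/412"
203.0.113.7 - - [31/Oct/2005:09:03:55 -0500] "GET /podcast.xml HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<hour>\d{2}):[^\]]+\] '
    r'"(?P<request>[^"]*)" \d{3} \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

def summarize(log_text):
    """Count requests per hour, per client, per browser, and per search term."""
    hours, clients, searches, agents = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        hours[m["hour"]] += 1
        clients[m["client"]] += 1
        agents[m["agent"]] += 1  # browser and operating system string
        # A search-engine referrer carries the visitor's query in ?q=...
        for query in parse_qs(urlparse(m["referrer"]).query).get("q", []):
            searches[query] += 1
    total = sum(clients.values())
    share = {c: n / total for c, n in clients.items()}  # fraction of traffic
    return {"hours": hours, "share": share, "searches": searches, "agents": agents}

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(name, dict(value))
```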
wedge How would we be able to figure out from a fully qualified domain name who it is?
* For example, if we wanted to know who that person was that made up 10% of the requests
wedge We could email the class asking everyone to reply to it
* Now we have all of the IP addresses of everyone in the class (in every email, the IP address of your computer is embedded in the 'header' of the email)
wedge If we sent an HTML based email with the E-1 logo (the E-1 logo is saved on our servers).
* when you open the email, the email client obtains the logo from the server
* Then your IP address is now recorded by our logs
wedge How can you protect against these problems?
wedge Passwords - ubiquitous in computer security
* How many of you use birthdates, easy words, sequential numbers, etc
wedge To make a secure password you should:
* mix letters and numbers
* mix upper and lowercase (if the password is case sensitive)
* use special punctuation symbols
* do not use any words in the dictionary!
* do not substitute numbers for letters that look like them, or vice versa (0 for o, 1 for l, 3 for e, etc.)
* Many people tend to use the same password everywhere (because it's difficult to remember many different passwords for different websites) - but if someone gets that one password, they get access to everything!
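A checker for the password rules listed above, as an added example (not part of the original lecture notes). The word list is a tiny constructed stand-in for a real dictionary, and the @/a and $/s substitutions are an assumption beyond the ones named in the notes.

```python
import string

# Tiny constructed word list; a real check would load a full dictionary file.
WORDS = {"password", "harvard", "dragon", "letmein", "welcome"}

# Look-alike substitutions named in the notes (0/o, 1/l, 3/e) plus two common
# extras (@/a, $/s) that are an assumption of this example.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "@": "a", "$": "s"})

def password_problems(pw, words=WORDS):
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("mix letters and numbers")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("mix upper and lowercase")
    if not any(c in string.punctuation for c in pw):
        problems.append("use punctuation symbols")
    # Undo look-alike substitutions, then drop the remaining non-letters, so
    # that "P@ssw0rd1" is compared against the dictionary as "passwordl".
    plain = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    hits = sorted(w for w in words if w in plain)
    if hits:
        problems.append("contains dictionary word: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    for candidate in ("harvard", "P@ssw0rd1", "tG7#qv!Zx2"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

"P@ssw0rd1" satisfies the first three rules yet is still rejected, which is why the notes warn against look-alike substitutions.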
wedge Wireless security:
* WEP - Wired Equivalency Protocol. Broken! Do not use
* WPA - more secure (WPA2 even more secure) than WEP
* There exists software to crack WEP passwords. Within minutes (literally minutes), the password can be cracked, allowing access to the wireless access point
* Wired solutions are fairly secure, but now wireless solutions are not as secure
wedge Hacking
wedge What is it?
* An outside person gets access to a system where they are not welcome and obtains or disrupts information
wedge It used to have a positive connotation
* At MIT, a hack means a non-destructive modification to the campus for fun (dressing the dome as R2D2, placing a fake police car on top of the dome)
wedge BIOS Password
* It's a hardware-level password that is requested before the machine boots
* Still easily overcome by connecting a jumper on the motherboard
wedge Phishing
wedge How many have received an email from "Citibank" asking you to verify your account information - even if you don't have an account with them?
* You may have seen them from Citibank, PayPal, Bank of the West.
wedge In one particular phishing attack, the email asked users to visit www.bankofthevvest.com
* Notice that it does not say Bank of the West! It says Bank of the VVest (double V instead of w)
* They would pull up this site, and it appeared to be legitimate so they would enter their login information and be tricked into giving their account information to malicious users
wedge How can we prevent this?
* Call the company directly (although the person on the other line may not know what you are talking about)
* Go directly to the website - do not use the link in the email, but type it yourself
wedge What's a good trick for checking the real website itself?
* Use Google to find the company
wedge Typically it will show the most credible and legitimate results (it's not always the first result in the list)
* Google bombing - tricking Google into giving false results (try searching Google for "miserable failure")
wedge What are some ways we can detect a phishing attack?
* "I don't have an account with this company!"
* Poor grammar and spelling (very common!)
* Aesthetic strangeness
* Is it sent specifically to you, or to many people?
* The greeting: "Dear customer," (if I had an account with them, they should know my name)
wedge The URL is also poorly formed and can be a trick
* It is possible to show a link with text that does not represent where the link points
* To create a link (more in HTML lectures), we write:
* <a href="http://fastmortgage.com/">http://www.etrade.com/</a>
* This would show a link that makes it seem like it points to ETrade but instead links to fastmortgage.com
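A way to check an HTML email for the two link tricks described above (link text that names a different site than the href, and a "vv"-for-"w" look-alike domain), as an added example that is not part of the original notes. The KNOWN list and the sample markup are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader actually does business with (assumed list for the example).
KNOWN = {"etrade.com", "bankofthewest.com"}

# Constructed sample markup using the links discussed in the notes.
SAMPLE = (
    '<a href="http://fastmortgage.com/">http://www.etrade.com/</a> '
    '<a href="http://www.bankofthevvest.com/">Verify your account</a> '
    '<a href="http://www.etrade.com/">www.etrade.com</a>'
)

def host(url):
    # Accept bare "www.example.com" as well as full URLs; drop a leading "www.".
    h = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return h[4:] if h.startswith("www.") else h

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, "", []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""

    def handle_data(self, data):
        if self.href is not None:
            self.text += data

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        target, shown = host(self.href), self.text.strip()
        # Case 1: the visible text is itself a URL, but names another host.
        if "." in shown and " " not in shown and host(shown) != target:
            self.findings.append(("text/href mismatch", shown, target))
        # Case 2: "vv" standing in for "w" turns the target into a known domain.
        if target not in KNOWN and target.replace("vv", "w") in KNOWN:
            self.findings.append(("look-alike domain", shown, target))
        self.href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```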
wedge Spam
wedge Why is there gibberish in these emails, why are subject lines misspelled?
* "Re+move y*ur e mail:"
* It's an attempt to fool naive spam filters that might be trying to filter based on keywords alone
wedge Virus
* Can destroy your computer
wedge A piece of software written in hopes of doing something bad
* It can infect your computer if you use a CD or open an email with an attachment
* Generally requires human interaction for a virus to infect the machine - it cannot infect your machine simply by reading the email
* Never, ever open a .exe that was emailed to you!
* Anti-virus software tries to detect the code that it recognizes as a threat and will try to remove only the malicious code
wedge Worms
* Scarier than viruses, because they don't require human intervention to propagate
* They can jump from computer to computer if you are merely connected to the Internet
* Most viruses and worms don't do anything - usually buggy and do not work properly
wedge Spyware
* Tries to "spy" on your computer
* Being used to harvest email addresses and passwords, and to upload files to other websites
* Usually has to be installed by a user
wedge Example: using a volunteer's machine for a quick disinfection
wedge Spybot
* Never download anti-spyware software that is shown to you via a webpage - only download the software recommended to you via a friend
* "Immunize" - protect Internet Explorer from various types of attacks from websites
* "Search and Destroy" - it is searching for 52,708 forms of spyware known as of this writing
* AVG - free anti virus software
wedge HijackThis
* really gives you finer control over what spyware you might want to remove from your computer
* helps remove difficult spyware
* Shows every file that is run at your computer's start up (even beyond what is in the "Startup" folder in the Program Files).
* If you really want good protection, you will often be presented with false positives, which then turns the judgement from the program to the user.