Video! American Express commercial (Seinfeld with Superman)

Short review of last week: what kind of multimedia is this?

There is video and sound, so it's a video file format

You can usually tell what kind of format a file is by its extension

.mov - QuickTime movie

SWF = vector format ("lossless resize"), interactive (beyond play/pause)

One more Shockwave demonstration!

created by a Harvard student last year

linked to via the website

The first of a 2-part lecture series on security.

It's hard to pick up a technical paper (or even cnn.com) without seeing topics related to computer security.

3 articles that have been published on cnn.com:

"Starbucks loses 4 laptops with employee data" (4 Nov 2006)

"Apple: Some iPods infected with virus" (18 Oct 2006)

"Crooks hijack online brokerage accounts" (13 Oct 2006)

These are just from the past few weeks!

Tonight we'll talk about topics related to security to help understand the terminology and the threats that exist

An email popular a year or two ago contained a zip file and was signed by the "Harvard.edu team"

it had a lure of officialness

the zip file was password protected - enhancing the feeling of authenticity

It was actually a Trojan horse!

Forms

If you've bought something on the Internet you've filled out a form on a webpage to enter your information

What are the precautions when visiting a site with a form?

Is it mainstream? (a website you've heard of)

There is the option to instead call the company directly to give them the credit card information

How many people are concerned about using their credit card on the Internet?

Many

Someone could steal your credit card number

Just as someone might wiretap a telephone, suppose someone was "sniffing" the connection between your computer and buy.com

Hopefully this doesn't happen!

But if it does, there are still ways we can protect ourselves

A small padlock icon showing in one corner of your browser might indicate that the site is secure and is encrypting the data from your computer to the server

Some web creators like to put padlock images on their pages to imply that the site is secure. However, anyone can put such an image on their own site, so it's not necessarily indicative

A secure URL will start with https:// and not http://

This means it's using SSL (a means of encrypting the information)

So, it's possible that someone can still sniff the 0s and 1s between you and the online shop, but it will look like gibberish to the sniffer if the data is properly encrypted.

Man in the middle attack - it's possible to set up a server that pretends to be the shop's server (to you) and pretends to be a client (to the shop), such that your computer connects to it and sends it encrypted information, which is decrypted by the malicious server, saved, and re-encrypted before being forwarded to the online shop

Computers were not designed to be inherently secure, so even if you type a credit card number into a secure site, it's possible that the number is stored somewhere in RAM

Although this is difficult to get to and we don't have to worry about it being accessed directly, it's possible for spyware to harvest this information from a computer

If spyware is running, it can save what you type (including credit card numbers, passwords, etc.) and send it to a person

You don't have control over what software is installed on public machines (Internet kiosks, Harvard computer labs, etc.), so it may not be wise to log in to your bank's site, for example, as there may be spyware on the machine

The online shop you send your credit card data to may save your credit card number (for convenience - if you visit the site multiple times it may remember your number to make it easier next time)

If someone were to steal one of the company's machines, it's possible to harvest any saved credit card numbers

However, if the company automatically encrypts that credit card information before saving it, then this may be even more secure than going to a store and buying with your credit card there (because of the human element)

Should you be buying things over the Internet?

There are often relatively few humans involved (which may be more secure)

Software defenses against spyware exist

Even if your credit card number is stolen, the credit card company will usually help protect you from fraud (report it!)

Yes, there are not many legitimate reasons not to purchase things over the Internet if you visit online resellers that use SSL encryption

Cookies

A file that a website you have visited saves on your computer so that the website can remember some information

Only the website that saved the cookie may read it.

Can store random numbers, usernames, your name, your preferences

When you log in to Amazon.com it usually remembers your email address (this is saved in a cookie)

Why is it not sufficient for a website to remember the IP?

IPs may change on a daily or weekly basis

two computers can appear to have the same IP (home routers share one public IP address with many computers in the home)

Instead of storing your password, sites tend to save a big unique random number in the cookie.

The website can remember this number and thus find you and log you back in to the site without saving your password

So, why are cookies bad?

In a webpage, you can get data from more than one source (for example, when you go to cnn.com it shows the news from CNN and ads from their ad partners)

So, if the ad partner is prevalent on the web (Ad.com, for example) then every time the cookie for ad.com is returned, that company may be able to track your habits on the web
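
The "big unique random number" idea from the cookie discussion above, as an added example that is not part of the lecture notes: the site issues a random session id, keeps the mapping to the user on its own side, and never needs the password again until the session expires. The user table, salt and function names are all constructed for the illustration.

```python
# Added example (not from the lecture notes): a minimal session store showing why
# a site puts a big random number in the cookie instead of the password.
# The user record, salt and function names are all constructed for this illustration.
import hashlib
import hmac
import secrets
import time

# Constructed user table: only a salted hash is kept, never the password itself.
# (hashlib is used for brevity; a real site would use a slow password hash.)
SALT = b"constructed-salt"
USERS = {"david": hashlib.sha256(SALT + b"correct horse").hexdigest()}

# Server-side table: session id -> (username, expiry time). The browser's cookie
# only ever holds the session id; the password never leaves the login request.
SESSIONS = {}
SESSION_LIFETIME = 60 * 60 * 24 * 7  # one week, in seconds


def login(username, password, now=None):
    """Check the password; on success return a fresh random session id for the cookie."""
    now = time.time() if now is None else now
    expected = USERS.get(username)
    supplied = hashlib.sha256(SALT + password.encode()).hexdigest()
    # Constant-time comparison so timing does not leak how many characters matched.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return None
    session_id = secrets.token_urlsafe(32)  # 256 random bits: unguessable
    SESSIONS[session_id] = (username, now + SESSION_LIFETIME)
    return session_id


def user_for_cookie(session_id, now=None):
    """Find the visitor from the number in the cookie; None if unknown or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(session_id)
    if entry is None:
        return None
    username, expires = entry
    if now > expires:
        del SESSIONS[session_id]  # expired: forget it so the cookie stops working
        return None
    return username


def logout(session_id):
    """Invalidate the session on the server; the browser's copy becomes useless."""
    SESSIONS.pop(session_id, None)
```

Because the cookie holds only the session id, a stolen cookie stops working at logout or expiry, whereas a stolen password would not.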

What other data besides cookies can computers store?

It's not cost effective to save the entirety of every email ever sent, but it's possible to remember "who did David email?"

The website that you visit knows that you visited it (it logs your IP address and the time, and the pages you visited)

Google Toolbar submits the sites that you visit so as to better help direct your searches, but this does mean that the sites you have visited are remembered

We ran our own data analysis on the logs from last year, and see that there is a huge spike in requests to the E-1 website around the end of October 2005. Why? Exam!

Among the things we can determine from our logs:

the most popular hours of the day

we know what percentage of the visits comes from each domain

but we also know the domain name of every person that visits

Example: one person made up almost 10% of our traffic.

We also know the most popular searches that led to users finding our sites

examples: "podcast" "harvard e 1" "cscie1" "www.twinkies project.com"

What browsers people are using

What operating systems people are using
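
The log analysis described above (popular hours, the share of traffic per host, the searches that brought visitors, browser families), as an added example that is not from the lecture. The log lines are constructed in Apache "combined" format; hostnames, paths, referers and user-agents are made up.

```python
# Added example (not from the lecture): the kind of log analysis described above,
# run over constructed Apache "combined" log lines. Hostnames, paths, referers and
# user-agents below are made up for the illustration.
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample log (host, timestamp, request, status, size, referer, user-agent)
SAMPLE_LOG = """\
dhcp-1.harvard.edu - - [28/Oct/2005:21:03:11 -0400] "GET /lectures/ HTTP/1.1" 200 5120 "http://www.google.com/search?q=harvard+e+1" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.0.7"
dhcp-1.harvard.edu - - [28/Oct/2005:21:04:52 -0400] "GET /exams/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.0.7"
cable-77.example.net - - [28/Oct/2005:22:15:09 -0400] "GET /podcast/ HTTP/1.1" 200 8192 "http://www.google.com/search?q=podcast" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
dhcp-1.harvard.edu - - [29/Oct/2005:09:40:00 -0400] "GET /exams/ HTTP/1.1" 200 2048 "http://www.google.com/search?q=cscie1" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.0.7"
"""

# One regex for the combined format; named groups pull out what the lecture lists.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<hour>\d\d):\d\d:\d\d [^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_log(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def requests_per_hour(entries):
    """Most popular hours of the day (hour string -> request count)."""
    return Counter(e["hour"] for e in entries)

def host_share(entries):
    """Fraction of all requests made by each client host (finds the '10%' visitor)."""
    counts = Counter(e["host"] for e in entries)
    return {host: n / len(entries) for host, n in counts.items()}

def search_terms(entries):
    """Searches that led visitors here, read from the q= parameter of Google referers."""
    terms = Counter()
    for e in entries:
        ref = urlparse(e["referer"])
        if ref.hostname and ref.hostname.endswith("google.com"):
            for q in parse_qs(ref.query).get("q", []):
                terms[q] += 1
    return terms

def browsers(entries):
    """Crude browser family taken from the user-agent string."""
    def family(agent):
        return "Firefox" if "Firefox" in agent else "IE" if "MSIE" in agent else "other"
    return Counter(family(e["agent"]) for e in entries)
```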

How would we be able to figure out from a fully qualified domain name who it is?

For example, if we wanted to know who that person was that made up 10% of the requests

We could email the class asking everyone to reply to it

Now we have the IP addresses of everyone in the class (in every email, the IP address of your computer is embedded in the 'header' of the email)

If we sent an HTML-based email with the E-1 logo (the E-1 logo is saved on our servers):

when you open the email, the email client obtains the logo from the server

Then your IP address is now recorded by our logs

How can you protect against these problems?

Passwords - ubiquitous in computer security

How many of you use birthdates, easy words, sequential numbers, etc.?

To make a secure password you should:

mix letters and numbers

mix upper and lowercase (if the password is case sensitive)

use special punctuation symbols

do not use any words in the dictionary!

do not merely substitute letters with look-alike numbers and vice versa (0 for o, L for 1, e for 3, etc.) - that is still a dictionary word in disguise

Many people tend to use the same password everywhere (because it's difficult to remember many different passwords for different websites) - but if someone gets that one password, they get access to everything!
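
The password rules listed above turned into a checker, as an added example that is not from the lecture. It also undoes the look-alike substitutions (0 for o, 1 for l, 3 for e) before the dictionary test, which is the point of the last rule. The word list is a small constructed stand-in for a real dictionary file.

```python
# Added example (not from the lecture): a checker for the password rules listed above.
# The word list is a small constructed stand-in for a real dictionary file.
import re
import string

# Constructed mini-dictionary; a real checker would load a full word list.
DICTIONARY = {"password", "harvard", "secret", "letmein", "welcome", "dragon"}

# Look-alike substitutions people use to disguise a dictionary word. The checker
# reverses them, because the disguised word is no harder to guess than the original.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Undo look-alike substitutions, then keep only the letters, in lower case."""
    plain = password.lower().translate(LOOKALIKES)
    return "".join(ch for ch in plain if ch.isalpha())


def check_password(password, dictionary=DICTIONARY):
    """Return the list of rules the password breaks (an empty list means it passes)."""
    problems = []
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("mix letters and numbers")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("mix upper and lower case")
    if not any(c in string.punctuation for c in password):
        problems.append("use punctuation symbols")
    if password.lower() in dictionary:
        problems.append("is a dictionary word")
    elif normalize(password) in dictionary:
        problems.append("is a dictionary word with look-alike substitutions")
    # Runs of three or more digits that count up or down (1234, 987) are easy guesses.
    for run in re.findall(r"\d{3,}", password):
        if run in "0123456789" or run in "9876543210":
            problems.append("contains sequential numbers")
            break
    return problems
```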

Wireless security:

WEP - Wired Equivalency Protocol. Broken! Do not use it

WPA - more secure than WEP (WPA2 more secure still)

There exists software to crack WEP passwords. Within minutes (literally minutes), the password can be cracked, giving access to the wireless access point

Wired networks are fairly secure, but wireless networks are not as secure

Hacking

What is it?

An outside person gets access to a system they are not welcome on and obtains information or disrupts it

It used to have a positive connotation

At MIT, a hack means a non-destructive modification to the campus for fun (dressing the dome as R2-D2, placing a fake police car on top of the dome)

BIOS password

It's a hardware-level password that the machine requests before booting

Still easily overcome by connecting a jumper on the motherboard

Phishing

How many have received an email from "Citibank" asking you to verify your account information - even if you don't have an account with them?

You may have seen them from Citibank, PayPal, Bank of the West.

In one particular phishing attack, the email asked users to visit www.bankofthevvest.com

Notice that it does not say Bank of the West! It says Bank of the VVest (two v's instead of a w)

Victims would pull up this site, and it appeared to be legitimate, so they would enter their login information and be tricked into giving their account information to malicious users

How can we prevent this?

Call the company directly (although the person on the other end of the line may not know what you are talking about)

Go directly to the website - do not use the link in the email, but type the address yourself

What's a good trick for checking the real website itself?

Use Google to find the company

Typically it will show the most credible and legitimate results (it's not always the first result in the list)

Google bombing - tricking Google into giving false results (try searching Google for "miserable failure")

What are some ways we can detect a phishing attack?

"I don't have an account with this company!"

Poor grammar and spelling (very common!)

Aesthetic strangeness

Is it sent specifically to you, or to many people?

The greeting: "Dear customer," (if I had an account with them, they should know my name)

The URL is also poorly formed and can be a trick

It is possible to show a link with text that does not represent where the link points

To create a link (more in the HTML lectures), we write:

<a href="http://fastmortgage.com/">http://www.etrade.com/</a>

This would show a link that makes it seem like it points to ETrade but instead links to fastmortgage.com
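
Two of the detection tricks from this section (the "VVest" look-alike domain and link text that differs from the real destination) as an added example that is not from the lecture. It runs over a constructed HTML email; the brand list, the fake message and every URL in it are made up for the illustration.

```python
# Added example (not from the lecture): two of the phishing checks described above, run
# over a constructed HTML email. All domains and URLs here are made up.
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BRANDS = {"bankofthewest.com", "etrade.com", "paypal.com", "citibank.com"}  # constructed
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e")]  # look-alike pairs
SAMPLE_EMAIL = (  # constructed phishing message
    '<p>Dear customer,</p><a href="http://www.bankofthevvest.com/login">Log in</a> '
    '<a href="http://fastmortgage.com/">http://www.etrade.com/</a> '
    '<a href="https://www.paypal.com/">PayPal</a>'
)

def registered_domain(host):
    # 'www.bankofthevvest.com' -> 'bankofthevvest.com' (last two labels)
    return ".".join(host.lower().split(".")[-2:])

def undisguise(host):
    # Collapse look-alike sequences so a disguised host maps to the brand it imitates.
    h = registered_domain(host)
    for fake, real in CONFUSABLES:
        h = h.replace(fake, real)
    return h

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from the <a> tags in an HTML email.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(html):
    """Return a human-readable warning for each suspicious link in the email."""
    parser = LinkCollector()
    parser.feed(html)
    warnings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if text.startswith("http") else None
        if text_host and registered_domain(text_host) != registered_domain(host):
            warnings.append(f"link text says {text_host} but points to {host}")
        brand = undisguise(host)
        if brand in KNOWN_BRANDS and registered_domain(host) != brand:
            warnings.append(f"{host} imitates {brand}")
    return warnings
```

The genuine PayPal link in the sample produces no warning, which is the check that matters for a filter people will actually keep switched on.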

Spam

Why is there gibberish in these emails, and why are subject lines misspelled?

"Re+move y*ur e mail:"

It's an attempt to fool naive spam filters that might be trying to filter based on keywords alone
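
A keyword filter that sees through the obfuscation quoted above, as an added example that is not from the lecture. The naive filter looks for exact substrings and misses "Re+move y*ur e mail"; the robust one tolerates punctuation or spaces between letters and a single wildcard character in place of a letter. The keyword list is constructed.

```python
# Added example (not from the lecture): a keyword filter that sees through the kind of
# obfuscation shown above ("Re+move y*ur e mail"). The keyword list is constructed.
import re

SPAM_KEYWORDS = ["remove", "your email", "viagra", "free", "mortgage"]


def obfuscation_pattern(keyword):
    """Regex that matches the keyword even when punctuation or spaces are inserted
    between its letters, or a letter is replaced by a '*' wildcard."""
    letters = [ch for ch in keyword if ch.isalpha()]
    pieces = [f"(?:{ch}|[*])" for ch in letters]
    # [\W_]* lets any run of non-letter characters sit between adjacent letters.
    return re.compile(r"[\W_]*".join(pieces), re.IGNORECASE), len(letters)


PATTERNS = {k: obfuscation_pattern(k) for k in SPAM_KEYWORDS}


def naive_hits(text):
    """What a keyword-only filter sees: exact substrings, nothing else."""
    return [k for k in SPAM_KEYWORDS if k in text.lower()]


def robust_hits(text):
    """Return {keyword: matched text} for keywords found despite obfuscation."""
    hits = {}
    for keyword, (pattern, n_letters) in PATTERNS.items():
        m = pattern.search(text)
        # Require all but one letter to be real so runs of '*' alone do not match.
        if m and sum(c.isalpha() for c in m.group()) >= n_letters - 1:
            hits[keyword] = m.group()
    return hits
```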

Virus

Can destroy your computer

A piece of software written in hopes of doing something bad

It can infect your computer if you use an infected CD or open an email attachment

Generally requires human interaction for a virus to infect the machine - it cannot infect your machine simply by your reading the email

Never, ever open a .exe that was emailed to you!

Anti-virus software tries to detect code that it recognizes as a threat and will try to remove only the malicious code

Worms

Scarier than viruses, because they don't require human intervention to propagate

A worm can jump from computer to computer as long as you are connected to the Internet

Most viruses and worms don't do anything - they are usually buggy and do not work properly

Spyware

Tries to "spy" on your computer

Being used to harvest email addresses and passwords, and to upload files to other websites

Usually has to be installed by a user

Example: using a volunteer's machine for a quick disinfection

Spybot

Never download anti-spyware software that is offered to you via a webpage - only download software recommended to you by a friend

"Immunize" - protects Internet Explorer from various types of attacks from websites

"Search and Destroy" - it searches for 52,708 forms of spyware known as of this writing

AVG - free anti-virus software

HijackThis

really gives you finer control over what spyware you might want to remove from your computer

helps remove difficult spyware

Shows every program that is run at your computer's start-up (even beyond what is in the "Startup" folder in Program Files).

If you really want good protection, you will often be presented with false positives, which then shifts the judgement from the program to the user.