Chapter 12

Overview

 Two of the most popular uses of the Internet are:
o Electronic mail
o The World Wide Web
 By default, both offer almost no protection for the privacy, integrity, and authenticity of information
 A number of security mechanisms have been developed for each
o SSL, Java
 Still many risks for users
Chapter 12  Email and WWW Threats
1
E-mail Fraud/Scams

Many dishonest individuals utilize the wide reach
and relative anonymity of the Internet to offer:
o Miracle health products
o Sure-fire investment strategies
o Lucrative business opportunities (and other get-rich-
quick schemes)
o Vacation packages that sound a lot better than they
really are
o Collectible items that are much less valuable than the
buyer is led to believe
o Credit repair (and other) services that charge a hefty
fee to do what anyone can do themselves for free
The Original Ponzi Scheme
 Boston, 1920
 Charles K. Ponzi begins issuing notes for a postal reply coupon business
o Promises a fifty percent return in forty-five days
 Initial investors receive their profits and word spreads
 Ponzi begins to receive millions of dollars from thousands of investors

The Original Ponzi Scheme (cont)

 After several months it is revealed that:
o Ponzi was not investing the money he collected in postal reply coupons
o Ponzi was using the money coming in from new investors to pay off previously issued notes as they came due
 Ponzi ran out of money trying to satisfy the ensuing flood of redemption requests
 Many investors were left holding worthless notes
 Ponzi eventually went to jail for larceny and fraud
 Scams in which the promise of fabulous returns is used to draw in new investors, thereby financing the paying of old investors, are called Ponzi schemes
Pyramid Schemes

 A pyramid scheme is a scam in which people:
o Pay a small amount of money to the people who joined previously
o Receive money from the people who join after them

 Example:
o Bob receives an e-mail containing the names and addresses of ten people
o Bob is instructed to:
 Send each person on the list one dollar
 Delete the person at the top of the list
 Shift all people on the list up one position
 Add himself in the last position
 Send a copy of the newly created letter to ten friends
Pyramid Schemes (cont)

 Supposedly:
o Bob’s ten friends will each:
 Send Bob a dollar (Bob receives 10 dollars)
 Send out a copy of the letter to ten friends each with Bob’s name in the ninth position and their name in the tenth position
o One hundred friends of Bob’s friends will each send Bob a dollar (Bob receives 100 dollars)
o Etc.
o By the time Bob’s name works its way to the top of the list and is removed, Bob will have received more than one billion dollars
Pyramid Schemes (cont)

 Pyramid schemes:
o Do not work (for the vast majority of participants)
 Every dollar gained by one person must be paid by another person
 If anyone makes a substantial amount of money through a pyramid scheme then a large number of other participants must lose money
o Are illegal in many countries

 Example: “Make Money Fast”
o “Hi, my name is Dave Rhodes…”
Forged E-mail

 Carol can forge a realistic-looking e-mail message for Bob that appears to have come from Alice, Bob’s boss:
To: Bob@company-x.com
From: Alice@company-x.com
Subject: Information for our new consultant
Hi Bob,
We have recently hired Carol as a consultant to analyze our business
operations and recommend potential areas for cost savings. Therefore,
please send copies of your budget reports for the last six months to
her at carol@carol.com so that she can begin analysis of your division.
Thanks.
Alice
Exploiting SMTP to Send Forged Email

 The Simple Mail Transport Protocol (SMTP) is fairly straightforward and completely text-based
 Most SMTP servers listen on TCP port 25
 The client establishes a connection with the server (probably using TELNET):
mail.carol.com% telnet
telnet> open mail.company-x.com 25
Trying 128.112.17.1...
Connected to mail.company-x.com.
Escape character is '^]'.
Forged E-mail (cont)

 The server replies with either a 220 message to indicate that the server is ready, or an error code if there is a problem:
220 mail.company-x.com ESMTP Sendmail
8.9.3+Sun/8.9.1; Fri, 29 Jun 2001 14:17:09 -0400
(EDT)

 The server waits for the client to send a HELO message
Forged E-mail (cont)

 The client sends the HELO message:
HELO mail.carol.com

 The server responds with a hello message:
250 mail.company-x.com, hello mail.carol.com,
pleased to meet you
Forged E-mail (cont)

 The client and the server are now connected and the server is waiting for the client to transfer one or more e-mail messages
 The client specifies the address of the sender in a MAIL FROM message:
MAIL FROM: alice@company-x.com

 The server replies:
250 <alice@company-x.com>…Sender OK
Forged E-mail (cont)

 The client sends a RCPT TO message indicating the address of the recipient:
RCPT TO: bob@company-x.com

 The server acknowledges the receiver:
250 <bob@company-x.com>... Recipient OK
Forged E-mail (cont)

 The client then sends the DATA command to signal its readiness to transmit the e-mail message:
DATA

 And the server replies:
354 Enter mail, end with "." on a line by itself
Forged E-mail (cont)

 The client enters the headers and body of the (forged) email message:
To: bob@company-x.com
From: alice@company-x.com
Subject: Information for our new consultant
Hi Bob,
We have recently hired Carol as a consultant to analyze our
business operations and recommend potential areas for cost
savings. Therefore, please send copies of your budget reports for
the last six months to her at carol@carol.com so that she can begin
analysis of your division. Thanks.
Alice
Forged E-mail (cont)

 The server notifies the client that the message has been accepted for delivery:
250 Message accepted for delivery

 The client could then transfer additional e-mail messages, or close the connection:
quit
Forged E-mail (cont)

 Uses:
o To make it more difficult to track and prosecute those who send fraudulent offers through e-mail
o To make e-mail appear to originate from a well-known or authoritative source
o Spam
Spam

 Spam is unsolicited commercial offers that arrive via e-mail
o The response rate to unsolicited advertisements is very low
o So spammers send their offers to tens or hundreds of thousands of people in hopes of receiving a few hundred replies
Spam vs. Junk Mail

 Most junk mail is sent by reputable firms and contains legitimate (if unwanted) offers, whereas most spam is sent by dishonest individuals and contains offers concerning:
o Get-rich-quick schemes
o Pirated software
o Other questionable or outright illegal products
Spam vs. Junk Mail (cont)

 Spam costs the sender nothing
 Spam introduces costs on the victims:
o Lost time
o Annoyance
o ISPs must pass on to their customers the costs of transferring, processing, and storing spam
 Can account for one quarter (or more) of the e-mail volume
Dealing With Spam

 Technical solutions: many users and ISPs utilize filters to try to discard spam before having to deal with it
 Self-regulation: organizations (e.g. the Direct Marketing Association) set standards for their members regarding appropriate behavior when engaging in direct marketing
 Legislative: many groups lobbying for anti-spam laws
o Title 47, Section 227 of the U.S. Code prohibits the use of “any telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine.”
Mail Bombs

 A mail bomb is:
o A denial-of-service attack
o An attacker sends a large amount of email to an individual or a system in a short period of time

 Effects:
o Can fill up a user’s (or even a system’s) storage space for incoming email
o Can keep a host busy processing e-mail messages so that it has little time to do anything else
Carnivore

 Carnivore is a controversial surveillance tool developed by the FBI in order to monitor Internet-based communications by suspected criminals
 Similar to wiretaps, which the FBI has been performing for decades:
o FBI must convince a judge that they have probable cause to believe that the individual is engaged in illegal behavior
o Judge may issue a court order allowing surveillance (stipulates a set period of time)
o The FBI, with the help of phone companies, can record and monitor the phone conversations of individuals covered by the order
o The FBI argues that wiretaps are vitally important to its ability to protect the public and prosecute criminals
Carnivore (cont)

 Designed to allow the FBI to record and monitor all Internet communications of a suspected criminal
o Requires a court order
o Help of Internet Service Providers

 Can be configured to monitor only those Internet communications specifically authorized by a court order
o E-mail messages
o Chat sessions
o Bulletin board postings
o Etc.
Using Carnivore

 The ISP identifies an access point through which all of the suspect’s data flows but which hopefully carries little or no data for other users
 The FBI attaches a tapping device at the access point
 The tapping device sends an exact copy of all data that passes through the access point to an FBI collection system
 The data is passed through a filter which discards any data not authorized by the court order, and the remaining data is written to permanent storage media for analysis

The Controversy of Carnivore

 Mistrust of the FBI
 FBI refuses to release the source code
 May be exploited by hackers either to escape detection or to spy on other Internet users
 May be misused by FBI or ISP personnel
o Different from traditional wiretaps: ease of automation of the collection and analysis of data
E-mail Threats - Summary

 E-mail threats include:
o Fraud/scams
o Forgery
o Spam
o Mail bombs
o Carnivore
WWW Threats

 There are many risks associated with the World Wide Web:
o Credit card fraud/abuse
o Content hijacking
o Hostile content
o Cookies

 Many users do not understand the dangers
The Web and Mass Communication

 In the past the ability to reach a large audience was limited to:
o The rich (owners of publishing companies, radio stations, television stations, etc.)
o Their employees
 Subject to editorial control
 Must share in profits

 The Web now makes it possible for almost anyone to reach a large audience
o Benefits
o Dangers
 Contents of messages
 Accuracy
Fraud on the Web

 Scams:
o Many of the same ones circulated via e-mail

 Credit card fraud
o Theft of credit card information on the Internet
o Theft of credit card information from a merchant’s database
o Abuse of credit card information by a merchant/employee
Content Hijacking

 Content hijacking - one site steals content from another
 Stolen content
o Graphics
o Information
o Web pages

 Impersonation
o Mistyped URLs
o Misleading links
Content Hijacking - Example

 April, 2000 - a web page was created that resembled the Bloomberg news site
 The page contained a false “news release” reporting that a certain company was about to be acquired for much more than its current share price
 A link to this page was posted on several web-based message boards devoted to discussion of the company’s stock
 The URL in the link referred to the page by its IP address rather than by its domain name, but many readers did not notice
Content Hijacking – Example (cont)

 Many people read the story and immediately bought the stock in order to profit from the rise in price that would result from the acquisition
 The price of the stock rose quickly and then plummeted a few hours later when the hoax was discovered
 The perpetrator(s) of this scam:
o Probably bought stock in the company prior to posting the false information
o Probably sold in the first few hours for a huge profit

 Many of the investors who were fooled by the fake story suffered large losses
Hostile Content

 Hostile content on the Web is designed to annoy or assail an unsuspecting victim:
o Recursive frames bug
o Popup windows
o Flaws in implementations of the Java Virtual Machine
o Plug-in programs
Cookies

 A cookie is a small amount of information that a server sends to a browser, which is stored on the client’s computer
 Every time a browser makes a request to a server, the browser checks the stored cookie list and sends any cookies from that server along with the request
 Uses:
o Maintain persistent state
o Customize web pages to a client’s preferences

 Protection mechanisms:
o Browser will only send a cookie to the site from which it originated
Cookies - Format

 Format:
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure
 Set-Cookie – tag (required)
 Name field – identifier (required)
 Expires – expiration date (optional)
o Expired cookies will not be sent by the browser
Cookies – Domain Field

 Domain field - allows the browser to determine to which hosts a cookie can be sent (optional)
o Defaults to the name of the server from which the cookie originated (e.g. www.carol.com)
o Servers can set the domain field in a cookie (e.g. carol.com)
 Browser checks the domain field in cookies (e.g. won’t accept bob.com in a cookie from www.carol.com)
o Browser uses the domain field to determine which cookie(s) to send to a server
 The suffix of the domain name of the server must match the domain specified in the cookie
o Example: DOMAIN = carol.com
 www.carol.com, c1.carol.com, c1.foo.carol.com
Cookies – Path Field

 Path field - restricts which pages at a particular site will cause a cookie to be sent by the browser
o Cookie must first pass domain checking
o A prefix of the path must appear in the URL in order for the cookie to be sent
o Defaults to /
o Example: PATH = /carol
 http://www.carol.com/carol/index.html = send cookie
 http://www.carol.com/bob/index.html = do not send cookie
Cookies – Secure Field

 Secure field – specifies a “secure” cookie
o Defaults to false
o If set, tells the browser that the cookie should only be sent if there is a secure (e.g. SSL) connection between the client and the server
A CGI Script that Sends a Cookie
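The format, domain, path and secure rules from the preceding cookie slides, as an added example (not code from the slides): a server-side helper that emits a Set-Cookie header in the slides' format, and a browser-side model of the acceptance and send decisions. Function names and the sample hosts and URLs are constructed for this illustration; expiry checking is left out.

```python
# Added example modelling the Netscape-style cookie rules described on the slides.
from urllib.parse import urlsplit

def build_set_cookie(name, value, expires=None, path="/", domain=None, secure=False):
    """Server side: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN; secure."""
    parts = [f"{name}={value}"]
    if expires:
        parts.append(f"expires={expires}")
    parts.append(f"path={path}")
    if domain:
        parts.append(f"domain={domain}")
    if secure:
        parts.append("secure")
    return "; ".join(parts)

def domain_matches(host, domain):
    """Suffix rule: the host must equal the domain or end in '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def parse_set_cookie(header, origin_host):
    """Browser side: parse a Set-Cookie header received from origin_host.
    Returns None when the domain attribute does not cover the origin
    (e.g. domain=bob.com in a cookie from www.carol.com is refused)."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    cookie = {"name": name, "value": value, "path": "/",
              "domain": origin_host, "expires": None, "secure": False}
    for attr in pieces[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key in ("path", "domain", "expires"):
            cookie[key] = val.strip()
    cookie["domain"] = cookie["domain"].lstrip(".")
    if not domain_matches(origin_host, cookie["domain"]):
        return None
    return cookie

def should_send(cookie, url):
    """Browser side: decide whether this cookie accompanies a request to url."""
    u = urlsplit(url)
    if not domain_matches(u.hostname or "", cookie["domain"]):
        return False                      # domain check comes first
    if not (u.path or "/").startswith(cookie["path"]):
        return False                      # cookie path must prefix the URL path
    if cookie["secure"] and u.scheme != "https":
        return False                      # secure cookies only over SSL/TLS
    return True
```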
Accepting or Rejecting Cookies

 Most browsers allow the user to set options to:
o Accept all cookies without consulting the user
o Ask the user before accepting a cookie
o Reject all cookies
The Privacy Risks of Cookies

 Spying by employers/coworkers
o Cookies identify many of the sites that the user has visited
o Anyone with access to the machine can examine the user’s browsing habits

 User profiling by advertisers
o Site places ads (served by its own servers) on a wide variety of other sites
o Cookies are used to track how many times the company’s ads are displayed on each site and how often users click on the ads
o This allows the company to advertise on sites where their ads tend to be well received and not on sites where their ads fare poorly
o The company can also build elaborate profiles of users
WWW Threats - Summary

 WWW threats include:
o Credit card fraud/abuse
o Content hijacking
o Hostile content
o Cookies
 Many users do not understand these dangers