Overview

Two of the most popular uses of the Internet are:
o Electronic mail
o The World Wide Web
By default, both offer almost no protection for the privacy, integrity, and authenticity of information
A number of security mechanisms have been developed for each
o SSL, Java
Still many risks for users

Chapter 12 Email and WWW Threats 1

E-mail Fraud/Scams

Many dishonest individuals utilize the wide reach and relative anonymity of the Internet to offer:
o Miracle health products
o Sure-fire investment strategies
o Lucrative business opportunities (and other get-rich-quick schemes)
o Vacation packages that sound a lot better than they really are
o Collectible items that are much less valuable than the buyer is led to believe
o Credit repair (and other) services that charge a hefty fee to do what anyone can do themselves for free

The Original Ponzi Scheme

Boston, 1920
Charles K. Ponzi begins issuing notes for a postal reply coupon business
o Promises a fifty percent return in forty-five days
Initial investors receive their profits and word spreads
Ponzi begins to receive millions of dollars from thousands of investors

The Original Ponzi Scheme (cont)

After several months it is revealed that:
o Ponzi was not investing the money he collected in postal reply coupons
o Ponzi was using the money coming in from new investors to pay off previously issued notes as they came due
Ponzi ran out of money trying to satisfy the ensuing flood of redemption requests
Many investors were left holding worthless notes
Ponzi eventually went to jail for larceny and fraud
Scams in which the promise of fabulous returns is used to draw in new investors, thereby financing the paying of old investors, are called Ponzi schemes

Pyramid Schemes

A pyramid scheme is a scam in which people:
o Pay a small amount of money to the people who joined previously
o Receive money from the people who join after them
Example:
o Bob receives an e-mail containing the names and addresses of ten people
o Bob is instructed to:
  - Send each person on the list one dollar
  - Delete the person at the top of the list
  - Shift all people on the list up one position
  - Add himself in the last position
  - Send a copy of the newly created letter to ten friends

Pyramid Schemes (cont)

Supposedly:
o Bob’s ten friends will each:
  - Send Bob a dollar (Bob receives 10 dollars)
  - Send out a copy of the letter to ten friends each, with Bob’s name in the ninth position and their own name in the tenth position
o One hundred friends of Bob’s friends will each send Bob a dollar (Bob receives 100 dollars)
o Etc.
o By the time Bob’s name works its way to the top of the list and is removed, Bob will have received more than one billion dollars

Pyramid Schemes (cont)

Pyramid schemes:
o Do not work (for the vast majority of participants)
  - Every dollar gained by one person must be paid by another person
  - If anyone makes a substantial amount of money through a pyramid scheme, then a large number of other participants must lose money
o Are illegal in many countries
Example: “Make Money Fast”
o “Hi, my name is Dave Rhodes…”

Forged E-mail

Carol can forge a realistic-looking e-mail message for Bob that appears to have come from Alice, Bob’s boss:

    To: Bob@company-x.com
    From: Alice@company-x.com
    Subject: Information for our new consultant

    Hi Bob,

    We have recently hired Carol as a consultant to analyze our business
    operations and recommend potential areas for cost savings. Therefore,
    please send copies of your budget reports for the last six months to
    her at carol@carol.com so that she can begin analysis of your division.

    Thanks.
    Alice

Exploiting SMTP to Send Forged Email

The Simple Mail Transport Protocol (SMTP) is fairly straightforward and completely text-based
Most SMTP servers listen on TCP port 25
The client establishes a connection with the server (probably using TELNET):

    mail.carol.com% telnet
    telnet> open mail.company-x.com 25
    Trying 128.112.17.1...
    Connected to mail.company-x.com.
    Escape character is '^]'.

Forged E-mail (cont)

The server replies with either a 220 message to indicate that the server is ready, or an error code if there is a problem:

    220 mail.company-x.com ESMTP Sendmail 8.9.3+Sun/8.9.1; Fri, 29 Jun 2001 14:17:09 -0400 (EDT)

The server then waits for the client to send a HELO message

Forged E-mail (cont)

The client sends the HELO message:

    HELO mail.carol.com

The server responds with a hello message:

    250 mail.company-x.com, hello mail.carol.com, pleased to meet you

Forged E-mail (cont)

The client and the server are now connected and the server is waiting for the client to transfer one or more e-mail messages
The client specifies the address of the sender in a MAIL FROM message:

    MAIL FROM: alice@company-x.com

The server replies:

    250 <alice@company-x.com>... Sender OK

Forged E-mail (cont)

The client sends a RCPT TO message indicating the address of the recipient:

    RCPT TO: bob@company-x.com

The server acknowledges the recipient:

    250 <bob@company-x.com>... Recipient OK

Forged E-mail (cont)

The client then sends the DATA command to signal its readiness to transmit the e-mail message:

    DATA

And the server replies:

    354 Enter mail, end with "." on a line by itself

Forged E-mail (cont)

The client enters the headers and body of the (forged) e-mail message:

    To: bob@company-x.com
    From: alice@company-x.com
    Subject: Information for our new consultant

    Hi Bob,

    We have recently hired Carol as a consultant to analyze our business
    operations and recommend potential areas for cost savings. Therefore,
    please send copies of your budget reports for the last six months to
    her at carol@carol.com so that she can begin analysis of your division.

    Thanks.
    Alice

Forged E-mail (cont)

The server notifies the client that the message has been accepted for delivery:

    250 Message accepted for delivery

The client could then transfer additional e-mail messages, or close the connection:

    quit

Forged E-mail (cont)

Uses:
o To make it more difficult to track and prosecute those who send fraudulent offers through e-mail
o To make e-mail appear to originate from a well-known or authoritative source
o Spam

Spam

Spam consists of unsolicited commercial offers that arrive via e-mail
o The response rate to unsolicited advertisements is very low
o So spammers send their offers to tens or hundreds of thousands of people in hopes of receiving a few hundred replies

Spam vs. Junk Mail

Most junk mail is sent by reputable firms and contains legitimate (if unwanted) offers, whereas most spam is sent by dishonest individuals and contains offers concerning:
o Get-rich-quick schemes
o Pirated software
o Other questionable or outright illegal products

Spam vs. Junk Mail (cont)

Spam costs the sender nothing
Spam imposes costs on the victims:
o Lost time
o Annoyance
o ISPs must pass on to their customers the costs of transferring, processing, and storing spam
Spam can account for one quarter (or more) of the e-mail volume

Dealing With Spam

Technical solutions: many users and ISPs utilize filters to try to discard spam before having to deal with it
Self-regulation: organizations (e.g. the Direct Marketing Association) set standards for their members regarding appropriate behavior when engaging in direct marketing
Legislative: many groups are lobbying for anti-spam laws
o Title 47, Section 227 of the U.S. Code prohibits the use of “any telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine.”

Mail Bombs

A mail bomb is:
o A denial-of-service attack
o An attacker sends a large amount of e-mail to an individual or a system in a short period of time
Effects:
o Can fill up a user’s (or even a system’s) storage space for incoming e-mail
o Can keep a host busy processing e-mail messages so that it has little time to do anything else

Carnivore

Carnivore is a controversial surveillance tool developed by the FBI in order to monitor Internet-based communications by suspected criminals
Similar to wiretaps, which the FBI has been performing for decades:
o The FBI must convince a judge that they have probable cause to believe that the individual is engaged in illegal behavior
o The judge may issue a court order allowing surveillance (stipulating a set period of time)
o The FBI, with the help of phone companies, can record and monitor the phone conversations of individuals covered by the order
o The FBI argues that wiretaps are vitally important to its ability to protect the public and prosecute criminals

Carnivore (cont)

Designed to allow the FBI to record and monitor all Internet communications of a suspected criminal
o Requires a court order
o Requires the help of Internet Service Providers
Can be configured to monitor only those Internet communications specifically authorized by a court order
o E-mail messages
o Chat sessions
o Bulletin board postings
o Etc.

Using Carnivore

The ISP identifies an access point through which all of the suspect’s data flows but which hopefully carries little or no data for other users
The FBI attaches a tapping device at the access point. The tapping device sends an exact copy of all data that passes through the access point to an FBI collection system
The data is passed through a filter which discards any data not authorized by the court order, and the remaining data is written to permanent storage media for analysis

The Controversy of Carnivore

Mistrust of the FBI
The FBI refuses to release the source code
May be exploitable by hackers, either to escape detection or to spy on other Internet users
May be misused by FBI or ISP personnel
o Different from traditional wiretaps: the collection and analysis of data are easily automated

E-mail Threats - Summary

E-mail threats include:
o Fraud/scams
o Forgery
o Spam
o Mail bombs
o Carnivore

WWW Threats

There are many risks associated with the World Wide Web:
o Credit card fraud/abuse
o Content hijacking
o Hostile content
o Cookies
Many users do not understand the dangers

The Web and Mass Communication

In the past the ability to reach a large audience was limited to:
o The rich (owners of publishing companies, radio stations, television stations, etc.)
o Their employees
  - Subject to editorial control
  - Must share in profits
The Web now makes it possible for almost anyone to reach a large audience
o Benefits
o Dangers
  - Contents of messages
  - Accuracy

Fraud on the Web

Scams:
o Many of the same ones circulated via e-mail
Credit card fraud:
o Theft of credit card information on the Internet
o Theft of credit card information from a merchant’s database
o Abuse of credit card information by a merchant/employee

Content Hijacking

Content hijacking - one site steals content from another
Stolen content:
o Graphics
o Information
o Web pages
Impersonation:
o Mistyped URLs
o Misleading links

Content Hijacking - Example

April, 2000 - a web page was created that resembled the Bloomberg news site
The page contained a false “news release” reporting that a certain company was about to be acquired for much more than its current share price
A link to this page was posted on several web-based message boards devoted to discussion of the company’s stock
The URL in the link referred to the page by its IP address rather than by its domain name, but many readers did not notice

Content Hijacking – Example (cont)

Many people read the story and immediately bought the stock in order to profit from the rise in price that would result from the acquisition
The price of the stock rose quickly and then plummeted a few hours later when the hoax was discovered
The perpetrator(s) of this scam:
o Probably bought stock in the company prior to posting the false information
o Probably sold in the first few hours for a huge profit
Many of the investors who were fooled by the fake story suffered large losses

Hostile Content

Hostile content on the Web is designed to annoy or assail an unsuspecting victim:
o Recursive frames bug
o Popup windows
o Flaws in implementations of the Java Virtual Machine
o Plug-in programs

Cookies

A cookie is a small amount of information that a server sends to a browser, which is stored on the client’s computer
Every time a browser makes a request to a server, the browser checks the stored cookie list and sends any cookies from that server along with the request
Uses:
o Maintain persistent state
o Customize web pages to a client’s preferences
Protection mechanisms:
o The browser will only send a cookie to the site from which it originated

Cookies - Format

Format:

    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

Set-Cookie – tag (required)
Name field – identifier (required)
Expires – expiration date (optional)
o Expired cookies will not be sent by the browser

Cookies – Domain Field

Domain field - allows the browser to determine to which hosts a cookie can be sent (optional)
o Defaults to the name of the server from which the cookie originated (e.g. www.carol.com)
o Servers can set the domain field in a cookie (e.g. carol.com)
The browser checks the domain field in cookies (e.g. it won’t accept bob.com in a cookie from www.carol.com)
o The browser uses the domain field to determine which cookie(s) to send to a server
  - The suffix of the domain name of the server must match the domain specified in the cookie
o Example: DOMAIN = carol.com matches www.carol.com, c1.carol.com, c1.foo.carol.com

Cookies – Path Field

Path field - restricts which pages at a particular site will cause a cookie to be sent by the browser
o The cookie must first pass domain checking
o The cookie’s path must be a prefix of the path in the URL in order for the cookie to be sent
o Defaults to /
o Example: PATH = /carol
  - http://www.carol.com/carol/index.html = send cookie
  - http://www.carol.com/bob/index.html = do not send cookie

Cookies – Secure Field

Secure field – specifies a “secure” cookie
o Defaults to false
o If set, tells the browser that the cookie should only be sent if there is a secure (e.g. SSL) connection between the client and the server

A CGI Script that Sends a Cookie

[The script listing on this slide is not reproduced in the text]

Accepting or Rejecting Cookies

Most browsers allow the user to set options to:
o Accept all cookies without consulting the user
o Ask the user before accepting a cookie
o Reject all cookies

The Privacy Risks of Cookies

Spying by employers/coworkers
o Cookies identify many of the sites that the user has visited
o Anyone with access to the machine can examine the user’s browsing habits
User profiling by advertisers
o A site places ads (served by its own servers) on a wide variety of other sites
o Cookies are used to track how many times the company’s ads are displayed on each site and how often users click on the ads
o The company can then advertise on sites where their ads tend to be well received and not on sites where their ads fare poorly
o The company can also build elaborate profiles of users
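The domain, path and secure rules from the Cookies slides above, written out as a small Python model. This is an added example, not code from the slides; the Set-Cookie header strings it parses follow the format shown on the Cookies - Format slide, and the expires field is deliberately not handled.

```python
# Added example, not code from the slides: a small model of the cookie rules
# described above (domain suffix matching, path prefix matching, the secure
# flag, and the rule that a server may only set a cookie for its own domain).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # defaults to the originating server's host name
    path: str = "/"        # defaults to /
    secure: bool = False   # defaults to false

def domain_matches(host: str, cookie_domain: str) -> bool:
    """True if host equals the domain or ends with '.' + domain.
    The dot is required so that evilcarol.com does not match carol.com."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def accept_cookie(origin_host: str, set_cookie: str) -> Optional[Cookie]:
    """Parse 'NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN; secure'
    received from origin_host. Returns None when the domain attribute is not
    a suffix of origin_host (e.g. domain=bob.com sent by www.carol.com)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), domain=origin_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            if not domain_matches(origin_host, val):
                return None          # browser rejects the cookie outright
            cookie.domain = val.lower().lstrip(".")
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
        # expires is not parsed here; an expired cookie would simply be dropped
    return cookie

def should_send(cookie: Cookie, host: str, path: str, over_ssl: bool) -> bool:
    """Domain check first, then path prefix check, then the secure flag."""
    if not domain_matches(host, cookie.domain):
        return False
    if not path.startswith(cookie.path):
        return False                 # e.g. PATH=/carol vs /bob/index.html
    return over_ssl or not cookie.secure
```

Real browsers add further restrictions on the domain attribute (for example, refusing top-level domains such as .com), but the suffix and prefix checks above are the core of what the slides describe.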
WWW Threats - Summary

WWW threats include:
o Credit card fraud/abuse
o Content hijacking
o Hostile content
o Cookies
Many users do not understand these dangers
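Returning to the forged-mail session in the Forged E-mail slides: the server accepted MAIL FROM alice@company-x.com from a client that announced itself as mail.carol.com and never authenticated. The following added example (not code from the slides) shows the envelope policy a receiving server such as mail.company-x.com could apply so that such a session, and attempts to relay spam through the server, are refused; the LOCAL_DOMAINS and TRUSTED_RELAYS sets are assumptions made for the example.

```python
# Added example, not code from the slides: a receiving-side policy check that
# mail.company-x.com could apply to the envelope of the session shown in the
# Forged E-mail slides. LOCAL_DOMAINS and TRUSTED_RELAYS are assumptions.
from dataclasses import dataclass
from typing import Tuple

LOCAL_DOMAINS = {"company-x.com"}        # domains this server delivers for
TRUSTED_RELAYS = {"mail.company-x.com"}  # hosts allowed to submit local senders

@dataclass
class Envelope:
    helo_host: str                # host name given in HELO
    mail_from: str                # MAIL FROM address
    rcpt_to: str                  # RCPT TO address
    authenticated: bool = False   # did the client log in (SMTP AUTH)?

def address_domain(addr: str) -> str:
    """Domain part of 'user@host' or '<user@host>', lower-cased."""
    return addr.strip("<> ").rpartition("@")[2].lower()

def check_envelope(env: Envelope) -> Tuple[int, str]:
    """Reply (code, text) the server should give at RCPT TO.
    Rule 1: a MAIL FROM in a local domain must come from an authenticated
    client or a trusted relay; otherwise it is treated as forged.
    Rule 2: unauthenticated clients may only deliver to local recipients,
    so the server cannot be used as an open relay for spam."""
    sender_dom = address_domain(env.mail_from)
    rcpt_dom = address_domain(env.rcpt_to)
    helo = env.helo_host.lower()
    if (sender_dom in LOCAL_DOMAINS and not env.authenticated
            and helo not in TRUSTED_RELAYS):
        return 550, f"5.7.1 <{env.mail_from}> claims {sender_dom} from {helo} without authentication"
    if rcpt_dom not in LOCAL_DOMAINS and not env.authenticated:
        return 550, "5.7.1 Relaying denied"
    return 250, f"<{env.rcpt_to}>... Recipient OK"

# The envelope Carol presents in the slides (constructed from that session)
FORGED = Envelope("mail.carol.com", "alice@company-x.com", "bob@company-x.com")
```

Today the same idea is enforced with SPF, DKIM and DMARC, which let the receiving server verify a claimed sender domain against records the domain owner publishes in DNS rather than against a fixed relay list.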