Security and Protection
CS 110
Fall 2005
Security Risks




More data is being stored than ever
before
More people/organizations “touch”
the data
The “key” to unlock that data isn’t
particularly strong
Communication networks are
relatively open
Data Storage

Who “owns” your data?

Amazon, Experian, Blue Cross
• How do they share your data?

What other data is captured?

Web visits, music playback, cell phone
tracking
• Where does that data go?
• What unique identifiers are stored?
Data Protection

What “keys” protect your data?
• Social Security Number
• Mother’s maiden name
• Birthdate
• Pin
• Encryption keys

Remember the DVD key was stolen
Data Handling

More companies handle data
• Are they trustworthy?
• What standards do they have?
• Can I sign a privacy agreement and
assume all subcontracting companies
follow the same privacy rules?
• How to point blame?
• Who can you sue?
Communication Networks

Easy to “sniff” communications
• TCP/IP packets are transparent


What’s in them?
But, TCP/IP packets follow indeterminate
routes
• Programs residing on your computer
can capture typing and steal passwords

Even very secure devices have been
hacked
Some technical details

Protection in your computer
• A hierarchy of privileges


Email should never be able to reboot your
machine
Excel should not launch programs
• Limits damage
• Limits power

Exceptions are everywhere: email does
launch Microsoft Word
Some technical details

Protection in your computer
• Some files are supposed to be for
“system use” only
• Consider changing the file that contains
the name of your home web site
• Consider changing “notepad” to a
program that deletes all files
Some technical details

Protection in your computer
• Some data in RAM should also be
protected
• People attack programs that have the
most permission to write to RAM
• People try to sneak past the write
protections, buffer overflow
Some technical details

Protection in your computer
• What does your computer do with all
those packets addressed to your IP
address and coming in through the
cable modem / DSL ?
• First, allocated to one of 65535 ports



Your web browser “listens” for packets on a
specific port
Your music sharing software communicates
on a specific port
Packets for unused ports should be dumped
Some technical details

Protection outside your computer
• A firewall only permits packets to enter
your computer if they are legitimate

Even if a secret program is awaiting
instructions on port 1003, the firewall will
cut packets off before entering computer
Some technical details

Protection outside your computer
• Internet routers are generally well
protected




They don’t let others rewrite your packets?
They don’t let other read your packets?
They ensure your packets are delivered
quickly?
They ensure your packets are ever
delivered?
What’s Malware?

General term is malware (for
"malicious software")
• Any program or file harmful to a
computer user

Includes
• Computer viruses
• Worms
• Trojan horses, including

Adware, Spyware
Viruses

Programs that attach themselves to
another program to gain access to
your machine
• They may do nothing on your machine
or they may destroy all your files
• The viruses seek to use your machine
as a launching point to infect other
machines
Worms

Like a virus but they are selfcontained programs (they don’t need
a host)
Adware

Some programs are “free” but they
support their costs by sending ads to
your machine
Related to advertising




Many web sites have advertising
A few big advertising agencies serve
all these sites
These agencies embed tracking
codes in the ads that you encounter
on each site
Data obtained from these ads
creates the most comprehensive
view of where you go on the web
Spyware



You download a music player
The music player includes an
additional program that is installed
and runs continuously
This program records the websites
you visit and sends them to a
database
How Bad Is It? (Bad!)

Fall 2004: Study by AOL and National
Cyber Security Alliance
(www.staysafeonline.info)
• Surveyed 329 PC users, then examined their
PCs

On-line for an avg. of 7 years; 42% intermediate or
expert users
• 85% said they were running anti-virus SW
• 71% said they were updating this weekly
but barely half really were
• 19% of their PCs had viruses
• 80% had spyware on their PCs
• Only 33% running a firewall
Some Things You Must Do!

Install and run antivirus software
• UVa: Free Norton Antivirus!
• Get updated virus definitions weekly!

Keep your PC updated
• Windows: run Windows Update from
Start Menu
• Weekly, even!

Run anti-spyware software
• UVa: Free SpySweeper!
• Non-UVa: decent free versions out
there
Two Sides of the Issue

Technical Dimension
• Better operating systems, browsers
• Better tools to detect, fix and stop
malware

Social Dimension
• Users
easily
• Users
• Users
too trusting, too gullible, too
fooled
engage in risky behavior
do not update SW, don’t use tools
Email Attachments

Definition: A computer file that is
transmitted with an e-mail message
• Convenient way to send files via e-mail

What does the e-mail client do with
them?
• In the bad old days: Could only save it
• Now the attachment is “smart”



Play sound when it arrives
Display image in the e-mail
Display the Web page that’s attached to a
text e-mail
Dangers with Attachments

Attackers take advantage
• An attachment seems safe (to you) but does
something bad
• The “helper” programs have normally assumed
everyone has good intentions
• Example: Word documents can contain
macros



Small bits of programming embedded in the
document
It’s possible to write a nasty macro that runs when
you open the document
E-mail spoofing promotes this problem
• You trust things you wouldn’t normally
E-mail spoofing


You receive e-mail appearing to be
from one source…. But it's actually
from another source
What's the sender’s goal? To trick
you into:
• Sending secure info (password, account
number)
• Running an attachment
• Clicking on a link that runs a program
What makes spoofing possible?

Life was simpler once upon a time…
• Expensive and difficult to put a mailserver on the net (and have
administrator privileges on it)
• Managed by responsible admins:
business, government, universities
• Open standards

Today:
• Easy, cheap, well-understood by
everyone
Phishing



A attempt to gain personal information for
purposes of identity theft, etc.
Faked e-mail messages appear to come
from legitimate, official source
Fool you into divulging personal data such
as
•
•
•
•

account numbers
passwords
credit card numbers
Social Security numbers
No company will ever ask you for
such info by e-mail.
If in doubt, call them or contact them
directly (not by replying)
Phishing
Illustrated

Looks real!
• PayPal logo
• Copyright notice
• Says account may have
been accessed!

Says to click on link
• Appears to be to PayPal
site
• That’s just the text
• Link opens page that
looks like PayPal
• Asks for account info
Let’s Go Phish!

Another example
• Received in January 2005
• Appears to be from “my” bank
The Email
Where The Link Takes Me
The Real Bank’s Page
They Want Info!
E-mail Lessons

Do not open attachments unless you
know what they are
• Antivirus software checks attachments
as you open them!

Suspect spoofing
• Look for anything odd in the message
• Double-check with sender

Phishing: don’t get caught
• Be suspicious. Call the business.
Cookies

Cookies are somewhat controversial
• Websites can used them for legitimate
reasons
• They can be used for the wrong reasons
• In any case, they are a fact of life of
web browsing

Cookies allow a web-server to:
• Track your visits to the site
• Learn and remember info about you
• Store info on your computer
What Is a Cookie?


A small piece of information stored
by your web-browser on your PC
when you visit a site
What’s stored:
• A URL related to the site you visited
• A name/value pair (the information
content)
• (Optional) An expiration date

Why is it a “cookie”?
• An old CS term for a chunk of data used
obscurely
Reminder: Web Browser
and Server Interaction





User types URL or clicks link
Browser sends a get-page request
for that URL to web-server
Web-server finds HTML file (and
related files)
Web-server sends these back to
browser
Browser processes HTML and
displays page
Cookies: Web-servers Store
Some Info on your PC



When sending back a page, server also
sends a cookie
Your browser stores it on your PC
Later, you visit the same site
• You request a page there and your browser
has earlier stored a cookie matching that URL
• Browser sends URL and cookie to web-server
• Web-server processes cookie

May return updated cookies with page
Normally browsing the
web is "stateless"

“Stateless” means “no memory”
• Request a page from a server; it sends it
• Later request a 2nd page; the server sends it
• The webserver doesn't remember anything
connecting these two requests

But, cookies preserve “state.” Server can
connect an early visit with a later visit.
• How? Cookie stored a numeric ID number for
you

FYI, a server does “log” requests
• what page, what IP address, when, browser
• But this can’t identify you uniquely
Cookies Can Be Beneficial

Shopping Carts
• Server creates a cart, stored on the server
• You visit other pages, but a cookie lets the
server know you’re the person who created
that cart

Other personalization
• “Welcome back, Jane Doe!”
• “Items you viewed recently are…”

Recognizing legitimate users for a site
• Register and log-in, but then a cookie means
you don’t have to log-in every time
The Darker Side of Cookies


We assume anonymity on the web,
right?
Do you want someone knowing what
pages you’ve visited?
• Cookies allow a website to track what
you visited on that site
• Are they keeping this private? Selling it?
Do you even know they’re tracking your
visits?
• What are your rights here?
The Darker Side of
Cookies (2)

Personalized ads (e.g. the company
DoubleClick)
• Advertising image on a page is really on
another server
• You click on the image on the ad-server
• It builds up a profile about you over
time
• Deliver ads you want to see

When used for authorization, are
they secure?
You Have Control

You can configure your browser to
handle cookies as you want
Cookies: Should You Worry?

Hard to say…
• Some are quite useful. They allow ecommerce!
• Some are sneaky

Some anti-spyware tools remove
undesirable cookies (some remove
harmless ones)
Where We Are in the Lecture

Email issues
• attachments and email-spoofing
• phishing

Cookies

Web-bugs


Viruses in email
Spyware (including browser hijacks)
What’s a Web Bug?






A graphic image on a Web page or in an
Email message
A link to an external site, not an image
embedded in your message
Designed to monitor who is reading the
Web page or Email message
May be invisible (size 1 pixel by 1 pixel) or
not
Sometimes knowns as a "clear GIFs", "1by-1 GIFs" or "invisible GIFs“
(More info:
http://www.eff.org/Privacy/Marketing/web
_bug.html)
How’s This Work?


Web bug: on some other server
Remember: when a server delivers a
HTML file or an image file, it logs this
• A page or an email can have an image
that’s stored on some external site
• Thus the server there logs delivery of
that image (even if it’s invisible to you)
Examples (in HTML)


<img
src="http://ad.doubleclick.net/ad/pix
el.quicken/NEW" width=1 height=1
border=0>
<img width='1' height='1'
src="http://www.m0.net/m/logopen
02.asp?
vid=3&catid=370153037&email=SMI
THS%40tiac.net" alt=" ">
What Info Can Be Gathered?

Again, the server where the bug lives will
log:
• The IP address of your computer
• The URL of the page that the Web Bug is
located on
• The URL of the Web Bug image
• The time the Web Bug was viewed
• The type of browser that fetched the Web Bug
image

Also possible: Info from any cookie that's
on your machine
Web Bugs on a Web Page

Using personal info in a cookie, ad
companies can track what pages you
view over time
• Stores this info in a database
• Later used to target specific banners
ads for you

How many people view a website
Web Bugs Used in an Email




Tells if and when a message was read
Links email address with the IP address of
machine you read mail on
Within an organization, can tell how often
a message is forwarded and read
In spam:
• How many users have seen the spam message
• Allows spammers to detect valid email
addresses
Web Bugs: Legal, Ethical?




Controversial! Attempt to monitor
you without your knowledge
Legal? Not clearly illegal
They are used on the websites of
legitimate companies
Privacy policies for websites
generally don't mention these
Web Bugs: What can you
do?


You can't easily identify web bugs
New email clients (e.g. Mozilla
Thunderbird) do not display images
in email that are links to files on
external sites (see next slide)
• (Images embedded as part of email
message are OK)
• You can click "Show Images" button
• Also nice not to see some images in
spam

Helps to disable and delete cookies
An Email Client Blocks Remote
Images
Anonymity

Are you really anonymous surfing the
web?
• Someone (corporations and whoever
buys their data) is collecting info on
your browsing

Do we want:
• Tools to “protect” us from this?
• Laws against it?
• Laws that disclose it’s being done and
how the info is used?
• Users to be aware it’s going on? (Yes!)
Where We Are in the Lecture

Email issues
• attachments and email-spoofing
• phishing

Cookies
Web-bugs

Viruses in email

Spyware (including browser hijacks)

Anatomy of a virus

How you can be infected
• By just reading email when…
you do not keep your software updated!
Links in E-mail

The “data format” of Web pages is HTML
• Controls the formatting of a Web page
• Also supports hyperlinks to other pages
• It’s nice when e-mail has this format, right?

A danger:
• Some links can cause a program to run.
• Some download files that run on your system.

An attacker can disguise a link so it looks
harmless (but…)
Virus through a Link in an
Email


Link seems to be to CS dept. (www.cs.virginia.edu)
That’s the text of the link
• It links to someplace else
• An attachment that is disguised so it doesn’t appear
• The small box is the only clue
How Can This Virus Get
Triggered?

Click the link, and it tries to display
the hidden attachment
• Only in some email clients, i.e. older
versions of Outlook
• Note: This vulnerability has been known!
Patches available through Windows
Update!

Click and… Congratulations!
• You’re now infected with a version of the
Netsky virus!
What’s Netsky Do?

A mass-mailing worm
• Harvests email addresses from files on your PC
• Comes with its own mail-server component
• Now a server on your machine that uses the
SMTP protocol to send copies of the virus
directly to others!

You’re infected and contagious
• You’ll be very popular with your friends and
other email contacts!
• But they should have been running antivirus
software, and should have kept their systems
updated.
• (Like you should have been.)
Lessons

Use Windows Update to keep your system
updated
• AKA keep it “patched”

You might consider using software that is
not the major target of virus writers
• Other operating systems (Mac OS, Linux)
• Other email clients, other browsers

And definitely install and run anti-virus
software (next slide)
Solutions

Antivirus Software
• Can scan your system: find and remove
problems
• Usually only viruses. Sometimes spyware too.
• Also, most have real-time protection


Checks e-mail as your read it, as you send it
Checks files as you download them
• Note: Free for UVa users (see later slide)

Important: run “update” on these to get
updated virus definitions
Where We Are in the Lecture

Email issues
• attachments and email-spoofing
• phishing




Cookies
Web-bugs
Viruses in email
Spyware (including
browser hijacks)
Browser Hijack


An extremely nasty adware
Resets homepage to a particular site
• Ads, porn – something you don’t want
• Any change you make doesn’t affect it

Software running on your machine
• Does the usual adware/spyware stuff
• Also changes your browser settings
• Runs when system starts – changes the
settings back
Spyware is a Common
Problem!

Recall earlier study of users:
80% had spyware on their PCs

(What about you?)
Solutions

Anti-spyware software
• Scans your system, removes problems
• Some have real-time protection, most don’t.


Important (again): run “update” on these
to get most recent spyware definitions
Another option: Security Suites ($60-$70)
• Include antivirus, maybe anti-spyware
software
• Also includes a firewall (explained later)
• May include spam filtering, parental control
Getting Software at UVa

ITC Downloads:
http://www.itc.virginia.edu
• Norton Antivirus
• SpySweeper (up to 3 machines)
• Free for UVa users!


This is a wonderful deal for students and
staff.
Don’t be foolish! Please go install these!
• And keep things updated. Practice good habits.
Anti-Virus SW For Your
Non-UVa Friends

Free anti-virus software through websites
• http://housecall.trendmicro.com/
• http://www.pandasoftware.com/activescan/
• These two reviewed recommended by reliable
magazines

These run their program on your PC from
their website
• Scans your system and identifies problem

Does not include real-time protection
Anti-Spyware SW For Your
Non-UVa Friends

Good free utilities to find and remove
spyware
• Lavasoft Adware:
http://www.lavasoftusa.com/
• Spybot Search & Destroy:
http://www.spybot.info


Download, install, and run periodically
Updates:
• Must get updates of definitions for Antivirus
and spyware removal tools
• Often free: use update facility in the tool
SpySweeper in Action
Scanning Your PC
Removing What It Found
The Results
Everything That Looks Like
Spyware Removal Is Not
Spyware Removal
•Email arrives with animated GIF file.
• Click on OK – you’re really clicking
on the web-link associated with that
image. Uh oh.
Final Words


Cookies and web bugs raise privacy
issues
Malware: it’s a nasty world out there!
Protect yourself with:
• Understanding
• Tools (anti-virus SW, anti-spyware SW)

Practice good habits:
• Be suspicious and cautious
• Install, run, and update tools
• Keep your operating system updated