Security and Protection CS 110 Fall 2005 Security Risks More data is being stored than ever before More people/organizations “touch” the data The “key” to unlock that data isn’t particularly strong Communication networks are relatively open Data Storage Who “owns” your data? Amazon, Experian, Blue Cross • How do they share your data? What other data is captured? Web visits, music playback, cell phone tracking • Where does that data go? • What unique identifiers are stored? Data Protection What “keys” protect your data? • Social Security Number • Mother’s maiden name • Birthdate • Pin • Encryption keys Remember the DVD key was stolen Data Handling More companies handle data • Are they trustworthy? • What standards do they have? • Can I sign a privacy agreement and assume all subcontracting companies follow the same privacy rules? • How to point blame? • Who can you sue? Communication Networks Easy to “sniff” communications • TCP/IP packets are transparent What’s in them? But, TCP/IP packets follow indeterminate routes • Programs residing on your computer can capture typing and steal passwords Even very secure devices have been hacked Some technical details Protection in your computer • A hierarchy of privileges Email should never be able to reboot your machine Excel should not launch programs • Limits damage • Limits power Exceptions are everywhere: email does launch Microsoft Word Some technical details Protection in your computer • Some files are supposed to be for “system use” only • Consider changing the file that contains the name of your home web site • Consider changing “notepad” to a program that deletes all files Some technical details Protection in your computer • Some data in RAM should also be protected • People attack programs that have the most permission to write to RAM • People try to sneak past the write protections, buffer overflow Some technical details Protection in your computer • What does your computer do with all those packets addressed to your IP address and coming in through the cable modem / DSL ? • First, allocated to one of 65535 ports Your web browser “listens” for packets on a specific port Your music sharing software communicates on a specific port Packets for unused ports should be dumped Some technical details Protection outside your computer • A firewall only permits packets to enter your computer if they are legitimate Even if a secret program is awaiting instructions on port 1003, the firewall will cut packets off before entering computer Some technical details Protection outside your computer • Internet routers are generally well protected They don’t let others rewrite your packets? They don’t let other read your packets? They ensure your packets are delivered quickly? They ensure your packets are ever delivered? What’s Malware? General term is malware (for "malicious software") • Any program or file harmful to a computer user Includes • Computer viruses • Worms • Trojan horses, including Adware, Spyware Viruses Programs that attach themselves to another program to gain access to your machine • They may do nothing on your machine or they may destroy all your files • The viruses seek to use your machine as a launching point to infect other machines Worms Like a virus but they are selfcontained programs (they don’t need a host) Adware Some programs are “free” but they support their costs by sending ads to your machine Related to advertising Many web sites have advertising A few big advertising agencies serve all these sites These agencies embed tracking codes in the ads that you encounter on each site Data obtained from these ads creates the most comprehensive view of where you go on the web Spyware You download a music player The music player includes an additional program that is installed and runs continuously This program records the websites you visit and sends them to a database How Bad Is It? (Bad!) Fall 2004: Study by AOL and National Cyber Security Alliance (www.staysafeonline.info) • Surveyed 329 PC users, then examined their PCs On-line for an avg. of 7 years; 42% intermediate or expert users • 85% said they were running anti-virus SW • 71% said they were updating this weekly but barely half really were • 19% of their PCs had viruses • 80% had spyware on their PCs • Only 33% running a firewall Some Things You Must Do! Install and run antivirus software • UVa: Free Norton Antivirus! • Get updated virus definitions weekly! Keep your PC updated • Windows: run Windows Update from Start Menu • Weekly, even! Run anti-spyware software • UVa: Free SpySweeper! • Non-UVa: decent free versions out there Two Sides of the Issue Technical Dimension • Better operating systems, browsers • Better tools to detect, fix and stop malware Social Dimension • Users easily • Users • Users too trusting, too gullible, too fooled engage in risky behavior do not update SW, don’t use tools Email Attachments Definition: A computer file that is transmitted with an e-mail message • Convenient way to send files via e-mail What does the e-mail client do with them? • In the bad old days: Could only save it • Now the attachment is “smart” Play sound when it arrives Display image in the e-mail Display the Web page that’s attached to a text e-mail Dangers with Attachments Attackers take advantage • An attachment seems safe (to you) but does something bad • The “helper” programs have normally assumed everyone has good intentions • Example: Word documents can contain macros Small bits of programming embedded in the document It’s possible to write a nasty macro that runs when you open the document E-mail spoofing promotes this problem • You trust things you wouldn’t normally E-mail spoofing You receive e-mail appearing to be from one source…. But it's actually from another source What's the sender’s goal? To trick you into: • Sending secure info (password, account number) • Running an attachment • Clicking on a link that runs a program What makes spoofing possible? Life was simpler once upon a time… • Expensive and difficult to put a mailserver on the net (and have administrator privileges on it) • Managed by responsible admins: business, government, universities • Open standards Today: • Easy, cheap, well-understood by everyone Phishing A attempt to gain personal information for purposes of identity theft, etc. Faked e-mail messages appear to come from legitimate, official source Fool you into divulging personal data such as • • • • account numbers passwords credit card numbers Social Security numbers No company will ever ask you for such info by e-mail. If in doubt, call them or contact them directly (not by replying) Phishing Illustrated Looks real! • PayPal logo • Copyright notice • Says account may have been accessed! Says to click on link • Appears to be to PayPal site • That’s just the text • Link opens page that looks like PayPal • Asks for account info Let’s Go Phish! Another example • Received in January 2005 • Appears to be from “my” bank The Email Where The Link Takes Me The Real Bank’s Page They Want Info! E-mail Lessons Do not open attachments unless you know what they are • Antivirus software checks attachments as you open them! Suspect spoofing • Look for anything odd in the message • Double-check with sender Phishing: don’t get caught • Be suspicious. Call the business. Cookies Cookies are somewhat controversial • Websites can used them for legitimate reasons • They can be used for the wrong reasons • In any case, they are a fact of life of web browsing Cookies allow a web-server to: • Track your visits to the site • Learn and remember info about you • Store info on your computer What Is a Cookie? A small piece of information stored by your web-browser on your PC when you visit a site What’s stored: • A URL related to the site you visited • A name/value pair (the information content) • (Optional) An expiration date Why is it a “cookie”? • An old CS term for a chunk of data used obscurely Reminder: Web Browser and Server Interaction User types URL or clicks link Browser sends a get-page request for that URL to web-server Web-server finds HTML file (and related files) Web-server sends these back to browser Browser processes HTML and displays page Cookies: Web-servers Store Some Info on your PC When sending back a page, server also sends a cookie Your browser stores it on your PC Later, you visit the same site • You request a page there and your browser has earlier stored a cookie matching that URL • Browser sends URL and cookie to web-server • Web-server processes cookie May return updated cookies with page Normally browsing the web is "stateless" “Stateless” means “no memory” • Request a page from a server; it sends it • Later request a 2nd page; the server sends it • The webserver doesn't remember anything connecting these two requests But, cookies preserve “state.” Server can connect an early visit with a later visit. • How? Cookie stored a numeric ID number for you FYI, a server does “log” requests • what page, what IP address, when, browser • But this can’t identify you uniquely Cookies Can Be Beneficial Shopping Carts • Server creates a cart, stored on the server • You visit other pages, but a cookie lets the server know you’re the person who created that cart Other personalization • “Welcome back, Jane Doe!” • “Items you viewed recently are…” Recognizing legitimate users for a site • Register and log-in, but then a cookie means you don’t have to log-in every time The Darker Side of Cookies We assume anonymity on the web, right? Do you want someone knowing what pages you’ve visited? • Cookies allow a website to track what you visited on that site • Are they keeping this private? Selling it? Do you even know they’re tracking your visits? • What are your rights here? The Darker Side of Cookies (2) Personalized ads (e.g. the company DoubleClick) • Advertising image on a page is really on another server • You click on the image on the ad-server • It builds up a profile about you over time • Deliver ads you want to see When used for authorization, are they secure? You Have Control You can configure your browser to handle cookies as you want Cookies: Should You Worry? Hard to say… • Some are quite useful. They allow ecommerce! • Some are sneaky Some anti-spyware tools remove undesirable cookies (some remove harmless ones) Where We Are in the Lecture Email issues • attachments and email-spoofing • phishing Cookies Web-bugs Viruses in email Spyware (including browser hijacks) What’s a Web Bug? A graphic image on a Web page or in an Email message A link to an external site, not an image embedded in your message Designed to monitor who is reading the Web page or Email message May be invisible (size 1 pixel by 1 pixel) or not Sometimes knowns as a "clear GIFs", "1by-1 GIFs" or "invisible GIFs“ (More info: http://www.eff.org/Privacy/Marketing/web _bug.html) How’s This Work? Web bug: on some other server Remember: when a server delivers a HTML file or an image file, it logs this • A page or an email can have an image that’s stored on some external site • Thus the server there logs delivery of that image (even if it’s invisible to you) Examples (in HTML) <img src="http://ad.doubleclick.net/ad/pix el.quicken/NEW" width=1 height=1 border=0> <img width='1' height='1' src="http://www.m0.net/m/logopen 02.asp? vid=3&catid=370153037&email=SMI THS%40tiac.net" alt=" "> What Info Can Be Gathered? Again, the server where the bug lives will log: • The IP address of your computer • The URL of the page that the Web Bug is located on • The URL of the Web Bug image • The time the Web Bug was viewed • The type of browser that fetched the Web Bug image Also possible: Info from any cookie that's on your machine Web Bugs on a Web Page Using personal info in a cookie, ad companies can track what pages you view over time • Stores this info in a database • Later used to target specific banners ads for you How many people view a website Web Bugs Used in an Email Tells if and when a message was read Links email address with the IP address of machine you read mail on Within an organization, can tell how often a message is forwarded and read In spam: • How many users have seen the spam message • Allows spammers to detect valid email addresses Web Bugs: Legal, Ethical? Controversial! Attempt to monitor you without your knowledge Legal? Not clearly illegal They are used on the websites of legitimate companies Privacy policies for websites generally don't mention these Web Bugs: What can you do? You can't easily identify web bugs New email clients (e.g. Mozilla Thunderbird) do not display images in email that are links to files on external sites (see next slide) • (Images embedded as part of email message are OK) • You can click "Show Images" button • Also nice not to see some images in spam Helps to disable and delete cookies An Email Client Blocks Remote Images Anonymity Are you really anonymous surfing the web? • Someone (corporations and whoever buys their data) is collecting info on your browsing Do we want: • Tools to “protect” us from this? • Laws against it? • Laws that disclose it’s being done and how the info is used? • Users to be aware it’s going on? (Yes!) Where We Are in the Lecture Email issues • attachments and email-spoofing • phishing Cookies Web-bugs Viruses in email Spyware (including browser hijacks) Anatomy of a virus How you can be infected • By just reading email when… you do not keep your software updated! Links in E-mail The “data format” of Web pages is HTML • Controls the formatting of a Web page • Also supports hyperlinks to other pages • It’s nice when e-mail has this format, right? A danger: • Some links can cause a program to run. • Some download files that run on your system. An attacker can disguise a link so it looks harmless (but…) Virus through a Link in an Email Link seems to be to CS dept. (www.cs.virginia.edu) That’s the text of the link • It links to someplace else • An attachment that is disguised so it doesn’t appear • The small box is the only clue How Can This Virus Get Triggered? Click the link, and it tries to display the hidden attachment • Only in some email clients, i.e. older versions of Outlook • Note: This vulnerability has been known! Patches available through Windows Update! Click and… Congratulations! • You’re now infected with a version of the Netsky virus! What’s Netsky Do? A mass-mailing worm • Harvests email addresses from files on your PC • Comes with its own mail-server component • Now a server on your machine that uses the SMTP protocol to send copies of the virus directly to others! You’re infected and contagious • You’ll be very popular with your friends and other email contacts! • But they should have been running antivirus software, and should have kept their systems updated. • (Like you should have been.) Lessons Use Windows Update to keep your system updated • AKA keep it “patched” You might consider using software that is not the major target of virus writers • Other operating systems (Mac OS, Linux) • Other email clients, other browsers And definitely install and run anti-virus software (next slide) Solutions Antivirus Software • Can scan your system: find and remove problems • Usually only viruses. Sometimes spyware too. • Also, most have real-time protection Checks e-mail as your read it, as you send it Checks files as you download them • Note: Free for UVa users (see later slide) Important: run “update” on these to get updated virus definitions Where We Are in the Lecture Email issues • attachments and email-spoofing • phishing Cookies Web-bugs Viruses in email Spyware (including browser hijacks) Browser Hijack An extremely nasty adware Resets homepage to a particular site • Ads, porn – something you don’t want • Any change you make doesn’t affect it Software running on your machine • Does the usual adware/spyware stuff • Also changes your browser settings • Runs when system starts – changes the settings back Spyware is a Common Problem! Recall earlier study of users: 80% had spyware on their PCs (What about you?) Solutions Anti-spyware software • Scans your system, removes problems • Some have real-time protection, most don’t. Important (again): run “update” on these to get most recent spyware definitions Another option: Security Suites ($60-$70) • Include antivirus, maybe anti-spyware software • Also includes a firewall (explained later) • May include spam filtering, parental control Getting Software at UVa ITC Downloads: http://www.itc.virginia.edu • Norton Antivirus • SpySweeper (up to 3 machines) • Free for UVa users! This is a wonderful deal for students and staff. Don’t be foolish! Please go install these! • And keep things updated. Practice good habits. Anti-Virus SW For Your Non-UVa Friends Free anti-virus software through websites • http://housecall.trendmicro.com/ • http://www.pandasoftware.com/activescan/ • These two reviewed recommended by reliable magazines These run their program on your PC from their website • Scans your system and identifies problem Does not include real-time protection Anti-Spyware SW For Your Non-UVa Friends Good free utilities to find and remove spyware • Lavasoft Adware: http://www.lavasoftusa.com/ • Spybot Search & Destroy: http://www.spybot.info Download, install, and run periodically Updates: • Must get updates of definitions for Antivirus and spyware removal tools • Often free: use update facility in the tool SpySweeper in Action Scanning Your PC Removing What It Found The Results Everything That Looks Like Spyware Removal Is Not Spyware Removal •Email arrives with animated GIF file. • Click on OK – you’re really clicking on the web-link associated with that image. Uh oh. Final Words Cookies and web bugs raise privacy issues Malware: it’s a nasty world out there! Protect yourself with: • Understanding • Tools (anti-virus SW, anti-spyware SW) Practice good habits: • Be suspicious and cautious • Install, run, and update tools • Keep your operating system updated