CS 110
Fall 2005
Adware
Viruses
Worms
Email Spoofing
• falsified sender
Email Phishing
• obfuscate HTML to trick you into submitting private info through deceptive web pages
Openness in desktop computers
• You permit lots of programs to read/write data to your hard drive and memory
• Computer “listens” for packets on many ports of its internet connection
http, itunes, email, IM, homeDir, …
Programs that monitor the ports for packets are supposed to be failsafe
Flaws are discovered and exploited
Three image-rendering flaws in the Windows OS could put millions of Internet-connected users at risk of PC takeover attacks.
The flaws could be exploited by any software that displays images, including … Outlook, Word, and Internet Explorer.
http://www.eweek.com/article2/0,1895,1883850,00.asp
The bugs are considered particularly dangerous because users could be at risk merely by browsing to a malicious rigged site with rigged image files, or by displaying images in the preview pane of an e-mail program
Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack.
An attacker who successfully exploits this vulnerability can take complete control of an affected system
The bulletin also addresses two separate unchecked buffers in the way the OS renders WMF and EMF images.
A similar flaw was detected
The hackers corrupted the banner images of an advertising company
100s of sites used those banners
Microsoft took 90 days (?) to release a “patch” because of the intricate nature of Windows and the extensive testing required
Detect severity of earthquake in first 1.5 seconds
Send immediate warning to San Francisco
Automatically stop trains and shut down critical systems to protect them
Would you trust it?
Cookies
Web Bugs
More viruses
Cookies are somewhat controversial
• Websites can use them for legitimate reasons
• They can be used for the wrong reasons
• In any case, they are a fact of life of web browsing
Cookies allow a web-server to:
• Track your visits to the site
• Learn and remember info about you
• Store info on your computer
http://vreport.capaho.com/demo.html
A small piece of information stored by your web-browser on your PC when you visit a site
What’s stored:
• A URL related to the site you visited
• A name/value pair (the information content)
• (Optional) An expiration date
Why is it a “cookie”?
• An old CS term for a chunk of data used obscurely
User types URL or clicks link
Browser sends a get-page request for that URL to web-server
Web-server finds HTML file (and related files)
Web-server sends these back to browser
Browser processes HTML and displays page
When sending back a page, server also sends a cookie
Your browser stores it on your PC
Later, you visit the same site
• You request a page there and your browser has earlier stored a cookie matching that URL
• Browser sends URL and cookie to web-server
• Web-server processes cookie
May return updated cookies with page
“Stateless” means “no memory”
• Request a page from a server; it sends it
• Later request a 2nd page; the server sends it
• The webserver doesn't remember anything connecting these two requests
But, cookies preserve “state.” Server can connect an early visit with a later visit.
• How? Cookie stored a numeric ID number for you
FYI, a server does “log” requests
• what page, what IP address, when, browser
• But this can’t identify you uniquely
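The request/cookie exchange described above, as an added example that is not part of the original slides. The `Server` and `Browser` classes, the cookie name `visitor` and the starting ID 1001 are assumptions made for the illustration; one browser accepts cookies and one refuses them, so the difference between "state" and "stateless" is visible.

```python
import itertools
from http.cookies import SimpleCookie

class Server:
    """Toy web server: each request is handled alone; only the cookie links them."""
    def __init__(self):
        # Sequential IDs keep the demo readable; a real session ID must be unguessable.
        self._ids = itertools.count(1001)
        self.carts = {}                      # visitor ID -> items, stored on the server

    def handle(self, path, cookie_header=None):
        """Process one get-page request; return (response headers, page body)."""
        sent = SimpleCookie(cookie_header or "")
        headers = {}
        if "visitor" in sent and sent["visitor"].value in self.carts:
            vid = sent["visitor"].value      # returning visitor, recognised by ID
        else:
            vid = str(next(self._ids))       # unknown visitor: issue a new ID
            self.carts[vid] = []
            out = SimpleCookie()
            out["visitor"] = vid
            out["visitor"]["path"] = "/"
            headers["Set-Cookie"] = out["visitor"].OutputString()
        if path.startswith("/add/"):
            self.carts[vid].append(path[len("/add/"):])
        return headers, f"visitor {vid} cart={self.carts[vid]}"

class Browser:
    def __init__(self, accept_cookies=True):
        self.accept_cookies = accept_cookies
        self.jar = SimpleCookie()            # what the browser stores on your PC

    def get(self, server, path):
        # Send back every stored cookie with the request, as a Cookie header would.
        header = "; ".join(f"{k}={m.value}" for k, m in self.jar.items()) or None
        headers, body = server.handle(path, header)
        if self.accept_cookies and "Set-Cookie" in headers:
            self.jar.load(headers["Set-Cookie"])
        return body

def demo():
    """Two page requests each from a cookie-accepting and a cookie-refusing browser."""
    server = Server()
    keeps, refuses = Browser(True), Browser(False)
    pages = ("/add/book", "/add/pen")
    return [keeps.get(server, p) for p in pages], [refuses.get(server, p) for p in pages]
```

The first browser ends with one cart holding both items; the second is treated as a new visitor on every request, which is what "stateless" means in practice.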
Shopping Carts
• Server creates a cart, stored on the server
• You visit other pages, but a cookie lets the server know you’re the person who created that cart
Other personalization
• “Welcome back, Jane Doe!”
• “Items you viewed recently are…”
Recognizing legitimate users for a site
• Register and log-in, but then a cookie means you don’t have to log-in every time
We assume anonymity on the web, right?
Do you want someone knowing what pages you’ve visited?
• Cookies allow a website to track what you visited on that site
• Are they keeping this private? Selling it?
Do you even know they’re tracking your visits?
• What are your rights here?
Personalized ads (e.g. the company DoubleClick)
• Advertising image on a page is really on another server
• You click on the image on the ad-server
• It builds up a profile about you over time
• Deliver ads you want to see
When used for authorization, are they secure?
You can configure your browser to handle cookies as you want
Hard to say…
• Some are quite useful. They allow ecommerce!
• Some are sneaky
Some anti-spyware tools remove undesirable cookies (some remove harmless ones)
Email issues
• attachments and email-spoofing
• phishing
Cookies
Viruses in email
Spyware (including browser hijacks)
We know visiting a URL “announces” your presence
If the web page you visit has images, those images can be references to other web pages:
Consider foobar.html at www.foo.com
• foobar.html includes
• <img src="http://www.virginia.edu/rotunda.gif">
Something that makes your machine execute a get-page request for a site you don’t expect
• The server there logs delivery of that image
May be invisible (hard to see a 1x1 pixel … VIEW SOURCE)
Sometimes known as "clear GIFs", "1-by-1 GIFs" or "invisible GIFs"
http://www.eff.org/Privacy/Marketing/web_bug.html
<img src="http://ad.doubleclick.net/ad/pixel.quicken/NEW" width=1 height=1 border=0>
<img width='1' height='1' src="http://www.m0.net/m/logopen02.asp?vid=3&catid=370153037&email=SMITHS%40tiac.net" alt=" ">
Again, the server where the bug lives will log:
• The IP address of your computer
• The URL of the page that the Web Bug is located on
• The URL of the Web Bug image
• The time the Web Bug was viewed
• The type of browser that fetched the Web Bug image
Also possible: Info from any cookie that's on your machine
Using personal info in a cookie, ad companies can track what pages you view over time
• Stores this info in a database
• Later used to target specific banner ads for you
How many people view a website
Tells if and when a message was read
Links email address with the IP address of machine you read mail on
Within an organization, can tell how often a message is forwarded and read
In spam:
• How many users have seen the spam message
• Allows spammers to detect valid email addresses
Controversial! Attempt to monitor you without your knowledge
Legal? Not clearly illegal
They are used on the websites of legitimate companies
Privacy policies for websites generally don't mention these
You can't easily identify web bugs
New email clients (e.g. Mozilla Thunderbird) do not display images in email that are links to files on external sites (see next slide)
• (Images embedded as part of email message are OK)
• You can click "Show Images" button
• Also nice not to see some images in spam
Helps to disable and delete cookies
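One way to do the "view source" check by program, as an added example that is not from the original slides: it separates embedded images from images fetched off another server, and marks the two signs the sample tags above show (1x1 size, an address in the URL). The function name, the `page_host` parameter and the sample message are constructed for the illustration; the two tracking tags in it are the ones quoted on the slide.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class WebBugFinder(HTMLParser):
    """Collect <img> tags that make the reader's machine contact another server."""
    def __init__(self, page_host=None):
        super().__init__()
        self.page_host = page_host       # None for e-mail: every http(s) image is remote
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", "").strip())
        if url.scheme not in ("http", "https") or url.hostname == self.page_host:
            return                       # embedded (cid:, data:) or same-site image
        reasons = []
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("1x1 or smaller")
        for name, value in parse_qsl(url.query):
            if "@" in value:             # parse_qsl has already decoded %40 to @
                reasons.append(f"address in '{name}' parameter")
        self.findings.append((url.hostname, reasons))

def find_web_bugs(html, page_host=None):
    """Return [(remote host, [reasons])] for every remotely fetched image."""
    finder = WebBugFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample message: one embedded image plus the two tags from the slide.
SAMPLE_MAIL = """<p>Hello</p>
<img src="cid:logo" width="120" height="40">
<img src="http://ad.doubleclick.net/ad/pixel.quicken/NEW" width=1 height=1 border=0>
<img width='1' height='1' src="http://www.m0.net/m/logopen02.asp?vid=3&catid=370153037&email=SMITHS%40tiac.net" alt=" ">
"""

if __name__ == "__main__":
    for host, reasons in find_web_bugs(SAMPLE_MAIL):
        print(host, reasons)
```

An image with an empty reason list is still a remote fetch that the other server will log; the reasons only mark the ones built to be invisible or to carry your address.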
Are you really anonymous surfing the web?
• Someone (corporations and whoever buys their data) is collecting info on your browsing
Do we want:
• Tools to “protect” us from this?
• Laws against it?
• Laws that disclose it’s being done and how the info is used?
• Users to be aware it’s going on? (Yes!)
Email issues
• attachments and email-spoofing
• phishing
Cookies
Web-bugs
Spyware (including browser hijacks)
How you can be infected
• By just reading email when… you do not keep your software updated!
The “data format” of Web pages is HTML
• Controls the formatting of a Web page
• Also supports hyperlinks to other pages
• It’s nice when e-mail has this format, right?
A danger:
• Some links can cause a program to run.
• Some download files that run on your system.
An attacker can disguise a link so it looks harmless (but…)
Link seems to be to CS dept. (www.cs.virginia.edu)
That’s the text of the link
• It links to someplace else
• An attachment that is disguised so it doesn’t appear
• The small box is the only clue
Click the link, and it tries to display the hidden attachment
• Only in some email clients, i.e. older versions of Outlook
• Note: This vulnerability has been known!
Patches available through Windows Update!
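A check for the disguised link described above, as an added example that is not from the original slides: it compares the host name a link displays with where the link really goes. The `cid:` target standing in for the hidden attachment and the host `example.net` are assumptions in a constructed sample; the slides do not show the link's source.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A host name written out in the visible link text, e.g. "www.cs.virginia.edu".
HOST_IN_TEXT = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkAuditor(HTMLParser):
    """Flag <a> tags whose visible text and real target disagree."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.flagged = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:        # only collect text inside a link
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown, target = "".join(self.text).strip(), urlsplit(self.href)
        named = HOST_IN_TEXT.search(shown)
        if target.scheme not in ("http", "https"):
            if target.scheme not in ("", "mailto"):   # e.g. cid: pointing at an attachment
                self.flagged.append((shown, self.href, "not a web link"))
        elif named and named.group(1).lower() != (target.hostname or "").lower():
            # Exact host comparison is strict on purpose: a near match is still a mismatch.
            self.flagged.append((shown, self.href, "text names a different host"))
        self.href = None

def audit_links(html):
    """Return [(visible text, real target, reason)] for each suspicious link."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.flagged

# Constructed sample message body: two honest links, two disguised ones.
SAMPLE = """
<a href="http://www.cs.virginia.edu/">www.cs.virginia.edu</a>
<a href="http://example.net/login">www.cs.virginia.edu</a>
<a href="cid:part1">www.cs.virginia.edu</a>
<a href="http://www.cs.virginia.edu/news">Department news</a>
"""
```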
Click and… Congratulations!
• You’re now infected with a version of the Netsky virus!
A mass-mailing worm
• Harvests email addresses from files on your PC
• Comes with its own mail-server component
• Now a server on your machine that uses the SMTP protocol to send copies of the virus directly to others!
You’re infected and contagious
• You’ll be very popular with your friends and other email contacts!
• But they should have been running antivirus software, and should have kept their systems updated.
• (Like you should have been.)
Use Windows Update to keep your system updated
• AKA keep it “patched”
You might consider using software that is not the major target of virus writers
• Other operating systems (Mac OS, Linux)
• Other email clients, other browsers
And definitely install and run anti-virus software (next slide)
Antivirus Software
• Can scan your system: find and remove problems
• Usually only viruses. Sometimes spyware too.
• Also, most have real-time protection
Checks e-mail as you read it, as you send it
Checks files as you download them
• Note: Free for UVa users (see later slide)
Important: run “update” on these to get updated virus definitions
Email issues
• attachments and email-spoofing
• phishing
Cookies
Web-bugs
Viruses in email
An extremely nasty adware
Resets homepage to a particular site
• Ads, porn – something you don’t want
• Any change you make doesn’t affect it
Software running on your machine
• Does the usual adware/spyware stuff
• Also changes your browser settings
• Runs when system starts – changes the settings back
Recall earlier study of users:
80% had spyware on their PCs
(What about you?)
Anti-spyware software
• Scans your system, removes problems
• Some have real-time protection, most don’t.
Important (again): run “update” on these to get most recent spyware definitions
Another option: Security Suites ($60-$70)
• Include antivirus, maybe anti-spyware software
• Also includes a firewall
• May include spam filtering, parental control
ITC Downloads: http://www.itc.virginia.edu
• Norton Antivirus
• SpySweeper (up to 3 machines)
• Free for UVa users!
This is a wonderful deal for students and staff.
Don’t be foolish! Please go install these!
• And keep things updated. Practice good habits.
Free anti-virus software through websites
• http://housecall.trendmicro.com/
• http://www.pandasoftware.com/activescan/
• These two were reviewed and recommended by reliable magazines
These run their program on your PC from their website
• Scans your system and identifies problems
Does not include real-time protection
Good free utilities to find and remove spyware
• Lavasoft Ad-Aware: http://www.lavasoftusa.com/
• Spybot Search & Destroy: http://www.spybot.info
Download, install, and run periodically
Updates:
• Must get updates of definitions for Antivirus and spyware removal tools
• Often free: use update facility in the tool
Not
• Email arrives with animated GIF file.
• Click on OK – you’re really clicking on the web-link associated with that image. Uh oh.
Cookies and web bugs raise privacy issues
Malware: it’s a nasty world out there!
Protect yourself with:
• Understanding
• Tools (anti-virus SW, anti-spyware SW)
Practice good habits:
• Be suspicious and cautious
• Install, run, and update tools
• Keep your operating system updated