Rev D 10/21/14

Lecture 7 Security

Privacy - definition given in the "Fluency" text:
The right of people to choose freely under what circumstances and to what extent they will reveal themselves, their attitude, and their behavior to others.

Payment of a transaction with a credit card, check, ... ties the purchaser to the item(s) selected. This information can be handled very differently.

Levels of privacy
1. No use of information. When the monetary compensation is settled all personal collected information is deleted.
2. Opt-in requires approval by the individual as to the vendor's use of the personal information.
3. Opt-out requires a notice by the individual to prevent any use of the information by the store.
4. No limits allows the vendor to do as they please with the collected information as if it were their property.

In 1980 the Organisation for Economic Co-operation and Development (OECD), a 29-member international organization concerned with international trade, decided on a set of points defining privacy. The European Union and many other countries adopted these principles as laws. Their privacy laws covered all trade. The US on the other hand has not fully implemented these principles in general law; only in certain specific areas of commerce is there strict following of these privacy principles. Those countries following the stricter OECD principles are more like level 2. The US follows more level 3.

Multinational companies coming out of the US have problems obtaining information collected in Europe. Two major problems do not allow US companies to move data from an EU country to the US:
1. Opt-in vs. Opt-out
2. A government office to enforce compliance with privacy laws vs. depending upon the private sector doing its own policing.
Tight privacy drastically affects the marketing industry.

Phishing - See http://en.wikipedia.org/wiki/Phishing
Phishing is a method of identity theft by sending an email requesting personal information.
The email appears to come from a reputable organization, but in reality is a fabrication.

Cookies - http://computer.howstuffworks.com/cookie.htm
Definition - A cookie is a text file that a web server can store on a user's hard disk.
Implementation -
1. The first time the user accesses a web site it is with a request for a page.
2. The web server sends back the page plus a small text file (a cookie) that at the minimum contains an id for that particular computer. If cookies are enabled then the cookie is stored on the user's hard disk.
3. On further requests by the user to the same web site the cookie is also transmitted. This way the web server knows who is contacting it versus any other user.
This allows for the following advantages to both:
a. Shopping carts
b. Login info
c. Personalizing the site
d. Number of different users patronizing the site
e. Number of times the same user patronizes the site

Problems
1. Third party cookies are usually done by advertising organizations. A browser only allows the receiving site to see its own cookies. Yet there is a loophole. An advertising outfit will place links to its ad images or content on the web site being addressed. For the user to download the full page it has to also access the advertiser's web site, whereby a cookie is also transmitted with the corresponding image. This method allows the advertising organization to define a profile of all the places you have visited where they have their ads placed. DoubleClick is an example of this. In the Fluency text it is noted that a major security expert testified that in monitoring a period of computer transactions he found 10% of them were to DoubleClick. This is amazing since his intention was never to access this site. Certainly they were obtaining a good profile of URLs being visited.
2. Different users on the same machine.
3. Cookies get erased.
4. Same user on multiple machines.
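The three implementation steps and the third-party loophole above, as an added example that is not part of the lecture notes. It models the browser rule that a cookie goes back only to the host that set it, then shows how an ad server embedded on two unrelated shops still recognises one visitor across both, and how a "block third-party cookies" setting breaks that profile. The hosts (shop-a.example, shop-b.example, ads.example), pages and visitor ids are constructed for the example.

```python
"""Added example, not from the lecture: a small model of the cookie rule
(a cookie is returned only to the host that set it) and of the third-party
loophole described above.  Hosts, pages and visitor ids are constructed."""
from http.cookies import SimpleCookie
import itertools

_visitor_ids = itertools.count(1)


class CookieJar:
    """What the browser keeps on the user's disk: one cookie set per host."""

    def __init__(self, block_third_party=False):
        self.jar = {}                              # host -> {cookie name: value}
        self.block_third_party = block_third_party

    def store(self, host, set_cookie_header, top_level_host):
        # The cookie counts as third-party when it comes from a host other than
        # the site whose URL the user typed in.  A browser setting can refuse these.
        if self.block_third_party and host != top_level_host:
            return
        for name, morsel in SimpleCookie(set_cookie_header).items():
            self.jar.setdefault(host, {})[name] = morsel.value

    def cookie_header(self, host):
        # Step 3 of the notes: only this host's own cookies are sent back to it.
        cookies = self.jar.get(host, {})
        return "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))


class Server:
    """Toy web server: hands a new visitor an id cookie (step 2) and logs requests."""

    def __init__(self, host):
        self.host = host
        self.visits = {}                           # visitor id -> pages requested

    def serve(self, jar, top_level_host, page):
        sent = jar.cookie_header(self.host)
        if sent:                                   # returning visitor: the cookie identifies them
            visitor = sent.split("=", 1)[1]        # the only cookie here is "id=<visitor>"
        else:                                      # first visit: assign an id and set the cookie
            visitor = f"v{next(_visitor_ids)}"
            jar.store(self.host, f"id={visitor}", top_level_host)
        self.visits.setdefault(visitor, []).append(f"{top_level_host}{page}")
        return visitor


def browse(block_third_party=False):
    """The user visits two unrelated shops; every page embeds an image from ads.example."""
    jar = CookieJar(block_third_party)
    ads = Server("ads.example")
    shops = {h: Server(h) for h in ("shop-a.example", "shop-b.example")}
    for top, page in [("shop-a.example", "/cart"),
                      ("shop-b.example", "/login"),
                      ("shop-a.example", "/checkout")]:
        shops[top].serve(jar, top, page)           # the page the user asked for
        ads.serve(jar, top, page)                  # the embedded ad image, fetched from ads.example
    return {"ad_server_log": ads.visits, "shop_a_log": shops["shop-a.example"].visits}


if __name__ == "__main__":
    print("third-party cookies allowed:", browse(False)["ad_server_log"])
    print("third-party cookies blocked:", browse(True)["ad_server_log"])
```

With third-party cookies allowed, the ad server's log holds a single visitor id with all three pages from both shops, which is the cross-site profile the notes describe; each shop still sees only its own cookie. With them blocked, the ad server gets a fresh id on every request and the pages can no longer be tied together.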
Secure Communication
In order to store and transmit information securely we usually encrypt it so that it looks like gibberish. The original text is called plaintext and the encrypted state is ciphertext.

1. Passwords entered are usually only encrypted through some type of algorithm. They are then compared with a stored copy of the true encrypted state. If identical the password is correct. No decryption is required in this situation.

2. Private key or symmetric encryption is used for very secure transmission. Both sender and recipient have the same private key, which is used with the plaintext to produce the ciphertext. The reverse, the restoration of the plaintext, is done at the recipient's station through use again of the same private key.
Problems
a. One has to have this private key provided to both sides. They are usually located far away from each other.
b. A user would have to have a key for every site they need secure transmission with.
A very early example is Caesar's cipher - see http://en.wikipedia.org/wiki/Caesar_cipher
A more recent method is to take the plaintext, convert it into its ASCII representation in binary, and then XOR (exclusive or) the plaintext binary with the private key. The private key is smaller than the text, so the same key is XORed continuously with successive blocks of the code.
Suppose I used a 4 bit key such as 1101. Thus:
  Plaintext                10010001
  Encrypt key (repeated)   11011101
  Produces ciphertext      01001100
  Decrypt key (repeated)   11011101
  Reproduces plaintext     10010001
So we see that the XOR function has the property that applying it once encrypts and applying it again with the same key decrypts.

3. Public key or asymmetric encryption is implemented with both a public and a private key.
a. Encryption - The public key is provided to all who would communicate with the server. The user obtains the server's public key from a Key Distribution Center (KDC), which holds all public keys for the various sites. The user will transmit an encrypted piece of data using this public key.
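The repeating-key XOR step above, as an added example that is not part of the lecture notes. It reproduces the notes' 4-bit worked case (key 1101 over the bits 10010001) and extends it to ASCII text, so that the same function is seen to encrypt and decrypt. The key and the sample message are constructed for the example.

```python
"""Added example, not from the lecture: the repeating-key XOR step from the
notes (4-bit key 1101 over the bits 10010001), extended to ASCII text.
Key and messages are constructed for the example."""


def repeating_key_stream(key_bits: str, length: int) -> str:
    """Repeat the short key across the whole text, as the notes describe (1101 -> 11011101)."""
    return "".join(key_bits[i % len(key_bits)] for i in range(length))


def xor_bits(bits: str, key_bits: str) -> str:
    """XOR each plaintext bit with the matching key bit.  Applying this twice with
    the same key gives the input back, which is why one function serves both
    encryption and decryption."""
    if not key_bits or set(bits) - {"0", "1"} or set(key_bits) - {"0", "1"}:
        raise ValueError("inputs must be strings of 0s and 1s and the key must not be empty")
    stream = repeating_key_stream(key_bits, len(bits))
    return "".join("1" if b != k else "0" for b, k in zip(bits, stream))


def text_to_bits(text: str) -> str:
    """ASCII representation of the text, 8 bits per character (the notes' first step)."""
    return "".join(format(byte, "08b") for byte in text.encode("ascii"))


def bits_to_text(bits: str) -> str:
    """Inverse of text_to_bits."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def encrypt_text(text: str, key_bits: str) -> str:
    """Plaintext string -> ciphertext bit string."""
    return xor_bits(text_to_bits(text), key_bits)


def decrypt_text(cipher_bits: str, key_bits: str) -> str:
    """Ciphertext bit string -> plaintext string, using the very same XOR."""
    return bits_to_text(xor_bits(cipher_bits, key_bits))


if __name__ == "__main__":
    print(xor_bits("10010001", "1101"))       # the notes' ciphertext 01001100
    print(xor_bits("01001100", "1101"))       # back to 10010001
    c = encrypt_text("meet at noon", "1101")
    print(c, "->", decrypt_text(c, "1101"))
```

Because the 4-bit key is simply repeated, every fourth bit of the text is combined with the same key bit. That is the property the notes return to under Implementation: a short key over a long message leaves patterns that letter-frequency analysis can pick up, which is why real symmetric ciphers use much longer keys and do not simply repeat them.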
The recipient can decrypt the ciphertext using its private key. Of course the public and the private key are related to each other. The recipient's private key would only work on ciphertext encrypted with its corresponding public key.
b. Digital signature - How are we sure we receive info from a party who is whom they say they are? We use what we call a digital signature, which also uses public key encryption. Only in this case the encryption is first done by the sender of the document using its private key. The recipient then uses the sender's public key to decrypt for authentication.
c. Trusted certificates - Another question is how do we know this is a valid organization that we can trust. They send us a public key, but they could be a dishonest organization. We have organizations that are listed in our browser as accepted. These organizations are called certificate authorities (CA). A web site such as Amazon.com then pays these organizations to vouch for them. They investigate that the information in the applied-for certificate is genuinely correct. They then give this approval with their digital signature, just as a notary public does. Then when this web site with a secure SSL connection is requested by a user it sends this document (certificate) to prove its identity, just as in the physical world one shows a driver's license or a passport.
Upon receipt of a certificate the user's computer checks the following:
1. The current web page URL matches the site name listed on the certificate.
2. The trusted CA listed in the certificate is in the browser's CA database.
3. The certificate's expiration date is still valid.
Failing any of the above will produce an error indicated by the browser.
It is sometimes worthwhile to check the above conditions manually.
1. See the certificate on a secure connection: Left click on lock > View Certificates > Detail
2. See the trusted CA database: Left click on Tools > Internet Options > Contents > Certificates > Trusted Root Certification Authorities

The last procedure is to confirm the digital signature. See the following link: http://en.wikipedia.org/wiki/File:Digital_Signature_diagram.svg
1. The message is hashed (encrypted to look like gibberish).
2. Using a private key the hashed data is encrypted to produce a digital signature.
3. The hashed message with the encrypted signature is transmitted.
4. The receiver, using the public key, decrypts the encrypted signature, producing the original hashed data.
5. The receiver checks that the decrypted signature's hashed data is the same as the received hash data.

4. Implementation
Public key is very slow in decryption so it is mainly used to provide
a. A symmetric encryption key
b. Digital signature
Private key encryption is much faster for decryption and therefore is used for text transmission. Large amounts of text allow a hacker to eventually figure out the plaintext. Tricks used are the frequency of letters or combinations of them. The most common letters, in order, are e t a o i n s h r d l u. The most common 3 letter word of course is "the". Once the plaintext is deciphered the key has been uncovered.

5. Credit Card and Security
Card fraud is present because of theft of the physical card or the applicable data.
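The three certificate checks (URL matches the certificate name, CA is in the trusted database, expiration date still valid) and the five-step signature procedure just listed, as one added example that is not part of the lecture notes. A CA signs a toy certificate with its private key, and the receiving side re-hashes the certificate, decrypts the signature with the CA's public key and compares the two, then runs the same checks on a wrong host, an expired date, an unknown CA and a certificate whose name was edited after signing. The RSA is textbook arithmetic on small primes so the steps are visible; it is an illustration, not a usable implementation. The CA name, host names, dates and keys are constructed for the example.

```python
"""Added example, not from the lecture: the three browser certificate checks
and the five-step digital-signature procedure, on a toy certificate.
The RSA below uses small textbook primes so the arithmetic is visible;
it is an illustration only.  All names, hosts, dates and keys are constructed."""
import hashlib
import json


def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes (assumption: stands in for a real key pair)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent
    return (n, e), (n, d)                  # (public key, private key)


def toy_hash(data: bytes) -> int:
    """Step 1: hash the message.  Truncated to 32 bits so it is smaller than n (toy only)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def sign(private_key, data: bytes) -> int:
    """Step 2: encrypt the hash with the signer's private key; the result is the signature."""
    n, d = private_key
    return pow(toy_hash(data), d, n)


def verify_signature(public_key, data: bytes, signature: int) -> bool:
    """Steps 4 and 5: decrypt the signature with the public key and compare with our own hash."""
    n, e = public_key
    return pow(signature, e, n) == toy_hash(data)


def tbs_bytes(cert: dict) -> bytes:
    """The 'to be signed' part of a certificate: every field except the signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private_key, subject, site_public_key, not_before, not_after):
    """The CA vouches for the site by signing its certificate (step 3: the two travel together)."""
    cert = {"subject": subject, "issuer": ca_name, "not_before": not_before,
            "not_after": not_after, "public_key": list(site_public_key)}
    cert["signature"] = sign(ca_private_key, tbs_bytes(cert))
    return cert


def hostname_matches(url_host: str, cert_name: str) -> bool:
    """Check 1: the URL's host must match the name on the certificate (simple wildcard allowed)."""
    if cert_name.startswith("*."):
        parts = url_host.split(".", 1)
        return len(parts) == 2 and parts[1] == cert_name[2:]
    return url_host == cert_name


def check_certificate(cert, url_host, trusted_cas, today):
    """Return the list of problems a browser would report; an empty list means accepted."""
    problems = []
    if not hostname_matches(url_host, cert["subject"]):
        problems.append("URL does not match certificate name")
    ca_key = trusted_cas.get(cert["issuer"])                 # check 2: CA in the browser's database
    if ca_key is None:
        problems.append("issuing CA is not in the trusted CA database")
    elif not verify_signature(ca_key, tbs_bytes(cert), cert["signature"]):
        problems.append("CA digital signature does not verify")
    if not (cert["not_before"] <= today <= cert["not_after"]):  # check 3: ISO dates compare as text
        problems.append("certificate expired or not yet valid")
    return problems


# Constructed sample data: one trusted CA and one site certificate.
CA_PUBLIC, CA_PRIVATE = make_keypair(104729, 1299709)
TRUSTED_CAS = {"Example Root CA": CA_PUBLIC}                  # the browser's CA database
SITE_PUBLIC, SITE_PRIVATE = make_keypair(1299709, 15485863)
SITE_CERT = issue_certificate("Example Root CA", CA_PRIVATE, "www.example.com",
                              SITE_PUBLIC, "2014-01-01", "2015-12-31")


def demo():
    """Run the checks on the genuine certificate and on a few bad cases."""
    today = "2014-10-21"
    results = {
        "genuine": check_certificate(SITE_CERT, "www.example.com", TRUSTED_CAS, today),
        "wrong host": check_certificate(SITE_CERT, "www.example.net", TRUSTED_CAS, today),
        "expired": check_certificate(SITE_CERT, "www.example.com", TRUSTED_CAS, "2016-06-01"),
        "unknown CA": check_certificate(SITE_CERT, "www.example.com", {}, today),
    }
    # Editing a signed field after issuance: the hash no longer matches, so step 5 fails.
    forged = dict(SITE_CERT, subject="www.example.net")
    results["forged"] = check_certificate(forged, "www.example.net", TRUSTED_CAS, today)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'accepted'}")
```

The "forged" case is the one the notary analogy is about: a certificate that names the right host and a trusted CA still fails, because the CA's signature was made over the original contents and no longer matches the re-hashed, edited document.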
Magnetic stripe card, as specifically used in the US (Least Secure)
Magnetized data, track 2 (Unencrypted)
• Name
• Card Number
• Expiration Date
• Card Verification Value CVV1 (to check if the card is actually in the merchant's hands)
Display on card
• Card Number
• Rightmost digit is a checksum calculated to confirm the integrity of the number (e.g. no mistake made when keyed in). Luhn algorithm used:
    Digit   Doubled   Sum of digits
      5       10          1
      3        3          3
      1        2          2
      8        8          8
      0        0          0
      1        1          1
      7       14          5
      1        1          1
      4        8          8
      5        5          5
      2        4          4
      7        7          7
      9       18          9
      1        1          1
      4        8          8
      Y   (check digit)
  Every other digit, starting with the leftmost, is doubled; the digits of a doubled value are added together.
  Total = 1+3+2+8+0+1+5+1+8+5+4+7+9+1+8 = 63
  Y = (sum times 9) mod 10 = (63 x 9) mod 10 = 567 mod 10 = 7
• CVV2 (to check when the card is not in the merchant's hands)
Authentication
• Via signature
Protection
• Easily cloned when personal data is available
Next generation in the US is Chip and Signature.
Globally, Chip and PIN is used (Most Secure).

6. Malware or Malicious Software
a. Virus - A virus is a program that embeds itself in another program. Upon running of this program it infects other files in the computer. The virus can do damage or just leave a signature. Transmitting any infected program to another computer will spread this virus.
b. Worm - A worm is a piece of malware that is an independent program. That is, it doesn't require being inside another program to exist and do damage. It spreads to other computers without being transmitted by the user of the initially infected computer.
c. Trojan - Trojan programs are a type of virus that does operations unbeknown to the user while running a useful program. An example would be to monitor your keystrokes and thus access passwords.
d. Spyware - Spyware is installed software that contains undocumented functions. This software usually calls home to inform on your activities. Sometimes they are announced in adware and you get to run a free application as long as the spyware is allowed.
e. Vendors of Security Software
Symantec
McAfee
Avira
AVG
AVAST
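The Luhn check-digit calculation from the table above, as an added example that is not part of the lecture notes. It is written as a general routine (the doubled positions are counted from the digit next to the check digit, which for the 15-digit number in the table is the leftmost digit and every other one, exactly as the table shows) and then used to confirm the table's total of 63 and check digit 7, and to show that a mistyped or transposed digit is caught. The card number is the one the table works through and is not a real account number.

```python
"""Added example, not from the lecture: the Luhn check-digit calculation from
the table above, written as a general routine.  The card number
5318 0171 4527 914Y is the constructed one the table works through."""


def luhn_sum(payload: str) -> int:
    """Sum over the digits before the check digit.  Counting from the digit next
    to the check digit (the rightmost of the payload), every second digit is
    doubled and the digits of the doubled value are added (10 -> 1, 14 -> 5, 18 -> 9).
    For a 15-digit payload this is the leftmost digit and every other one."""
    if not payload.isdigit():
        raise ValueError("card number must contain digits only")
    total = 0
    for i, ch in enumerate(payload):
        d = int(ch)
        if (len(payload) - 1 - i) % 2 == 0:      # a doubled position
            d *= 2
            if d > 9:
                d -= 9                            # same as adding the two digits of d
        total += d
    return total


def luhn_check_digit(payload: str) -> int:
    """Y = (sum x 9) mod 10, the formula used in the notes."""
    return (luhn_sum(payload) * 9) % 10


def luhn_valid(card_number: str) -> bool:
    """True when the rightmost digit is the correct check digit for the rest."""
    digits = card_number.replace(" ", "")
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


if __name__ == "__main__":
    print(luhn_sum("531801714527914"))              # 63, as in the table
    print(luhn_check_digit("531801714527914"))      # 7
    print(luhn_valid("5318 0171 4527 9147"))        # True
    print(luhn_valid("5318 0171 4527 9146"))        # False: one digit mistyped
    print(luhn_valid("5138 0171 4527 9147"))        # False: two digits transposed
```

The check digit only guards against keying mistakes; it is public arithmetic and offers no secrecy, which is why the notes list cloning as the stripe card's weakness and CVV2 or a chip as the real protection.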
7. Antivirus Software Check
EUROPEAN EXPERT GROUP FOR IT-SECURITY (EICAR) - http://www.eicar.org/86-0-Intended-use.html
Produced a test virus string which is detected by most virus scanners:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
It is also short and simple - in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the above 68 characters, and is exactly 68 bytes long.
a. Copy and paste the string into Notepad.
b. Save the file in Notepad as virustest.html.
c. What happens?
d. Check if there is a quarantine folder with a file there.
e. Do the same with the string: virus test X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
f. What happened?

8. Botnets - Internet threat of millions of captured computers
a. http://articles.cnn.com/2006-01-31/tech/furst_1_botnets-web-siteclick-fraud?_s=PM:TECH
b. DOS (denial of service) - Blackmail sites by sending a huge amount of traffic.
c. Click fraud - Sets up a phony web site and shows large advertising traffic.
d. Shows up as a reputable seller, e.g. on eBay.