Tutorial 9 - Security on the Internet

Tutorial 9 Security on the Internet and the Web

Objectives

Explore the basics of security: secrecy, integrity, and necessity

Find out what hackers and crackers can do and why they do it

Learn about the dangers of online crime, warfare, and terrorism

Investigate how to protect copyrighted materials that are published on the Internet

New Perspectives on The Internet, Seventh Edition—Comprehensive

Objectives

Understand Web client threats and countermeasures

Learn about online communication channel threats and countermeasures

Learn about Web server threats and countermeasures

Find out how to get more information and current updates about online security

Understanding Security Basics: Secrecy, Integrity, and Necessity

Security is broadly defined as the protection of assets from unauthorized access, use, alteration, or destruction

Physical security includes tangible protection devices, such as locks, alarms, fireproof doors, security fences, safes or vaults, and bombproof buildings

Protection of assets using non-physical means is called logical security

Logical security may also be broadly called computer security

Threat : any act or object that endangers an asset

Countermeasure : general name for a procedure, either physical or logical, that recognizes, reduces, or eliminates a threat

Countermeasures can recognize and manage threats or they can eliminate them

An individual or organization can ignore threats that are deemed low risk and less likely to occur when the cost to protect against the threat exceeds the value of the protected asset

Risk Management Model New Perspectives on The Internet, Seventh Edition—Comprehensive

To implement a good security scheme, identify the risk, determine how to protect the affected asset, and calculate the cost of the resources you can allocate to protect the asset

Computer security can be classified into several categories:

Secrecy

Integrity

Necessity

Secrecy prevents unauthorized data disclosure and ensures the authenticity of the data’s source

Integrity prevents unauthorized data modification

Necessity prevents data delays (slowing down the transmission of data) or denials (preventing data from getting to its destinations)

Internet users and businesses with Web sites need to take appropriate countermeasures in each of these three categories to protect themselves and the computers they use to connect to the Internet

Secrecy and Encryption

Encryption : process of coding information using a mathematical algorithm to produce a string of characters that is unreadable

Decryption : process of reversing encrypted text is called

Cipher text : encrypted information

Plain text : unencrypted information

Cryptography : the study of ways to secure information

Private-key encryption ( symmetric encryption ):

Uses a single key that is known by the sender and receiver

Key might be a password or a number generated by a special device

Works well in a highly controlled environment

Private-key (Symmetric) Encryption New Perspectives on The Internet, Seventh Edition—Comprehensive

Public-key encryption ( asymmetric encryption ):

Uses a public key and a private or secret key

Public key is known to everyone

Private or secret key is known only to the person involved in the exchange

Each person has a private key that is secret and a public key that is shared with other users

Messages encrypted with a private key must be decrypted with the public key, and vice versa

Public-key (Asymmetric) Encryption New Perspectives on The Internet, Seventh Edition—Comprehensive

Encryption is considered to be weak or strong based on its algorithm and the number of characters in the encryption key

Algorithm : formula or set of steps to solve a particular problem

Strong keys : keys that are 128 bits long

Most browsers use 128-bit encryption when they are in secure mode; also called strong encryption

Integrity Threats

Integrity threat: unauthorized party has the chance to alter data while it is being transferred over the Internet or while it is stored on a computer

Man-in-the-middle exploit : when the contents of an email are changed to negate the message’s original meeting

The most visible integrity threats have been from Trojan horses, viruses, and worms that attack computers and the programs they run

Integrity Threats

Trojan horse:

Small, potentially harmful, program hidden inside another program

Claims to be a legitimate program that accomplishes some task, but causes harm when the user accesses or downloads the program in which it is hidden

When you execute the program you downloaded (or received via email as an attachment), it secretly launches a separate Trojan horse program

Antivirus software programs and firewalls cannot guarantee that your computer is protected from this type of attack

Be careful not to execute a file that you did not request and download software only from trusted sources

Integrity Threats

Worm :

Self-replicating program usually hidden within another file and then sent as an email attachment

Can replicate itself on a computer or server, but it cannot infect other files

Viruses can spoof the From line of an email message using the name of someone you know

The default filename view setting in Windows hides the filename extension

Many computer security experts recommend that users change this default setting in Windows when possible so you can tell if a file is an executable program

Integrity Threats

Antivirus software can prevent the spread of viruses, worms, and Trojan horses by blocking them from being downloaded from the server

Two vendors that provide a full range of antivirus products are Symantec and McAfee

Integrity Threats

The best defenses against Trojan horses, viruses, and worms are the following:

Display Windows filename extensions so you can determine the type of each file you download

Avoid opening attachments you did not expect (even if they are from known and trusted senders)

Install antivirus programs

Keep antivirus programs updated regularly

Necessity Threats

Necessity occurs when a cracker uses a program to disrupt normal computer processing or, possibly, to deny processing entirely

Packet flooding attack ( denial of service (DoS) attack ):

Occurs when a cracker bombards a server or other computer with messages in an attempt to consume the network’s bandwidth resources

Works by sending such a large number of messages to a Web server that it cannot answer properly

Necessity Threats

Distributed denial of service (DDoS) attack :

Perpetrator uses a large number of computers that each launch a DoS attack on one Web server at the same time

Most DDoS attacks are launched after the attacking computers are infected with Trojan horse programs. Each Trojan horse is coded to open and launch a DoS attack at exactly the same date and time

Zombies : computers “hijacked” by a Trojan horse used to help a DDoS attack

A company can defend its Web server from DoS and DDoS attacks by adding a filter to its Internet connection between the Web server and the router that connects it to the Internet

Online Crime, Warfare, and Terrorism

Most people who use the Internet are honest, hard-working people who use the technology for legitimate purposes

Unfortunately, some people use the Internet for all manner of illegal and unethical purposes

It is important to know about these uses because that knowledge can help prevent such use or limit the damage caused

Hackers, Crackers, and Script Kiddies

Cracker : technologically skilled person who uses his or her skills to obtain unauthorized entry into computers or networks of computers to damage the system’s software, or even the system’s hardware

Computer forensics experts ( ethical hackers ): computer sleuths are hired to probe computers and locate information that can be used in legal proceedings

Hacker :

Dedicated programmer who enjoys writing complex code that tests the limits of technology

Computer professionals consider being called a hacker a compliment; the media and the general public often use the term to describe those who use their skills for ill purposes

White hat hacker and black hat hacker make the distinction between those who use their skills for good and those who use their talents to commit illegal acts

Virus tool kits :

Script-writing programs that allow novices to create their own viruses, worms, and Trojan horses

Menu-driven tools that give almost anyone the ability to generate troublesome programs without the need to write a single line of code

Script kiddies : derisive term coined by crackers with programming skills to describe people who use virus tool kits

Online Theft and Identity Theft

An increasing amount of personal information is stored on the Web by other parties, such as banks, credit card issuers, credit reporting agencies, physician’s offices, hospitals, and government agencies

As more companies store valuable information on computers that are connected to the Internet, opportunities for theft of that information increase

This is especially true when companies lose control of the data they collect on their customers (and other people)

Social Security number

Driver’s license number

Credit card numbers

CW2 numbers (the three- or four-digit security code printed on a credit card)

Passwords (or PINs)

Credit reports

Date of birth

ATM (or debit) card numbers

Telephone calling card numbers

Mortgage (or other loan) information

Telephone numbers

Home address

Employer address

The kinds of personal information that criminals most want to obtain include:

Identity theft : crime in which a thief steals a person’s entire credit record and then uses the victim’s personal information to open bank accounts, new credit cards, and buy expensive goods on credit

By the time the victim finds out that his or her identity has been stolen, the thief is long gone with the cash and the goods

If you are the victim of identity theft, you must act quickly to contact the credit reporting agencies, every financial institution at which you have an account, and the issuer of every credit card you hold

Online Extortion

Some perpetrators threaten to launch DoS attacks against a company unless a “fee” is paid

Many smaller companies simply pay the extortionists and do not even report the crime

Other perpetrators break into a company’s systems, steal confidential information, and then threaten to release the information unless they are paid

Smaller companies are easier targets because they generally do not have strong security in place, but larger organizations are not immune to these attacks

Other Online Crimes

Enforcing laws against distribution of pornographic material online in the United States has been difficult

Difficult question arises regarding which community standards might apply to the sale

International transactions raise even more difficult questions about which laws should determine the legality of the sale

US Supreme Court has ruled that state and local courts can draw the line based on local community standards

Other Online Crimes

A similar issue arises in the case of online gambling

If people in California use their computers to connect to an offshore gambling site, it is unclear where the gambling activity occurs

Several states have passed laws that specifically outlaw Internet gambling, but the ability of those states to enforce laws that limit Internet activities is not yet clear

The US Federal government has outlawed all online gambling activities by its citizens, but enforcement is difficult and the constitutionality of such laws has not been tested

Organized Crime Online

Organized crime ( racketeering ): unlawful activities conducted by a highly organized, disciplined association for profit

Internet has opened new opportunities for organized crime

Large criminal organizations can be efficient perpetrators of identity theft because they can exploit large amounts of personal information (obtained, for example, from a cracker who broke into a company’s Web server) quickly and efficiently

These criminal organizations often sell or trade information that they cannot use immediately to other organized crime entities around the world

Online Espionage, Warfare, and Terrorism

Industrial espionage :

Type of spying in which countries attempt to gain information from private businesses to capture intellectual property that can be taken home and used in industries there

When this information is stored in computers that are connected to the Internet or when it is transmitted via the Internet, it can become the target of online espionage efforts

Many Internet security experts believe that we are at the dawn of a new age of terrorism and warfare that could be carried out or coordinated through the Internet

Copyright & Intellectual Property Threats and Countermeasures

Safeguarding copyright and intellectual property rights are also security issues

Intellectual property threats are a large problem due to the Internet and the relative ease with which one can use existing material without the owner’s permission

It is very simple to reproduce an exact copy of anything you find on the Internet

Many people are naïve or unaware of copyright restrictions that protect intellectual property

Copyright & Intellectual Property Threats and Countermeasures

Digital watermark : process that inserts a digital pattern containing copyright information into a digital image, animation, or audio or video file

Steganography :

Process that hides an encrypted message within different types of files

Can be used to add copyright information to different types of files

Web Client Security

A good place to start is with security on the PCs that RVP has connected to its network and security through that network to the Internet

There are specific security threats and countermeasures for Web clients, the communication channel that connects Web clients to Web servers, and the Web servers themselves

Active Content: Java, JavaScript, and ActiveX

Active content : programs that travel with applications to a browser and execute on the user’s computer

Java applet : program written in the Java programming language that could execute and consume a computer’s resources

JavaScript program : program that could execute on the user’s computer and can run without being compiled

Active Content: Java, JavaScript, and ActiveX

ActiveX components :

Microsoft’s technology for writing small applications that perform some action in Web pages; these components have full access to a computer’s file system

Only work in Internet Explorer and other browsers that use the Internet Explorer code base in some way

Firefox, which does not use any part of the Internet Explorer code base, will not run a beneficial ActiveX component, nor can it be attacked by a malicious ActiveX component

Managing Cookies

A cookie is a small text file that a Web server creates and stores on your computer’s hard drive

Clickstream : the links you click while visiting the Web site

A cookie might store information about your clickstream, the products you purchase, or personal information that you provide to the site

Some cookies are removed automatically when you leave a Web site (a session-only cookie)

Managing Cookies

Many Web sites use cookies to make their sites easier to navigate

A cookie is not a program and it can only store information that you provide to the Web site that creates it

Sometimes you provide the data openly, and at other times, the cookie might silently record your behavior at a Web site

Only the Web site that stored the cookie on your hard drive can read it, and it cannot read other cookies on your hard drive or any other file on your computer

Managing Cookies

Cookies can represent a security threat for some users, especially those who access the site from a public computer

Internet users can control the storage of cookies on their computer’s hard drive by changing their browser’s settings

The best way to prevent another user from gaining access to information is to make sure that you do not leave an electronic trail

Internet Explorer stores cookies in the C:WindowsCookies folder

Firefox stores cookies in a file named cookies.txt on the user’s hard drive

Managing Cookies in Internet Explorer New Perspectives on The Internet, Seventh Edition—Comprehensive

Managing Cookies in Firefox New Perspectives on The Internet, Seventh Edition—Comprehensive

Web Bugs

Web bug ( clear GIF or transparent GIF ): small (one pixel), hidden graphic on a Web page or in an email message designed to work in conjunction with a cookie to obtain information about the person viewing the page or email message and to send the information to a third party

When the user loads the Web page that contains this code, the browser downloads the hidden graphic This process can identify your IP address, the Web site you last visited, and other information about your use of the site in which the clear GIF file has been embedded and record it in the cookie file

Web Bugs New Perspectives on The Internet, Seventh Edition—Comprehensive

Adware and Spyware: Ethical Issues

Adware : general category of software that includes advertisements to help pay for the product in which they appear

In many freeware and shareware programs, adware provides opportunities for developers to offer software at little or no cost to the user

Adware usually does not cause any security threats because the user is aware of the ads and the parties responsible for including them are clearly identified in the programs

Spyware : category of adware in which the user has little control over or knowledge of the ads and other monitoring features it contains

Spyware occurs in situations where a developer has sold ads to a third party or embedded other features in the program

A Web bug is an example of spyware

Usually created by a GIF file, also called a clear GIF

Its actions are hidden from the user

Setting Web browsers to block third-party cookie files is one way to protect computers from the potential privacy violations created by cookies, Web bugs, and spyware

There are many good shareware programs that erase spyware from your computer

These programs, sometimes called ad blockers , search for files written by known spyware

Firewalls

Firewall : software program or hardware device that controls access between two networks, such as a local area network and the Internet or the Internet and a computer

Port : like a door on a computer, it permits traffic to leave and enter a computer

Port scan : occurs when one computer tests all or some of the ports of another computer to determine whether its ports are open, closed, or stealth

Basic Web Client Firewall Architecture New Perspectives on The Internet, Seventh Edition—Comprehensive

Firewalls

Most firewalls prevent traffic from entering the network, but firewalls can also prevent data from leaving the network

This is useful for controlling the activities of hidden programs that are designed to compromise the security of a computer

When you install a new program on your computer, a firewall that provides outgoing protection will notify you if and when the new program tries to access the Internet

Firewalls

Until the recent increase in the number of users with broadband connections to the Internet, corporations used hardware firewalls almost exclusively

Some firewall software programs are available for free or at a very low cost so they are becoming popular with other types of users

Some antivirus programs and Internet suites include basic firewall protection

Communication Channel Security

Encryption is an important part of maintaining security over information that is sent via the Internet

Practical uses of encryption require authentication and identification

Authentication and Digital Certificates

Authentication : general term for the process of correctly verifying the identity of a person or a Web site

Digital certificate : encrypted and password-protected file that contains sufficient information to authenticate and prove a person’s or organization’s identity

Certificate authority : trusted third party that verifies the digital certificate holder’s identity and issues the digital certificate

Authentication and Digital Certificates

A digital certificate is an electronic equivalent of an identification card

Digital ID ( personal certificate ): used to identify a person to other people and to Web sites that are set up to accept digital certificates

Digital ID : an electronic file that you purchase from a certificate authority and install into a program that uses it, such as an email program or a Web browser

Protecting Email Messages

To help maintain the integrity of an email message, you can send the message through a message digest function program ( hash code function program ) to produce a number called a message authentication code ( MAC )

After it receives the MAC, the email program sends the message and matching MAC together to the recipient

The recipient’s email program re-computes the message’s MAC and compares the computed MAC to the received MAC

If they match, the content of the message is unaltered. If they do not match, then the message cannot be trusted

Producing a MAC for a Message New Perspectives on The Internet, Seventh Edition—Comprehensive

Protecting Email Messages

To be useful, the message digest function must exhibit the following characteristics:

It must be impossible or costly to reverse the MAC and produce the original message

MAC should be random

MAC must be unique to the message

You can also protect outgoing email messages with the Secure/Multipurpose Internet Mail Extensions (S/MIME) specification, which when combined with a person’s digital ID provides authentication and encryption to email messages

Phishing Attacks

Phishing : an attack in which thieves “fish” for information

Thieves send email messages to people telling them that their account data at a bank, credit card company, or other company has been compromised

The email message asks the recipients to click a link to go to a Web site and verify the account information

The link is to a spoofed Web site (a Web site that only looks like it belongs to the correct business)

If the recipient enters personal information in a form on the Web site, the thieves can steal that information

Phishing Attacks

The links in phishing emails are usually disguised

One common way to disguise the real URL is to use the “@” sign, which causes the Web server to ignore all characters that precede the “@” and use only the characters that follow

Email links can include JavaScript code that is invisible in most email clients; the link looks like it is going one place, but in fact it directs the mail somewhere else

Web Server Security

Just as digital certificates help protect data sent from one individual to another, server certificates can help protect data sent from and received by a Web server as it performs its task of delivering Web pages to site visitors

Web sites account for the largest percentage of digital certificates in use

Digital Certificates for Web Servers

Server certificate ( SSL Web server certificate ): authenticates a Web site for its users so the user can be confident that the Web site is genuine and not an imposter

Server certificate also ensures that the transfer of data between a user’s computer and the server with the certificate is encrypted so that it is both tamperproof and free from being intercepted

Processing a Web Server Digital Certificate New Perspectives on The Internet, Seventh Edition—Comprehensive

User identification : process of identifying yourself to a computer

Most computer systems implement user identification with user names and passwords; the combination of a user name and password is sometimes called a login

To help keep track of their login information for different computers and Web sites, some people use a program called a password manager , which stores login information in an encrypted form on their computer

Crackers can run programs that create and enter passwords from a dictionary or a list of commonly used passwords

Brute force attack : cracker uses a program to enter character combinations until the system accepts a user name and password, thereby gaining access to the system

User authentication : process of associating a person and his identification with a very high level of assurance

Secure Sockets Layer (SSL)

Secure Sockets Layer ( SSL ): widely used protocol that acts as a separate layer or “secure channel” on top of the TCP/IP Internet protocol

SSL provides a security handshake when a browser and the Web page to which it is connected want to participate in a secure connection

Web pages secured by SSL have URLs that begin with https:// instead of http://

Secure State Indicators New Perspectives on The Internet, Seventh Edition—Comprehensive

Secure Sockets Layer (SSL)

SSL creates a public-key pair so that it can safely transmit data using a private key

The private key is encrypted using public-key encryption and is sent to the browser. Using the private key protects the remainder of the information transfer between the browser and the Web site

Session keys :

Public-key pair created by SSL during a browser session

When the user leaves the secure Web site, the browser discards the session keys

Session keys exist only during a single, active session between a browser and server

Staying Current with Internet and Web Security

CERT Coordination Center :

Federally funded research center operated by the Software Engineering Institute at Carnegie Mellon University

Originally known as the Computer Emergency Response Team

Primary goal is to publish alerts, advisories, and vulnerability reports about current and future Internet security problems it detects and to coordinate communication between software experts

Also works to increase awareness of security problems and issues and to help individuals and organizations improve the security of their computer systems

Staying Current with Internet and Web Security