Week 13 - Wednesday. CS363. Last time. What did we talk about last time? Authentication and privacy Data mining and privacy Privacy online. Questions?. Security Presentation. Tom Gorko. Assignment 5. Project 3. Privacy on the Web. Cookies.
Week 13 - Wednesday CS363
Last time • What did we talk about last time? • Authentication and privacy • Data mining and privacy • Privacy online
Security Presentation Tom Gorko
Cookies • A cookie is a small text file kept on your computer that records data related to web browsing • It was originally intended to avoid the need to log on and store information on websites' servers • Sites can store as many cookies as they want with any data they want (user name and password, credit card numbers, etc.) • Cookies can only be read by the site that originally stored the cookie • The way to get around this is called third-party cookies • Networks of sites can form an alliance in which they cooperate to track all of your visits to sites in the network • DoubleClick is such a network • Tracking where you go online is called online profiling
Web bugs • Only a website you visit can leave a cookie or run JavaScript, right? • Sure, but how many sites do you visit? • Images that are linked to other websites (especially ads) count as visiting other websites • Visiting a single page could store cookies from every ad on the page (and more!) • Web bugs are images that are usually 1 x 1 pixels and clear • They make it impossible to know how many sites could be storing cookies
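The audit below shows what a single page load pulls in: it lists every other host the page's images come from and picks out the 1 x 1 ones. It is an added example, not part of the original slides; the page URL, the HTML and all hostnames are constructed, and treating any different hostname as a third party is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a page at news.example that embeds four images.
PAGE_URL = "https://news.example/story.html"
PAGE_HTML = """
<img src="/img/logo.png" width="200" height="60">
<img src="https://ads.tracker.example/banner.gif" width="468" height="60">
<img src="https://ads.tracker.example/p.gif?page=story" width="1" height="1">
<img src="//stats.metrics.example/t.gif" style="width: 1px; height: 1px">
"""


class ImageAuditor(HTMLParser):
    """Records the host and declared size of every <img> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "img" or not a.get("src"):
            return
        url = urljoin(self.page_url, a["src"])  # resolves relative and // URLs
        host = urlparse(url).hostname
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = (a.get("width") in ("0", "1") and a.get("height") in ("0", "1")) or (
            "width:1px" in style and "height:1px" in style)
        # Assumption: any hostname other than the page's own is a third party.
        self.images.append({"host": host, "tiny": tiny,
                            "third_party": host != self.page_host})


def audit(page_url, html):
    parser = ImageAuditor(page_url)
    parser.feed(html)
    return parser.images


def third_party_hosts(images):
    """Every other site that receives a request and can set its own cookie."""
    return sorted({i["host"] for i in images if i["third_party"]})


def web_bugs(images):
    """Third-party images too small to see: the 1 x 1 pattern from the slide."""
    return [i for i in images if i["third_party"] and i["tiny"]]
```
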
Spyware • Cookies represent a limited threat because they are passive • Spyware is a general term for software that records data about you without you knowing • Sometimes it is installed by accident, along with other software, or through holes in your browser's security • One particular kind of spyware is the keystroke logger, which records your keystrokes • Although spyware came up in the discussion of malicious code, we mention it here because most spyware focuses on monitoring your web access • Spyware is often difficult to remove
Adware • Adware is a form of spyware • It displays ads in pop-up windows or tabs or the main browser window • Adware is usually installed with other software • In these cases, the software is not technically a Trojan horse because you probably agreed to let it run wild on your system • A drive-by installation is a way of tricking a user into installing such software • The dialog boxes you see can be manipulated or distorted so that the Yes and No options are switched or the product claims to be from a reputable source
Shopping on the Internet • There are some good deals on the Internet • But there are shady practices • A typical brick-and-mortar company like McDonald's will sell everyone who comes into the store a cheeseburger for the same price • Online stores may change prices on the fly based on previous browsing or buying histories • Amazon.com had a differential pricing scandal when it was shown that loyal customers paid more in some cases • They have vowed not to do that anymore
Rights online • Let's see how well we know the rules
Interception of E-mail • Regular mail cannot be opened under penalty of federal law • Most people do not encrypt their e-mail using PGP or S/MIME • Typical e-mail transmission: • Alice composes an e-mail on her computer • When she hits send, it goes to her organization's SMTP server • The organization can (and often does) keep a copy or at least scan the e-mail for questionable content • The SMTP server sends it out through their ISP • Anyone on the Internet has a chance at grabbing the e-mail • It arrives at Bob's POP server • Bob's organization can record or scan the e-mail • Bob's computer pulls it down from the POP server and reads it
Monitoring of E-mail • Companies and government agencies can legitimately monitor e-mail going to and from their employees • The same is true for students at schools and patrons at libraries • ISPs can monitor all the traffic that goes through them • They have to! Over 90% of the e-mail in the world is spam • You have no expectation of privacy when sending e-mail, ever
E-mail anonymity • Some strategies can be adopted to maintain anonymity: • Sign up for a Gmail, Yahoo, or Hotmail account specifically to send a sensitive message • Remailers are trusted third parties who resend your e-mail under a pseudonym • But the remailer still knows who sent the e-mail • A mixmaster remailer takes it a step further by anonymizing through many layers • Only the first layer knows the sender • Only the last layer knows the receiver
E-mail authenticity • Unless you verify authenticity cryptographically or through some other mechanism, you can't be sure where an e-mail comes from • An e-mail is a series of packets, whose source IP address and from e-mail address can be spoofed • Viruses also can take control of a computer and send e-mails to everyone on an address list • Sometimes they spoof the sender as someone else on the address list so that the virus is harder to track down
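A receiving-side check for the point above, as an added example that is not part of the original slides: the From header is only text, so the check compares it with the envelope sender and Reply-To and looks for a passing cryptographic signature recorded by the recipient's own mail server. The Authentication-Results header and DKIM are real standards the slides do not name; both messages and all hostnames are constructed, and requiring an exact domain match is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed messages as they would look after delivery to Bob's server.
GENUINE = """\
Return-Path: <alice@uni.example>
Authentication-Results: mx.bob.example; dkim=pass header.d=uni.example
From: Alice <alice@uni.example>
To: bob@bob.example

See you in class.
"""

SPOOFED = """\
Return-Path: <bounce@bulk.invalid>
Authentication-Results: mx.bob.example; dkim=none
From: Alice <alice@uni.example>
Reply-To: alice.uni@freemail.invalid
To: bob@bob.example

Please reply as soon as you can.
"""


def domain(header_value):
    """Lower-cased domain of the address in a header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def assess(raw, trusted_server="mx.bob.example"):
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    if domain(msg["Return-Path"]) != from_dom:
        findings.append("envelope sender domain differs from From")
    if msg["Reply-To"] and domain(msg["Reply-To"]) != from_dom:
        findings.append("Reply-To domain differs from From")
    signed = False
    passed = r"dkim=pass\s+header\.d=" + re.escape(from_dom) + r"(?![\w.-])"
    for header in msg.get_all("Authentication-Results", []):
        server, _, results = header.partition(";")
        # Any sender can add this header; count only our own server's verdict.
        if server.strip() == trusted_server and re.search(passed, results, re.I):
            signed = True
    if not signed:
        findings.append("no passing DKIM signature for the From domain")
    return findings
```
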
RFID tags • Radio frequency identification (RFID) tags are usually small, inexpensive transmitters • They can be attached to almost anything • They can be as small as a grain of sand • Some are passive and need an external signal to power their response • Others have their own power supplies (and greater ranges) • Their transmission range varies from a few centimeters to several meters • They are currently used for: • Toll plaza payments • Some subway passes • Stock and inventory labels in warehouses • Passports and identity cards • Some credit cards with wave-style payment
RFID issues • RFID tags are being put in everything • A tag in your shirt could identify where you bought it and maybe even some unique identifier that could be tied to you in a database • This tag could be scanned as you walk down the street • Some people with rare medical conditions have an RFID implanted in their bodies • The infrastructure does not currently exist to track everyone's movements and activities • As the price goes down for RFID tags and their readers, it is a possibility for the future
Electronic voting • Many polling places throughout the US (and many other countries) use computers to tally votes • Voting systems should: • Keep a voter's choices secret • Allow a voter to vote only once • Be tamperproof • Report votes accurately • Be available through the election period • Keep an audit trail to detect irregularities but still not say how an individual voted
Voting is a mess • It's very hard to engineer a system that you can guarantee only lets someone vote once and yet not keep track of how they voted • The software and hardware designs for these systems are generally not publicized • This leaves everything in the hands of Diebold, a company whose chief executive had been a top fundraiser for George W. Bush • Diebold has since spun off its voting machine business • Internet voting will probably increase • Some US and UK elections have used it • Estonia has the largest Internet voting system, which relies on a national ID card that can be verified from home using an inexpensive card reader
VoIP • Voice over IP (VoIP) is a way to make phone calls over the Internet • Many phone companies actually use VoIP in a way that is transparent to their users • Skype is the market leader in consumer VoIP • VoIP is attractive because long distance costs are essentially zero if you already have high speed Internet • Issues: • ISPs and others can track who you're having phone calls with, even if the audio is encrypted • Skype uses 256 bit AES (but they could have a backdoor to eavesdrop)
Next time… • Intellectual property and information law • Meets Thursday (tomorrow!)
Reminders • Read Chapter 11 • Work on Assignment 5 • Due next Friday before midnight • Keep working on Project 3 Phase 1 • Due Thursday before midnight!