Overview

Presentation Transcript


  1. Overview
  • Two of the most popular uses of the Internet are:
    • Electronic mail
    • The World Wide Web
  • By default, both offer almost no protection for the privacy, integrity, and authenticity of information
  • A number of security mechanisms have been developed for each
    • SSL, Java
  • Still many risks for users
  Chapter 12  Email and WWW Threats 1

  2. E-mail Fraud/Scams
  • Many dishonest individuals utilize the wide reach and relative anonymity of the Internet to offer:
    • Miracle health products
    • Sure-fire investment strategies
    • Lucrative business opportunities (and other get-rich-quick schemes)
    • Vacation packages that sound a lot better than they really are
    • Collectible items that are much less valuable than the buyer is led to believe
    • Credit repair (and other) services that charge a hefty fee to do what anyone can do themselves for free

  3. The Original Ponzi Scheme
  • Boston, 1920
  • Charles K. Ponzi begins issuing notes for a postal reply coupon business
  • Promises a fifty percent return in forty-five days
  • Initial investors receive their profits and word spreads
  • Ponzi begins to receive millions of dollars from thousands of investors

  4. The Original Ponzi Scheme (cont)
  • After several months it is revealed that:
    • Ponzi was not investing the money he collected in postal reply coupons
    • Ponzi was using the money coming in from new investors to pay off previously issued notes as they came due
  • Ponzi ran out of money trying to satisfy the ensuing flood of redemption requests
  • Many investors were left holding worthless notes
  • Ponzi eventually went to jail for larceny and fraud
  • Scams in which the promise of fabulous returns is used to draw in new investors, thereby financing the payment of old investors, are called Ponzi schemes

  5. Pyramid Schemes
  • A pyramid scheme is a scam in which people:
    • Pay a small amount of money to the people who joined previously
    • Receive money from the people who join after them
  • Example:
    • Bob receives an e-mail containing the names and addresses of ten people
    • Bob is instructed to:
      • Send each person on the list one dollar
      • Delete the person at the top of the list
      • Shift all people on the list up one position
      • Add himself in the last position
      • Send a copy of the newly created letter to ten friends

  6. Pyramid Schemes (cont)
  • Supposedly:
    • Bob’s ten friends will each:
      • Send Bob a dollar (Bob receives 10 dollars)
      • Send out a copy of the letter to ten friends, each copy with Bob’s name in the ninth position and their own name in the tenth position
    • One hundred friends of Bob’s friends will each send Bob a dollar (Bob receives 100 dollars)
    • Etc.
  • By the time Bob’s name works its way to the top of the list and is removed, Bob will have received more than one billion dollars

  7. Pyramid Schemes (cont)
  • Pyramid schemes:
    • Do not work (for the vast majority of participants)
      • Every dollar gained by one person must be paid by another person
      • If anyone makes a substantial amount of money through a pyramid scheme then a large number of other participants must lose money
    • Are illegal in many countries
  • Example: “Make Money Fast”
    • “Hi, my name is Dave Rhodes…”
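The arithmetic behind slides 6 and 7, worked out here as an added illustration (not part of the slides). Bob's name enters at position 10 and is paid once at every level until it reaches position 1 and is deleted, so there are ten paying levels and level $k$ contributes $10^k$ dollars:

$$
\text{Bob's receipts} \;=\; \sum_{k=1}^{10} 10^k \;=\; \frac{10^{11}-10}{9} \;=\; 11{,}111{,}111{,}110 \;>\; 10^9 .
$$

Level $k$ only pays if $10^k$ new people join and each mails out ten dollars, so for Bob alone to be paid in full the scheme must recruit $\sum_{k=1}^{10} 10^k \approx 1.1 \times 10^{10}$ participants, more than the population of the Earth. Since every dollar is simply transferred between participants, over the whole scheme

$$
\sum_{i} \text{gain}_i \;=\; \sum_{i} \text{loss}_i ,
$$

and the participants in the last level to join, who have each paid ten dollars and received nothing, fund everyone above them.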

  8. Forged E-mail
  • Carol can forge a realistic-looking e-mail message for Bob that appears to have come from Alice, Bob’s boss:
    To: Bob@company-x.com
    From: Alice@company-x.com
    Subject: Information for our new consultant

    Hi Bob,
    We have recently hired Carol as a consultant to analyze our business operations and recommend potential areas for cost savings. Therefore, please send copies of your budget reports for the last six months to her at carol@carol.com so that she can begin analysis of your division.
    Thanks.
    Alice

  9. Exploiting SMTP to Send Forged E-mail
  • The Simple Mail Transport Protocol (SMTP) is fairly straightforward and completely text-based
  • Most SMTP servers listen on TCP port 25
  • The client establishes a connection with the server (probably using TELNET):
    mail.carol.com% telnet
    telnet> open mail.company-x.com 25
    Trying 128.112.17.1...
    Connected to mail.company-x.com.
    Escape character is '^]'.

  10. Forged E-mail (cont)
  • The server replies with either a 220 message to indicate that the server is ready, or an error code if there is a problem:
    220 mail.company-x.com ESMTP Sendmail 8.9.3+Sun/8.9.1; Fri, 29 Jun 2001 14:17:09 -0400 (EDT)
  • The server waits for the client to send a HELO message

  11. Forged E-mail (cont)
  • The client sends the HELO message:
    HELO mail.carol.com
  • The server responds with a hello message:
    250 mail.company-x.com, hello mail.carol.com, pleased to meet you

  12. Forged E-mail (cont)
  • The client and the server are now connected and the server is waiting for the client to transfer one or more e-mail messages
  • The client specifies the address of the sender in a MAIL FROM message:
    MAIL FROM: alice@company-x.com
  • The server replies:
    250 <alice@company-x.com>... Sender OK

  13. Forged E-mail (cont)
  • The client sends a RCPT TO message indicating the address of the recipient:
    RCPT TO: bob@company-x.com
  • The server acknowledges the receiver:
    250 <bob@company-x.com>... Recipient OK

  14. Forged E-mail (cont)
  • The client then sends the DATA command to signal its readiness to transmit the e-mail message:
    DATA
  • And the server replies:
    354 Enter mail, end with "." on a line by itself

  15. Forged E-mail (cont)
  • The client enters the headers and body of the (forged) e-mail message:
    To: bob@company-x.com
    From: alice@company-x.com
    Subject: Information for our new consultant

    Hi Bob,
    We have recently hired Carol as a consultant to analyze our business operations and recommend potential areas for cost savings. Therefore, please send copies of your budget reports for the last six months to her at carol@carol.com so that she can begin analysis of your division.
    Thanks.
    Alice
    .

  16. Forged E-mail (cont)
  • The server notifies the client that the message has been accepted for delivery:
    250 Message accepted for delivery
  • The client could then transfer additional e-mail messages, or close the connection:
    quit

  17. Forged E-mail (cont)
  • Uses:
    • To make it more difficult to track and prosecute those who send fraudulent offers through e-mail
    • To make e-mail appear to originate from a well-known or authoritative source
    • Spam
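The session on slides 9-16 seen from the receiving server's side, as an added example that is not part of the slides: a minimal SMTP state machine replays the client's commands, records the envelope (HELO host, MAIL FROM, RCPT TO) and the headers the client typed, and then reports the two inconsistencies a server can notice in the forged message without any cryptography. OUR_DOMAIN and the transcript are constructed from the slide dialogue; the hostnames are the slides' own examples.

```python
"""Added example, not from the slides: the receiving server's view of the
session on slides 9-16, replayed through a minimal SMTP state machine so the
envelope (HELO host, MAIL FROM, RCPT TO) can be compared with the headers the
client typed. OUR_DOMAIN and the transcript are constructed from the slides."""
import re

OUR_DOMAIN = "company-x.com"   # the domain this server accepts mail for (assumption)

# Constructed client-side transcript of slides 11-16 (server replies omitted).
SESSION = """\
HELO mail.carol.com
MAIL FROM: alice@company-x.com
RCPT TO: bob@company-x.com
DATA
To: bob@company-x.com
From: alice@company-x.com
Subject: Information for our new consultant

Hi Bob,
We have recently hired Carol as a consultant; please send your budget reports to carol@carol.com.
Thanks.
Alice
.
QUIT
"""

ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")   # bare or <bracketed> address


def _address(arg):
    m = ADDR_RE.search(arg)
    if not m:
        raise ValueError(f"no address in {arg!r}")
    return m.group(1).lower()


def parse_session(text):
    """Replay client lines through HELO -> MAIL -> RCPT -> DATA -> '.'.

    Returns one dict per delivered message: helo, mail_from, rcpt_to, headers.
    Dot-stuffing and folded headers are ignored for brevity.
    """
    state, helo, env = "connected", None, None
    header_lines, in_headers, messages = [], True, []
    for line in text.splitlines():
        if state == "data":
            if line == ".":                       # end of message body
                env["headers"] = {}
                for h in header_lines:
                    k, _, v = h.partition(":")
                    env["headers"][k.strip().lower()] = v.strip()
                messages.append(env)
                env, state = None, "ready"
                header_lines, in_headers = [], True
            elif in_headers:
                if line == "":
                    in_headers = False            # blank line ends the header block
                else:
                    header_lines.append(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo, state = arg.strip(), "ready"
        elif verb == "MAIL" and state == "ready":
            env = {"helo": helo, "mail_from": _address(arg), "rcpt_to": []}
            state = "mail"
        elif verb == "RCPT" and state in ("mail", "rcpt"):
            env["rcpt_to"].append(_address(arg))
            state = "rcpt"
        elif verb == "DATA" and state == "rcpt":
            state = "data"
        elif verb == "QUIT":
            break
        else:
            raise ValueError(f"unexpected {verb!r} in state {state!r}")
    return messages


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def forgery_indicators(env, our_domain=OUR_DOMAIN):
    """Inconsistencies a receiving server can see in the envelope and headers."""
    findings = []
    helo = (env["helo"] or "").lower()
    # 1. The envelope sender claims our own domain, but the client introduced
    #    itself (HELO) as a host outside that domain.
    if domain_of(env["mail_from"]) == our_domain and not (
        helo == our_domain or helo.endswith("." + our_domain)
    ):
        findings.append(f"local sender {env['mail_from']} from foreign HELO host {helo}")
    # 2. The From: header the user will see differs from the envelope sender.
    hdr = ADDR_RE.search(env["headers"].get("from", ""))
    if hdr and hdr.group(1).lower() != env["mail_from"]:
        findings.append(f"header From {hdr.group(1)} != envelope sender {env['mail_from']}")
    return findings


if __name__ == "__main__":
    for msg in parse_session(SESSION):
        print(msg["mail_from"], "->", msg["rcpt_to"], forgery_indicators(msg) or "no indicators")
```

The HELO heuristic is only an illustration of what the plain-text protocol exposes: nothing in the dialogue on the slides authenticates the sender, which is why production mail servers rely on sender-policy records and message signatures (SPF, DKIM, DMARC) rather than on the HELO name.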

  18. Spam
  • Spam consists of unsolicited commercial offers that arrive via e-mail
  • The response rate to unsolicited advertisements is very low
  • So spammers send their offers to tens or hundreds of thousands of people in hopes of receiving a few hundred replies

  19. Spam vs. Junk Mail
  • Most junk mail is sent by reputable firms and contains legitimate (if unwanted) offers, whereas most spam is sent by dishonest individuals and contains offers concerning:
    • Get-rich-quick schemes
    • Pirated software
    • Other questionable or outright illegal products

  20. Spam vs. Junk Mail (cont)
  • Spam costs the sender nothing
  • Spam imposes costs on the victims:
    • Lost time
    • Annoyance
    • ISPs must pass on to their customers the costs of transferring, processing, and storing spam
  • Can account for one quarter (or more) of the e-mail volume

  21. Dealing With Spam
  • Technical solutions: many users and ISPs utilize filters to try to discard spam before having to deal with it
  • Self-regulation: organizations (e.g. the Direct Marketing Association) set standards for their members regarding appropriate behavior when engaging in direct marketing
  • Legislative: many groups are lobbying for anti-spam laws
    • Title 47, Section 227 of the U.S. Code prohibits the use of “any telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine.”

  22. Mail Bombs
  • A mail bomb is:
    • A denial-of-service attack
    • An attacker sends a large amount of e-mail to an individual or a system in a short period of time
  • Effects:
    • Can fill up a user’s (or even a system’s) storage space for incoming e-mail
    • Can keep a host busy processing e-mail messages so that it has little time to do anything else
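One way a mail administrator can detect the pattern slide 22 describes, as an added example that is not part of the slides: a sliding-window count of messages per recipient over constructed mail-server log lines, raising an alert when one recipient receives more than a threshold of messages inside a short window. The log line format, the 60-second window and the threshold of 25 messages are assumptions chosen for the illustration.

```python
"""Added example, not from the slides: a sliding-window rate check that flags
the mail-bomb pattern on slide 22 (a large amount of e-mail to one recipient in
a short time) in constructed mail-server log lines. The log format, the 60 s
window and the threshold of 25 messages are assumptions, not values from the
slides."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log lines in an assumed "<timestamp> from=<..> to=<..> size=<bytes>" format.
LOG_LINES = [
    "2001-06-29T14:17:09 from=<alice@company-x.com> to=<bob@company-x.com> size=1200",
    "2001-06-29T14:20:31 from=<bob@company-x.com> to=<alice@company-x.com> size=800",
    "2001-06-29T14:41:05 from=<carol@carol.com> to=<alice@company-x.com> size=2300",
    "malformed line that the parser must skip rather than crash on",
] + [
    # the bomb: 40 large messages to bob within 40 seconds, from many senders
    f"2001-06-29T15:00:{s:02d} from=<sender{s}@example.net> to=<bob@company-x.com> size=900000"
    for s in range(40)
]

LINE_RE = re.compile(r"^(\S+) from=<([^>]*)> to=<([^>]+)> size=(\d+)$")


def parse_line(line):
    """Return (timestamp, sender, recipient, size) or None for a line we cannot read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def detect_mail_bombs(lines, threshold=25, window=timedelta(seconds=60)):
    """Return {recipient: (count, total_bytes, first_ts, last_ts)} for every
    recipient that received at least `threshold` messages inside one `window`.

    Lines are assumed to be in time order, as they are in a real log. Each
    recipient keeps a deque of events no older than `window`; once it reaches
    the threshold the current window is recorded and kept up to date while the
    burst continues, so the alert reflects the burst's full extent.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _sender, rcpt, size = parsed
        q = recent[rcpt]
        q.append((ts, size))
        while q and ts - q[0][0] > window:   # expire events that left the window
            q.popleft()
        if len(q) >= threshold:
            alerts[rcpt] = (len(q), sum(s for _, s in q), q[0][0], ts)
    return alerts


if __name__ == "__main__":
    for rcpt, (n, nbytes, first, last) in detect_mail_bombs(LOG_LINES).items():
        print(f"{rcpt}: {n} messages / {nbytes} bytes between {first} and {last}")
```

Counting bytes as well as messages matters because the slide lists two effects, exhausted storage and a host kept busy; a burst of a few very large messages can exhaust the first without crossing a message-count threshold, so a real deployment would alert on either measure.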

  23. Carnivore
  • Carnivore is a controversial surveillance tool developed by the FBI in order to monitor Internet-based communications by suspected criminals
  • Similar to wiretaps, which the FBI has been performing for decades:
    • FBI must convince a judge that they have probable cause to believe that the individual is engaged in illegal behavior
    • Judge may issue a court order allowing surveillance (stipulates a set period of time)
    • The FBI, with the help of phone companies, can record and monitor the phone conversations of individuals covered by the order
  • The FBI argues that wiretaps are vitally important to its ability to protect the public and prosecute criminals

  24. Carnivore (cont)
  • Designed to allow the FBI to record and monitor all Internet communications of a suspected criminal
    • Requires a court order
    • Help of Internet Service Providers
  • Can be configured to monitor only those Internet communications specifically authorized by a court order
    • E-mail messages
    • Chat sessions
    • Bulletin board postings
    • Etc.

  25. Using Carnivore
  • The ISP identifies an access point through which all of the suspect’s data flows but which hopefully contains little or no data for other users
  • The FBI attaches a tapping device at the access point
  • The tapping device sends an exact copy of all data that passes through the access point to an FBI collection system
  • The data is passed through a filter which discards any data not authorized by the court order, and the remaining data is written to permanent storage media for analysis

  26. The Controversy of Carnivore
  • Mistrust of the FBI
  • FBI refuses to release the source code
  • May be exploited by hackers either to escape detection or to spy on other Internet users
  • May be misused by FBI or ISP personnel
  • Different from traditional wiretaps: ease of automation of the collection and analysis of data

  27. E-mail Threats - Summary
  • E-mail threats include:
    • Fraud/scams
    • Forgery
    • Spam
    • Mail bombs
    • Carnivore

  28. WWW Threats
  • There are many risks associated with the World Wide Web:
    • Credit card fraud/abuse
    • Content hijacking
    • Hostile content
    • Cookies
  • Many users do not understand the dangers

  29. The Web and Mass Communication
  • In the past the ability to reach a large audience was limited to:
    • The rich (owners of publishing companies, radio stations, television stations, etc.)
    • Their employees
      • Subject to editorial control
      • Must share in profits
  • The Web now makes it possible for almost anyone to reach a large audience
    • Benefits
    • Dangers
      • Contents of messages
      • Accuracy

  30. Fraud on the Web
  • Scams:
    • Many of the same ones circulated via e-mail
  • Credit card fraud:
    • Theft of credit card information on the Internet
    • Theft of credit card information from a merchant’s database
    • Abuse of credit card information by a merchant/employee

  31. Content Hijacking
  • Content hijacking - one site steals content from another
  • Stolen content
    • Graphics
    • Information
    • Web pages
  • Impersonation
    • Mistyped URLs
    • Misleading links

  32. Content Hijacking - Example
  • April, 2000 - a web page was created that resembled the Bloomberg news site
  • The page contained a false “news release” reporting that a certain company was about to be acquired for much more than its current share price
  • A link to this page was posted on several web-based message boards devoted to discussion of the company’s stock
  • The URL in the link referred to the page by its IP address rather than by its domain name, but many readers did not notice

  33. Content Hijacking – Example (cont)
  • Many people read the story and immediately bought the stock in order to profit from the rise in price that would result from the acquisition
  • The price of the stock rose quickly and then plummeted a few hours later when the hoax was discovered
  • The perpetrator(s) of this scam:
    • Probably bought stock in the company prior to posting the false information
    • Probably sold in the first few hours for a huge profit
  • Many of the investors who were fooled by the fake story suffered large losses
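The checks a message-board moderator or mail filter could run over posted links to surface the impersonation tricks on slides 31-32, as an added example that is not part of the slides: a link whose host is a raw IP address rather than a domain name (the tell that readers of the fake Bloomberg page missed), a link whose visible text names a different host than its href (a misleading link), and a host one or two characters away from a well-known domain (a mistyped URL). KNOWN_DOMAINS, the sample links and the edit-distance cutoff of 2 are constructed assumptions.

```python
"""Added example, not from the slides: link checks a moderator or mail filter
could run over a post to surface the impersonation tricks on slides 31-32: a
link that names its target by raw IP address instead of a domain, a link whose
visible text points somewhere other than its href, and a host one or two
characters away from a well-known domain (a mistyped URL). KNOWN_DOMAINS and the
sample links are constructed; the edit-distance cutoff of 2 is an assumption."""
import ipaddress
import re
from urllib.parse import urlparse

KNOWN_DOMAINS = ["bloomberg.com", "company-x.com"]   # constructed reference list
HOSTLIKE_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(url):
    """Lower-cased hostname of a URL; a bare 'www.x.com/path' is accepted too."""
    p = urlparse(url if "://" in url else "http://" + url)
    return (p.hostname or "").lower()


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Approximate the registered domain by the last two labels
    (news.bloomberg.com -> bloomberg.com); enough for this illustration."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_link(href, text, known=KNOWN_DOMAINS, max_distance=2):
    """Return a list of human-readable findings for one <a href=...>text</a>."""
    host = host_of(href)
    findings = []
    if is_ip_host(host):
        findings.append("host is a raw IP address, not a domain name")
    # Visible text that looks like a URL or hostname but names a different host.
    shown = text.strip()
    if HOSTLIKE_RE.match(shown):
        text_host = host_of(shown)
        if text_host != host:
            findings.append(f"link text names {text_host} but href goes to {host}")
    # Near miss of a well-known domain (mistyped URL / look-alike registration).
    if host and not is_ip_host(host):
        reg = registrable(host)
        if reg not in known:
            for k in known:
                d = edit_distance(reg, k)
                if 0 < d <= max_distance:
                    findings.append(f"host {reg} looks like {k} (edit distance {d})")
    return findings


if __name__ == "__main__":
    for href, text in [
        ("http://10.0.0.1/news/story.html", "http://www.bloomberg.com/news/story.html"),
        ("http://bloomberq.com/news", "latest news"),
        ("http://www.bloomberg.com/news", "Bloomberg"),
    ]:
        print(href, "->", classify_link(href, text) or "no findings")
```

The two-label approximation in registrable() is deliberately simple; a production check would use the public suffix list so that hosts under multi-label suffixes (co.uk and the like) are compared on the right label.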

  34. Hostile Content
  • Hostile content on the Web is designed to annoy or assail an unsuspecting victim:
    • Recursive frames bug
    • Popup windows
    • Flaws in implementations of the Java Virtual Machine
    • Plug-in programs

  35. Cookies
  • A cookie is a small amount of information that a server sends to a browser, which is stored on the client’s computer
  • Every time a browser makes a request to a server, the browser checks the stored cookie list and sends any cookies from that server along with the request
  • Uses:
    • Maintain persistent state
    • Customize web pages to a client’s preferences
  • Protection mechanisms:
    • Browser will only send a cookie to the site from which it originated

  36. Cookies - Format
  • Format:
    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure
  • Set-Cookie – tag (required)
  • Name field – identifier (required)
  • Expires – expiration date (optional)
    • Expired cookies will not be sent by the browser

  37. Cookies – Domain Field
  • Domain field - allows the browser to determine to which hosts a cookie can be sent (optional)
    • Defaults to the name of the server from which the cookie originated (e.g. www.carol.com)
    • Servers can set the domain field in a cookie (e.g. carol.com)
    • Browser checks the domain field in cookies (e.g. won’t accept bob.com in a cookie from www.carol.com)
  • Browser uses the domain field to determine which cookie(s) to send to a server
    • The suffix of the domain name of the server must match the domain specified in the cookie
    • Example: DOMAIN = carol.com
      • www.carol.com, c1.carol.com, c1.foo.carol.com

  38. Cookies – Path Field
  • Path field - restricts which pages at a particular site will cause a cookie to be sent by the browser
    • Cookie must first pass domain checking
    • A prefix of the path must appear in the URL in order for the cookie to be sent
    • Defaults to /
  • Example: PATH = /carol
    • http://www.carol.com/carol/index.html = send cookie
    • http://www.carol.com/bob/index.html = do not send cookie

  39. Cookies – Secure Field
  • Secure field – specifies a “secure” cookie
    • Defaults to false
    • If set, tells the browser that the cookie should only be sent if there is a secure (e.g. SSL) connection between the client and the server

  40. A CGI Script that Sends a Cookie
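A runnable model of the cookie rules on slides 36-39 together with the Set-Cookie header a CGI script would emit (slide 40), added here as an example that is not part of the slides. build_set_cookie() produces the slide-36 layout and cgi_response() wraps it in the header block a CGI script prints; CookieJar.accept() applies the browser's domain check when a cookie is set (www.carol.com may set domain=carol.com but not bob.com) and fills in the defaults (domain = originating server, path = /, secure = false); CookieJar.cookies_for() applies the send-side rules: domain suffix match, path prefix match, expiry, and secure-only-over-SSL. The hosts and paths are the slides' examples; the expires= date format and the sample values are constructed assumptions.

```python
"""Added example, not from the slides: a small model of the browser rules on
slides 36-39 plus the Set-Cookie header a CGI script emits (slide 40).
Hosts and paths are the slides' examples; DATE_FMT and the sample values are
constructed assumptions."""
from datetime import datetime, timezone
from urllib.parse import urlparse

DATE_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"   # assumed expires= format


def build_set_cookie(name, value, expires=None, path=None, domain=None, secure=False):
    """Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure"""
    parts = [f"{name}={value}"]
    if expires is not None:
        parts.append("expires=" + expires.strftime(DATE_FMT))
    if path is not None:
        parts.append(f"path={path}")
    if domain is not None:
        parts.append(f"domain={domain}")
    if secure:
        parts.append("secure")
    return "Set-Cookie: " + "; ".join(parts)


def cgi_response(set_cookie_header, body):
    """What a CGI script prints: headers, a blank line, then the page body."""
    return "\r\n".join(["Content-Type: text/html", set_cookie_header, "", body])


def domain_matches(host, cookie_domain):
    """Slide 37: the server's name must end with the cookie's domain."""
    host, cd = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cd or host.endswith("." + cd)


class CookieJar:
    def __init__(self):
        self.cookies = []   # dicts with name, value, domain, path, expires, secure

    def accept(self, origin_host, header):
        """Store a Set-Cookie header from origin_host; False if the browser rejects it."""
        body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
        pieces = [p.strip() for p in body.split(";")]
        name, _, value = pieces[0].partition("=")
        c = {"name": name, "value": value, "domain": origin_host.lower(),
             "path": "/", "expires": None, "secure": False}     # slide defaults
        for attr in pieces[1:]:
            k, _, v = attr.partition("=")
            k = k.lower()
            if k == "domain":
                if not domain_matches(origin_host, v):
                    return False                  # e.g. bob.com sent by www.carol.com
                c["domain"] = v.lower().lstrip(".")
            elif k == "path":
                c["path"] = v
            elif k == "expires":
                c["expires"] = datetime.strptime(v, DATE_FMT).replace(tzinfo=timezone.utc)
            elif k == "secure":
                c["secure"] = True
        self.cookies.append(c)
        return True

    def cookies_for(self, url, now=None):
        """Names of the stored cookies the browser would attach to a request for url."""
        now = now or datetime.now(timezone.utc)
        p = urlparse(url)
        host, path = (p.hostname or "").lower(), p.path or "/"
        sent = []
        for c in self.cookies:
            if not domain_matches(host, c["domain"]):               # slide 37
                continue
            if not path.startswith(c["path"]):                      # slide 38
                continue
            if c["expires"] is not None and c["expires"] <= now:    # slide 36
                continue
            if c["secure"] and p.scheme != "https":                 # slide 39
                continue
            sent.append(c["name"])
        return sent


# Constructed example header, dated from the slide-10 server banner.
EXAMPLE_HEADER = build_set_cookie("visit", "abc123",
                                  expires=datetime(2001, 6, 29, 14, 17, 9),
                                  path="/carol", domain="carol.com", secure=True)

if __name__ == "__main__":
    print(cgi_response(EXAMPLE_HEADER, "<p>cookie set</p>"))
```

The path test is a plain string prefix, exactly as slide 38 states it, so path=/carol also matches /carolx; that looseness is inherent in the rule as described, and the domain check is the only control that keeps one site's cookies from reaching another.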

  41. Accepting or Rejecting Cookies
  • Most browsers allow the user to set options to:
    • Accept all cookies without consulting the user
    • Ask the user before accepting a cookie
    • Reject all cookies

  42. The Privacy Risks of Cookies
  • Spying by employers/coworkers
    • Cookies identify many of the sites that the user has visited
    • Anyone with access to the machine can examine the user’s browsing habits
  • User profiling by advertisers
    • Site places ads (served by its own servers) on a wide variety of other sites
    • Cookies are used to track how many times the company’s ads are displayed on each site and how often users click on the ads
    • The company can then advertise on sites where its ads tend to be well received and not on sites where its ads fare poorly
    • The company can also build elaborate profiles of users

  43. WWW Threats - Summary
  • WWW threats include:
    • Credit card fraud/abuse
    • Content hijacking
    • Hostile content
    • Cookies
  • Many users do not understand these dangers
