33-1

Internet Safety/Security Issues

33-2

Problems…

E-mail– Worm: a software program that replicates itself throughout the internet,

usually with the goal of generating lots of bogus internet traffic to crash servers via excessive load.

• Web Browsers may have critical vulnerabilities which allow malicious code to be run from a website. Since some email clients support rendering email messages in full HTML, you may be emailed a message with the malicious code inside. When you run it, you could be “infected”

– Solution: stay up to date with the latest Microsoft Security patches!

– Run pine, Mozilla Thunderbird, etc. . .

– Trojan Horse/Virii: software programs that claim to be useful software though also includes malicious instructions

– Email messages are send with executable attachments. Users who don’t know any better run them and become infected.

– Solution: NEVER run strange attachments!

– Phishing: Posing as a legitimate entity, an email directs you to a “spoofed” website where you unwittingly give confidential information to what looks like eBay, Citibank, Paypal, etc...

33-3

Phishers Consider the following email I received to an email address that eBay does not have

on file...Dear valued customer Need Help?

We regret to inform you that your eBay account could be suspended.

To resolve this problems please click here (link is: http://219.239.88.61/images/member/.eBaySuspensionUS/eBaySuspension/signin.ebay.com/aw-cgi/eBayISAPI.dllSignIn-ssPageName-hhsin.php) and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3-4 days, after this period your account will be terminated.

For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.

Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.

Regards,Safeharbor Department eBay, Inc

– I also like this email from “paypal”. Curious again as they don't have this email address on file.

As part of our security measures, we regularly screen activity in the PayPal system. We recently noticed the following issue on your account:

We recently received a report of unauthorized credit card use associated with this account. As a precaution, we have limited access to your PayPal account in order to protect against future unauthorized transactions.

Case ID Number: PP-091-233-629

For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause.

To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center by following the link below:

https://www.paypal.com/cgi-bin/webscr?cmd=login-run (that's what's visible, yet the link is: http://www.securevers.e3z.de/)

If, after reviewing your account information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us"

33-4

Phun with PhishersHello ,Thanks for your mail back concerning the inquiry mail i sent to you. The price,condition also the pics i viewed is okay by me .And my client confirm there is no problem about the price($975 ) ,my client do pays with a {USA}cashier check,he has agreed to mail out as bank cashiers check of $3500. to you on my behalf to cover the shippment fees.About the shippment, that we be taken care by my me & my personal assistant,my personal assistant will be using his shipper to do the quick processing of the shipping of the (1987 Toyota Celica) to my client.So all you are to do after you will received the check in your mail, Just take out your sale amount and refer the remaining money to my shipper immediately through the westernunion or the money gramm outlet so to get the money fast and start the fast arrangement for the pickup of the (1987 Toyota Celica).Since you are the original owner of this item,and i am buying the item directly from you i will like you to write your full name to be on the check,with the mailing address which my client will be using to issued out the check to you.I do wish to trust you by refering the rest balance back to my shipper and also your fast doing to this transaction.I will like to hear fromyou if this is okay by you and you are ready to process ,if you aready to sale your item and promise refering the rest balance to my shipper immediately you received the check so can start the quick arrangement for the pickup. Any body that want to buy this item this item just tell therm that it as been sold. I will like to copmplete this transaction befor the new year. I be at my computer waiting to see your epky to my payment method mailed.THANKS AND MAIL ME BACK WITH YOUR DETAIL AS SOON AS POSSIBLE.

– http://www.ftc.gov

– P-p-p-powerbook! http://www.p-p-p-powerbook.com/

33-5

Email irritantsAvoiding E-mail viruses, worms, and phishing

– Learn to read your email carefully--• look at headers

• don't view images in your email!

• Do you know the sender? Is the sender really who it says?

• Were you expecting an attachment on this email?

• Does the subject make sense considering the sender?

– E.g., “I thought you might enjoy this! ;o)”

– With an attachment of AnnaKournikova.jpg.vbs ......from your grandmother??

• Understand file extensions.

– Scan any attachments for viruses before you run them!• BU will provide you with anti-virus software (PCSC)!

– Try a different mail client (Thunderbird? http://www.mozilla.org)

33-6

SPAM!Spam is really annoying!

– From a survey of workers at Fortune 500 companies conducted by a Wellesley based research company

• In 2003 companies lost (on avg) $874 per employee• In 2004, companies will lose $1,934 per employee

– How?• Workers spend nearly 15 minutes every day dealing with

(on average) 29 spam emails– Some estimates indicate SPAM accounts for >70% of the email

traffic on the entire Internet!– What are the response rates for spam?

• Try 1-2 one-thousandths percent!– So why do it?

• “Spammers” get paid ~$250 to send 500,000 emails

• Spam is spreading to Instant Messenger, as are all the previous “irritants”

33-7

Other Precautions

• Passwords:– Use strong passwords

• Passwords may be guess by automated trial-and-error or brute-force

• Include random numbers, symbols, etc

• Make passwords difficult to guess

• *NEVER* give out your password!

• Backup your files frequently– You never know what might happen

– For whatever reason, if your machine is fouled up, you’ll still have your important data

33-8

Security and Cryptography

33-9

Problems…

• Security/Privacy of Internet Traffic:– I send you my social security number, because you are supposed to

send me my credit report. This we would like to keep this information secure.

• I’m going to email it, is that OK?

• I enter it on a web page is that necessarily OK?

• Do we worry about security in the Postal Network?– When you send a letter to someone, you can be pretty confident that

the postal worker isn’t going to read it.

• The postal network is a trusted organization

– How do you ensure that someone hasn’t read your letter while it was in transit?

33-10

Protecting Data

• Well, packets are like envelopes, are data packets inherently secure?

– HINT: Can we tell if someone has “tampered” with our packet? Does someone need to alter our packet in order to read it?

• Our messages may be intercepted and read– We have no way of knowing that a message has been

read (no signs of tampering)

• Any privacy solution must accept this reality

33-11

Encryption Schemes• We will modify our messages so an eavesdropper will not

understand it– In computer science we call this encryption.

– I will encrypt my data, such that only the intended recipient will be able to understand it

– The recipient will need to decrypt the data in order to make sense of it.

Encryption schemes are considerably older than Computer Science.

– Ciphers are a relatively simple translation mechanism by which characters are shifted to another character.

• Caesar Cipher

• Vigenere Cipher

• Enigma Computer

33-12

The Caesar Cipher• The Caesar Cipher is one of the earliest known encryption

schemes:

"RETURN TO ROME“

would be sent as

"UHWXUQ WR URPH“

and the receiver would return it to the form

"RETURN TO ROME“

33-13

The Caesar Cipher

• How does it work?– The Caesar cipher encrypts by simply shifting each character some number of

characters to the right.

– To decrypt the message, the recipient must know the shift number used above, and will shift each character of the received message the same number characters to the left.

text: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

33-14

Breaking the Caesar Cipher

• So what is the encryption scheme in a Caesar Cipher?

• Each side must know the number of character shifts – we call this a secret key

• How secure is a Caesar Cipher?– How to measure security?

• In the worst case: how much “work” would it take an eavesdropper to understand our original message?

• Let’s say we want to break a Caesar cipher by hand, or with a computer, what do we need to do?

– Method:

– Number of shifts:

– How do you know when you’re done?

33-15

Breaking the Caesar Cipher

• We can be a bit more clever in breaking the Caesar Cipher.– Premise: Naturally, in English, some letters occur more frequently than others.

• We can determine, statistically, the frequency at which various letter appear in a sample of text.

• If we look at the characters that appear frequently in the cipher, we should try shifts that correlate frequently occurring characters to frequently occurring English characters

• So the Caesar Cipher is pretty weak -- Let’s look at a better encryption scheme

33-16

the Vigenere Cipher

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F H H I J K L M N O P Q R S T U V W X Y Z A B C D E F GI I J K L M N O P Q R S T U V W X Y Z A B C D E F G H J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

• Named for Blasé de Vigenere (16th Century, France)

– Each row is a Caesar shift

• The system:– There is a secret key which is a

word.

– Each letter of the message to be encrypted is shifted to the letter in the corresponding position of the key-word

– To decrypt: The receiver look in the column of the key letter of that position, scan down the column for the encrypted character, and write the index letter of that row

33-17

the Vigenere Cipher

A B C D E F G H I J K L M N O P Q R S T U V W X Y ZA A B C D E F G H I J K L M N O P Q R S T U V W X Y Z B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F H H I J K L M N O P Q R S T U V W X Y Z A B C D E F GI I J K L M N O P Q R S T U V W X Y Z A B C D E F G H J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

• the Vigenere Cipher is essentially the “same thing” as a Caesar cipher

– Except now instead of shifting every character by the same amount, we shift each character by a different amount

– The letter of the Key tells us the shift amount

• Example:– Key: PASSPORT

– Message: ATTACK

– Encrypted: PTLSRY

33-18

Breaking the Vigenere Cipher

• The Vigenere Cipher was considered relatively unbreakable until the 1860’s when Kasiski (Prussia) devised a method to guess at the keywords by spotting repeating character pairs in the encoded message.

– By observing character pairs that occur frequently, (and their distance from each other) one can speculate on the length of the keyword.

– Once the length of the keyword is known, you know how many different shifts are applied to each letter of the message (e.g., a 20 character message with a keyword of length 5 is “only” 5 different Caesar ciphers applied across all the characters)

• From there we can either try all the substitutions and look at the results

• Or use character frequency to try only the most likely results.

33-19

The Enigma Cipher

• During WWII, the German’s used a very sophisticated Cipher, called the Enigma Machine

– The Enigma was actually invented in 1922 and sold commercially in Germany.

– The Enigma Machine shifted characters using a keyboard, three rotors and a “reflector”

• A character would enter the system, and be shifted by the first rotor. That shifted letter would then be shifted again by the second rotor, and shifted again by the third. The character would then hit the reflector, and bounce back through the same rotors in reverse order.

• Each rotor acted as an independent cipher, (a character entered would be output as a different character).

• Each rotor has the ability for 26 different shifts.

33-20

The Enigma Cipher

– Clearly, knowing the settings of the rotors is key to decoding an Enigma message.

• To really complicate matters

– As each letter was typed, the first rotor would shift once.

– When the first rotor had shifted 26 times, the second rotor would shift once.

– The third rotor would shift once when the second rotor had shifted 26 times (like a car odometer).

» In this way, the same character would not have the same encoding throughout the message, nor would there be any obvious predictability in viewing the encoded message.

33-21

The Enigma Cipher

• To decode, Enigma messages were reversible – that is, ME, and EM (with the right rotor settings, of course)

• So, In order to decode a message, a receiver needs knowledge of the initial state of the rotors when the message was started.

– And an enigma machine

– So, each machine operator had to know the what the rotor state would be on each day, and logs were kept of these settings (secret key)

33-22

Breaking The Enigma Cipher

– Imagine guessing via trial and error…

• with three changing rotors, each with 26 possible positions, there are 17,576 possible positions of the rotors

– Eventually, teamwork broke (and re-broke the Enigma)

– Military Enigma’s were modified commercial Enigmas

– Polish mathematicians broke the code (and modified their own Enigma)

– A new modification emerges with double-encoding

– Turing and others devise systems to reduce the number of possible rotor configurations

– An EINS table was generated

– A four wheel Enigma was introduced

– A code book was captured from the U559 U-boat re-enabling interception

33-23

Protecting data• All of these encryption schemes assume that we can

exchange some secret key that allows our recipient to decode the message.

– In these schemes context allows us to decode the messages

– We’re going to relax our problem a “bit”

• Alice wishes to send securely one bit to Bob in absence of private channel.

– private channel is a means of communication that is safe from any eavesdroppers / adversaries

– send securely: to send such that no third party can know what we have sent.

– Our previous examples have been breakable with enough hard work. Instead, we’ll change the problem and try to come up with an “unbreakable” algorithm to solve it.