
MKTG 476 SECURITY Lars Perner, Instructor 1

Internet Security

• Servers
• Hacking
• Publicly available information
• Information storage
• Intrusion methods
  – Phishing
  – Pharming
  – Spyware
• Viruses
• Spam
• Identity theft


Concerns Shared by Firms and Consumers

• Identity theft
• Fraudulent use of credit cards or bank accounts
• Loss of privacy
• Consumer reluctance to shop online due to fears of fraud
• Costs of authentication


Consumer Privacy Concerns

• Large amounts of consumer information can be bought online
• Some information is available to the public through government offices, e.g.:
  – Real estate ownership
  – Vehicle registrations
  – Licenses (driver's/professional)
  – Personal records, e.g., marriage, divorce, certain tax liens, certain criminal records, bankruptcies
• Information inadvertently posted online
• Information posted without consent of customer
  – E.g., employment records
  – E.g., membership directories


Consumer Privacy Concerns, Part II

• Online services combining information
  – Information sold by vendors (e.g., unlisted phone numbers of customers; purchase histories)
  – Aggregation of databases (e.g., combining multiple phone directories and real-estate recordings)
• Information that is only supposed to be available when authorized
  – Credit records
  – Medical
• Some information may be available only to certain kinds of users


Online Data Storage

• Types of information stored on customers
  – Login, passwords
  – Credit card information
  – Purchase histories
  – Home addresses
  – Other personal info
• May or may not have resulted from online transactions; databases are often networked for internal firm use


"Vulnerable" Information

• Social security numbers
• Place and date of birth; mother's maiden name
• Home address
• Login and passwords
• Financial information


Data Interception

• By employees or others with direct access to information
• Cyber thieves may attempt to access information through
  – Phishing/pharming
  – Host computer
    – Log-in through insecure passwords
    – Hacking
  – Internet traffic
  – Local networks, especially wireless with limited or no security


Password Vulnerabilities

• Disclosure to strangers
• Theft of databases
• Phishing
• Use of obvious passwords
  – Common words
  – Personal information, e.g., phone number, address, birthday
• Passwords not frequently changed
• Password "sniffers"
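The "obvious passwords" point above is something a site can enforce at registration time: it already holds the customer's name, phone number, address and birthday, so it can refuse passwords built from them. The following checker is an added example written for this page, not code from the course; the word list, the profile and the candidate passwords are all constructed sample data.

```python
import re

# Constructed sample of "common words" a password filter would reject; a real
# deployment would load a large dictionary and breached-password list instead.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "monkey"}


def birthday_fragments(birthday):
    """Digit strings a person is likely to type from a YYYY-MM-DD birthday."""
    year, month, day = birthday.split("-")
    return {year, month + day, day + month, month + day + year[2:],
            month + day + year, year + month + day}


def weak_password_reasons(password, profile):
    """Return the reasons a candidate password is weak against the customer's
    own profile (an empty list means nothing was found).

    profile is a dict with optional keys 'name', 'phone', 'address' and
    'birthday' (YYYY-MM-DD): the kinds of personal data a firm already stores
    and that can often be looked up from public records.
    """
    reasons = []
    lowered = password.lower()
    letters = re.sub(r"[^a-z]", "", lowered)   # "Password123!" -> "password"
    digits = re.sub(r"\D", "", password)       # "Password123!" -> "123"

    if letters in COMMON_WORDS:
        reasons.append("common word")

    name = profile.get("name", "").lower()
    if name and name in lowered:
        reasons.append("contains name")

    phone = re.sub(r"\D", "", profile.get("phone", ""))
    # Any run of four or more digits in the password that is part of the phone number.
    if phone and any(run in phone for run in re.findall(r"\d{4,}", password)):
        reasons.append("contains phone number")

    address = profile.get("address", "").lower()
    if address:
        numbers = [n for n in re.findall(r"\d+", address) if len(n) >= 3]
        street_words = [w for w in re.findall(r"[a-z]+", address) if len(w) >= 4]
        if any(n in digits for n in numbers) or any(w in lowered for w in street_words):
            reasons.append("contains address")

    birthday = profile.get("birthday")
    if birthday and any(frag in digits for frag in birthday_fragments(birthday)):
        reasons.append("contains birthday")

    return reasons


if __name__ == "__main__":
    # Constructed customer profile (not real data).
    profile = {"name": "Maria", "phone": "(213) 555-0147",
               "address": "1825 Elm Street", "birthday": "1985-07-14"}
    for candidate in ["Password123!", "Maria0714", "Elm1825!", "5550147x",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {weak_password_reasons(candidate, profile) or 'no findings'}")
```

The check is deliberately lenient on short digit runs (fewer than four) so that ordinary numbers in a strong passphrase are not reported; it trades a few misses for fewer false rejections of good passwords.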


Some Security Measures

• Encryption
• Tracking of IP address of entry into the computer
• Secondary passwords
• Consumer chosen icon
  – In e-mails
  – At site, once origin IP address is recognized
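Three of the measures listed above (tracking the origin IP, a secondary password, and a consumer-chosen icon that is shown only once the origin IP is recognized) fit together into one login flow. The class below is an added example written for this page, not code from the course or from any real site; the account store is in memory, the PBKDF2 work factor is an assumption, and the usernames, passwords and addresses are constructed.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumption: a fixed work factor for this example


def _hash(secret, salt):
    """Salted PBKDF2-HMAC-SHA256 so a stolen table does not reveal the secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    """In-memory account store for the example; a real site would persist this."""

    def __init__(self):
        self.accounts = {}
        self.events = []  # (username, ip, outcome): audit trail of every attempt

    def register(self, username, password, secondary, icon):
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt,
            "password": _hash(password, salt),
            "secondary": _hash(secondary, salt),
            "icon": icon,          # consumer-chosen image name shown by the real site
            "known_ips": set(),    # origin IPs that have completed a full login
        }

    def preview_icon(self, username, ip):
        """Icon shown on the login page before any password is typed, but only
        once the origin IP is recognized; a fake site cannot reproduce it."""
        account = self.accounts.get(username)
        if account and ip in account["known_ips"]:
            return account["icon"]
        return None

    def email_icon(self, username):
        """Icon embedded in the firm's own e-mails so customers can tell them apart."""
        account = self.accounts.get(username)
        return account["icon"] if account else None

    def login(self, username, password, ip, secondary=None):
        account = self.accounts.get(username)
        if account is None:
            _hash(password, b"\x00" * 16)  # keep timing similar for unknown users
            return self._record(username, ip, "denied")
        if not hmac.compare_digest(_hash(password, account["salt"]), account["password"]):
            return self._record(username, ip, "denied")
        if ip not in account["known_ips"]:
            # Unrecognized origin: demand the secondary password before trusting it.
            if secondary is None:
                return self._record(username, ip, "secondary_required")
            if not hmac.compare_digest(_hash(secondary, account["salt"]), account["secondary"]):
                return self._record(username, ip, "denied")
            account["known_ips"].add(ip)
        return self._record(username, ip, "ok")

    def _record(self, username, ip, outcome):
        self.events.append((username, ip, outcome))
        return {"status": outcome, "ip": ip}


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct-horse", "first pet: Rex", "blue-sailboat")
    ip = "203.0.113.7"  # constructed documentation address
    print(guard.preview_icon("alice", ip))                       # None: IP not yet known
    print(guard.login("alice", "correct-horse", ip))             # secondary_required
    print(guard.login("alice", "correct-horse", ip, "first pet: Rex"))  # ok
    print(guard.preview_icon("alice", ip))                       # blue-sailboat
```

The `events` list is what the "tracking of IP address of entry" bullet amounts to in practice: every attempt, successful or not, is recorded with its origin so repeated failures from one address stand out.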


Servers

• "Denial of service"
  – Numerous "requests to identify" are sent to targeted server
  – The server may slow down or become entirely inaccessible
  – Computers and servers infected through viruses are often targeted
  – Mostly intended as "vandalism"
• Hacking
  – "Hackers" break into computer systems
  – Purposes
    – Taking on challenge/political expression
    – Vandalism
    – Stealing information


Hacking

• Established software has "holes" that are gradually discovered
• May be able to "crash" sites and access "core dump" files intended for use by programmers to identify problems
• Exploitation of "back doors" left by programmers


Phishing

• Consumer receives an e-mail asking that he or she log in to take care of account issues
• This e-mail contains a legitimate-looking hyperlink title but the actual link is to a fake site
• 1% of consumers are estimated to fall for the hoax
• The consumer logs into a fake site, providing login, password, and other info


Phishing: Remedies

• Consumer education
• Software safeguards
  – Warning if the internal link does not match the title
    – Feasible only when the title features an actual address
• E-mail filters
  – E-mail programs
  – Server
  – Anti-virus software
• Quick identification of phishing sites
  – Cooperation with host
  – Denial-of-service attacks if needed
  – Massive entry of fake data
• Tracing of logins based on origin of phishing e-mail or site
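The "warning if the internal link does not match the title" safeguard, together with its caveat that it only works when the title shows an actual address, can be implemented as a check over the anchors in an e-mail body. The code below is an added example written for this page, not part of the course material or of any mail client; the sample e-mail uses documentation addresses (`example.com`, `203.0.113.5`, the reserved `.test` domain) and is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname-looking token inside link text (optionally prefixed by a scheme or "www.").
HOST_IN_TEXT = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible title) pairs from every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_in_title(title):
    """Hostname the link title claims to point at, or None if the title is plain words."""
    match = HOST_IN_TEXT.search(title)
    return match.group(1).lower() if match else None


def host_of_href(href):
    """Hostname the link actually goes to, with a leading 'www.' dropped."""
    host = urlparse(href.strip()).hostname
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


def same_site(shown, actual):
    """True when the two hosts are equal or one is a subdomain of the other."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def check_links(html):
    """One verdict per link: 'ok', 'mismatch', or 'unchecked' (title shows no address)."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, title in collector.links:
        shown = host_in_title(title)
        actual = host_of_href(href)
        if shown is None:
            verdict = "unchecked"   # nothing to compare against: the caveat on the slide
        elif actual is not None and same_site(shown, actual):
            verdict = "ok"
        else:
            verdict = "mismatch"
        findings.append({"title": title, "href": href, "verdict": verdict})
    return findings


# Constructed e-mail body (documentation addresses only, not a real message).
SAMPLE_EMAIL = """
<p>Please <a href="http://203.0.113.5/login">click here</a> to fix your account.</p>
<p>Or visit <a href="http://203.0.113.5/login">www.example.com</a> directly.</p>
<p>Our real site: <a href="https://secure.example.com/">https://example.com</a></p>
<p>Update: <a href="http://example.com.account-verify.test/">example.com</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(f"{finding['verdict']:9} {finding['title']!r} -> {finding['href']}")
```

The first link ("click here") comes back as `unchecked` rather than `ok`: a title made of ordinary words gives the filter nothing to compare, which is exactly why the slide calls this safeguard feasible only when the title features an address. The last link shows why the comparison must be a whole-label suffix match rather than a plain substring test.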


Pharming

• The user attempts to go to a legitimate web site address but is redirected
  – Through hacking of DNS servers (which match domain names with numerical IP addresses)
  – Through false report of changed server to DNS registrar
  – Malicious code in "trojan horse" or virus to redirect traffic


Viruses

• "Malicious code" that attacks a computer to
  – Cause damage (vandalism)
  – Serve as spam or denial of service attack server
  – Transmit data
• Spread through
  – Software (as trojan horse or through infection of legitimate software)
  – E-mail attachments
  – Online activity


Trojan Horses

• Legitimate-looking software intended to spread malicious code
• User downloads software and, once run, malicious code is run with results similar to those of viruses


"Spyware"

• Software that sends back user information through Internet connection
• Legal vs. illegal
  – Legitimate and authorized by user
  – Non-malicious intent but not authorized
  – Malicious
• May be spread through program, trojan, or virus


E-mail Spam

• Unsolicited e-mail messages
• Unsolicited contacts have always happened, but telemarketing and bulk mail are more expensive than e-mail
• Very low response rate but very low cost of distribution
• Usually sent by
  – Unauthorized vendors
  – Fraudulent persons/vendors


Determining When E-mail Is Likely to Be Welcome

• Individual vs. mass mailing
• Established relationship with receiver
  – Logistical communication
  – Offering of new services
  – Promoting services by others
• Opt-in policies


Spam Remedies

• Termination by host
  – E-mail generally sent through SMTP servers located at the Internet Service Provider (ISP) site
  – Problems
    – Foreign governments may not cooperate
    – Spammer may move on to other addresses quickly
• Anti-spam programs
  – Locations
    – In e-mail servers
    – On the user's computer
    – At local server
  – Problems
    – Distinguishing legitimate messages from non-legitimate
    – Imperfect algorithms
• Regulatory
  – Legal limits
  – Litigation of offenders in reachable jurisdictions
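The "imperfect algorithms" problem under anti-spam programs is easiest to see on a small scoring filter. The following is an added example written for this page, not code from the course or from any mail product: the word weights, the threshold and the four messages are constructed, and the point is that the same rule that catches one spam message also misfires on a legitimate order confirmation and misses a spam message that avoids the weighted words.

```python
import re

# Constructed word weights: positive values are words seen far more often in
# spam, negative values are words typical of expected correspondence. A real
# filter learns thousands of these from labelled mail; this is a toy table.
WEIGHTS = {
    "free": 2.0, "winner": 3.0, "prize": 2.5, "urgent": 1.5, "offer": 1.0,
    "click": 1.0, "unsubscribe": -1.0, "invoice": -1.5, "meeting": -2.0,
    "order": -0.5,
}
THRESHOLD = 3.0  # assumption: scores at or above this are treated as spam


def score(message):
    """Sum the weights of the words in the message body."""
    words = re.findall(r"[a-z']+", message.lower())
    return sum(WEIGHTS.get(w, 0.0) for w in words)


def classify(message, threshold=THRESHOLD):
    return "spam" if score(message) >= threshold else "legitimate"


def evaluate(labelled):
    """Count hits and misses for (message, true_label) pairs."""
    counts = {"true_positive": 0, "true_negative": 0,
              "false_positive": 0, "false_negative": 0}
    for message, truth in labelled:
        verdict = classify(message)
        if verdict == "spam" and truth == "spam":
            counts["true_positive"] += 1
        elif verdict == "legitimate" and truth == "legitimate":
            counts["true_negative"] += 1
        elif verdict == "spam":
            counts["false_positive"] += 1   # legitimate mail lost to the filter
        else:
            counts["false_negative"] += 1   # spam that reaches the inbox
    return counts


# Constructed messages with their true labels.
SAMPLE_MAIL = [
    ("You are a WINNER! Claim your free prize now", "spam"),
    ("Agenda for Monday's meeting and the March invoice attached", "legitimate"),
    ("Your free shipping offer on this order: click to confirm", "legitimate"),
    ("Urgent: verify your account to avoid suspension", "spam"),
]

if __name__ == "__main__":
    for message, truth in SAMPLE_MAIL:
        print(f"{score(message):5.1f} {classify(message):10} (actually {truth}): {message}")
    print(evaluate(SAMPLE_MAIL))
```

Raising the threshold rescues the order confirmation but lets more spam through; lowering it does the reverse. Wherever the filter runs (mail server, local server, or the user's machine), that trade-off is the same, which is why the slide lists distinguishing legitimate from non-legitimate messages as a problem rather than a solved step.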