
Computer Security

CSCU9B2

CSCU9B2 1

Contents
1.  Passwords
2.  Viruses, Worms, Malware
3.  Phishing and Scams
4.  Personal Information
5.  Online Sense and Safety

Passwords
Commonly used (and weak) passwords:
•  password
•  12345678
•  welcome
•  qwerty
•  monkey
•  ninja
Medium security: swap letters for look-alike symbols (@ = a, 1 = l, 4 = A), e.g. p@55w0rd
•  Still weak. Easy to guess.

Passwords, Good
•  Not in a dictionary, even when letters are replaced with numbers
•  Nothing to do with anything public about you (name, email, wife, date of birth)
•  Different from other sites (at least the important ones)
•  Memorable to you

Examples
•  The keys above those that spell your name: Kevin Swingler = i3f8hw28hro34
–  Easy to recall, hard to crack
•  Even better done with the shift key down

Password Encryption
•  Passwords stored in databases (for a web site, for example) should be encrypted
•  Encryption is a one way process
–  so encrypted passwords cannot be unencrypted
•  E.g. password = 5f4dcc3b5aa765d61d8327deb882cf99
•  Still, using “password” is not safe – why?

Let’s See…
•  Firstly, I don’t need to steal a database to know that I should try “password” to log into somebody’s account
•  http://md5.gromweb.com/
•  Reverse look up of MD5 encrypted strings
–  Dictionary-based attack
–  TRY to reverse the encryption on the previous page!
•  Never enter your encrypted password into one of these sites out of curiosity!! -- why?

Encryption Methods
•  MD5 – Commonly used for web passwords as it is supported by PHP
•  As we just saw, reverse look up is easy as people have computed “rainbow tables”
•  Adding “salt” makes it much harder to use such tables as the encryption depends on a second string (the salt), which can be random
–  And will be different for different machines
–  Makes dictionary-style attacks much harder
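As an added illustration (not part of the slides), the Python below builds a tiny constructed lookup table from the weak passwords listed earlier, reverses the MD5 digest on the previous slide with it, and then shows that a random per-user salt makes the same table useless; it also goes one step beyond the slide by showing a salted and deliberately slow hash (PBKDF2), which is what a site should actually store. It assumes only the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed lookup table: MD5 digests of the weak passwords from the earlier slide.
# A real rainbow table holds millions of candidates but is used the same way.
WEAK_PASSWORDS = ["password", "12345678", "welcome", "qwerty", "monkey", "ninja", "p@55w0rd"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}


def reverse_md5(digest):
    """Reverse an unsalted MD5 by table lookup, as the online 'decrypters' do.
    Returns the password, or None when the digest is not in the table."""
    return MD5_TABLE.get(digest.lower())


def salted_md5(password, salt):
    """Salted MD5 as on the slide: the digest now depends on a second string."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def store_salted(password):
    """Pick a fresh random salt for each user and keep it next to the digest."""
    salt = os.urandom(16)
    return salt.hex(), salted_md5(password, salt)


def check_salted(password, salt_hex, stored_digest):
    """Recompute with the stored salt; compare in constant time."""
    candidate = salted_md5(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_digest)


def slow_hash(password, salt, iterations=200_000):
    """Beyond the slide: salted AND deliberately slow (PBKDF2-HMAC-SHA256), so each
    guess costs an attacker hundreds of thousands of hash computations, not one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def check_slow(password, salt_hex, stored_digest, iterations=200_000):
    candidate = slow_hash(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    print(reverse_md5("5f4dcc3b5aa765d61d8327deb882cf99"))   # the slide's digest -> password
    salt_hex, digest = store_salted("password")
    print(digest, reverse_md5(digest))                        # same password, no table hit
    print(check_salted("password", salt_hex, digest), check_salted("Password", salt_hex, digest))
```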

Secure Hash Algorithm
•  A “Hash” is a function that maps one string to another one
•  The United States National Security Agency publishes standards on secure hashing called SHA-0, SHA-1, SHA-2 and SHA-3
•  Even with salt, software for cracking passwords such as Hashcat can crack SHA encoded passwords (hashcat.net)
–  But it needs to know the hashed version

Is Your Password Safe?
•  Remarkably, many web sites store passwords unencrypted
•  One way to tell if a site encrypts passwords is to click the “forgotten password” link.
•  If they send you an email telling you your password, then it was not encrypted
•  If they send you a link enabling you to create a new one
–  then it probably was encrypted
•  (the old one was encrypted with a 1-way encryption)

And another issue: login security
•  How often does a site allow a prospective user to try to log in?
–  Once? Difficult!
–  3 to 5 times: OK, but not always enough
•  iPhone: 6 times: see https://support.apple.com/en-gb/HT204306
–  Many times: helpful for people guessing passwords!
•  What should a site do if a password is entered wrongly 4 or 5 times?
–  Nothing?
–  Disallow logging in for a length of time (e.g. 15 minutes)?
–  Log the attempt as a possible security breach?
–  Tell the user (or an administrator, or someone) that an attempt is being made to log in with an account?
–  Force the user to respond to an email?
•  It really depends on the importance of security at that site.
–  Highly secure sites will take action!
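The slide’s options (disallow logging in for a period, log the attempt as a possible breach, tell someone) combined into one small login guard, as an added example that is not from the slides. Python standard library only; the account name, the timestamps and the five-attempt limit are constructed for the demonstration, and `notify` is an assumed hook for emailing the user or an administrator.

```python
from collections import deque
from datetime import datetime, timedelta


class LoginGuard:
    """Counts failed logins per account and acts on them, as the slide suggests:
    after max_attempts failures inside `window` the account is locked for `lockout`,
    the event is logged as a possible breach and an optional notifier is called."""

    def __init__(self, max_attempts=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=15), notify=None):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.notify = notify        # e.g. email the user or an administrator
        self.failures = {}          # username -> deque of recent failure times
        self.locked_until = {}      # username -> time the lock expires
        self.audit_log = []         # lines an administrator would review

    def attempt(self, username, password_ok, now):
        """Return 'ok', 'denied' or 'locked'. `now` is passed in so runs are repeatable."""
        until = self.locked_until.get(username)
        if until is not None and now < until:
            self.audit_log.append(f"{now.isoformat()} LOCKED user={username}")
            return "locked"         # even the right password is refused while locked
        if password_ok:
            self.failures.pop(username, None)
            self.locked_until.pop(username, None)
            return "ok"
        recent = self.failures.setdefault(username, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()        # forget failures older than the window
        self.audit_log.append(f"{now.isoformat()} FAILED user={username} count={len(recent)}")
        if len(recent) >= self.max_attempts:
            self.locked_until[username] = now + self.lockout
            self.audit_log.append(f"{now.isoformat()} POSSIBLE_BREACH user={username} locked_for={self.lockout}")
            if self.notify:
                self.notify(username, now)
            return "locked"
        return "denied"


def demo_lockout(max_attempts=5):
    """Constructed scenario: wrong guesses up to the limit, then the correct
    password once during the lock and once after it has expired."""
    alerts = []
    guard = LoginGuard(max_attempts=max_attempts, notify=lambda user, when: alerts.append(user))
    start = datetime(2024, 1, 1, 12, 0, 0)
    results = [guard.attempt("alice", False, start + timedelta(seconds=i)) for i in range(max_attempts)]
    results.append(guard.attempt("alice", True, start + timedelta(minutes=1)))   # still locked
    results.append(guard.attempt("alice", True, start + timedelta(minutes=20)))  # lock expired
    return results, alerts, guard.audit_log
```

Calling `demo_lockout()` returns the outcome of each attempt, the accounts that triggered an alert, and the audit lines; with the default limit the sequence is four denials, a lock, a refusal of the correct password while locked, and success once the 15 minutes have passed.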

Password Security Summary
•  Make sure your passwords are not easy to guess or crack with a dictionary look up
•  Use unique passwords for all important sites, change them occasionally
•  Keep a list of passwords in a secure place at home if you need to – that is better than using the same one for all sites
•  Only have your browser remember passwords if you are very confident about who can use your computer
•  And on the other side, if you are making a site secure using passwords, ensure that failed login attempts are acted on!
–  See possibilities earlier

Security Questions
•  Mother’s maiden name, first school etc.
•  The answers needn’t be correct
–  in fact it is better if they are made up
•  (as long as you can remember what you said: not always easy)
–  as other people can’t find out the real answers and pretend to be you

Other Security Measures

Non-password security
•  Biometric systems
–  Rely on user characteristics that are almost impossible to clone
•  Iris recognition
•  Fingerprint recognition
•  Voiceprint recognition
•  Face recognition
–  Plus others

[Picture from Alessio Damato, via Wikipedia]

Biometrics pros and cons
+  Can’t forget the password
+  Very hard to forge
-  May change with time, or illness
–  Voiceprint for example, not fingerprint
-  Might tempt some to use very unpleasant forging techniques
–  Or even simply to record someone’s voice!
-  Some biometrics have unfortunate connotations
–  Fingerprinting, for example.
-  Some are not always reliable
–  Face recognition in different lighting and with shadows.

Viruses, Trojans and Worms
•  Viruses:
–  Pieces of code that are downloaded into your computer
•  Often inside freeware, or executable mail attachments
•  And are generally self-replicating, infecting other machines as well
–  … and then run programs you don’t want them to
–  For example recording keystrokes, spamming your contacts, …

Trojans
•  Pieces of software placed inside other pieces of software
–  E.g. freeware, executable mail attachments
•  …which perform unwanted actions
–  E.g. key logging, enabling access by external (unauthorised) users, viewing the user’s webcam, …
–  Generally not self-replicating

Computer worms
•  Worms are standalone programs that replicate themselves
–  Generally over the network
•  Some simply use up bandwidth
–  By spreading throughout the network
•  Generally work by exploiting security “holes” in operating systems
–  So keep your OS patched and up-to-date!

Worms and crawlers
•  Web crawlers,
–  Aka web spiders, or automatic indexers
•  Like worms in that they are automated internet traffic
–  Generally seeking out web pages and indexing them
•  For search engines etc.
–  Generally not pathological
•  Googlebot, Bingbot are two examples

Phishing and Scams
•  In general, phishing is any method used to extract passwords from people by tricking them into divulging the password
•  Usually by a web site or spam email, but sometimes a phone call
•  Let’s give it a go ….

Log in to RBS
[The RBS web site]

Kevin Swingler’s Version

Two Small Changes …
<form action="getcode.php" method="post">
<input type="text" name="code">

Read the Form
<?php
$code = $_POST['code'];
print("I have stolen your customer number, it is $code");
?>
Let’s try …..
www.cs.stir.ac.uk/~kms/RBS/rbs.html

Getting People to the Site
•  Phishing emails

Bogus Services
•  Let’s say I set up a web site that offers to send people free samples of beauty products
•  You sign up, giving username, password and email address
•  I promise to send you samples at various intervals in the future
•  I don’t, and you forget about it
•  What have I gained?

Don’t Get Caught
•  Don’t follow links in emails, always type the URL or get it from your browser history or bookmark
–  Or copy the URL, and look at it in a text editor!
•  Delete emails that are not addressed directly to you
•  Never give passwords over the phone
•  Change your password regularly [?]

Other Scams
•  Mystery lottery wins, unclaimed wills, dormant bank accounts, Nigerian oil riches, …
•  It’s pretty obvious – if somebody emails you offering you lots of money, it is a scam
•  Let’s look at one in detail, the Advance Fee Fraud, or 419 fraud

419 Fraud
•  Named after the section of the Nigerian penal code that addresses such fraud
1.  Victim is emailed and offered a cut of many millions of dollars to “house” money in their account
2.  Victim replies (really!)
3.  Victim is asked to pay fees, bribes, taxes, etc.
4.  Money never materialises (surprise!)

Cost
•  Estimates are hard to come by, but the UK National Fraud Authority estimated in 2011 that direct marketing fraud cost the UK £3.5 Billion

Really? Who Falls for it?
•  The scams are very hard to believe
•  Why wouldn’t the scammers make them more believable?
•  One theory is that you need to be very gullible to fall for such a scam to the point where you pay money
•  Scams are designed to filter out all but the most gullible (or greedy)
•  This saves the scammers a lot of time

Scam Baiters
•  Which leads us to the scam baiters
•  Look at http://www.419eater.com/
•  Run by people who reply to scam emails just to waste the scammers’ time

Free Trial Scams
•  Free Trial scams offer a free (or very cheap) trial of a product
•  Often weight loss or beauty
•  If you agree, the small print includes an agreement to receive monthly replacements at high cost unless you cancel
–  So if a free trial asks you for a credit card number, or bank details, be suspicious. Very suspicious.
•  Cancelling is often difficult

Social Media Safety
•  Some people love putting their private details on the internet and identity thieves love to take them
–  Over-sharing
•  Publishing something online (even a tweet or a Facebook comment) is covered by the same law as publishing anything else:
–  Libel
–  Incitement
–  Threats
–  Even poor taste
•  And do you really want everyone to know that you …

News examples (BBC):
•  http://www.bbc.co.uk/news/uk-england-merseyside-19863228
•  http://www.bbc.co.uk/news/uk-england-18607798
•  http://www.bbc.co.uk/news/uk-17512027

Before You Tweet
•  Is it legal?
•  Is it defamatory?
•  Is it public?
•  Do you own it?
•  Would you be happy if it went viral, and everyone knew that you had tweeted this…

Information about You
•  Quite apart from what you personally share on the web or Facebook or blog or …
–  Or tweet
•  There’s other software out there picking up information about you
–  Spyware
–  Cookies
–  Google mail
–  Behavioural advertising

Spyware
•  Spyware is a type of virus/trojan that is designed to steal information from you
•  There are many different forms
–  A simple but effective (= dangerous) example is a key-logger, which sends every key you press to the owners of the spyware
–  Credit card numbers and passwords are identifiable in amongst all the key presses

Avoiding Spyware
•  Spyware is usually not spread like a virus
•  The user is often tricked
–  (or agrees due to not reading the user agreement in full) to install the software
•  Does anyone read the full information in the user agreement?
–  Some software that you would like to install also installs software that you don’t want
–  Software claims to be one thing, but isn’t, e.g. downloaded from a file sharing service
•  Be very careful what you install on your computer
•  Internet Explorer is considered to be more susceptible to attack than other browsers
–  But others are susceptible too

Spyware examples
•  Gator eWallet: fills out forms and remembers passwords, but also tracks internet movements
•  CoolWebSearch takes advantage of Internet Explorer vulnerabilities. Directs traffic to advertisements on Web sites including coolwebsearch.com. Displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.
•  HuntBar, Wintools, Adware: track IE, …

Finding and Removing it
•  Lots of anti-spyware programs exist
–  But some are actually spyware themselves
•  Windows Defender is good, and free
•  Other anti-virus software can also find some spyware
•  If you think you have an infection, make sure your anti-spyware is up to date, disconnect from the internet, restart in safe mode, and run the anti-spyware software

Web Browser Logging
•  Another kind of spyware monitors the web sites that you visit so that a company can target you with adverts
•  This might be surreptitious (using spyware), or it might be done using cookies
•  Google does a lot of this – for example it reads your email to target adverts accordingly
–  Do you agree with this? Is this ethical?
–  You probably have given permission at some point…

Cookies and Security
•  A cookie is a small file that your browser stores on your computer
–  These are easy to create, read etc. with JavaScript
•  It allows web sites to record a few things about you to make your web browsing experience smoother
•  For example, to keep you logged in from page to page, or to recall items you recently looked at in a shop
–  Without cookies, a server cannot tell who you are
•  Unless it forces you to log in
–  And so cannot personalise its service to you

Controlling Cookies
•  You can turn cookies off altogether, but this renders many sites unusable
–  Perhaps that’s a sign not to use them!
•  Well, not really…
•  You can block certain sites, or only allow certain sites to set/use cookies
•  You can delete some or all cookies whenever you want
–  See https://kb.iu.edu/d/ajfi for information on cookies in a number of browsers
–  What cookies are set on the browser on this machine? http://www.cs.stir.ac.uk/~lss/CSC9B2/javascript/cookies/readcookies.html

Find Out More
http://aboutcookies.org/
http://www.cookiecentral.com

Cookies and Security
•  Cookies generally don’t store sensitive information and, as they reside on your computer, are reasonably private
–  Can be a bit strange if several people share an account on one machine!
•  They are also used by companies to target adverts on web pages
•  There is a European code of practice concerning “Behavioural Advertising”

Advertising
•  Although using the internet is free
–  Equipment costs money
–  People need to get money for the time they spend
•  … and internet advertising is one major method of monetising the internet.
•  Advertising pops up on pages, and the owners of these pages may be
–  Paid to show adverts
–  Paid for each click-through
•  Advertisers want to target their advertising
–  But how should they achieve this?

Your Online Choices
http://www.youronlinechoices.eu
•  Describes how behavioural advertising works
•  Allows you to opt out of it if you want
•  Presents seven key principles

Seven Principles
1.  Notice – transparency about data collection and use practices associated with behavioural advertising, providing consumers with clear, prominent and contextual notice through multiple mechanisms, including an icon in or around advertisements linked to further information and control mechanisms.
2.  User choice – greater consumer control over behavioural advertising.
3.  Data security – appropriate data security and retention of data collected and used for behavioural advertising purposes.
4.  Sensitive segmentation – limitations on the creation of 'interest segments' to specifically target children and on the collection of sensitive personal data collected and used for behavioural advertising.
5.  Education – for consumers and businesses about behavioural advertising and the self-regulatory Framework.
6.  Compliance and enforcement – mechanisms to ensure the effectiveness of the Framework, including a trading seal to be granted to compliant businesses once independently audited and which demonstrates to other businesses that the holder adheres to the obligations under the Framework.
7.  Review – regular review of the Framework to ensure it evolves with developing technology and business practices.

Google Tracking
•  Google’s Gmail reads your emails and presents adverts based on their content
•  It also shows adverts based on what searches you make
•  You can find out what Google “knows” about you on their Ads preferences page www.google.com/settings/ads/onweb

Code Injection
•  HTML can contain executable elements
–  JavaScript specifically
•  Many websites also run SQL
–  Database query
•  … on the server, and these queries may be built from data supplied by the client
•  On occasions vulnerable websites may have code injected on to them
–  Leading to a security breach.
•  Code injection can also occur in other applications as well.

Code injection and its results
•  Code injection is the exploitation of a computer bug that is caused by processing invalid data.
•  Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution.
•  The results of a code injection attack can be disastrous.
–  Wikipedia.

Example
•  http://en.wikipedia.org/wiki/Cross-site_scripting
–  Look at the Non-persistent exploit example
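An added example, not from the slides or the linked article, showing the two injection points the slides name side by side: a SQL query assembled from client input versus a parameterised query, and user input echoed into a page raw versus HTML-escaped. Python standard library only (an in-memory sqlite3 table and html.escape); the users table and the inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a web site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")])
    return conn


def lookup_unsafe(conn, name):
    """The query text is built from client input, so the input is parsed as SQL.
    Even an ordinary name containing a quote changes the statement's structure."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterised query: the driver keeps the input as data, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def unsafe_query_breaks(conn, name):
    """True when the concatenated query no longer parses for this input."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.Error:
        return True


def greeting_unsafe(name):
    """Reflects the input straight into the page, so any markup or script in it is live."""
    return "<p>Hello " + name + "</p>"


def greeting_safe(name):
    """Escapes <, >, & and quotes so the browser shows the text instead of running it."""
    return "<p>Hello " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "O'Brien"))             # ['obrien@example.com']
    print(unsafe_query_breaks(db, "O'Brien"))     # True: the quote broke the SQL
    print(greeting_unsafe("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
```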

Security (yours) summary
•  Keep passwords different and hard to guess
–  And if it’s your site, count login attempts!
•  Maintain up to date anti-virus and anti-malware products, keep your firewall on
•  Be careful what you publish, both personal information and illegal content
•  Know how to manage what information is collected and stored about you