C/IL 102
Public cables used to transmit data between computers
Data sent in packets (about 1000 bytes)
◦ Packets could be analyzed by other intermediary computers (credit card numbers, etc.)
About as private as a postcard traveling via snail mail
◦ Internet Service Providers
◦ Employers, etc.
Healthcare professionals
◦ No patient info in e-mail
Use Web-based account (example: Yahoo)
Secure e-mail through encryption
Networks can be ‘snooped’
◦ Even IM content is not secure
Packet Sniffer
IM
◦ IMSecure (ZoneAlarm)
◦ Simp (Secway)
◦ AIM Pro (AIM)
E-mail and IM
◦ PGP Desktop
PGP – Pretty Good Privacy
◦ Encryption security for e-mail and IM
◦ ‘Certificates’ are used to digitally sign e-mail
◦ Can secure portions of your hard drive, too!
◦ Windows and Mac platforms
PC Magazine Article April 2008
Packet sniffer – good (tool for network administrators)
◦ Analyzes network traffic
◦ Detects intrusion attempts
Packet sniffer – not-so-good
◦ Can be used to ‘snoop’
Browser transmits:
◦ IP Address of your machine
◦ IP Address of machine responding to request
◦ Operating System of your machine (Windows XP, Windows Vista, Linux 7.0.2, Macintosh OS X 10.2.6)
◦ Browser you are using (Internet Explorer 6 or Mozilla Firefox 4.6); different HTML tags work with some browsers but not others
IP Address (both sender and receiver)
◦ Logs where URL requests come from
◦ Usage info (demand for Web pages)
Login Information (logs)
◦ When, how long, etc.
◦ Can pinpoint activity on a computer
Cookies
A small piece of information that a Web site saves on your computer when you visit the site
Browser maintains list of cookies
Web site may then determine something about your past involvement at that site
◦ It ‘remembers’ you!
Impact on Privacy
◦ Advantages
  - Personalize interactions with Web sites
  - Tailor to preferences and interests
◦ Disadvantages
  - Web Beacons / Web Bugs
  - Small (1 x 1 pixel) image
  - Tracks references to URL (usage details)
  - Foreign cookies, third-party cookies
  - Common for commercial Web sites (Ex. Yahoo!)
  - Tracks contacts your computer has with Web sites
  - Allows e-commerce folks to promote products ($$$$) and refine marketing (through advertising)
Yahoo Privacy Policy
◦ No two-seater sports car ads for me!
Yahoo Web Beacon Policy
◦ Yahoo Web Beacons
Could delete cookies from your hard drive, but lose convenience
◦ Different from “history” file
Check Privacy Policy of commercial sites
◦ How will they use your information?
Check privacy policy of company or ISP whose computer you use
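The web beacon and third-party cookie points above can be checked mechanically. The following is an added example (not from the slides or from any vendor) that scans a constructed HTML page for 1 x 1 pixel images served by a domain other than the page's own, and sorts a constructed set of Set-Cookie headers into first-party and foreign cookies. The page URL, hostnames and cookie values are all made up, and the "registrable domain" helper is a deliberate simplification (last two labels, not a Public Suffix List lookup).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; none of these hosts are real sites.
PAGE_URL = "https://news.example/article"
SAMPLE_HTML = """
<html><body>
<img src="https://news.example/logo.png" width="200" height="80">
<img src="https://ads.tracker-example.net/pixel.gif?uid=42" width="1" height="1">
<img src="/images/banner.jpg">
<img src="https://stats.tracker-example.net/b.gif" width=1 height=1 style="display:none">
</body></html>
"""

# Constructed Set-Cookie headers as they might arrive while loading the page above,
# each paired with the host that sent it.
SAMPLE_COOKIES = [
    ("news.example", "session=abc123; Path=/; Secure"),
    ("ads.tracker-example.net", "uid=42; Expires=Wed, 01 Jan 2030 00:00:00 GMT"),
    ("stats.tracker-example.net", "visitor=9f8e; Path=/"),
]


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels. Fine for the sample, not a PSL lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_third_party(resource_host, page_host):
    """A resource is 'foreign' when its registrable domain differs from the page's."""
    return registrable_domain(resource_host) != registrable_domain(page_host)


class ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def find_web_beacons(html, page_url):
    """Return src of <img> tags that look like web bugs: 1x1 pixel and third-party."""
    page_host = urlparse(page_url).hostname
    parser = ImgCollector()
    parser.feed(html)
    beacons = []
    for img in parser.images:
        src = img.get("src", "")
        host = urlparse(src).hostname
        if host is None:  # relative URL: same site, so never a third-party beacon
            continue
        tiny = img.get("width") == "1" and img.get("height") == "1"
        if tiny and is_third_party(host, page_host):
            beacons.append(src)
    return beacons


def classify_cookies(cookies, page_url):
    """Split (sending host, Set-Cookie header) pairs into first- and third-party lists."""
    page_host = urlparse(page_url).hostname
    first, third = [], []
    for host, header in cookies:
        name = header.split("=", 1)[0].strip()
        (third if is_third_party(host, page_host) else first).append((host, name))
    return first, third


if __name__ == "__main__":
    print("Likely web beacons:", find_web_beacons(SAMPLE_HTML, PAGE_URL))
    first, third = classify_cookies(SAMPLE_COOKIES, PAGE_URL)
    print("First-party cookies:", first)
    print("Third-party (foreign) cookies:", third)
```

The two tracker images are flagged because they are both one pixel square and hosted off-site; the site's own logo is neither, and the relative banner URL is skipped outright. The same domain comparison is what a browser's "block third-party cookies" setting applies to each Set-Cookie header.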
Encrypt data
◦ Scramble data so that it cannot be read
◦ HTTPS – encrypts before data is sent and decrypts when received (Secure Hypertext Transfer Protocol)
Even with encryption, theft is possible
◦ Data obtained before actual encryption
◦ Keyboard Sniffer
Monitor Use of Computer and Installed Programs
◦ If you ask browser to record data typed into forms
Monitor others using your computer and account information
Encoding information – cryptography
◦ Dan Brown’s “DaVinci Code” and “Digital Fortress”
The Caesar Cipher
◦ Julius Caesar encoded messages by replacing each letter with the 3rd letter after it in the alphabet (a=d, b=e, z=c, etc.)
◦ Improve: use cipher alphabet BUT use different shifts for subsequent letters
  - 1st letter = shift by 3 letters
  - 2nd letter = shift by 1 letter
  - 3rd letter = shift by 4 letters
  - Pi = 3.1415926
◦ What would ‘Hello’ be?
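Working through the two ciphers above as an added example (this code is not from the slides): a plain shift-by-3 Caesar cipher, and the improved version where each successive letter is shifted by the next digit of pi. Assumptions made here that the slide leaves open: the digit sequence repeats once it runs out, letters keep their case, and punctuation and spaces pass through unchanged without consuming a digit. The last function tries all 26 shifts against a Caesar ciphertext, which is the brute-force idea the deck returns to in the password section and the reason a fixed shift offers no real protection.

```python
import string

ALPHABET = string.ascii_lowercase
PI_DIGITS = "31415926"  # the digits written on the slide, used as successive shifts


def shift_letter(ch, k):
    """Shift one ASCII letter k places round the alphabet, keeping case; pass others through."""
    if ch.isascii() and ch.isalpha():
        base = ord("A") if ch.isupper() else ord("a")
        return chr(base + (ord(ch) - base + k) % 26)
    return ch


def caesar(text, k=3):
    """Classic Caesar cipher: the same shift for every letter (k=3 gives a=d, z=c)."""
    return "".join(shift_letter(ch, k) for ch in text)


def pi_shift(text, digits=PI_DIGITS, decrypt=False):
    """Shift the 1st letter by digits[0], the 2nd by digits[1], ... cycling when digits run out.
    Only letters consume a digit (assumption: the slide does not say how to treat spaces)."""
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            k = int(digits[i % len(digits)])
            out.append(shift_letter(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def all_caesar_shifts(ciphertext):
    """Brute force: every possible key is one of only 26 shifts, so try them all."""
    return {k: caesar(ciphertext, -k) for k in range(26)}


if __name__ == "__main__":
    print("Caesar  :", caesar("Hello"))                       # Khoor
    print("Pi shift:", pi_shift("Hello"))                     # Kfpmt
    print("Back    :", pi_shift(pi_shift("Hello"), decrypt=True))
    for k, guess in all_caesar_shifts("Khoor").items():
        print(f"shift {k:2d}: {guess}")
```

With the slide's shifts 3, 1, 4, 1, 5 applied letter by letter, ‘Hello’ becomes ‘Kfpmt’ (H+3=K, e+1=f, l+4=p, l+1=m, o+5=t), whereas the plain Caesar gives ‘Khoor’. Note that the varying shift defeats the 26-try brute force of `all_caesar_shifts` only as long as the digit sequence stays secret; it is still a short repeating key.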
Public-key systems
◦ Used with modern computer systems
◦ Complex mathematical formulas
◦ Person wishing to receive messages will publish public key (often 128 bits – the larger the key, the longer to break; example: 1000 years)
◦ Important for e-commerce (secure sites)
◦ PGP – Pretty Good Privacy – protects data in storage, too
Public key is for encryption
Private key is for decryption
◦ Debate over public key encryption
  - Terrorists use encryption
  - Yet, needed for e-commerce growth
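To make "public key encrypts, private key decrypts" concrete, here is an added textbook-RSA example (not from the slides and not how PGP or TLS implement it in practice). The primes 61 and 53 are tiny so the arithmetic is readable; real keys use primes hundreds of digits long, and real systems add randomized padding (OAEP) rather than encrypting one byte at a time as done here. The final function recovers the private key from the public one by factoring the modulus, which only succeeds because the modulus is small: that is the "larger the key, longer to break" point from the slide.

```python
from math import gcd, isqrt


def make_keypair(p, q, e=17):
    """Textbook RSA key generation from two primes.
    Returns (public_key, private_key) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)  # public key is published; private key is kept secret


def encrypt(public_key, message: bytes):
    """Encrypt with the PUBLIC key, one byte per number (demo only: deterministic, no padding)."""
    e, n = public_key
    if n <= 255:
        raise ValueError("modulus must exceed the largest byte value")
    return [pow(b, e, n) for b in message]


def decrypt(private_key, ciphertext):
    """Decrypt with the PRIVATE key: m = c^d mod n undoes c = m^e mod n."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def recover_private_key(public_key):
    """Factor n by trial division and rebuild d. Feasible only for a toy modulus;
    for a real key size this search would not finish in any useful time."""
    e, n = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (pow(e, -1, (p - 1) * (q - 1)), n)
    raise ValueError("no factor found")


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)  # constructed toy primes
    ct = encrypt(pub, b"Hi")
    print("public key :", pub)
    print("private key:", priv)
    print("ciphertext :", ct)
    print("decrypted  :", decrypt(priv, ct))
    # Applying the public exponent again does NOT recover the message.
    print("public exponent applied to ciphertext:", [pow(c, pub[0], pub[1]) for c in ct])
    print("private key recovered by factoring   :", recover_private_key(pub))
```

Anyone can run `encrypt` with the published key, but only the holder of `d` can reverse it; the sender never needs a shared secret, which is what makes the scheme usable between strangers on an e-commerce site.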
TLS/SSL – Transport Layer Security/Secure Sockets Layer
◦ Web browsers
◦ Protects data in transit over a network
Wireless networks
◦ Passwords control which computers and users access the network
◦ Encryption and Authentication
Encryption:
◦ WEP (Wired Equivalent Privacy) – protects against casual snooping; no longer recommended (can be cracked in minutes)
◦ WPA (Wi-Fi Protected Access) – works with all wireless network adapters but not all older routers or access points
◦ WPA2 (Wi-Fi Protected Access 2) – more secure than WPA; will not work with some older network adapters
Prevents ‘Piggybacking’
◦ Tapping into someone else’s wireless Internet connection without proper authorization
◦ Illegal in some states
NY Times Article 2006
Password problems:
◦ Easily guessed (40-50%)
◦ Share passwords
◦ Post password next to computer
◦ Passwords too short
Use ‘strong’ passwords
◦ Mix numbers and letters; mix case
◦ The longer the better (6-8 chars or longer)
  - Brute Force – trying every combination until password is determined
◦ Pet, kids and spouse names make bad passwords
◦ Be inconsistent – use different passwords for different sites (I know…hard to do!)
◦ Change passwords often
Google
◦ Modify saved search logs after 18 months
◦ Will pull cookie ID from record and clear final numbers of IP address
Microsoft MSN
◦ Anonymize search logs after 18 months; clear entire IP address
Yahoo
◦ Anonymize logs after 3 months (was 13 months)
European Union
◦ Discard data after 6 months
In response to AOL release of Internet searches over a 3-month period (2006)
PC World Article
Yahoo to Scrub Personal Data After 3 Months (Dec. 2008)
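The retention rules above boil down to a small data-minimisation job: after N months, strip the identifying fields from each search record. The following is an added example (not code from any of the companies named) that encodes the rules as stated on the slide and applies them to a constructed search log. Only Google's rule spells out both fields ("pull cookie ID" and "clear final numbers of IP address"); the cookie handling for MSN, Yahoo and the EU policy is an assumption for the demo and is marked as such in the code. Addresses come from the 203.0.113.0/24 documentation range.

```python
import re
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Policy:
    name: str
    retention_months: int
    ip_mode: str          # "truncate": clear the final octet; "drop": remove the whole address
    drop_cookie_id: bool


# Retention periods and IP handling as the slide states them. Cookie handling for the
# last three is NOT on the slide; True here is an assumption for the demo.
GOOGLE = Policy("Google", 18, "truncate", drop_cookie_id=True)
MSN = Policy("Microsoft MSN", 18, "drop", drop_cookie_id=True)      # cookie handling assumed
YAHOO = Policy("Yahoo", 3, "drop", drop_cookie_id=True)            # IP and cookie handling assumed
EU = Policy("European Union", 6, "drop", drop_cookie_id=True)      # IP and cookie handling assumed


@dataclass(frozen=True)
class SearchRecord:
    when: date
    ip: str
    cookie_id: str
    query: str


# Constructed sample log; no real users or queries.
SAMPLE_LOG = [
    SearchRecord(date(2007, 1, 15), "203.0.113.42", "PREF=a1b2c3", "flu symptoms"),
    SearchRecord(date(2008, 7, 1), "203.0.113.77", "PREF=d4e5f6", "divorce lawyer"),
    SearchRecord(date(2008, 10, 20), "203.0.113.9", "PREF=g7h8i9", "weather"),
]

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def truncate_ipv4(ip):
    """Clear the final octet, e.g. 203.0.113.42 -> 203.0.113.0 (keeps the /24, loses the host)."""
    m = IPV4.match(ip)
    if not m:
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(m.groups()[:3]) + ".0"


def months_between(start, end):
    """Whole months elapsed from start to end (a partial month does not count)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return months


def anonymize(record, policy):
    """Strip identifiers from one record according to the policy."""
    ip = truncate_ipv4(record.ip) if policy.ip_mode == "truncate" else ""
    cookie = "" if policy.drop_cookie_id else record.cookie_id
    return replace(record, ip=ip, cookie_id=cookie)


def apply_policy(log, policy, today):
    """Return a new log where every record older than the retention period is anonymized."""
    return [
        anonymize(r, policy) if months_between(r.when, today) >= policy.retention_months else r
        for r in log
    ]


if __name__ == "__main__":
    today = date(2008, 12, 1)  # constructed 'now' for the demo
    for policy in (GOOGLE, MSN, YAHOO, EU):
        print(policy.name)
        for r in apply_policy(SAMPLE_LOG, policy, today):
            print("  ", r.when, repr(r.ip), repr(r.cookie_id), r.query)
```

Run against a "today" of 1 December 2008, the January 2007 record is 22 months old and is scrubbed under every policy, the July 2008 record (5 months) is scrubbed only under Yahoo's 3-month rule, and the October 2008 record is untouched everywhere. Note what anonymization does not remove: the query text itself, which is exactly what made the 2006 AOL release identifying.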
Facebook Profiles – Personal Information
Search engines have access to public profile information on Facebook
◦ “Identity fraudsters and phishers – scammers who pose as one of their target's friends, encouraging them to click on a message that downloads a virus onto a computer – are among the prime candidates for abusing such information.”
Social Engineering issue
10 Privacy Settings Every Facebook User Should Know
No such thing as 100% security:
◦ Make sure Operating System is up-to-date (automatic update/service packs)
◦ Use anti-malware programs/Security Suites (keep updated)
◦ Use a bidirectional firewall
◦ Use additional anti-spyware scanners (Spybot S&D, Adaware, Windows Defender)
◦ Secure wireless network (WEP/WPA/WPA2)
◦ Use unique (strong) passwords
◦ Consider using a different browser – Internet Explorer is a popular target (Opera, Firefox)
◦ Use encryption (E-mail, IM – example ‘PGP Desktop’)
◦ Backup important files (ex. storms, hardware failure)
◦ Be mindful of “social engineering” issues
◦ Turn computer OFF when not in use
Key terms: Anonymize Search Logs, Caesar Cipher, Certificates, Cookies, Decryption, E-mail / IM Security, Encryption, Facebook Issues, HTTPS, IP Address, Keyboard Sniffer, Packet Sniffer, Passwords, PGP, Piggybacking, Privacy Issues, Privacy Policy, Public-Key System, Routinely Transmitted Info., Security (Steps), Third-party Cookie / Foreign Cookie, TLS / SSL, URL, Web Beacon / Web Bug, Wireless Security, WEP / WPA / WPA2