C/IL 102
Page 1: C/IL 102 Security Controls access to your data

C/IL 102

Page 2: C/IL 102 Security Controls access to your data

Security
◦ Controls access to your data
◦ Only you and those you designate have access to data

Safety
◦ Process that guarantees the availability of your data
◦ Makes sure data is not lost

Page 3: C/IL 102 Security Controls access to your data

Browser transmits:
◦ IP Address of your machine
◦ IP Address of machine responding to request
◦ Operating System of your machine
  Examples: Windows XP, Windows Vista, Linux 7.0.2, Macintosh OS X 10.2.6
◦ Browser you are using
  Internet Explorer 8 or Mozilla Firefox 3.5.5
  Different HTML tags work with some browsers but not others
◦ Other stuff, too

Page 4: C/IL 102 Security Controls access to your data

A small piece of information that a Web site saves on your computer when you visit the site

Browser maintains list of cookies

Web site may then determine something about your past involvement at that site
◦ It ‘remembers’ you!

Page 5: C/IL 102 Security Controls access to your data

Impact on Privacy
◦ Advantages
  Personalize interactions with Web sites
  Tailor to preferences and interests
◦ Disadvantages
  Web Beacons / Web Bugs
    Small (1 x 1 pixel) image
    Tracks references to URL (usage details)
  Foreign cookies, third-party cookies
    Common for commercial Web sites (Ex. Yahoo!)
    Tracks contacts your computer has with Web sites
    Allows e-commerce folks to promote products ($$$$) and refine marketing (through advertising)

Page 6: C/IL 102 Security Controls access to your data

Yahoo Privacy Policy
◦ “Yahoo! displays targeted advertisements based on personal information. Advertisers (including ad serving companies) may assume that people who interact with, view, or click targeted ads meet the targeting criteria—for example, women ages 18-24 from a particular geographic area.”

Yahoo Web Beacon Policy
◦ Yahoo Web Beacons

A Web beacon:
◦ Can be detected by viewing the source code of a Web Page
◦ Look for any IMG tags that load from a different server than the rest of the site.
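
The IMG-tag check described above can be automated. The following Python sketch is an added example, not part of the original slides; the sample page and its host names (shop.example, cdn.partner.example, tracker.example) are constructed, and using a declared 1 x 1 size as the beacon signal is an assumption based on the slide's description.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class BeaconFinder(HTMLParser):
    """Collect IMG tags whose source is served by a different host than the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")  # resolve relative URLs
        host = urlparse(src).hostname
        if host is None or host == self.page_host:
            return  # same server as the rest of the site
        # A declared size of 1 x 1 pixel is the classic web bug shape.
        tiny = a.get("width") == "1" and a.get("height") == "1"
        self.findings.append({"src": src, "host": host, "one_pixel": tiny})


def find_beacons(html, page_url):
    """Return every off-site image in `html`, flagging the 1 x 1 ones."""
    finder = BeaconFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page (not taken from any real site).
SAMPLE = """
<html><body>
<img src="/images/logo.png" width="200" height="60">
<img src="https://cdn.partner.example/banner.jpg" width="468" height="60">
<img src="https://tracker.example/b.gif?uid=12345" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for f in find_beacons(SAMPLE, "https://www.shop.example/index.html"):
        kind = "likely web beacon" if f["one_pixel"] else "third-party image"
        print(f"{kind}: {f['src']}")
```

The comparison is by exact host name, so an image served from another subdomain of the same site is also reported and needs a manual look.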

Page 7: C/IL 102 Security Controls access to your data

Could delete cookies from your hard drive, but lose convenience
◦ Different from “history” file

Can configure Browser to disable cookies
◦ However, many sites will not work properly, including U of S site (my.scranton.edu)

Check Privacy Policy of commercial sites
◦ How will they use your information?

Check privacy policy of company or ISP whose computer you use

Page 8: C/IL 102 Security Controls access to your data

Public cables used to transmit data between computers
Data sent in packets (about 1000 bytes)
Packets could be analyzed by other intermediary computers (credit card numbers, etc.)

Page 9: C/IL 102 Security Controls access to your data

About as private as a postcard traveling via snail mail
◦ Internet Service Providers
◦ Employers, etc.

Healthcare professionals
  No patient info in e-mail

Use Web-based account (example: Yahoo)
Secure e-mail through encryption

Page 10: C/IL 102 Security Controls access to your data

Networks can be ‘snooped’
Even IM content is not secure

Packet Sniffer

Page 11: C/IL 102 Security Controls access to your data

Look Here!

Packet Sniffer

Page 12: C/IL 102 Security Controls access to your data

Tool for network administrators
◦ Allows users to ‘listen’ to network traffic (analyze)
◦ Detects intrusion attempts and network problems (legitimate use)

But…
◦ Can be used to ‘snoop’

Page 13: C/IL 102 Security Controls access to your data

IM
◦ IMSecure (ZoneAlarm)
◦ Simp (Secway)
◦ AIM Pro (AIM)

E-mail and IM
◦ PGP Desktop
  PGP – Pretty Good Privacy
  Encryption Security for e-mail and IM
  ‘Certificates’ are used to digitally sign e-mail
  Can secure portions of your hard drive, too!
  Windows and Mac platform

PC Magazine Article April 2008

Page 14: C/IL 102 Security Controls access to your data

Encrypt data
◦ Scramble data so that it cannot be read as data passes from computer to computer
◦ HTTPS – encrypts before data is sent and decrypts when received (Secure Hypertext Transfer Protocol)

Decrypt data
◦ Unscramble data on receiving end of message

Example: GNU Privacy Guard (Also known as: GPG)
◦ It’s free software: available for Windows, Mac, FreeBSD, Linux, etc.

Page 15: C/IL 102 Security Controls access to your data

Even with Encryption, theft is possible
◦ Data obtained before actual encryption
◦ Keyboard Sniffer

Monitor Use of Computer and Installed Programs
◦ If you ask browser to record data typed into forms

Monitor others using your computer and account information

Page 16: C/IL 102 Security Controls access to your data

Encoding information – cryptography
◦ Dan Brown’s “DaVinci Code” and “Digital Fortress”

The Caesar Cipher
◦ Julius Caesar encoded messages by replacing each letter with the 3rd letter after it in the alphabet (a=d, b=e, z=c, etc.)
◦ Improve: use cipher alphabet BUT use different shifts for subsequent letters
  1st letter = shift by 3 letters
  2nd letter = shift by 1 letter
  3rd letter = shift by 4 letters
  Pi = 3.1415926
◦ What would ‘Hello’ be?
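
A worked version of the two schemes on this slide, as an added example that is not part of the original slides: the fixed shift-by-3 Caesar cipher and the improved variant that takes each letter's shift from the digits of Pi. Repeating the digit list for messages longer than eight letters is an assumption; the slide does not say what happens after the last digit.

```python
PI_DIGITS = [3, 1, 4, 1, 5, 9, 2, 6]  # digits of Pi = 3.1415926, as on the slide


def shift_char(ch, shift):
    """Shift one letter by `shift` places, wrapping z -> a and keeping case."""
    if not (ch.isascii() and ch.isalpha()):
        return ch  # spaces, digits and punctuation pass through unchanged
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + shift) % 26 + base)


def caesar(text, shift=3):
    """Classic Caesar cipher: every letter uses the same shift (a=d, b=e, z=c)."""
    return "".join(shift_char(c, shift) for c in text)


def pi_cipher(text, decrypt=False, digits=PI_DIGITS):
    """Shift the n-th letter by the n-th digit of Pi.

    Assumption: the digit list repeats once it is used up.
    """
    out, n = [], 0
    sign = -1 if decrypt else 1
    for ch in text:
        if ch.isascii() and ch.isalpha():
            out.append(shift_char(ch, sign * digits[n % len(digits)]))
            n += 1  # only letters consume a digit
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    msg = "Hello"
    print("Caesar  :", caesar(msg))
    print("Pi shift:", pi_cipher(msg))
    print("Decrypt :", pi_cipher(pi_cipher(msg), decrypt=True))
```

With the fixed shift both l's in ‘Hello’ encrypt to the same letter; with the Pi shifts they encrypt to different letters, which is what the improvement buys.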

Page 17: C/IL 102 Security Controls access to your data

Public-key systems
◦ Used with modern computer systems
◦ Complex mathematical formulas
◦ Person wishing to receive messages will publish public key (often 128 bits – larger the key – longer to break)
  Example: 1000 years
◦ Important for e-commerce (secure sites)
◦ PGP – Pretty Good Privacy – protects data in storage, too
  Public key is for encryption
  Private key is for decryption
◦ Debate over public key encryption
  Terrorists use encryption
  Yet, needed for e-commerce growth
  ‘Key Escrow’ – was proposed, not adopted (key provided to gov’t)

TLS/SSL – Transport Layer Security/Secure Sockets Layer
◦ Web browsers
◦ Protects data in transit over a network

Page 18: C/IL 102 Security Controls access to your data

Wireless networks
◦ Passwords control what computers and users access network

Encryption and Authentication

Encryption:
  WEP (Wired Equivalency Privacy)
    Protects against casual snooping
    No longer recommended – crack in minutes
  WPA (Wi-Fi Protected Access)
    Works with all wireless network adapters but not all older routers or access points
  WPA2 (Wi-Fi Protected Access)
    More Secure than WPA
    Will not work with some older network adapters

Page 19: C/IL 102 Security Controls access to your data

Prevents ‘Piggybacking’
Tapping into someone else’s wireless Internet connection without proper authorization
Apartment complex
Neighborhoods
Illegal in some states

NY Times Article 2006

Page 20: C/IL 102 Security Controls access to your data

Easily guessed (40-50%)
Share passwords
Post password next to computer
Passwords too short

Page 21: C/IL 102 Security Controls access to your data

Use ‘strong’ passwords
◦ Mix numbers and letters; mix case (upper and lower)
◦ The longer the better (6-8 chars or longer)
  Brute Force – trying every combination until password is determined
◦ Pet, kids and spouse names make bad passwords
◦ Be inconsistent – use different passwords for different sites (I know…hard to do!)
◦ Change passwords often

Page 22: C/IL 102 Security Controls access to your data

No such thing as 100% security:
◦ Make sure Operating System is up-to-date (automatic update/service packs)
◦ Use anti-malware programs/Security Suites (update)
◦ Use a bidirectional firewall
◦ Use additional anti-spyware scanners (Spybot S&D, Adaware, Windows Defender)
◦ Secure wireless network (WEP/WPA/WPA2)
◦ Use unique (strong) passwords
◦ Consider using different browser – Internet Explorer is a popular target (Opera, Firefox)
◦ Use encryption (E-mail, IM - example ‘PGP Desktop’)
◦ Backup important files (ex. storms, hardware failure)
◦ Be mindful of “social engineering” issues
◦ Turn computer OFF when not in use

Page 23: C/IL 102 Security Controls access to your data

Caesar Cipher
Certificates
Cookies
Cryptography
Decryption
E-mail / IM Security
Encryption
HTTPS
IP Address
Keyboard Sniffer
Key Escrow
Packet Sniffer
Passwords
PGP
Piggybacking
Privacy Issues
Privacy Policy
Public-Key System
Routinely Transmitted Info.
Security (Steps)
Third-party Cookie / Foreign Cookie
TLS / SSL
URL
Web Beacon / Web Bug
Wireless Security
WEP / WPA / WPA2