Computer & Web Security

• Security Problems in Computer Use
• Privacy-Protecting Techniques
• Privacy-Protecting Technologies: cryptography, digital signatures & certificates, etc.

Computer Security: Basic Issues
• Different dimensions of the security problem:
  - Securing hardware (e.g. via locks or tags) vs. securing software
  - Preventing damage through system failure (software or hardware) vs. preventing damage through malicious intentional actions (security attacks, theft)
• We will mainly focus on preventing malicious intentional actions on the software level

Types of System Failure
• Hardware: power outage, corrupted disks, hard drive crashes, etc.
• Software:
  - Software crashes – a common problem (have you noticed?)
  - Software does not perform as intended/desired; note that this could be caused by user errors
• While these problems cannot be completely avoided, damage can be greatly reduced…

Avoiding Severe Damage: Backups
• Types of backup:
  - Level-zero backup: copy of the original system when first installed
  - Full backup: copy of every file on the computer
  - Incremental backup: copy of all modified files
• Possible security risks: with automatic backup systems, deleting a file does not put it out of existence

Intentional Security Attacks
• Security risks have greatly increased due to the Internet; no computer is an island
• We focus on security issues related to the Internet, but this will also include basic security for the user’s computer

What do attackers want?
• Scan your system for confidential documents
• Corrupt information on your computer
• Modify your operating system by creating security loopholes
• Steal credit card numbers
• Block access to your system (coordinated attack)
• Press coverage

Big Brother is watching you: traces you leave on the Web
I) User-provided information
• Setting up an account with an online shop, purchasing tickets via the web
  - What legal restrictions govern the use of the information provided? (in the US: few)
  - What privacy policy does the vendor have? (the vendor’s web site should have some information about this!)
  - Note: even simple demographic information may be sufficient for identification (e.g. ZIP-code + birthday)

Further traces you leave
II) Log files
• Ubiquitous; lots of applications and network programs create log files of various activities the user performs
• Web logs: files which are created on the remote web server when a page is downloaded; information stored includes: IP address of the computer that downloaded the web page, time of request, URL requested, username (sometimes), referrer link, web browser used
• Mail logs: created by mail servers, contain at least to: and from:

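An added example, not part of the original slides: a parser for the web-log fields listed above, grouping requests per client IP to show what a server operator can reconstruct. It assumes the Apache/NCSA combined log format; the sample lines, host names and the username alice are constructed.

```python
import re
from collections import defaultdict

# Apache/NCSA "combined" log format (assumed; the slide names the fields, not a format).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines; addresses come from the documentation range 192.0.2.0/24.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2004:10:15:02 +0000] "GET /index.html HTTP/1.0" 200 2326 "http://search.example/?q=flight+prices" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - alice [12/Mar/2004:10:15:40 +0000] "GET /account/orders HTTP/1.0" 200 812 "http://shop.example/index.html" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.77 - - [12/Mar/2004:10:16:05 +0000] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/5.0 (X11; Linux)"
malformed line that a real log may contain
"""

def parse_line(line):
    """Return the fields the slide lists, or None for a line that does not match."""
    m = LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("user", "referrer"):       # "-" means the field was not recorded
        if rec[key] == "-":
            rec[key] = None
    return rec

def profile_by_ip(log_text):
    """Group requests per client IP: pages visited, usernames seen, referring pages."""
    profiles = defaultdict(lambda: {"urls": [], "users": set(), "referrers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                        # skip lines that are not in the assumed format
        p = profiles[rec["ip"]]
        p["urls"].append(rec["url"])
        if rec["user"]:
            p["users"].add(rec["user"])
        if rec["referrer"]:
            p["referrers"].add(rec["referrer"])
    return dict(profiles)
```

Running `profile_by_ip(SAMPLE_LOG)` ties the search query carried in the first referrer to the username that appears in the second request from the same address.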
III) Cookies
• Text file left by a remote web server on your computer; the cookie is sent to the web server every time a web page from that server is requested
• Allows the user to maintain a certain state while requesting different pages; example: shopping cart
• Where are cookies stored?
  - Netscape Navigator: ~/.netscape/cookies
  - Microsoft Explorer: folder Cookies
• Browser preferences can be adjusted so that you can refuse cookies when they are sent

IV) Web Bugs
• Simple to program in HTML:
    <img src="http://…" width=1 height=1 border=0>
• This will alert the specified web server every time the page is viewed; outsourced web site monitoring
• Useful for gathering web use statistics
• Can also be used to check when HTML e-mails are read, or to send personal information encoded in the URL (like Google puts search strings in the URL)

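An added example, not part of the original slides: a check that flags likely web bugs in an HTML page or e-mail, meaning remote images with a width and height of 0 or 1, and lists the data carried in their URLs. The class and function names, the size heuristic and the sample e-mail are assumptions made here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class WebBugFinder(HTMLParser):
    """Collect <img> tags that look like web bugs: invisible images on another host."""

    def __init__(self, page_host=None):
        super().__init__()
        self.page_host = page_host          # host serving the page; None for an e-mail
        self.findings = []

    @staticmethod
    def _tiny(value):
        # Heuristic (assumption): a dimension of 0 or 1 means the image is not meant to be seen.
        return value is not None and value.strip() in ("0", "1")

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlparse(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return                          # relative or embedded image: no remote server contacted
        if url.hostname == self.page_host:
            return                          # same-site image
        if self._tiny(a.get("width")) and self._tiny(a.get("height")):
            self.findings.append({
                "host": url.hostname,
                "params": parse_qs(url.query),   # information encoded in the URL
            })

def find_web_bugs(html, page_host=None):
    """Return one finding per suspected web bug in the given HTML text."""
    finder = WebBugFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed HTML e-mail body; all hosts are reserved example names.
SAMPLE_EMAIL = """
<html><body>
<p>Your order has shipped.</p>
<img src="cid:logo" width="120" height="40">
<img src="http://stats.example/open.gif?uid=1234&amp;msg=42" width=1 height=1 border=0>
</body></html>
"""
```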
Privacy-Protecting Techniques
• Picking a good password (and not writing it down)
• Passwords can be captured by password sniffers when they are transmitted over the network; beware of protocols which do NOT use encryption:
  - FTP (File Transfer Protocol)
  - HTTP (Hypertext Transfer Protocol)
  - POP (Post Office Protocol)
  - TELNET (Remote Terminal Protocol)
  - RLOGIN (Remote Login for UNIX machines)

More Privacy-Protecting Techniques
• Avoiding Spam and Junk Mail
  - Don’t put your e-mail address on your home page, or write “pauly (and now this strange symbol) csc.liv.ac (in you know which country)”
  - Take your e-mail out of online directories
  - Don’t post to public mailing lists
  - Pick an unusual username
  - Address Munging: [email protected]

Privacy-Protecting Technologies
• Antispam Services: analyse your e-mail to check whether it is spam, using AI technology, whitelists + confirmation e-mails, etc.
• Antispam Software: does the same, but runs on your computer; your mail stays where it belongs
• Browsers allow you to refuse cookies

More Privacy-Protecting Technology
• Anonymous Browsing – protecting your IP address
  - Use a public terminal (e.g. at a library)
  - Use a proxy server of your internet service provider; in this case, the proxy server’s IP address is passed on
  - Use anonymous web browsing services; they usually work as proxy servers
• Secure E-mail: encrypt messages before sending

Secure Sockets Layer (SSL)
• Uses a cryptographic protocol for sending information over the web
• Main usage with web pages: https://…
• Browsers will usually tell you whether the current page/document is “secure”
• Example: Booking a flight with a credit card…

Cryptography
[Figure: Encryption Algorithm; labels: Encryption, Decryption]

Symmetric Key Algorithms
• The same key is used for both encryption and decryption
• Sometimes also called private key algorithms
• Used for the bulk encryption of data
• Algorithms are very fast & easy to implement
• There are a large number of possible keys, hence encryption is difficult to crack, hence high level of secrecy
• Example: using an 80-bit key, and assuming that 1 million keys per second can be searched, it will take approx. 38 billion years to try all keys
• Common algorithms: DES, Blowfish, RC2, RC4, RC5
• Problems: parties have to share a secret & private key
  - Both parties need to have a copy of the key
  - I need a different key for every person I want to communicate with; (N^2 - N)/2 keys for N different users

Asymmetric Key Algorithms
• Encryption and decryption keys differ
• For encrypted messaging, the encryption key is public and the decryption key private
• Public key can be published on your web page (see e.g. Benjamin Hirsch)
• Also called public key algorithms
• Algorithms are slower & more difficult to implement and analyse
• Easier to attack than symmetric key algorithms
• Common algorithms: DSA/DSS, RSA
• A further advantage: asymmetric keys can be used for digital signatures; simply make the encryption key private and the decryption key public
• Most “secure” protocols will use a mixture of both symmetric and asymmetric key cryptography
• Example: Use asymmetric key cryptography to exchange a symmetric key, and use that key for encrypting the main data

Conclusions
• Keys are still stored somewhere on the system
• Hence, in spite of everything that’s been said, there is no perfect security
• Still, you can be aware of the security risks, and of some of the ways to improve security