Transcript Tutorial 9

Tutorial 9
Securing and Enhancing Your
Use of the Internet
Internet Security and Browser Extensions
New Perspectives on The Internet, Fifth Edition—
Comprehensive, 2005 Update Tutorial 9
Objectives
• Investigate the different kinds of computer threats.
• Identify countermeasures for protecting yourself and
your computer while using the Internet.
• Learn how to protect copyrighted materials that are
published on the Internet.
Objectives
• Learn how to enhance your Web browser with
browser extensions.
• Use popular plug-ins to view animated Web site
content.
• Locate and use browser extensions.
Security Overview
• Security is broadly defined as the protection of
assets from unauthorized access, use, alteration, or
destruction.
• Physical security includes tangible protection
devices, such as locks, alarms, fireproof doors,
security fences, safes or vaults, and bombproof
buildings.
• Protection of assets using non-physical means is
called logical security.
Security Overview
• Logical security may also be broadly called computer security.
• Any act or object that endangers an asset is known as a threat.
• Countermeasure is the general name for a procedure, either
physical or logical, that recognizes, reduces, or eliminates a
threat.
• Countermeasures are matched to the threat: some only recognize
and manage a threat (for example, by limiting its impact), while
others eliminate it.
Risk Management Model
The model plots each threat by its probability and its impact (cost)
and matches a countermeasure to each quadrant:
• High probability, low impact: contain and control
• High probability, high impact: prevent
• Low probability, low impact: ignore
• Low probability, high impact: insurance or backup plan
Security Overview
• To implement a good security scheme, you identify
the risk, determine how you will protect the affected
asset, and calculate the cost of the resources you
can allocate to protect the asset.
• Computer security can be classified into several
categories:
 - Secrecy
 - Integrity
 - Necessity
Security Overview
• Secrecy (also called confidentiality) prevents unauthorized data
disclosure. Verifying the authenticity of the data's source is a
separate goal, authentication, which is covered later in this tutorial.
• Integrity prevents unauthorized data modification.
• Necessity (also called availability) prevents data delays (slowing
down the transmission of data) or denials (preventing data from
getting to its destination).
• Internet users and businesses with Web sites need to take
appropriate countermeasures in each of these three categories
to protect themselves and the computers they use to connect to
the Internet.
Encryption
• Encryption is the process of coding information using a
mathematical algorithm and a secret key to produce a string of
characters that is unreadable without the key.
• The process of reversing encrypted text is called decryption. In
order to decrypt text, you need the matching key to "unlock" it.
• Encrypted information is called cipher text.
• Unencrypted information is called plain text.
• Cryptography is the study and practice of these techniques:
transforming plain text into cipher text and back, together with the
related methods (message digests, digital signatures, key exchange)
described later in this tutorial.
Encryption
• Private-key encryption (symmetric encryption)
uses a single key that is known by both the sender and
receiver and is used for both encryption and decryption.
• The key might be derived from a password or generated
by a random number generator or a special hardware device.
• Private-key encryption works well in a highly
controlled environment, because the two parties must first
agree on the key over a channel that an eavesdropper cannot
read. Distributing a key to every pair of users on the open
Internet is the hard part, and it is the problem that
public-key encryption solves.
Private-key (Symmetric) Encryption
[Figure: sender and receiver share one common key; the sender
encrypts with it and the receiver decrypts with the same key.]
Encryption
• Public-key encryption (asymmetric encryption) uses two
different keys: a public key and a private or secret key.
• The public key is known to everyone.
• The private or secret key is known only to the person who
owns both keys.
• With public-key encryption, each person has a private key
that is secret and a public key that is shared with other users.
• Anything encrypted with the public key can be decrypted only with
the matching private key, so anyone can send the owner a message
that only the owner can read. The reverse direction, in which the
owner transforms data with the private key and anyone can check the
result with the public key, does not keep data secret; it is the
basis of digital signatures.
Public-key (Asymmetric) Encryption
[Figure: the sender encrypts with the recipient's public key; the
recipient decrypts with the matching private key.]
Encryption
• Encryption is considered to be weak or strong based on its
algorithm and the length of the encryption key, measured in bits.
• An algorithm is a formula or set of steps to solve a
particular problem.
• A cracker is a person who uses his or her knowledge of
computers and programming to gain unauthorized access
to a computer for the purpose of stealing or altering data.
• Symmetric keys that are 128 bits long are called strong keys:
trying every possible key (2^128 of them) is far beyond any
cracker's reach. Public-key algorithms need much longer keys for
the same strength (RSA keys of 2048 bits or more), because their
keys have mathematical structure that can be attacked faster than
brute force.
Using Certificates for
Authentication and Identification
• Phishing is an attack involving phony e-mail messages that
include links to spoofed Web sites that "fish" for information
such as passwords and account numbers.
• Authentication is a general term for the process of correctly
verifying the identity of a person or a Web site.
• The primary countermeasure for authenticating Web sites (and,
less often, people) is a digital certificate.
• A digital certificate is a file, signed by a trusted third party,
that binds a public key to a person's or organization's name and
contains sufficient information to authenticate that identity.
The certificate itself is public and is not encrypted; what must
be protected (usually with a password) is the private key that
goes with it.
Using Certificates for
Authentication and Identification
• A digital certificate is an electronic equivalent of an
identification card.
• A certificate authority (CA) is a trusted third party that
verifies the certificate holder's identity and issues the
digital certificate.
• A digital ID (personal certificate) is used to identify a
person to other people and to Web sites that are set up to
accept digital certificates.
• A digital ID is an electronic file that you purchase from a
certificate authority and install into a program that uses it,
such as an e-mail program or a Web browser.
Using Certificates for
Authentication and Identification
• The digital ID authenticates the user; the private key that goes
with it lets the user sign data (so any alteration can be detected)
and lets others encrypt data so that only the user can read it.
• A server certificate (SSL Web server certificate)
authenticates a Web site for its users so the user can be
confident that the Web site is genuine and not an imposter.
• A server certificate also lets the browser set up an encrypted
SSL/TLS connection to the server, so that data passing between the
user's computer and the server cannot be read, or altered without
detection, by anyone who intercepts it. The certificate proves the
server's identity; the encryption comes from the session keys the
two sides agree on once that identity has been verified.
Processing a Certificate
[Figure: the server presents its certificate to each connecting
client (client 1, client 2), which verifies it before continuing.]
Using Certificates for
Authentication and Identification
• User identification is the process of identifying yourself to a
computer.
• Most computer systems implement user identification with user
names and passwords; the combination of a user name and
password is sometimes called a login.
• To help keep track of their login information for different
computers and Web sites, some people use a program called a
password manager, which stores login information in an
encrypted form on their computer.
Using Certificates for
Authentication and Identification
• Crackers can run programs that create and enter
passwords from a dictionary or a list of commonly used
passwords (a dictionary attack).
• A brute force attack occurs when a cracker uses a
program to enter character combinations until the system
accepts a user name and password, thereby gaining
access to the system. Long passwords that are not dictionary
words, and systems that limit the number of failed login
attempts, are the countermeasures.
• User authentication is the process of associating a
person with his or her identification with a very high level of
assurance.
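The dictionary attack described above, and the password-storage scheme that blunts it, as an added example (this is not code from the tutorial). The wordlist and the "leaked" hashes are constructed for the demo; the PBKDF2 iteration count is an illustrative assumption.

```python
"""Dictionary attack against stored password hashes, and the storage
scheme that blunts it (added example). The wordlist and the 'leaked'
hashes below are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed wordlist, standing in for the multi-million-entry lists
# crackers actually use.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2005"]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: the kind of fast hash a naive site might store."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Try every word in the list; return the password that matches, or None.
    A brute force attack is the same loop over all character combinations."""
    for guess in wordlist:
        if fast_hash(guess) == target_hash:
            return guess
    return None


def make_record(password: str, iterations: int = 100_000):
    """Store a random per-user salt and a slow, salted hash (PBKDF2-HMAC-SHA256).
    The salt makes precomputed tables useless, and the iteration count
    (an assumed value here) makes every guess cost thousands of hashes."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, stored


def check_password(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    leaked = fast_hash("letmein")
    print("fast unsalted hash cracked as:", dictionary_attack(leaked))
    rec = make_record("letmein")
    print("salted record verifies:", check_password("letmein", rec))
```

Two users with the same password get different salted records, so a cracker cannot reuse one cracked hash against the other, and each guess costs the full iteration count.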
Secure Sockets Layer (SSL)
• Secure Sockets Layer (SSL) is a widely used protocol that acts
as a separate layer or "secure channel" on top of the TCP/IP
Internet protocol. Its successor, Transport Layer Security (TLS),
works the same way and has replaced the original SSL versions,
which are no longer considered secure; the name SSL is still used
informally.
• SSL provides a security handshake when a browser and the
Web server to which it is connected want to participate in a
secure connection: the server presents its certificate, the browser
verifies it, and the two agree on session keys.
• Web pages secured by SSL have URLs that begin with https://
instead of http://.
Secure State Indicator
[Figure: the padlock icon that Internet Explorer and Navigator show
when a page is served over SSL.]
Secure Sockets Layer (SSL)
• The Web server holds a public-key pair, and its certificate carries
the public key. Public-key encryption is slow, so SSL uses it only to
set up a secret key for the much faster symmetric encryption that
protects the actual data.
• The browser generates a random secret, encrypts it using the
server's public key and sends it to the server, which decrypts it
with its private key (newer TLS versions derive the secret with a
key-agreement method instead). From that shared secret both sides
compute the symmetric session keys that protect the remainder of
the information transfer between the browser and the Web site.
• When the user leaves the secure Web site, the browser discards
these temporary keys, or session keys.
• Session keys exist only during a single, active session between
a browser and server.
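The public-key slide and the session-key exchange above can be tried end to end with textbook RSA. The following is an added example, not code from the tutorial: the primes, exponent and message sizes are toy-scale assumptions chosen so the arithmetic is readable, there is no padding, and nothing here is a real RSA or TLS implementation.

```python
"""Public-key encryption, signing, and SSL-style session-key transport
with textbook RSA (added example; no padding, toy-sized primes, not a
real cipher or TLS implementation)."""
import hashlib
import hmac
import secrets

# Assumed (constructed) key material: two Mersenne primes keep the
# numbers readable; real RSA moduli are 2048 bits or more.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                 # public exponent
D = pow(E, -1, PHI)       # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def encrypt(m: int, public_key=PUBLIC_KEY) -> int:
    """Anyone can encrypt with the public key; m must be smaller than N."""
    n, e = public_key
    assert 0 <= m < n
    return pow(m, e, n)


def decrypt(c: int, private_key=PRIVATE_KEY) -> int:
    """Only the holder of the private key can decrypt."""
    n, d = private_key
    return pow(c, d, n)


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """'Encrypting with the private key': transform a hash of the message.
    Real signatures pad the hash (PKCS#1 / PSS); here it is reduced mod n."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """'Decrypting with the public key' recovers the hash; compare it."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def transport_session_key():
    """Simplified SSL/TLS RSA key exchange: the browser picks a random
    secret, encrypts it under the server's public key, and the server
    recovers it with its private key. Returns both sides' copies."""
    client_secret = secrets.randbits(64)          # browser side
    wrapped = encrypt(client_secret)              # what crosses the wire
    server_secret = decrypt(wrapped)              # server side
    return client_secret, server_secret


def record_tag(session_key: int, record: bytes) -> bytes:
    """With the shared secret both sides can protect each record; shown
    here as an HMAC integrity tag (a real cipher such as AES would also
    encrypt the record; the standard library has none)."""
    return hmac.new(session_key.to_bytes(8, "big"), record, "sha256").digest()


if __name__ == "__main__":
    c, s = transport_session_key()
    print("session key agreed:", c == s)
    sig = sign(b"hello")
    print("signature verifies:", verify(b"hello", sig))
    print("tampered message verifies:", verify(b"hellp", sig))
```

Note the asymmetry the slides describe: an eavesdropper who sees `wrapped` cannot recover the secret without D, and a forger who lacks D cannot produce a signature that E will verify.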
Managing Cookies
• A cookie is a small text file that a Web server creates
and stores on your computer’s hard drive.
• A cookie might store data about the links you click
while visiting the Web site (called a clickstream),
information about the products you purchase, or
personal information that you provide to the site.
• Some cookies are removed automatically when you
leave a Web site (a session-only cookie).
Managing Cookies
• Many Web sites use cookies to make their sites easier to
navigate, for example to keep you logged in from one page to the next.
• A cookie is not a program; it can store only information that the
Web site that creates it chooses to write, such as data you provided
to the site or an identification number the site assigned to you.
• Sometimes you provide the data openly, and at other times the
cookie might silently record your behavior at a Web site.
• The browser sends a cookie back only to the Web site (domain and
path) that stored it, so one site cannot read another site's cookies,
and a cookie cannot read other cookies on your hard drive or
any other file on your computer.
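The scoping rules just described, as an added example (not code from the tutorial): it parses Set-Cookie headers into their attributes and decides whether a browser would send a given cookie with a given request. The headers and host names are constructed; the matching follows RFC 6265 in simplified form (expiry is not checked).

```python
"""How browsers scope cookies (added example). Parses Set-Cookie headers
and decides whether a browser would send a cookie with a request, which is
why a cookie is readable only by the site that set it. Headers and hosts
are constructed; matching is a simplified RFC 6265 (no expiry check)."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Turn one Set-Cookie header value into a plain dict of attributes."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        # No Domain attribute: "host-only", sent back only to the exact host
        "domain": morsel["domain"].lstrip(".").lower() or None,
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),      # only sent over https
        "httponly": bool(morsel["httponly"]),  # hidden from page scripts
        # Neither Expires nor Max-Age: a session-only cookie
        "persistent": bool(morsel["expires"] or morsel["max-age"]),
    }


def would_send(cookie: dict, set_by_host: str, url: str) -> bool:
    """Would the browser attach `cookie` (set by set_by_host) to a request for url?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie["domain"] is None:
        domain_ok = host == set_by_host.lower()
    else:
        d = cookie["domain"]
        domain_ok = host == d or host.endswith("." + d)
    path, cpath = parts.path or "/", cookie["path"]
    path_ok = path == cpath or (
        path.startswith(cpath) and (cpath.endswith("/") or path[len(cpath)] == "/")
    )
    secure_ok = parts.scheme == "https" or not cookie["secure"]
    return domain_ok and path_ok and secure_ok


if __name__ == "__main__":
    c = parse_set_cookie("sessionid=abc123; Path=/; HttpOnly; Secure")
    print(c)
    print(would_send(c, "shop.example.com", "https://shop.example.com/cart"))
    print(would_send(c, "shop.example.com", "https://evil.example.net/"))
```

A login cookie marked Secure and HttpOnly with no Expires is the safest shape for a public computer: it dies with the browser session, never travels over plain http, and page scripts cannot read it.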
Managing Cookies
• Cookies can represent a security threat for some users, especially
those who access a site from a public computer, because a cookie that
keeps you logged in does the same for the next person to use that
computer.
• Internet users can control the storage of cookies on their
computer's hard drive by changing their browser's settings.
• The best way to prevent another user from gaining access to your
information is to make sure that you do not leave an electronic trail:
log out of sites, and delete cookies and other browsing data when you
finish using a public computer.
• Internet Explorer stores each cookie as a small text file in a
Cookies folder (the tutorial gives C:\Windows\Cookies; the exact
location depends on the Windows version and user profile).
• Navigator stores cookies in a single file named cookies.txt on the
user's hard drive.
Managing Cookies in Internet Explorer
[Figure: the Internet Explorer privacy settings dialog for cookies.]
Managing Cookies in Navigator
[Figure: the Navigator cookie preferences dialog.]
Web Bugs, Spyware, and Adware
• A Web bug is a small, hidden graphic (often a 1-by-1 pixel clear
GIF) on a Web page or in an e-mail message that is designed to work in
conjunction with a cookie to obtain information about the person
viewing the page or e-mail message and to send the information to a
third party.
• When the user loads the Web page that contains this code, the
browser requests the hidden graphic from the third party's server.
That request reveals your IP address, the page in which the clear GIF
file has been embedded (sent as the referring page) and the time of
the visit, and it carries any cookie the third party set earlier, so
the third party can tie this visit to your previous ones and record
the information in its cookie and server logs.
HTML for a Web Bug
The slide's annotations are folded into comments: the IMG SRC is the
clear GIF file's location on the tracker's server, and the "num="
value is the number tied to the cookie identification number generated
for the current user. The line defining the variable a was missing from
the slide and is reconstructed here so the snippet runs.

<FRAMESET ROWS="*,20" BORDER=0 FRAMEBORDER=0 FRAMESPACING=0>
<!-- Start of Doubleclick Tracking Code: Please do not remove -->
<script LANGUAGE="javascript">
  // Random cache-buster so the clear GIF is fetched on every page load
  var axel = Math.random() + "";
  var a = axel * 10000000000000;   // reconstructed: omitted on the slide
  // The 1x1 IMG is the Web bug. SRC = clear GIF file location on the
  // tracker's server; num= carries the per-load number tied to the
  // cookie identification number generated for the current user
  document.write('<IMG SRC="http://ad.doubleclick.net/activity;src=585966;type=counter;cat=oran;ord=1;num=' + a + '?" WIDTH=1 HEIGHT=1 BORDER=0>');
</script>
<noscript>
  <!-- Fallback when JavaScript is off: a plain IMG request to the bug -->
  <img src="http://127.0.0.1:3388/bug.cgi">
</noscript>
<!-- End of Doubleclick Tracking Code: Please do not remove -->
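A static check for Web bugs like the one above, as an added example (not code from the tutorial): it flags IMG elements that are 1x1 pixels or that load from a host outside the site's own domain. The HTML sample is constructed. A static parser cannot see tags written by document.write, as in the DoubleClick snippet, so browser-side or proxy-side detection watches the requests actually made instead.

```python
"""Finding Web bugs in a page (added example): flags <img> elements that
are 1x1 pixels or that load from a third-party host, the two traits of
the clear-GIF tracker. The HTML sample is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page: a site logo, a DoubleClick-style bug, the noscript
# fallback, and a first-party image on a CDN subdomain.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.gif" width="120" height="40" alt="Logo">
<img src="http://ad.doubleclick.net/activity;src=585966;type=counter;cat=oran;ord=1;num=42?" width="1" height="1" border="0">
<noscript><img src="http://127.0.0.1:3388/bug.cgi"></noscript>
<img src="https://cdn.example.com/photo.jpg" width="300" height="200">
</body></html>"""


class WebBugFinder(HTMLParser):
    def __init__(self, site_domain: str):
        super().__init__()
        self.site_domain = site_domain.lower()
        self.findings = []          # (src, [reasons])

    def _third_party(self, host: str) -> bool:
        return host != self.site_domain and not host.endswith("." + self.site_domain)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src is served by the site itself
        host = (urlsplit(src).hostname or self.site_domain).lower()
        reasons = []
        if a.get("width") == "1" and a.get("height") == "1":
            reasons.append("1x1 pixel")
        if self._third_party(host):
            reasons.append("third-party host " + host)
        if reasons:
            self.findings.append((src, reasons))


def find_web_bugs(html: str, site_domain: str):
    """Return [(src, reasons)] for every suspicious <img> in html."""
    finder = WebBugFinder(site_domain)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_HTML, "example.com"):
        print(src, "->", ", ".join(reasons))
```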
Web Bugs, Spyware, and Adware
• Adware is a general category of software that includes
advertisements to help pay for the product in which they
appear.
• In many freeware and shareware programs, adware
provides opportunities for developers to offer software at
little or no cost to the user.
• Adware usually does not cause a security threat as long as the
user is aware of the ads and the parties responsible for including
them are clearly identified in the program; in practice many adware
bundles have blurred that line, which is why the next category exists.
Web Bugs, Spyware, and Adware
• Spyware is a category of adware in which the user has
little control over or knowledge of the ads and the other
monitoring features it contains.
• Spyware occurs in situations where a developer has sold
ad space to a third party or has embedded other tracking features
in the program without telling the user.
• A Web bug is an example of spyware because the clear
GIF and its actions are hidden from the user.
Web Bugs, Spyware, and Adware
• One way to protect computers from the potential privacy
violations created by cookies, Web bugs, and spyware is
to set Web browsers to block third-party cookie files; without its
cookie, a Web bug cannot recognize you from one visit to the next.
• There are many good shareware and free programs that find and
erase spyware from your computer.
• These anti-spyware programs search for files and settings written
by known spyware. They are distinct from ad blockers, which stop ads
and tracking images from being loaded in the browser in the first
place; the two complement each other.
Firewalls
• The computer version of a firewall is a software program or
hardware device that controls access between two networks,
such as a local area network and the Internet or the Internet and
a single computer.
• A port on a computer is like a door; it permits traffic to leave and
enter a computer through a particular service. When the port is
closed, traffic can't enter the computer through it, and a firewall
can also block a port that a program has opened.
• A port scan occurs when one computer tests all or some of the
ports of another computer to determine whether its ports are
open (a program is listening), closed (the computer refuses the
connection), or stealth (a firewall silently drops the probe, so the
scanner gets no answer at all).
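A minimal TCP connect port scan showing the three verdicts, as an added example (not code from the tutorial). It is exercised against the local machine only, so it needs no network and touches nobody else's system; the timeout value is an assumption. Only scan hosts you are authorised to test.

```python
"""A minimal TCP connect port scan (added example), run against the
local machine only. 'open' = connection completed, 'closed' = the OS
refused it, 'filtered' (stealth) = a firewall dropped the probe and
the connect timed out."""
import errno
import socket

TIMEOUT_CODES = {errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK}


def scan_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one port as open, closed or filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))   # 0 on success, else an errno
    except socket.timeout:
        rc = errno.ETIMEDOUT
    finally:
        s.close()
    if rc == 0:
        return "open"
    if rc in TIMEOUT_CODES:
        return "filtered"
    return "closed"


def scan_ports(host: str, ports) -> dict:
    """Scan several ports; returns {port: verdict}."""
    return {p: scan_port(host, p) for p in ports}


def demo_local_scan():
    """Open a listener on a random loopback port (an 'open door'), pick
    another loopback port that nothing listens on, and scan both.
    Returns (results, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind-and-release to find a port that is currently closed
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, o, c = demo_local_scan()
    print(results)
```

A "filtered" result cannot be produced on the loopback interface, because no firewall sits between the scanner and itself; it appears when a host behind a firewall that drops packets is scanned.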
Basic Firewall Architecture
Firewalls
• Until the recent increase in the number of users with
broadband connections to the Internet, corporations
used hardware firewalls almost exclusively.
• Some firewall software programs are available for
free or at a very low cost, so they have become popular
with other types of users.
• Some antivirus programs and Internet suites include
basic firewall protection.
Integrity Threats and
Countermeasures
• An integrity threat occurs when an unauthorized party has the
chance to alter data while it is being transferred over the Internet
or while it is stored on a computer.
• The most visible integrity threats have been from Trojan horses,
viruses, and worms that attack computers and the programs
they run.
• A Trojan horse is a small program hidden inside another
program that causes harm when the user accesses or
downloads the program in which it is hidden.
Integrity Threats and
Countermeasures
• A worm is a variation of a virus: a self-replicating program that
spreads by itself from computer to computer, often by mailing itself
as an e-mail attachment or by contacting other computers directly
over the network.
• A worm can replicate itself on a computer or server, but unlike a
virus it does not attach itself to and infect other files.
• The best defense against a worm is to install an antivirus program,
update your virus patterns regularly, keep the operating system
patched (network worms exploit unpatched flaws), display Windows
filename extensions so you can determine the type of file you have
downloaded, and avoid opening attachments that you are not
expecting.
• A firewall can slow the spread of Internet worms by blocking the
worm's incoming connection attempts and by preventing the worm from
sending information from your computer without your permission.
Protecting E-Mail Messages
• To help maintain the integrity of an e-mail message, you can
send the message through a message digest function
program (hash code function program) to produce a short,
fixed-length number called a message digest or, when the function is
keyed with a secret shared by sender and recipient, a message
authentication code (MAC).
• After it computes the MAC, the e-mail program sends the
message and matching MAC together to the recipient.
• The recipient's e-mail program recomputes the message's MAC
and compares the computed MAC to the received MAC.
• If they match, the content of the message is unaltered. If they do
not match, then the message cannot be trusted. A digest computed
without a secret key protects only against accidental corruption: an
attacker who alters the message can simply recompute the digest, so
a keyed MAC or a digital signature is needed to detect deliberate
tampering.
Producing a MAC for a Message
[Figure: the message passes through the digest function; the message
and the resulting MAC are sent together to the recipient.]
Protecting E-Mail Messages
• To be useful, the message digest function must exhibit the
following characteristics:
 - It must be impossible or computationally infeasible to reverse
the MAC and produce the original message.
 - The MAC should look random: changing even one bit of the
message should change the MAC unpredictably.
 - The MAC must be unique to the message in practice, meaning it
must be infeasible to find two different messages that produce
the same MAC.
• You can also protect outgoing e-mail messages with the
Secure/Multipurpose Internet Mail Extensions
(S/MIME) specification, which when combined with a
person's digital ID provides authentication (a digital signature)
and encryption for e-mail messages.
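The difference between the unkeyed digest of the "Protecting E-Mail Messages" slides and a keyed MAC, plus the avalanche property listed above, as an added example (not code from the tutorial). The key and messages are constructed.

```python
"""Message digests versus keyed MACs (added example). A bare digest
detects accidental corruption only: whoever alters the message can
recompute it. A MAC keyed with a secret shared by sender and recipient
cannot be recomputed by an outsider. Key and messages are constructed."""
import hashlib
import hmac


def digest(message: bytes) -> bytes:
    """Unkeyed message digest (SHA-256): 32 bytes whatever the input size."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed message authentication code (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_digest(message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so timing does not leak the tag
    return hmac.compare_digest(digest(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)


def attacker_rewrites(message: bytes, tag: bytes, keyed: bool):
    """An interceptor changes the amount and tries to fix up the tag.
    With an unkeyed digest, recomputing it is all it takes; against a
    MAC the attacker lacks the key and can only reuse the old tag."""
    forged = message.replace(b"$100", b"$900")
    return forged, (tag if keyed else digest(forged))


def bits_changed(a: bytes, b: bytes) -> int:
    """Avalanche check: how many output bits differ between two tags."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key = b"shared-secret-between-sender-and-recipient"   # constructed
    msg = b"Pay $100 to Alice"
    forged, ftag = attacker_rewrites(msg, digest(msg), keyed=False)
    print("forged digest accepted:", verify_digest(forged, ftag))
    forged, ftag = attacker_rewrites(msg, mac(key, msg), keyed=True)
    print("forged MAC accepted:", verify_mac(key, forged, ftag))
    print("bits changed by one-character edit:",
          bits_changed(digest(msg), digest(b"Pay $101 to Alice")))
```

S/MIME takes the keyed idea one step further: instead of a shared secret, the sender signs the digest with the private key of his or her digital ID, so any recipient can verify it with the public key.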
Necessity Threats and
Countermeasures
• A necessity threat occurs when a cracker uses a program to disrupt
normal computer processing or, possibly, to deny processing
entirely.
• A packet flooding attack or denial of service (DoS) attack
occurs when a cracker bombards a server or other computer
with messages in an attempt to consume the network's
bandwidth or the server's processing resources. When the flood
comes from many compromised computers at once, it is a
distributed denial of service (DDoS) attack.
• Delaying processing can render a service unusable or
unattractive.
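Detecting a packet flood in a connection log, as an added example (not code from the tutorial). Each source address gets a sliding one-second window of connection timestamps, and a source that exceeds a threshold inside the window is flagged. The log lines are constructed in a plain "seconds source_ip dest_port" form, not any real firewall's format, using RFC 5737 documentation addresses; the window and threshold are assumptions to tune per service.

```python
"""Detecting a packet-flooding (denial of service) pattern in a
connection log (added example). Lines are constructed in a plain
'seconds source_ip dest_port' form with RFC 5737 addresses."""
from collections import defaultdict, deque

# Constructed sample: one source opens 100 connections per second for
# two seconds; a second source makes five ordinary requests.
SAMPLE_LOG = sorted(
    [f"{i * 0.01:.2f} 198.51.100.7 80" for i in range(200)]
    + [f"{i * 2.0:.2f} 203.0.113.5 80" for i in range(5)],
    key=lambda line: float(line.split()[0]),
)


def parse_line(line: str):
    """'0.49 198.51.100.7 80' -> (0.49, '198.51.100.7', 80)"""
    ts, src, port = line.split()
    return float(ts), src, int(port)


def find_flooders(lines, window: float = 1.0, threshold: int = 50):
    """Return {source_ip: time_first_flagged} for sources that made at
    least `threshold` connections within any `window` seconds."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts, src, _ = parse_line(line)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in find_flooders(SAMPLE_LOG).items():
        print(f"{src} exceeded the rate at t={ts:.2f}s")
```

Rate limits like this stop a single-source flood; a DDoS from thousands of addresses, each below the threshold, needs upstream filtering by the network provider instead.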
Necessity Threats and
Countermeasure
• One of the most dangerous entry points for delay and denial threats
comes from program code that travels with Web pages to a browser and
executes on the user's computer.
• A Java applet, which is a program written in the Java programming
language, could execute and consume a computer's resources, although
the browser runs it in a restricted "sandbox".
• A JavaScript program can pose a problem because it runs automatically
as soon as the page loads, with no compile or install step that would
give the user a chance to inspect it; it can, for example, loop
endlessly or open windows until the browser becomes unusable.
• ActiveX components are Microsoft's technology for writing small
applications that perform some action in Web pages. Unlike applets
and JavaScript, these components run without a sandbox and have full
access to a computer's file system, so they should be accepted only
from publishers you trust.
Copyright & Intellectual Property
Threats and Countermeasures
• Copyright and safeguarding intellectual property rights
are also security issues.
• Intellectual property threats are a large problem due to the
Internet and the relative ease with which one can use
existing material without the owner’s permission.
 - It is very simple to reproduce an exact copy of anything
you find on the Internet.
 - Many people are naïve or unaware of copyright
restrictions that protect intellectual property.
Copyright & Intellectual Property
Threats and Countermeasures
• A digital watermark is a process that inserts a digital
pattern containing copyright information into a digital
image, animation, or audio or video file.
• Steganography is a process that hides a message (which may itself
be encrypted) within another file, such as an image or sound file, so
that the carrier file appears unchanged. It can be used to add
copyright information to different types of files.
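Least-significant-bit steganography, the simplest way to hide a copyright notice inside pixel data, as an added example (not code from the tutorial). The "image" is a constructed array of greyscale pixel values rather than a real image file; the same code applies to decoded pixel data. LSB hiding is fragile and statistically detectable, so as a copyright marker it is much weaker than a robust watermark.

```python
"""Least-significant-bit (LSB) steganography (added example): hides a
message in the low bit of each byte of a cover and recovers it. The
cover is a constructed array of greyscale pixel values, not a real
image file."""

# Constructed 'image': 512 greyscale pixels with a repeating gradient.
COVER = bytes((i * 37 + 11) % 256 for i in range(512))


def embed(cover: bytes, message: bytes) -> bytes:
    """Write a 4-byte length followed by the message, one bit per pixel."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for i, byte in enumerate(payload):
        for b in range(8):
            bit = (byte >> (7 - b)) & 1
            idx = i * 8 + b
            out[idx] = (out[idx] & 0xFE) | bit   # replace only the lowest bit
    return bytes(out)


def _read_bytes(stego: bytes, offset_bits: int, count: int) -> bytes:
    """Collect `count` bytes from the low bits starting at offset_bits."""
    vals = bytearray()
    for i in range(count):
        v = 0
        for b in range(8):
            v = (v << 1) | (stego[offset_bits + i * 8 + b] & 1)
        vals.append(v)
    return bytes(vals)


def extract(stego: bytes) -> bytes:
    """Read the length prefix, then that many message bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """How visible is the change? At most one grey level per pixel."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    notice = b"(c) 2005 Example Corp"
    stego = embed(COVER, notice)
    print(extract(stego), "max pixel change:", max_pixel_change(COVER, stego))
```

Re-encoding the image with a lossy format or resizing it destroys the low bits, which is the failure mode a robust watermark is designed to survive.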
Enhancing Your Use of the Internet
with Browser Extensions
• Browser extensions allow a Web browser to perform tasks it
was not originally designed to perform.
• Plug-in: integrated browser software that the browser uses to
display or play a specific file that you request.
• Helper applications: programs installed on the user’s computer
that the browser starts and uses to “help” display or play a file.
• Add-ons: include tools that enhance your browsing experience,
such as toolbars or programs that block pop-up ads from
opening.
Enhancing Your Use of the Internet
with Browser Extensions
• Helper applications are independent programs that
are stored on your computer and are activated
automatically when needed.
• Plug-ins do their work inside the browser and do not
activate a standalone program that is stored on your
computer.
• When you install a Web browser, many popular plug-ins are often
installed with it.
Enhancing Your Use of the Internet
with Browser Extensions
• Browser extensions are often grouped into categories
based on the type of content they deliver. These
categories are:
 - Document and productivity
 - Image viewer
 - Multimedia
 - Sound player
 - Video player
 - Three-dimensional (3-D) graphics
Document and Productivity
Browser Extensions
• Document and productivity browser extensions
let you use a browser to read documents, such as
files saved in PDF format and viewed using Adobe
Acrobat Reader.
• If you have Acrobat Reader, a browser can use it to
display and print files with .pdf extensions.
• If you have installed Microsoft Office, a browser can
start Word, Excel, and other Office programs to
display files with extensions, such as .doc and .xls.
Image Viewer Browser Extensions
• Browser extensions from this category let the
browser display graphics, such as interactive road
maps or alternative file formats and viewers for GIF
and JPEG files.
• Image viewer plug-ins also display different picture
file formats.
• If a Web site indicates you need a specific image
viewer plug-in to view something on its site, you can
usually download it at that time, directly from that site.
Multimedia Browser Extensions
• The multimedia category contains browser extensions that
appeal to several senses at once.
• The Flash Player lets your Web browser display
simple animations, user interfaces, static graphics,
movies, sound, and text.
• The Shockwave Player is a more fully featured
browser plug-in that you must download and install.
Sound Player Browser Extensions
• Sound player browser extensions, such as Beatnik,
and Real Player, let your Web browser play sounds.
• Real Player is a free plug-in that plays streaming
audio and video files over the Internet.
• Beatnik delivers high-quality interactive music and
sound on the Web and in many wireless devices.
Video Player Browser Extensions
• Video player browser extensions deliver movies to Web
browsers over the Internet.
• QuickTime was one of the first movie players developed. It
plays video, sound, music, 3-D, and virtual reality for both
Macintoshes and PCs.
• Other widely used movie players include RealPlayer and
Windows Media Player.
• Some of these players download a complete movie before
playing it, while others use streaming technology to play a movie
before it has been completely downloaded.
3-D Browser Extensions
• Virtual Reality Modeling Language or VRML is an Internet
programming language that creates three-dimensional
environments that can mimic known worlds or define fictional
ones.
• With VRML you can navigate and interact with a three-dimensional scene.
• VRML sites are used for gaming and product and location tours.
• Extensible 3D (X3D) is the next generation open standard for
3D on the Web.
Finding Browser Extensions
• A good way to locate browser extensions is to visit a
download site such as Tucows.
• Many download sites group plug-ins by the functions
they perform, which makes it easy to view the
available plug-ins for the type of files you want to use.
Commonly Used Browser Extensions
[Figure: table of commonly used browser extensions.]
Summary
• There are different types of computer security threats and some
countermeasures that you can take to prevent them.
• There are copyright issues related to the information you locate
and use on the Internet.
• There are different categories of browser extensions that you
might need as you use the Web.
• You should use the security information presented in this tutorial
to create a safe environment in which to enjoy the Web’s many
resources and games on your own computer.