CS363Week 13 - Wednesday

Last time

What did we talk about last time? Authentication and privacy Data mining and privacy Privacy online

Questions?

Security PresentationTom Gorko

Assignment 5

Project 3

Privacy on the Web

Cookies

A cookie is a small text file kept on your computer that records data related to web browsing It was originally intended to avoid the need to log on and store

information on websites' servers Sites can store as many cookies as they want with any

data they want (user name and password, credit card numbers, etc.)

Cookies can only be read by the site that originally stored the cookie

The way to get around this is called third-party cookies Networks of sites can form an alliance in which they cooperate

to track all of your visits to sites in the network DoubleClick is such a network

Tracking where you go online is called online profiling

Web bugs

Only a website you visit can leave a cookie or run JavaScript, right? Sure, but how many sites do you visit?

Images that are linked to other websites (especially ads) count as visiting other websites

Visiting a single page could store cookies from every ad on the page (and more!)

Web bugs are images that are usually 1 x 1 pixels and clear They make it impossible to know how many sites

could be storing cookies

Spyware

Cookies represent a limited threat because they are passive

Spyware is a general term for software that records data about you without you knowing

Sometimes it is installed by accident, along with other software, or through holes in your browser's security

One particular kind of spyware are keystroke loggers, which record your keystrokes

Although spyware came up in the discussion of malicious code, we mention it here because most spyware focuses on monitoring your web access

Spyware is often difficult to remove

Adware

Adware is a form of spyware It displays ads in pop-up windows or tabs or the

main browser window Adware is usually installed with other software In these cases, the software is not technically a

Trojan horse because you probably agreed to let it run wild on your system

A drive-by installation is a way of tricking a user into installing such software The dialog boxes you see can be manipulated or

distorted so that the Yes and No options are switched or the product claims to be from a reputable source

Shopping on the Internet There are some good deals on the Internet

But there are shady practices A typical brick-and-mortar company like

McDonald's will sell everyone who comes into the store a cheeseburger for the same price

Online stores may change prices on the fly based on previous browsing or buying histories

Amazon.com had a differential pricing scandal when it was shown that loyal customers paid more in some cases They have vowed not to do that anymore

Rights online

Let's see how well we know the rules

Behavior True or False

% Right on

Survey

Most online merchants give you the right to correct incorrect information about you False 53%

Most online merchants give you the chance to erase information about you False 50%

It is legal for an online merchant to charge different people different prices at the same time of day True 38%

It is legal for a supermarket to sell buying habit data True 36%

Travel services such as Orbitz and Expedia have to present the lowest price found False 32%

A video store is allowed to sell information about what videos a customer has rented True 29%

E-mail Security

Interception of E-mail

Regular mail cannot be opened under penalty of federal law

Most people do not encrypt their e-mail using PGP or S/MIME

Typical e-mail transmission: Alice composes an e-mail on her computer When she hits send, it goes to her organization's SMTP server▪ The organization can (and often does) keep a copy or at least scan

the e-mail for questionable content The SMTP sends it out through their ISP▪ Anyone on the Internet has a chance at grabbing the e-mail

It arrives at Bob's POP server▪ Bob's organization can record or scan the e-mail

Bob's computer pulls it down from the POP server and reads it

Monitoring of E-mail

Companies and government agencies can legitimately monitor e-mail going to and from their employees

The same is true for students at schools and patrons at libraries

ISPs can monitor all the traffic that goes through them They have to! Over 90% of the e-mail in the

world is spam You have no expectation of privacy when

sending e-mail, ever

E-mail anonymity

Some strategies can be adopted to maintain anonymity: Sign up for a Gmail, Yahoo, or Hotmail account

specifically to send a sensitive message Remailers are trusted third parties who

resend your e-mail under a pseudonym▪ But the remailer still knows who sent the e-mail

A mixmaster remailer takes it a step further by anonymizing through many layers▪ Only the first layer knows the sender▪ Only the last layer knows the receiver

E-mail authenticity

Unless you verify authenticity cryptographically or through some other mechanism, you can't be sure where an e-mail comes from

An e-mail is a series of packets, whose source IP address and from e-mail address can be spoofed

Viruses also can take control of a computer and send e-mails to everyone on an address list Sometimes they spoof the sender as someone else

on the address list so that the virus is harder to track down

Privacy in Emerging Technologies

RFID tags

Radio frequency identification (RFID) tags are usually small, inexpensive transmitters They can be attached to almost anything They can be as small as a grain of sand

Some are passive and need an external signal to power their response

Others have their own power supplies (and greater ranges) Their transmission range varies from a few centimeters to

several meters They are currently used for:

Toll plaza payments Some subway passes Stock and inventory labels in warehouses Passports and identity cards Some credit cards with wave-style payment

RFID issues

RFID tags are being put in everything A tag in your shirt could identify where you bought

it and maybe even some unique identifier that could be tied to you in a database

This tag could be scanned as you walk down the street

Some people with rare medical conditions have an RFID implanted in their bodies

The infrastructure does not currently exist to track everyone's movements and activities

As the price goes down for RFID tags and their readers, it is a possibility for the future

Electronic voting

Many polling places throughout the US (and many other countries) use computers to tally votes

Voting systems should: Keep a voter's choices secret Allow a voter to vote only once Be tamperproof Report votes accurately Be available through the election period Keep an audit trail to detect irregularities but

still not say how an individual voted

Voting is a mess

It's very hard to engineer a system that you can guarantee only lets someone vote once and yet not keep track of how they voted

The software and hardware design for these systems are generally not publicized This leaves everything in the hands of Diebold, a company

whose chief executive had been a top fundraiser for George W. Bush

Diebold has since spun off its voting machine business Internet voting will probably increase

Some US and UK elections have used it Estonia has the largest Internet voting system, which relies

on a national ID card that can be verified from home using an inexpensive card reader

VoIP

Voice over IP (VoIP) is a way to make phone calls over the Internet Many phone companies actually use VoIP transparent

to their users Skype is the market leader in consumer VoIP VoIP is attractive because long distance costs are

essentially zero if you already have high speed Internet

Issues: ISPs and others can track who you're having phone

calls with, even if the audio is encrypted Skype uses 256 bit AES (but they could have a

backdoor to eavesdrop)

Quiz

Upcoming

Next time…

Intellectual property and information law

Meets Thursday (tomorrow!)

Reminders

Read Chapter 11 Work on Assignment 5

Due next Friday before midnight Keep working on Project 3 Phase 1

Due Thursday before midnight!