1

Computer & Web Security

Security Problems in Computer Use

Privacy-Protecting Techniques

Privacy-Protecting Technologies: cryptography, digital signatures & certificates, etc.

2

Computer Security: Basic Issues

Different dimensions of the security problem:Securing hardware (e.g. via locks or tags) vs. securing

softwarePreventing damage through system failure (software or

hardware) vs. preventing damage through malicious intentional actions (security attacks, theft)

We will mainly focus on preventing malicious intentional actions on the software level

3

Types of System Failure Hardware: power outage, corrupted disks, hard

drive crashes, etc. Software:

Software crashes – a common problem (have you noticed?)

Software does not perform as intended/desired; note that this could be caused by user errors

While these problems cannot be completely avoided, damage can be greatly reduced…

4

Avoiding Severe Damage: Backups

Types of backup:Level-zero backup: copy of the original system when

first installedFull backup: copy of every file on the computer Incremental backup: copy of all modified files

Possible security risks: with automatic backup systems, deleting a file does not put it out of existence

5

Intentional Security Attacks

Security risks have greatly increased due to the Internet; no computer is an island

We focus on security issues related to the Internet, but this will also include basic security for the user’s computer

6

What do attackers want?

Scan your system for confidential documents Corrupt information on your computer Modify your operating system by creating security

loopholes Steal credit card numbers Block access to your system (coordinated attack) Press coverage

7

Big Brother is watching you -traces you leave in the Web

I) User-provided information Setting up an account with an online shop, purchasing

tickets via the web What legal restrictions govern the use of the information

provided? (in the US: few) What privacy policy does the vendor have? (the vendor’s web

site should have some information about this!)

Note: even simple demographic information may be sufficient for identification (e.g. ZIP-code + birthday)

8

Further traces you leave

II) Log files Ubiquitous; lots of applications and network programs

create log files of various activities the user performs Web logs: files which are created on remote web server

when a page is downloaded; information stored includes: IP address of the computer that downloaded the web page, time of requrest, URL requested, username (sometimes), refer link, web browser used

Mail logs: created by mail servers, contain at least to: and from:

9

III) Cookies Text file left by a remote web server on your

computer; the cookie is sent to the web server every time a web page from that server is requested

Allows the user to maintain a certain state while requesting different pages; example: shopping cart

10

Where are cookies stored?Netscape Navigator: ~/.netscape/cookiesMicrosoft Explorer: folder Cookies

Browser preferences can be adjusted so that you can refuse cookies when they are sent

11

IV) Web Bugs Simple to program in HTML <img src=“http://…” width=1 height=1 border=0> This will alert the specified web server every time the

page is viewed; outsourced web site monitoring Useful for gathering web use statistics Can also be used to check when HTML e-mails are read,

or to send personal information encoded in URL (like Google puts search strings in URL)

12

Privacy-Protecting Techniques Picking a good password (and not writing it down) Passwords can be captured by password sniffers when

they are transmitted over the network; beware of protocols which do NOT use encryption: FTP (File Transfer Protocol) HTTP (Hypertext Transfer Protocol) POP (Post Office Protocol) TELNET (Remote Terminal Protocol) RLOGIN (Remote Login for UNIX machines)

13

More Privacy-Protecting Techniques

Avoiding Spam and Junk MailDon’t put your e-mail address on your home page, or

write “pauly (and now this strange symbol) csc.liv.ac in you know which country)”

Take your e-mail out of online directoriesDon’t post to public mailing listsPick an unusual usernameAddress Munging: pauly@csc.liv.ac.uk.nospam

14

Privacy-Protecting Technologies

Antispam Services: analyse your e-mail to check whether it is spam, using AI technology, whitelists + confirmation e-mails, etc.

Antispam Software: does the same, but runs on your computer; your mail stays where it belongs

Browsers allow you to refuse cookies

15

More Privacy-Protecting Technology

Anonymous Browsing – protecting your IP addressUse a public terminal (e.g. at a library)Use a proxy server of your internet service provider; in

this case, the proxy servers IP address is passed onUse anonymous web browsing services; they usually

work as proxy servers Secure E-mail: encrypt messages before sending

16

Secure Sockets Layer (SSL)

Uses a cryptographic protocol for sending information over the web

Main usage with web pageshttps://…

Browsers will usually tell you whether the current page/document is “secure”

Example: Booking a flight with a credit card…

17

Cryptography

EncryptionAlgorithm

Encryption

Decryption

18

Symmetric Key Algorithms The same key is used for both encryption and

decryption Sometimes also called private key algorithms Used for the bulk encryption of data Algorithms are very fast & easy to implement There are a large number of possible keys, hence

encryption is difficult to crack, hence high level of secrecy

19

Example: using an 80-bit key, and assuming that 1 million keys per second can be searched, it will take approx. 38 billion years to try all keys

Common algorithms: DES, Blowfish, RC2, RC4, RC5

Problems: parties have to share a secret & private keyBoth parties need to have a copy of the key I need a different key for every person I want to

communicate with; (N2-N)/2 keys for N different users

20

Asymmetric Key Algorithms Encryption and Decryption key differ For encrypted messaging, encryption key is public and

decryption key private Public key can be published on your web page (see e.g.

Benjamin Hirsch) Also called public key algorithms Algorithms are slower & more difficult to implement and

analyse Easier to attack than symmetric key algorithms Common algorithms: DSA/DSS, RSA

21

A further advantage: asymmetric keys can be used for digital signatures, simply make the encryption key private and the decryption key public

Most “secure” protocols will use a mixture of both symmetric and asymmetric key cryptography

Example: Use asymmetric key cryptography to exchange a symmetric key, and use that key for encrypting the main data

22

Conclusions

Keys are still stored somewhere on the system Hence, in spite of everything that’s been said,

there is no perfect security Still, you can be aware of the security risks, and of

some of the ways to improve security