Week 13 - Wednesday. What did we talk about last time? Authentication and privacy Data mining and...
CS363
Week 13 - Wednesday
Last time
What did we talk about last time?
Authentication and privacy
Data mining and privacy
Privacy online
Questions?
Security Presentation
Tom Gorko
Assignment 5
Project 3
Privacy on the Web
Cookies
A cookie is a small text file kept on your computer that records data related to web browsing
It was originally intended to avoid the need to log on and store information on websites' servers
Sites can store as many cookies as they want with any data they want (user name and password, credit card numbers, etc.)
Cookies can only be read by the site that originally stored the cookie
The way to get around this is called third-party cookies
Networks of sites can form an alliance in which they cooperate to track all of your visits to sites in the network
DoubleClick is such a network
Tracking where you go online is called online profiling
Web bugs
Only a website you visit can leave a cookie or run JavaScript, right?
Sure, but how many sites do you visit?
Images that are linked to other websites (especially ads) count as visiting other websites
Visiting a single page could store cookies from every ad on the page (and more!)
Web bugs are images that are usually 1 x 1 pixels and clear
They make it impossible to know how many sites could be storing cookies
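An added example, not part of the original slides: a small audit that lists every third-party host a page loads images from (each one gets a chance to set or read its own cookie) and flags the 1 x 1 images among them as likely web bugs. The page URL, the HTML and all host names are constructed, and the same-site test is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; every host is a made-up .example name.
PAGE_URL = "https://news.example/story.html"
SAMPLE_HTML = """
<img src="/img/logo.png" width="200" height="60">
<img src="https://ads.adnet.example/banner.gif" width="468" height="60">
<img src="https://track.adnet.example/p.gif?u=12345" width="1" height="1">
<img src="//metrics.other.example/b.gif" style="width:1px;height:1px">
<img src="https://static.news.example/dot.gif" width="1" height="1">
"""

def same_site(host, page_host):
    # Simplification (assumption): first-party means the page host or one of
    # its subdomains. A real check would use the Public Suffix List.
    return host == page_host or host.endswith("." + page_host)

def is_tiny(attrs):
    # 1x1 (or 0x0) image, sized by width/height attributes or inline style.
    style = (attrs.get("style") or "").replace(" ", "").lower()
    by_attr = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return by_attr or ("width:1px" in style and "height:1px" in style)

class ImageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.third_party_hosts = set()
        self.web_bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        src = urljoin(self.page_url, attrs.get("src") or "")
        host = urlparse(src).hostname
        if not host or same_site(host, self.page_host):
            return  # first-party image: no extra site is contacted
        self.third_party_hosts.add(host)  # this host can set its own cookie
        if is_tiny(attrs):
            self.web_bugs.append(src)

def audit(html, page_url):
    parser = ImageAudit(page_url)
    parser.feed(html)
    return sorted(parser.third_party_hosts), parser.web_bugs
```

On the sample, one page view contacts three outside hosts, and two of the requests are invisible 1 x 1 images; the first-party 1 x 1 spacer is not flagged.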
Spyware
Cookies represent a limited threat because they are passive
Spyware is a general term for software that records data about you without you knowing
Sometimes it is installed by accident, along with other software, or through holes in your browser's security
One particular kind of spyware is the keystroke logger, which records your keystrokes
Although spyware came up in the discussion of malicious code, we mention it here because most spyware focuses on monitoring your web access
Spyware is often difficult to remove
Adware
Adware is a form of spyware
It displays ads in pop-up windows or tabs or the main browser window
Adware is usually installed with other software
In these cases, the software is not technically a Trojan horse because you probably agreed to let it run wild on your system
A drive-by installation is a way of tricking a user into installing such software
The dialog boxes you see can be manipulated or distorted so that the Yes and No options are switched or the product claims to be from a reputable source
Shopping on the Internet
There are some good deals on the Internet
But there are shady practices
A typical brick-and-mortar company like McDonald's will sell everyone who comes into the store a cheeseburger for the same price
Online stores may change prices on the fly based on previous browsing or buying histories
Amazon.com had a differential pricing scandal when it was shown that loyal customers paid more in some cases
They have vowed not to do that anymore
Rights online
Let's see how well we know the rules
Behavior | True or False | % Right on Survey
Most online merchants give you the right to correct incorrect information about you | False | 53%
Most online merchants give you the chance to erase information about you | False | 50%
It is legal for an online merchant to charge different people different prices at the same time of day | True | 38%
It is legal for a supermarket to sell buying habit data | True | 36%
Travel services such as Orbitz and Expedia have to present the lowest price found | False | 32%
A video store is allowed to sell information about what videos a customer has rented | True | 29%
E-mail Security
Interception of E-mail
Regular mail cannot be opened under penalty of federal law
Most people do not encrypt their e-mail using PGP or S/MIME
Typical e-mail transmission:
Alice composes an e-mail on her computer
When she hits send, it goes to her organization's SMTP server
▪ The organization can (and often does) keep a copy or at least scan the e-mail for questionable content
The SMTP server sends it out through their ISP
▪ Anyone on the Internet has a chance at grabbing the e-mail
It arrives at Bob's POP server
▪ Bob's organization can record or scan the e-mail
Bob's computer pulls it down from the POP server and reads it
Monitoring of E-mail
Companies and government agencies can legitimately monitor e-mail going to and from their employees
The same is true for students at schools and patrons at libraries
ISPs can monitor all the traffic that goes through them
They have to! Over 90% of the e-mail in the world is spam
You have no expectation of privacy when sending e-mail, ever
E-mail anonymity
Some strategies can be adopted to maintain anonymity:
Sign up for a Gmail, Yahoo, or Hotmail account specifically to send a sensitive message
Remailers are trusted third parties who resend your e-mail under a pseudonym
▪ But the remailer still knows who sent the e-mail
A mixmaster remailer takes it a step further by anonymizing through many layers
▪ Only the first layer knows the sender
▪ Only the last layer knows the receiver
E-mail authenticity
Unless you verify authenticity cryptographically or through some other mechanism, you can't be sure where an e-mail comes from
An e-mail is a series of packets, whose source IP address and from e-mail address can be spoofed
Viruses also can take control of a computer and send e-mails to everyone on an address list
Sometimes they spoof the sender as someone else on the address list so that the virus is harder to track down
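An added example, not part of the original slides, of checking a received message instead of trusting its From line. It assumes the receiving mail server stamps an Authentication-Results header (RFC 8601) with SPF and DKIM outcomes; the message, hosts and addresses are constructed, and `mx.bob.example` stands in for the receiver's own server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message; every host and address is a made-up .example name.
SAMPLE = """\
Return-Path: <bounce@bulk.mailer.example>
Authentication-Results: mx.bob.example; spf=pass smtp.mailfrom=bulk.mailer.example; dkim=none
Received: from out.mailer.example by mx.bob.example; Wed, 1 Jan 2020 10:00:02 +0000
Received: from laptop by out.mailer.example; Wed, 1 Jan 2020 10:00:00 +0000
From: Alice <alice@alice.example>
To: bob@bob.example
Subject: hello

Hi Bob
"""

def domain(header_value):
    """Domain part of the address in a From/Return-Path style header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg, trusted_server):
    """Results stamped by our own mail server; copies from others are ignored."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        if server.strip().lower() != trusted_server:
            continue  # anyone upstream can insert this header
        for part in rest.split(";"):
            method, _, outcome = part.strip().partition("=")
            if method and outcome:
                results[method] = outcome.split()[0]
    return results

def assess(raw, trusted_server):
    msg = message_from_string(raw)
    results = auth_results(msg, trusted_server)
    # Received headers are prepended, so reverse them for sending order.
    # Hops below our own server's line are sender-supplied text.
    hops = [m.group(1) for r in reversed(msg.get_all("Received", []))
            if (m := re.search(r"\bby\s+([^\s;]+)", r))]
    warnings = []
    if domain(msg["From"]) != domain(msg["Return-Path"]):
        warnings.append("From domain differs from envelope sender")
    if results.get("dkim") != "pass":
        warnings.append("no DKIM pass: From header is unverified")
    return hops, results, warnings
```

The sample passes SPF, yet that result covers only the envelope sender `bulk.mailer.example`; nothing vouches for the `alice.example` address the reader sees, so both warnings fire.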
Privacy in Emerging Technologies
RFID tags
Radio frequency identification (RFID) tags are usually small, inexpensive transmitters
They can be attached to almost anything
They can be as small as a grain of sand
Some are passive and need an external signal to power their response
Others have their own power supplies (and greater ranges)
Their transmission range varies from a few centimeters to several meters
They are currently used for:
▪ Toll plaza payments
▪ Some subway passes
▪ Stock and inventory labels in warehouses
▪ Passports and identity cards
▪ Some credit cards with wave-style payment
RFID issues
RFID tags are being put in everything
A tag in your shirt could identify where you bought it and maybe even some unique identifier that could be tied to you in a database
This tag could be scanned as you walk down the street
Some people with rare medical conditions have an RFID implanted in their bodies
The infrastructure does not currently exist to track everyone's movements and activities
As the price goes down for RFID tags and their readers, it is a possibility for the future
Electronic voting
Many polling places throughout the US (and many other countries) use computers to tally votes
Voting systems should:
▪ Keep a voter's choices secret
▪ Allow a voter to vote only once
▪ Be tamperproof
▪ Report votes accurately
▪ Be available through the election period
▪ Keep an audit trail to detect irregularities but still not say how an individual voted
Voting is a mess
It's very hard to engineer a system that you can guarantee only lets someone vote once and yet not keep track of how they voted
The software and hardware designs for these systems are generally not publicized
This leaves everything in the hands of Diebold, a company whose chief executive had been a top fundraiser for George W. Bush
Diebold has since spun off its voting machine business
Internet voting will probably increase
Some US and UK elections have used it
Estonia has the largest Internet voting system, which relies on a national ID card that can be verified from home using an inexpensive card reader
VoIP
Voice over IP (VoIP) is a way to make phone calls over the Internet
Many phone companies actually use VoIP transparent to their users
Skype is the market leader in consumer VoIP
VoIP is attractive because long distance costs are essentially zero if you already have high speed Internet
Issues:
▪ ISPs and others can track who you're having phone calls with, even if the audio is encrypted
▪ Skype uses 256 bit AES (but they could have a backdoor to eavesdrop)
Quiz
Upcoming
Next time…
Intellectual property and information law
Meets Thursday (tomorrow!)
Reminders
Read Chapter 11
Work on Assignment 5
▪ Due next Friday before midnight
Keep working on Project 3 Phase 1
▪ Due Thursday before midnight!