COS 109 Monday November 30

• Housekeeping– Lab 7 and Problem Set 8 available now– Final exam – January 18 (Monday) at 7:30PM

• Today’s class– A variety of forms of bad behavior on the Internet

MalwareBotnetsInternet censorship

Cookies are not the only tracking mechanism

• web bugs, web beacons, single-pixel gifs– tiny images that report the use of a particular page– these can be used in mail messages, not just browsers

• Flash cookies ("local shared object")– cookie-like mechanism used by Flash

• "super cookies"– e.g., Verizon's X-UIDH HTTP header on cellphones

• HTML canvas fingerprinting– uses subtle differences in browser behavior to distinguish users

• defenses: addons like AdBlock, FlashBlock, Cookie Monster, Ghostery, NoScriptBut, companies can retaliate

http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works/

Plug-ins, add-ons, extensions, etc.

• programs that extend capabilities of browser, mailer, etc.– browser provides API, protocol for data exchange– extension focuses on specific application area

e.g., documents, pictures, sound, movies, scripting language, ...

– may exist standalone as well as in plug-in form– e.g., Acrobat Reader, Flash, Quicktime, Windows Media Player, ...

• scripting languages interpret downloaded programs– Javascript– Java

compiled into instructions for a virtual machine (like the Toy machine on steroids)

instructions are interpreted by virtual machine in browser

Javascript tracking

• most web pages include some Javascript• some is used for interactive features, validation, etc.• much is used for tracking: "Google Analytics offers a great breadth of functionality -

you can use it to track visitor flow through your site, to view the source of referrals to your site, and to see how well visitors make it through a conversion process such as purchasing an item or signing up for a newsletter."

• defenses: NoScript disables all Javascript Ghostery disables Javascript trackers from a list

Potential security & privacy problems

• attacks against client– release of client information

cookies: client remembers info for subsequent visits to same server

– adware, phishing, spyware, viruses, ...spyware: client sends info to server upon connection (Sony,

…)often from unwise downloading

– buggy/misconfigured browsers, etc., permit vandalism, theft, hijacking, ...

• attacks against server– client asks server to run a programs when using cgi-bin

server-side programming has to be careful– buggy code on server permits break-in, theft, vandalism, hijacking, …– denial of service attacks

• attacks against information in transit– eavesdropping

encryption helps– masquerading

needs authentication in both directions

client servernet

Privacy on the Web

• what does a browser send with a web request?– IP address, browser type, operating system type– referrer (URL of the page you were on)– Cookies

• Which browser am I using? • what do "they" know about you?

– whatever you tell them, implicitly or explicitly (e.g., Facebook)

– public records are really public– lots of big databases like phone books– log files everywhere– aggregators collect a lot of information for advertising– spyware, key loggers and similar tools collect for nefarious

purposes– government spying is everywhere

• who owns your information?– in the USA, they do– less so in the EU

Targeted advertising at Target

Whenever possible, Target assigns each shopper a unique code — known internally as the Guest ID number — that keeps tabs on everything they buy. “If you use a credit card or a coupon, or fill out a survey, or mail in a refund, or call the customer help line, or open an e-mail we’ve sent you or visit our Web site, we’ll record it and link it to your Guest ID … We want to know everything we can.”

Also linked to your Guest ID is demographic information like your age, whether you are married and have kids, which part of town you live in, how long it takes you to drive to the store, your estimated salary, whether you’ve moved recently, what credit cards you carry in your wallet and what Web sites you visit. Target can buy data about your ethnicity, job history, the magazines you read, if you’ve ever declared bankruptcy or got divorced, the year you bought (or lost) your house, where you went to college, what kinds of topics you talk about online, whether you prefer certain brands of coffee, paper towels, cereal or applesauce, your political leanings, reading habits, charitable giving and the number of cars you own.

Public records

•election contributions are public records•house purchases are public records•census data is confidential for 72 years

Website of the day – is this bad behavior?

An email I received a few years ago

 • From: Elizabeth Swart [mailto:swarte@nwpg.gov.za]

Sent: Monday, November 25, 2013 7:35 AMSubject: Your password will expire in 3 Days

•  • Dear e-mail owner,

 Your password will expire in 3 Days CLICK HERE to validate your e-mail. ThanksSystem Administrator 

•  • Disclaimer• "This e-mail and any files transmitted with it may contain information

which is confidential, private or privilege in nature and it is for the sole use of the recipient to whom it is addressed. If you are not the intended recipient, you must immediately notify the sender via electronic mail and further refrain from reading, disseminating, distributing, copying or using this message or any of its transmitted files. Any views of this message and its transmitted files are those of the sender unless the sender specifically states such views to be those of the North-West Provincial Government. Though this message and its transmitted files have been swept for the presence of computer viruses, the North-West Provincial Government accepts no liability whatsoever for any loss, damage or expenses resulting directly or indirectly from the use or access of this message or any of its transmitted files."

More spam

Date: Thu, 8 Oct 2015 08:03:21 -0700From: Marilyn Fagles <marilynfagles@yahoo.com>Reply-To: marilynfagles@outlook.comTo: undisclosed recipients: ;Subject: How Are You Doing???Good Morning,Can i ask you to do me a favor?Best, Lynne

Date: Thu, 26 Nov 2015 03:01:07 +0100 (CET)From: Liliane Bettencourt <khadija.hadj-salem@lcis.grenoble-inp.fr>Reply-To: Liliane Bettencourt <lilianbett@outlook.com>To: undisclosed-recipients: ;Subject: Donation

-- I, Liliane authenticate this email of 3.5M USD donation to you,please viewmy link: http://en.wikipedia.org/wiki/Liliane_Bettencourt and Email me onlilianbett@outlook.com for more info I, Liliane authenticate this emailof 3.5M USD donation to you,please view my link:http://en.wikipedia.org/wiki/Liliane_Bettencourt and Email me onlilianbett@outlook.com for more info

Even more spam

Date: Sun, 27 Sep 2015 06:07:23 -0700From: Kmart~Reward~Center <KmartRewardCenter@achenavy.win>To: david@daviddobkin.comSubject: Kmart Thank You Bonus, No. 24051150

$50 Kmart Reward~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/Kmart Member david@daviddobkin.com

This week only we are offering a $50 Reward for all Kmart shoppers. (Expires 28Sep2015)

Go here to claim your Kmart Voucher today- http://details.bonusgiftrewards.date Thanks again for shopping with us.

KmartShop Your Way===================================Shopping Bonus No. 24051150Shopper ID: KB2873212

Bad things that people do

• Spam• Worms• Viruses• Phishing• Pharming• Pagejacking and mousetrapping• Flybox• Denial of service

(some of) this morning’s spam

Spam

Date: wo, 29 jan 2003 15:42:30From: "mawelala2003@rediff.com" <mawelala@mail.com>To: dpd@CS.Princeton.EDUSubject: URGENT PARTNERSHIP

REQUEST FOR FINANCIAL TRANSACTIONI am pleased to introduce myself to you. My name is Mr.Joseph Mawelala a native of South Africa currently on course here in

the Netherlands.I am writing this letter to request your assistance in order to redeem an investment with the then South African mining

cooperation now the ministry of natural resources. The said investment, now valued at $19,750,000.00 (Nineteen million seven hundred and fifty thousand dollars) was purchased by Mr.Lucio Goran and contracted out of South African mining cooperation in 1977.The redeemable investment interest, has now fully matured since last year.

Since March last year, several attempts have been made to contact Mr Lucio without success. And there is no way to get in touch with any of his close relatives in whose favour the investment cash value can be paid.

Since we have asses to all Mr.Lucios information?s we can actually claim this money with the help of my partner in the ministry of natural resources. All we have to do is to file claims using you as Mr.Lucios relative, whom the money will be paid to without delay.

I Would like to assure you that there is absolutely nothing to worry about, because it is perfectly safe and risk free. Please ensure to keep this matter strictly confidential. My partner will file for the claims of this money on your behalf in the south African Mining cooperation. When the claim is approved, you as the beneficiary would be paid the sum of $19,750.000.00.

Due to the fact that the money can be paid into any bank account of your choice, your responsibility is to assure us that my partners and I receive 70%of the total sum. While you keep 25% for your assistance and the balance 5% would be set aside for any expenses that maybe incurred in the course of this transaction.

I would appreciate if you can give your assistance and guarantee that our share would be secured. Please for the sake of confidentiality you can reach me on my personal email(mawelala@mail.com).Let me know if this proposal is acceptable to you.

TRULY YOURS,JOSEPH MAWELALA.

What becomes of people who send messages such as this?

Worms

• Internet worms are truly autonomous virtual viruses, spreading across the net, breaking into computers, and replicating without human assistance and usually without human knowledge. http://www.livinginternet.com/i/is_vir_first.htm

The impact of a worm on a Windows machine

• A worm in action

The first worm

• The first worm. The first worm disabled most of the Internet then existing. Robert Morris, a Computer Science graduate student at Cornell University and (embarrassingly) son of the Chief Scientist at the National Computer Security Center, wrote a 99 line program in the C language designed to self-replicate and propagate itself from machine to machine across the Internet. The worm performed the trick by combining a bug in the debugging mode of the sendmail program used to control email on almost all Internet computers, a bug in the finger program, and the Unix rexec and rsh commands. On November 2, 1988, Morris released his worm, but did so from an MIT computer to disguise his origin. In his view, only one thing went wrong -- the worm started replicating at a much faster rate than he had predicted, and began crashing and disabling computers across the Internet.

• Morris sent out an anonymous message telling people how to disable the worm, but because it had brought down the Internet, the message about how to disable it couldn't get through. The worm eventually infected more than 6,000 computers across the Internet. Within a day teams of programmers at the University of California at Berkeley and Purdue University reverse engineered the worm and developed methods of stopping it. The Internet then came back to normal in a couple of days.

A more recent worm

• Stuxnet (2010)– Believed to have been developed by Israel and the USA

– Attacked sites in IranThe uranium enrichment plant at NatanzDestroyed roughly 1/5 of the centrifuges by causing

them to spin out of control

– First publicly known attack of cyber warfare

Viruses

• Internet viruses are spread like worms but have the power to corrupt functions on your machine.

http://www.livinginternet.com/i/is_vir_first.htm st.htm

The Anna Kournikova virus

• The Anna Kournikova computer virus was a computer virus authored by Dutch programmer Jan de Wit on Feb 11, 2001. It was designed to trick email users into opening a mail message purportedly containing a picture of tennis player Anna Kournikova, while actually hiding a malicious program. If set off, the program plunders the address book of the Microsoft Outlook e-mail program and attempts to send itself to all the people listed there.[1] The Kournikova virus tempts users with the message: "Hi: Check This!", with what appears to be a picture file labelled "AnnaKournikova.jpg.vbs".[1] The worm arrives in an email with the subject line "Here you have, ;0)" and an attached file called AnnaKournikova.jpg.vbs. When launched under Microsoft Windows the file does not display a picture of Anna Kournikova but launches a viral Visual Basic Script that forwards itself to everybody in the Microsoft Outlook address book of the victim.

• The virus was created using a simple and widely available Visual Basic Worm Generator program developed by an Argentinian programmer called “[K]Alamar”.[2] While similar to the ILOVEYOU virus that struck a year earlier, in 2000, the Anna Kournikova virus did not corrupt data on the infected computer.[2]

From http://en.wikipedia.org/wiki/Anna_Kournikova_(computer_virus)

Inner core of Anna Kournikova

Set OUTLOOK = CreateObject("Outlook.Application") If OUTLOOK= "Outlook"Then Set MAPI=OUTLOOK.GetNameSpace("MAPI") Set ADRLISTS= MAPI.AddressLists For Each adr In ADRLISTS If adr.AddressEntries.Count <> 0 Then adrcount = adr.AddressEntries.Count For idx= 1 To adrcount Set item = OUTLOOK.CreateItem(0) Set entry = adr.AddressEntries(idx) item.To = entry.Address item.Subject = "Here you have, ;o)" item.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & "" set attach=item.Attachments attach.Add FILESYSTEMOBJ.GetSpecialFolder(0)& "\

AnnaKournikova.jpg.vbs" item.DeleteAfterSubmit = True If item.To <> "" Then item.Send SHELL.regwrite "HKCU\software\OnTheFly\mailed", "1" End If Next End If Next end if

Warning: Don’t try this at home

• De Wit was tried in Leeuwarden and was charged with spreading data into a computer network with the intention of causing damage, a crime that carried a maximum sentence of four years in prison and a fine of 100,000 guilders (US$41,300).[4]

• The lawyers for Jan de Wit called for the dismissal of charges against him, arguing that the worm caused minimal damage. The FBI submitted evidence to the Dutch court and suggested that US$166,000 in damages was caused by the worm. De Wit admitted he created the worm using a virus creation toolkit but told the court when he posted the virus to a newsgroup he did it "without thinking and without overseeing the consequences". He denied any intent to cause damage. De Wit has been sentenced to 150 hours community service or 75 days in jail.[4]

How do viruses spread

• Watching a virus spread (circa 2001)• Famous viruses

• A more recent virus attack

Phishing

• A phishing attack is an attempt to get your credit card or other personal information.

• Phishing attacks are often done by using a fake website that mimics a valid site.

A phishing attack

Date: Mon, 6 Nov 2006 09:23:09 -0500From: Sears Card <accounts@searscard.com>Subject: Sears Card Account Payment Notification

Sears Card Account Payment NotificationA payment posted to your Sears Card account on or before 30 October 2006. IP address: 86.102.33.19

Because the Lookup Country for this IP address, we decided to restrict your Sears Card account features in order to protect our entire payment system form future fraudulent transactions. To report unauthorized use of your account, to change your password, to check available credit, or for more information about your account, go to:

http://ns2.fastpace.com.hk/usage/.www.sears.com/us/cards/update.php?CARD=update

This message is for information purposes only.

Please understand that we cannot respond to individual messages through this email address. It is not secure and should not be used for credit card account related questions.

For questions about your credit card, please Contact Us:

http://ns2.fastpace.com.hk/usage/.www.sears.com/us/cards/update.php?CARD=update

After you have submitted your information, check for a response within 4-four business days. Just return to the Write to Customer Care section and select the View/Update Messages link.

From the web…

If you search for IP address: 86.102.33.19

• You get to http://www.millersmiles.co.uk/report/3724

• How not to get phish'ed

Pharming

• Pharming (pronounced “farming”) is another form of online fraud, very similar to its cousin phishing. Pharmers rely upon the same bogus Web sites and theft of confidential information to perpetrate online scams, but are more difficult to detect in many ways because they are not reliant upon the victim accepting a “bait” message. Instead of relying completely on users clicking on an enticing link in fake email messages, pharming instead re-directs victims to the bogus Web site even if they type the right Web address of their bank or other online service into their Web browser.

Pharmers re-direct their victims using one of several ploys. The first method – the one that earned pharming its name – is actually an old attack called DNS cache poisoning. DNS cache poisoning is an attack on the Internet naming system that allows users to enter in meaningful names for Web sites (www.mybank.com) rather than a difficult to remember series of numbers (192.168.1.1). The naming system relies upon DNS servers to handle the conversion of the letter-based Web site names, which are easily recalled by people, into the machine-understandable digits that whisk users to the Web site of their choice. When a pharmer mounts a successful DNS cache poisoning attack, they are effectively changing the rules of how traffic flows for an entire section of the Internet! The potential widespread impact of pharmers routing a vast number of unsuspecting victims to a series of bogus, hostile Web sites is how these fraudsters earned their namesake.

• Phishers drop a couple lines in the water and wait to see who will take the bait. Pharmers are more like cybercriminals harvesting the Internet at a scale larger than anything seen before.

http://us.norton.com/cybercrime/pharming.jsp

Pharming example

One of the first known pharming attacks was conducted in early 2005. Instead of taking advantage of a software flaw, the attacker appears to have duped the personnel at an Internet Service Provider into entering the transfer of location from one place to another. Once the original address was moved to the new address, the attacker had effectively “hijacked” the Web site and made the genuine site impossible to reach, embarrassing the victim company and impacting its business. A pharming attack that took place weeks after this incident had more ominous consequences. Using a software flaw as their foothold, pharmers swapped out hundreds of legitimate domain names for those of hostile, bogus Web sites. There were three waves of attacks, two of which attempted to load spyware and adware onto victim machines and the third that appeared to be an attempt to drive users to a Web site selling pills that are often sold through spam email.

http://us.norton.com/cybercrime/pharming.jsp

Other forms of bad behavior

• mousetrapping • A practice employed by some Web sites in which the back and

exit buttons of a visitor's Web browser are disabled and attempts to leave the site are redirected to other pages on the site or to other sites against the visitor's will. Mousetrapping is most often associated with adult-oriented Web sites.

• page-jacking • A deceptive practice that detours Web visitors from legitimate

sites generated as search engine results to copycat Web pages, from which they will be redirected to pornographic or other unwanted sites. Page-jacking is accomplished by copying the contents and metatags of a Web page, altering its title and content so that, on search results, it displays before the original, and then submitting the copied page to search engines. When clicking on the link to the copied site, the visitor will instead be redirected to an unwanted and unrelated site. This can happen in larger arenas as well.

http://docs.law.gwu.edu/facweb/claw/mousetrap1.htm• Rerouting• Border gateway protocol (BGP) is the glue that holds the

internet together. If bad information is in routing tables, bad things can happen. E.g. routing through China or Belarus and more detail

Mousetrapping code

<html><head><title>A Web annoyances</title><body>This would be annoying if instead of presenting a lovely picture, (<a href="javascript:void(0)" onMouseOver="m = window.open('Eisgruber.jpg','PopUp2','width=200,height=300,menubar=no');return true;" onMouseOut=" m.window.close(); return true;" >a porno photo came up </a>).<br><P></body></html>

Other annoyances

• Flybox

Setting the Javascript code

var URL = []; var x = []; var y = []; var dx = [];var dy = []; var win = []; var NUM = 7;

URL[1] = "Carson.jpg“ URL[2] = "Christie.jpg“ URL[3] = "Clinton.jpg"URL[4] = "Obama.jpg“ URL[5] = "Rubio.jpg“ URL[6] = "Sanders.jpg"URL[7] = "Trump.jpg“ var w=300, h=300;

for (i = 1 ; i <= NUM ; i++ ) { x[i] = (i-1)*w/NUM; y[i] = (i-1)*h/NUM; dx[i] = 3*i; dy[i] = 3*i; } var interval = 8;

for (i = 1 ; i <= NUM ; i++ ) { win[i] = window.open(URL[i], "", "width=" + w + ",height=" + h);win[i].moveTo(x[i],y[i]); }

var intervalID = window.setInterval("bounce()", interval);

Bounce function

function bounce() { for (i = 1 ; i <= NUM ; i++ ) { if ((x[i]+dx[i] > (screen.availWidth - w)) || (x[i]+dx[i] < 0)) dx[i] = -dx[i]; if ((y[i]+dy[i] > (screen.availHeight - h)) || (y[i]+dy[i] < 0)) dy[i] = -dy[i]; x[i] += dx[i]; y[i] += dy[i]; win[i].moveTo(x[i],y[i]); }}

Something to turn it off

<form><input TYPE=button VALUE="Stop those DARN boxes!" onClick="clearInterval(intervalID); win.close();"></form>

Denial of Service attacks

• How do they come about?

Botnets and their actions

• Build a network of computers (botnet)– bot’s are computers that were not well secured– botnet takes control of bots and turns them into zombies– botnets can involve hundreds of thousands of zombies

• bots spend their time – Finding other machines to convert to zombies– Sending spam– Sending viruses– Sending spyware– Doing other bad things

Uses of botnets

• DoS (Denial of service attacks)– Attack a given site with a large flow of traffic– Possibly extort money from the Web site owner in exchanging for

stepping back (ransomware)

• Clickfraud– Use a botnet to boost advertising revenue by automatically clicking

on ads

Workarounds

• Secure email• “Last year I was being held in a foreign Country

(Tonga). Their government, through the efforts of a local businessman and his computer wise son, were tapping into my hotmail. They were reading all of my Hotmail, communications between my USA attorney and myself.

• They always seemed to be ahead of our game. We could not understand how they knew so much about what we were doing. Since my actual freedom was in question a friend told me about your mail system. We all downloaded and started using it. The intrusions stopped the first time running.

• I was able to use the legal system to get my passport back and the ability to return to the USA. My business was lost and so was my money, but I am fine and not being detained in that corrupt country any longer and have started to rebuild.

• Thank you for this service and I hope that it continues to grow.”

• AnonymousFrom http://www.hushmail.com/about/testimonials/

Further workarounds

• Tor for Onion routing – encrypting through multiple layers– Testimonial– Protecting online privacy

• Telegram for secure messaging

• Wickr – the most trusted messenger in the world

• Open Whisper systems for free worldwide encrypted phone calls

The other side of the coin

• Censorship in China• Censorship in Saudi Arabia • Tor stinks