CIS-420Personal Computer SecurityPersonal Computer Security

Email Security

Web Securityy

• What dangers are there on the Web?• Why you should not download software from

most Web sitesWhat software is okay to download?• What software is okay to download?

• Trusting a 'secure' e-commerce Web site for Procurement card transactionsProcurement card transactions

• Visual clues for secure HTTP, and checking a certificate

• It’s secure – so what?

2

Dangers on the Webg

• The Golden Rule of Browsing:Free stuff on the Internet is like candy from a stranger

Web sites that request information about you• Web sites that request information about you.• Web sites that run code against your PC

while you browsewhile you browse.• Web sites that upload malicious code to your

PC, either by stealth or by having you y y g ydownload seemingly harmless programs.

3

Downloading Softwareg

• The downloading of software is a hacker’s d li htdelight.

• Seemingly harmless games, utilities, and other ‘fun stuff’ can work behind the scenes toother fun stuff can work behind the scenes to• Send the hacker your passwords• Send the hacker your banking information

S d th h k dit d i f ti• Send the hacker your credit card information

• Identity theft is booming – thanks to the Internet.te et

• It’s not just bugs and viruses anymore.

4

Legitimate Downloadingg g

• Well known software vendors offer upgrades d f t i l ftand free trial software

• Microsoft• McAfee• Symantec

• Ask yourself, “Would I buy a used car from this Web site?”this Web site?• If you have never heard of the company, be wary• Err on the side of caution

5

Validating a Site’s Securityg y

• Look for the “Secure Sockets Layer” label• Regular URL’s (Web addresses) start with the

characters, http://Secure URL’s start with https://

6

• Secure URL’s start with https://

6

Validating a Site’s Securityg y

• Click on the lock to validate the credentials.

7

Validating a Site’s Securityg y

• Click on the padlock, then View Certificate

8

Validating a Site’s Securityg y

• You can confirm the owner, issuer, and valid dates of the certificate

9

It’s Secure, so what?,

• Just because a Web site is secure does not guarantee that your credit card information is safe.

• Legitimate companies have been hacked into and credit card numbers stolen.Ch k t t t• Check your statements:• Report problems immediately.• You can only be held accountable for $50 if the• You can only be held accountable for $50 if the

card number is stolen, and that is usually waived.

10

Computing from Homep g

• Use a firewall• Use Anti-virus, Anti-spyware applications• Disable or restrict file sharing with ACL’sg

11

Cookies

• A cookie is a file created by an Internet site to storeA cookie is a file created by an Internet site to store information on your computer

12

Cookies

• Computer files that contains user-specific i f tiinformation

• Need for cookies is based on Hypertext Transfer Protocol (HTTP)Transfer Protocol (HTTP)

• Instead of the Web server asking the user for this information each time they visits that site, y ,the Web server stores that information in a file on the local computerAtt k ft t t ki b th• Attackers often target cookies because they can contain sensitive information (usernames and other private information)

13

and other private information)

Cookies (continued)( )

Can be sed to determine hich Web sites• Can be used to determine which Web sites you view

• First party cookie is created from the Web• First-party cookie is created from the Web site you are currently viewing

• Some Web sites attempt to access cookies• Some Web sites attempt to access cookies they did not create• If you went to wwwborg, that site might attempt toIf you went to wwwborg, that site might attempt to

get the cookie A-ORG from your hard drive• Now known as a third-party cookie because it was

t t d b W b it th t tt t t14

not created by Web site that attempts to access the cookie

Java and ActiveX

JavaGeneral programming languageWeb pages may contain Java code

d b i l hiJava executed by Java Virtual Machine

ActiveXCompiled binaries executed by client OSCompiled binaries executed by client OSControls can be downloaded and installed

15

JavaScriptp

• Popular technology used to make dynamic content

• When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user’s computeruser s computer

• The Web browser then executes that code within the browser using the Virtual Machinewithin the browser using the Virtual Machine (VM)―a Java interpreter

16

JavaScript (continued)p ( )

S l d f h i t• Several defense mechanisms prevent JavaScript programs from causing serious harm:harm:• JavaScript does not support certain capabilities• JavaScript has no networking capabilities

• Other security concerns remain:• JavaScript programs can capture and send user

information without the user’s knowledge orinformation without the user s knowledge or authorization

• JavaScript security is handled by restrictions within the Web browser

17

within the Web browser

JavaScript (continued)p ( )

18

Java Appletpp

• A separate program stored on a Web server and downloaded onto a user’s computer along with HTML code

• Can also be made into hostile programs• Sandbox is a defense against a hostile Java

l tapplet • Surrounds program and keeps it away from

private data and other resources on a localprivate data and other resources on a local computer

• Java applet programs should run within a

19

pp p gsandbox

Java Applet (continued)pp ( )

20

Java Applet (continued)pp ( )

• Two types of Java applets:• Two types of Java applets:• Unsigned Java applet: program that does not

come from a trusted source • Signed Java applet: has a digital signature proving

the program is from a trusted source and has not been alteredbeen altered

• The primary defense against Java applets is using the appropriate settings of the Webusing the appropriate settings of the Web browser

21

Java Applet (continued)pp ( )

22

ActiveX

• Set of technologies developed by Microsoft• Outgrowth of two other Microsoft

technologies:• Object Linking and Embedding (OLE) • Component Object Model (COM)

N i l b f• Not a programming language but a set of rules for how applications should share informationinformation

23

ActiveX (continued)( )

• ActiveX controls represent a specific way of• ActiveX controls represent a specific way of implementing ActiveX • Can perform many of the same functions of a JavaCan perform many of the same functions of a Java

applet, but do not run in a sandbox• Have full access to Windows operating system

• ActiveX controls are managed through Internet Explorer

• ActiveX controls should be set to most restricted levels

24

ActiveX (continued)( )

25

Common Gateway Interface (CGI)y ( )

• Set of rules that describes how a Web server communicates with other software on the server and vice versa

• Commonly used to allow a Web server to display information from a database on a Web page or for a user to enter informationWeb page or for a user to enter information through a Web form that is deposited in a databasedatabase

26

Common Gateway Interface (CGI)(continued)(continued)

• CGI scripts create security risks• Do not filter user input properly• Can issue commands via Web URLs

• CGI security can be enhanced by:• Properly configuring CGI

Di bli CGI i t• Disabling unnecessary CGI scripts or programs • Checking program code that uses CGI for any

vulnerabilitiesvulnerabilities

27

8.3 Naming Conventionsg

• Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e g Filename doc)(e.g., Filename.doc)

• Called the 8.3 naming conventionR t i f Wi d ll fil• Recent versions of Windows allow filenames to contain up to 256 charactersTo maintain back ard compatibilit ith DOS• To maintain backward compatibility with DOS, Windows automatically creates an 8.3 “alias” filename for every long filename

28

filename for every long filename

8.3 Naming Conventions (continued)(continued)

• The 8.3 naming convention introduces a security vulnerability with some Web servers• Microsoft Internet Information Server 40 and other• Microsoft Internet Information Server 40 and other

Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filenamerequested directory uses a long filename

• Solution is to disable creation of the 8.3 alias by making a change in the Windows registry y g g g ydatabase• In doing so, older programs that do not recognize

long filenames are not able to access the files or29

long filenames are not able to access the files or subdirectories

Securing Web Communicationsg

• Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol

• One implementation is the Hypertext Transport Protocol over Secure Sockets LayerLayer

30

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)Transport Layer Security (TLS)

• SSL protocol developed by Netscape to securely transmit documents over the Internet• Uses private key to encrypt data transferred

th SSL tiover the SSL connection• Version 20 is most widely supported version• Personal Communications Technology (PCT)• Personal Communications Technology (PCT),

developed by Microsoft, is similar to SSL

31

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) p y y ( )

(continued)• TLS protocol guarantees privacy and data• TLS protocol guarantees privacy and data

integrity between applications communicating over the Internetover the Internet• An extension of SSL; they are often referred to as

SSL/TLS• SSL/TLS protocol is made up of two layers

32

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) p y y ( )

(continued)• TLS Handshake Protocol allows

authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data iscryptographic keys before any data is transmitted

• FORTEZZA is a US government security• FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architectureMessaging System security architecture• Has cryptographic mechanism that provides

message confidentiality, integrity, authentication,

33

and access control to messages, components, and even systems

Secure Hypertext Transport Protocol (HTTPS)Protocol (HTTPS)

• One common use of SSL is to secure Web HTTP i ti b t b dHTTP communication between a browser and a Web server• This version is “plain” HTTP sent over SSL/TLSThis version is plain HTTP sent over SSL/TLS

and named Hypertext Transport Protocol over SSL

34

Secure Hypertext Transport Protocol (HTTPS)Protocol (HTTPS)

• Sometimes designated HTTPS, which is the t i t th HTTP t l th t textension to the HTTP protocol that supports

it• Whereas SSL/TLS creates a secure• Whereas SSL/TLS creates a secure

connection between a client and a server over which any amount of data can be sent security, HTTPS is designed to transmit individual messages securely

35

Securing Instant Messagingg g g

• Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account

• Instant messaging (IM) is a complement to e-mail that overcomes these

All d t t h t th t th• Allows sender to enter short messages that the recipient sees and can respond to immediately

36

Securing Instant Messaging (continued)(continued)

• Some tasks that you can perform with IM:• Chat• Images• Sounds• Files• Talk• Talk• Streaming content

37

Securing Instant Messaging (continued)(continued)

• Steps to secure IM include:• Keep the IM server within the organization’s

firewall and only permit users to send and receive messages with trusted internal workersmessages with trusted internal workers

• Enable IM virus scanning• Block all IM file transfers• Encrypt messages

38

Security Settingsy g

39

Installing Controlsg

• If you install and run, no further control over the code.

40

Password Phishingg

• User cannot reliably identify fake sites• Captured password can be used at target sitep p g

Password

Password

Fake Site

41