CSCI-235 Micro-Computer in Science Privacy & Security

Page 1: CSCI-235 Micro-Computer in Science Privacy & Security

CSCI-235
Micro-Computer in Science

Privacy & Security

Page 2: CSCI-235 Micro-Computer in Science Privacy & Security

© Prentice-Hall, Inc

Privacy in Cyberspace

Privacy refers to an individual’s ability to restrict the collection, use, and sale of confidential personal information

The Internet is eroding privacy through the selling of information collected through Web sites

Few laws regulate selling personal information

Page 3: CSCI-235 Micro-Computer in Science Privacy & Security

Cookies

Cookies are small files that are written to an individual’s hard drive whenever a Web site is visited

Legitimate purposes of cookies include recording information for future use. Example: retail sites using “shopping carts”

Questionable practices include banner ad companies tracking a user’s browsing actions and placing banner ads on Web sites based on those actions

Page 4: CSCI-235 Micro-Computer in Science Privacy & Security

Cookies

A small text file stored on your hard drive

File is sent back to the server each time you visit that site

Stores preferences, allowing Web site to be customized

Stores passwords, allowing you to visit multiple pages within the site without logging in to each one

Tracks surfing habits, targeting you for specific types of advertisements

Page 5: CSCI-235 Micro-Computer in Science Privacy & Security

Example of Cookies

Page 6: CSCI-235 Micro-Computer in Science Privacy & Security

Security

Hacker – someone who attempts to gain access to computer systems illegally

Originally referred to as someone with a high degree of computer expertise

Page 7: CSCI-235 Micro-Computer in Science Privacy & Security

Definition of a Hacker

Hacker, noun (see Raymond, 1991)

A person who enjoys learning the details of computer systems and how to stretch their capabilities – as opposed to most users of computers, who prefer to learn only the minimum amount necessary

One who programs enthusiastically or who enjoys programming rather than just theorizing about programming

Page 8: CSCI-235 Micro-Computer in Science Privacy & Security

Definition of a Hacker

Person who
  is an expert or enthusiast of any kind
  enjoys the intellectual challenge of creatively overcoming or circumventing limitations

Used as a compliment

Page 9: CSCI-235 Micro-Computer in Science Privacy & Security

First Network Hack (Telephone)

John Draper (AKA Cap’n Crunch)

1970’s: Free long distance calls using a whistle found in a cereal box

Whistle emits the same frequency (2600 Hz) that AT&T long lines used to indicate a line was ready to route a new call

Page 10: CSCI-235 Micro-Computer in Science Privacy & Security

First Network Hack (Telephone)

Flaw:
  AT&T took cost cutting measures
  The signaling and voice used the same circuit
  This flaw made the system vulnerable to anybody that can generate 2600 Hz

Solution:
  Now signaling takes place on a separate path from the one you talk on

Page 11: CSCI-235 Micro-Computer in Science Privacy & Security

Computer Viruses

Computer viruses are malicious programs that infect a computer system causing various problems with its use

Viruses replicate and attach themselves to programs in the system

There are more than 20,000 different computer viruses with the number growing daily

Page 12: CSCI-235 Micro-Computer in Science Privacy & Security

How Virus Infections Spread

Virus infections spread by:
  Inserting a disk with an infected program and then starting the program
  Downloading an infected program from the Internet
  Being on a network with an infected computer
  Opening an infected e-mail attachment

Page 13: CSCI-235 Micro-Computer in Science Privacy & Security

Virus Myths

You cannot get infected by simply being online
  If you download and execute an infected file, you can get infected

Although most e-mail viruses (e.g., the Melissa virus) are in attachments that must be opened, it is possible to get infected by viewing an e-mail

Page 14: CSCI-235 Micro-Computer in Science Privacy & Security

Types of Viruses

File Infectors
  Attach themselves to program files
  Spread to other programs on the hard drive
  Are the most common type of virus

Boot Sector Viruses
  Attach themselves to the boot sector of a hard drive
  Execute each time the computer is started
  May lead to the destruction of all data

Page 15: CSCI-235 Micro-Computer in Science Privacy & Security

More Rogue Programs

Time Bombs
  Also called logic bombs
  Harmless until a certain event or circumstance activates the program

Worms
  Resemble a virus
  Spread from one computer to another
  Control infected computers
  Attack other networked computers

Trojan Horses
  Disguise themselves as useful programs
  Contain hidden instructions
  May erase data or cause other damage

Page 16: CSCI-235 Micro-Computer in Science Privacy & Security

Identity Theft

Identity theft is one of the fastest growing crimes in the United States and Canada

Identity theft occurs when enough information about an individual is obtained to open a credit card account in their name and charge items to that account

Examples of information needed are name, address, social security number, and other personal information

Laws limit liability to $50 for each fraudulent charge

An individual’s credit report is affected by identity theft

Page 17: CSCI-235 Micro-Computer in Science Privacy & Security

Using Firewalls

Firewalls are programs that are designed to prohibit outside sources from accessing the computer system

A personal firewall is designed to protect home computers from unauthorized access while being connected to the Internet

Page 18: CSCI-235 Micro-Computer in Science Privacy & Security

Using Antivirus Programs

They use pattern-matching techniques to examine program files for patterns of virus code

Two drawbacks:
  They cannot find viruses not in their database
  They cannot find new viruses that alter themselves to evade detection

Use antivirus programs that offer frequent updates and monitor system functions

Check disks that were used on another system for viruses

Page 19: CSCI-235 Micro-Computer in Science Privacy & Security

Backing Up Data

Back up programs and data regularly

Store backups away from the computer system

Types of backups:
  Full backups – Back up everything stored on the computer once a month
  Incremental backups – Daily or weekly backup of only those files that have changed since the last backup

Page 20: CSCI-235 Micro-Computer in Science Privacy & Security

The Encryption Debate

Encryption is the coding and scrambling process by which a message is made unreadable except by the intended recipient

Encryption is needed for electronic commerce

Page 22: CSCI-235 Micro-Computer in Science Privacy & Security

Simplified Data Communications Model

Page 23: CSCI-235 Micro-Computer in Science Privacy & Security

Encryption Basics

A readable message is called plaintext

An encryption algorithm is a formula used to make plaintext unreadable

The coded message is called ciphertext

I LOVE YOU

V YBIR LBH

Page 24: CSCI-235 Micro-Computer in Science Privacy & Security

Encryption Basics

Symmetric key encryption refers to encryption techniques that use the same key to encrypt and decrypt a message

Strong encryption refers to encryption methods that are used by banks and military agencies and are nearly impossible to break

Page 25: CSCI-235 Micro-Computer in Science Privacy & Security

Symmetric Encryption

or conventional / private-key / single-key

sender and recipient share a common key

all classical encryption algorithms are private-key

was only type prior to invention of public-key in 1970’s

Page 26: CSCI-235 Micro-Computer in Science Privacy & Security

Basic Terminology

plaintext - the original message

ciphertext - the coded message

cipher - algorithm for transforming plaintext to ciphertext

key - info used in cipher known only to sender/receiver

encipher (encrypt) - converting plaintext to ciphertext

decipher (decrypt) - recovering plaintext from ciphertext

cryptography - study of encryption principles/methods

cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing key

cryptology - the field of both cryptography and cryptanalysis

Page 27: CSCI-235 Micro-Computer in Science Privacy & Security

Symmetric Cipher Model

Page 28: CSCI-235 Micro-Computer in Science Privacy & Security

Requirements

two requirements for secure use of symmetric encryption:
  a strong encryption algorithm
  a secret key known only to sender / receiver

$Y = E_K(X)$

$X = D_K(Y)$

assume encryption algorithm is known

implies a secure channel to distribute key

Page 29: CSCI-235 Micro-Computer in Science Privacy & Security

Classical Substitution Ciphers

where letters of plaintext are replaced by other letters or by numbers or symbols

Page 30: CSCI-235 Micro-Computer in Science Privacy & Security

Caesar Cipher

earliest known substitution cipher

by Julius Caesar

first attested use in military affairs

replaces each letter by the k-th letter on

Example (what is k?):

meet me after the toga party

PHHW PH DIWHU WKH WRJD SDUWB

Page 31: CSCI-235 Micro-Computer in Science Privacy & Security

Caesar Cipher

can define transformation (with k = 3) as:

a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

mathematically give each letter a number

a b c d e f g h i j  k  l  m
0 1 2 3 4 5 6 7 8 9 10 11 12
n  o  p  q  r  s  t  u  v  w  x  y  z
13 14 15 16 17 18 19 20 21 22 23 24 25

then have Caesar cipher as:

$Y = E_K(X) = (X + k) \bmod 26$

$X = D_K(Y) = (Y - k) \bmod 26$

EXAMPLE: Encrypt “howdy” using key k = 5

Page 32: CSCI-235 Micro-Computer in Science Privacy & Security

Cryptanalysis of Caesar Cipher

only have 26 possible ciphers
  A maps to A,B,..Z

could simply try each in turn

a brute force search

given ciphertext, just try all shifts of letters

Page 33: CSCI-235 Micro-Computer in Science Privacy & Security

Page 34: CSCI-235 Micro-Computer in Science Privacy & Security

Private-Key Cryptography

traditional private/secret/single key cryptography uses one key

shared by both sender and receiver

if this key is disclosed communications are compromised

also is symmetric, parties are equal

Page 35: CSCI-235 Micro-Computer in Science Privacy & Security

Public-Key Cryptography

probably most significant advance in the 3000 year history of cryptography

uses two keys – a public & a private key

asymmetric since parties are not equal

uses clever application of number theoretic concepts to function

complements rather than replaces private key cryptography

Page 36: CSCI-235 Micro-Computer in Science Privacy & Security

Public-Key Cryptography

public-key/two-key/asymmetric cryptography involves the use of two keys:
  a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
  a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

is asymmetric because
  those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Page 37: CSCI-235 Micro-Computer in Science Privacy & Security

Public-Key Cryptography

Page 38: CSCI-235 Micro-Computer in Science Privacy & Security

Public-Key Characteristics

Public-Key algorithms rely on two keys with the characteristics that it is:
  computationally infeasible to find decryption key knowing only algorithm & encryption key
  computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known

Page 39: CSCI-235 Micro-Computer in Science Privacy & Security

Digital Signatures and Certificates

Digital signatures are a technique used to guarantee that a message has not been tampered with

Digital certificates are a technique used to validate one’s identity
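
The two-key roles from the Public-Key Cryptography slides and the tamper check from the digital signatures slide, as an added Python example that is not part of the original slides. It uses textbook RSA as one concrete public-key scheme (the slides do not name an algorithm); the primes, function names and messages are assumptions of this example, and the key is far too small and unpadded for real use.

```python
import hashlib

# Two well-known Mersenne primes, chosen only to keep the demo short.
P = 2**31 - 1
Q = 2**61 - 1


def make_keypair(p=P, q=Q, e=65537):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, public):
    """Anyone holding the public key can encrypt an integer m < n."""
    n, e = public
    return pow(m, e, n)


def decrypt(c, private):
    """Only the holder of the private key can recover m."""
    n, d = private
    return pow(c, d, n)


def digest(message, n):
    """Hash the message bytes and reduce the hash into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    """Create a signature: the message hash raised to the private exponent."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(message, signature, public):
    """Check a signature with the public key; False if the message was altered."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    public, private = make_keypair()
    m = int.from_bytes(b"howdy", "big")          # constructed sample message
    c = encrypt(m, public)
    print(decrypt(c, private).to_bytes(5, "big"))
    sig = sign(b"pay alice 10", private)         # constructed sample message
    print(verify(b"pay alice 10", sig, public))    # unchanged message
    print(verify(b"pay alice 1000", sig, public))  # tampered message
```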