Computer Security: The Dark Side of ICT
IWKS 2300, Fall 2019
John Bennett

Why Should You Care about Computer Security?

• Cybercrime costs the global economy around $1.5 trillion a year, more than the illegal drug trade (estimated at ~$500B)
• 1 in 10 URLs is malicious
• Election-related cybercrime is prevalent worldwide
• ~800 million adult victims globally in 2018
• ~500 million identities exposed in 2018
• Almost three quarters of online adults have been a victim of cybercrime in their lifetime (the figure is 80% for men aged 18 to 31 who access the Internet from their mobile phone)
• More than 400 million unique variations of malware
• Three times more adults worldwide have suffered from online crime than from offline crime
• Millennials are the most vulnerable to online crime (~50% have been cybercrime victims; yet ~30% still share passwords)
• 63% would rather go on a bad date than have to deal with customer service after a security breach

Source: Symantec Cybercrime Report 2019

The Dark Side of ICT

• Some Risks: Malware, Identity Theft
• Some Underlying Technologies: Encryption, Authentication
• Some Practical Advice for CU Students

Malware: Barbarians at the Gates

Types of Malware
• Adware: programs that gather information about you (e.g., browser usage via a "tracking cookie") and relay it back to another computer, usually to target advertising; often bundled with free software and installed without clear consent.
• Dialers: programs that silently access pay-per-minute sites or numbers without your knowledge, typically to run up charges.
• Hack Tools: programs used to gain unauthorized access to your computer, e.g., a keystroke logger that records individual keystrokes and sends them to someone else.
• Hoax: an email chain letter; no file attachment and no third-party validation of its claims.
• Jokes: programs that change or interrupt the normal behaviour of your computer as a distraction or nuisance; harmless by themselves.
• Remote Access: programs that let another computer control, attack or alter yours; usually installed after some other attack has already succeeded.
• Spyware: stand-alone programs that secretly monitor system activity, capture passwords or other confidential information and transmit it to another computer; often bundled in shareware, freeware, email and instant messages.
• Trojan Horse: a program that poses as something useful but causes damage or compromises the security of the computer; it neither replicates nor copies itself and does not email itself.
• Ransomware: a program that locks the computer or encrypts its files and demands money to unlock them; paying does not guarantee that you get your data back and funds the next attack, so offline backups are the real defence.
• Virus: a program that replicates by inserting or attaching itself to another program, boot sector, partition sector or document; most viruses only replicate, but some also do a large amount of damage.
• Worm: a program that copies itself from one computer or disk drive to another without needing a host program; a worm may do damage and compromise the security of the computer, and its replication traffic alone can amount to a denial-of-service attack.
• Formjacking: malicious JavaScript injected into the checkout pages of e-commerce sites to steal credit card details and other information typed into payment forms.
• Cryptojacking: unauthorised cryptocurrency-mining code run on victims' devices (or in their browsers) so that the attacker collects the coins while the victim pays for the electricity.
• Election Interference: using various kinds of malware (and the data they steal) to influence the outcome of an election.

Identity Theft and Fraud

How hard is it to steal an identity?

• What information do you need?
• Is it easier to steal or create an identity?
• Who are the most vulnerable to identity theft?

(Some) Ways to Steal an Identity
• Garbology (dumpster diving)
• Postal mail theft / false change of address
• Digital copy machines (their hard drives retain images of what was copied)
• Electronic theft of credit card data
• Phishing (phone and email)
• Purchase of "novelty" fake driver's licenses and other ID cards
• "Old-fashioned" theft
  • by insiders (employees of companies that hold such data)
  • by others
• Credit reports obtained under false pretenses

• US odds: about 1 in 100 in your lifetime; about 1 in 10,000 this year
• Identity theft is twice as likely in English-speaking countries (although non-English-language crime is increasing)

Types of Identity Fraud in the US
• Credit card: opened a new line of credit; charged to an existing card; otherwise abused credit
• Utilities
• Bank account
• SSN
• Driver's license, tax return or other government ID
• Employment
• Loan
• Other

US Data (2013 / 2018): The Top 15 in the US; The Bottom 10 in the US (chart slides; the figures are not recoverable from the text)

What is at Risk? From Where?
Your personal/business information, no matter where it is stored, is at risk from anywhere in the world!

Where is your information?
• Social networking sites
• Location-based social networking sites (Foursquare, Loopt, GyPSii, Citysense, Plazes, etc.)
• Search engines (look yourself up)
• Resume websites (Monster, Indeed, CareerBuilder, etc.)
• Official websites, medical systems, school systems
• Association, professional and hobby websites (LinkedIn, Ancestry.com, etc.)
• Cell phones, PDAs, smartphones (GPS coordinates are embedded in the EXIF metadata of every photo you take unless location tagging is turned off)
• Email (official and personal) and email servers
• Cars (what's in your glove box?)
• Homes and businesses (where is your personal/business information, electronic and hard copy, located?)
• Real mailboxes
• Your garbage

Cybersecurity Risk – Mobile Devices
Mobile devices can be compromised; malware can switch on the microphone and record conversations even when the phone appears idle or switched off, not only during a call you are making.

There are thousands of pieces of malicious Android software. Android is currently the most targeted mobile platform, and most of this malware is distributed through third-party Android markets rather than the official store.

Facebook
Researchers were able to accurately infer Facebook users' ethnicity, IQ, sexual preference, substance use, personal wealth and political views using only a record of the subjects and items they had "liked" on Facebook, even when users had chosen not to reveal that information.
http://www.guardian.co.uk/technology/2013/mar/11/facebook-users-reveal-intimate-secrets

Remote Administration Attacks
• A RAT (Remote Administration Tool) is software that lets an administrator or vendor take control of a computer over the network, e.g., for support and diagnostics; the same acronym is used for the malicious variant, the Remote Access Trojan.
• "RATers" co-opt this software to (among other things) turn on the camera of your computer without your knowledge.
• College-aged women's systems are preferentially targeted for this kind of attack.

Things the RAT tool DarkComet can do

• Control your computer remotely
• Execute various types of scripts on your system
• Modify/view/steal your files
• Put files of its own on your system
• Listen to your microphone
• Log your keystrokes
• Scan your network
• View your network shares
• Steal your contacts / add new contacts
• Steal from your clipboard (things you've copied)
• Control your printer
• Lock/restart/shut down your computer
• Watch your webcam
• Use your computer to attack others

Some Underlying Technologies
• Encryption (protecting secrets)
• Authentication (proving I am who I say I am)

Encryption
• Based on the science of cryptography
• Symmetric-key encryption
  • a secret key that each of the two computers must know
  • for example, the key is "shift the alphabet by 2 letters": "Attack Now" becomes "Cvvcem Pqy"
• Public-key encryption
  • uses a pair of keys, a private key and a public key
  • the private key is known only to your computer; the public key is given by your computer to any computer that wants to communicate securely with it

Single-Key Systems (from Caesar until 1975)
• Sender and receiver agree on a key
• Apply the key to the message (by means of an invertible function, the cipher, parameterised by the key) to produce "ciphertext":  {M}K = C
• Apply the key to the ciphertext and you get the message back:  {C}K = {{M}K}K = M

Public Key Cryptosystems
• Everyone has two keys, public (literally!) and secret
• These keys are inverses of each other:  {{M}P}S = M = {{M}S}P
• Knowing the public key doesn't help you guess the secret key
• To send you a message, I simply encrypt it using your public key:  {M}P(you) = C
• Only you can decrypt it, because only you know the inverse, your secret key S(you):  {C}S(you) = {{M}P(you)}S(you) = M

Digital Signatures
• To send you a message that can only have come from me, I encrypt it first with my secret key, and then with your public key:  {{M}S(me)}P(you) = C
• To decrypt, you first apply your secret key (which only you can do):  {C}S(you) = {{{M}S(me)}P(you)}S(you) = {M}S(me)
• Then you apply my public key:  {{M}S(me)}P(me) = M
• Caveat: this is "textbook" RSA. Real signature schemes sign a padded hash of M (e.g., RSA-PSS) rather than M itself, because raw RSA signatures can be combined into forgeries and a raw signature is as long as the message.

More on Signatures
• If you save a copy of {M}S(me), then you can send it to someone else as proof to them that I said what you claim I did; no one but the holder of my secret key could have created that value.
• You can further encrypt it for secrecy on the wire, just as I did when I sent it to you:  {{M}S(me)}P(third party)

How Do We Pick the Keys? [RSA] (Ronald L. Rivest, Adi Shamir and Leonard M. Adleman, 1977)
• Your secret key is derived from a pair of big prime numbers p and q (in practice it is the private exponent d computed from them)**
• Your public key is the even bigger composite number N = p·q that is the product of these primes, together with a public exponent e**

**The actual encryption/decryption functions are somewhat more complex: they are exponentiation modulo N, and their correctness rests on number theory derived from Euler's theorem (a generalization of Fermat's little theorem).

Security of RSA
Everything depends upon our belief that it's really hard to factor products of large prime numbers**.
• This belief is based upon years of work in number theory and in the theory of computation.
• If you could find the prime factors of the public key, you could compute the secret key and break the cipher.

**The security of RSA also depends upon the difficulty of finding e-th roots modulo a composite number N whose factors are not known (the "RSA problem"), which has not been proven equivalent to factoring.

Security of RSA (cont.)
• RSA keys in current use are 2048 bits or longer
• 1024-bit keys are deprecated (NIST disallowed them for generating new signatures after 2013) and should be treated as breakable by a well-resourced adversary, even though no general 1024-bit modulus has been publicly factored
• 4096-bit keys are not expected to be breakable by classical computers
But...
• In 1994, Peter Shor published an algorithm showing that a quantum computer could in principle perform the factorization needed to break RSA in polynomial time; no quantum computer large enough to run it on real key sizes exists yet.
• And we have not proven that it is necessarily very hard to factor products of large primes.

Cryptography is Readily Available
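The key construction, encryption, signing and sign-then-encrypt exchanges from the slides above, carried through with real (tiny) numbers, plus the factoring attack that the "Security of RSA" slide describes. This is an added example for this page, not code from the lecture: the primes, the exponent e = 17 (65537 is the usual choice) and the messages are constructed toy values, and the function names make_keys, apply, recover_secret_key and forge_product_signature are chosen here. It also goes one step beyond the slides by showing why "encrypt with your secret key" signatures on raw messages are forgeable.

```python
"""Toy RSA, carrying the slides' {M}K notation through with real numbers.

Added example for this page, not code from the lecture. Every number here is a
constructed toy value: the primes are four digits, e is 17, the messages are small
integers. Real RSA uses 2048-bit moduli, random padding (OAEP/PSS) and signs a
hash of the message, none of which this toy does.
"""
from math import gcd


def make_keys(p: int, q: int, e: int = 17):
    """Key pair from two primes (the slides' 'pair of big primes').

    Public key  P = (N, e), N = p*q  (the 'even bigger composite number').
    Secret key  S = (N, d), d = e^-1 mod phi(N); d is what knowing p and q gives you.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (n, e), (n, pow(e, -1, phi))   # pow(e, -1, m) is the modular inverse (Python 3.8+)


def apply(key, m: int) -> int:
    """{m}K: apply a key (N, exponent) to an integer in [0, N). P and S undo each other."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, N)")
    return pow(m, exp, n)


def factor_by_trial_division(n: int):
    """The attack from the 'Security of RSA' slide: find p and q. Only feasible
    because N is tiny; with 1024-bit primes this loop never finishes."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no factor found")


def recover_secret_key(public_key):
    """Factor N, then rebuild d exactly as make_keys did: knowing p and q means knowing S."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def forge_product_signature(public_key, sig1, sig2):
    """Textbook-RSA caveat: (M1^d)(M2^d) = (M1*M2)^d mod N, so two genuine signatures
    multiply into a valid signature on M1*M2 without the secret key. Real schemes
    sign a padded hash (RSA-PSS), which destroys this relation."""
    n, _ = public_key
    return (sig1 * sig2) % n


def demo() -> bool:
    """Run the slides' exchanges end to end; returns True if every step checks out."""
    P_you, S_you = make_keys(1009, 1013)    # constructed toy primes
    P_me, S_me = make_keys(991, 997)        # N(me) < N(you); see sign-then-encrypt below
    M = 4242

    # Confidentiality: {M}P(you) = C, then {C}S(you) = M
    C = apply(P_you, M)
    assert apply(S_you, C) == M

    # Signature: {M}S(me), checked by anyone holding P(me)
    sig = apply(S_me, M)
    assert apply(P_me, sig) == M

    # Sign-then-encrypt: {{M}S(me)}P(you); the receiver peels the layers in reverse order.
    # The signature is an integer below N(me), so it fits below N(you) and can be encrypted.
    C2 = apply(P_you, sig)
    assert apply(P_me, apply(S_you, C2)) == M

    # Breaking it: factor N(you), rebuild S(you), read C without ever being given d.
    assert recover_secret_key(P_you) == S_you
    assert apply(recover_secret_key(P_you), C) == M

    # Forging it: signatures on 6 and 7 give a signature on 42 that P(me) accepts.
    forged = forge_product_signature(P_me, apply(S_me, 6), apply(S_me, 7))
    assert apply(P_me, forged) == 42
    return True


if __name__ == "__main__":
    print("all checks passed:", demo())
```

Two things to take from running it: the sign-then-encrypt composition only works because the signature fits below the recipient's modulus (real protocols avoid this ordering problem by signing a hash), and the "attack" is nothing more than the key-generation routine run by someone who has factored N.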

PGP for CU Students/Faculty/Staff: http://www.colorado.edu/oit/tutorial/pgp-windows-installation-and-configuration

PGP International Freeware (only for older OS): http://www.pgpi.org/products/pgp/versions/freeware/

The GNU Crypto project: http://www.gnu.org/software/gnu-crypto/

Cypherix LE http://www.cypherix.com/cryptainerle/

PC-encrypt: http://www.pc-encrypt.com/_site/pce/download.mhtml

(Several of these links are dated; GnuPG, the free OpenPGP implementation, remains actively maintained.)

What is the US Government's Position? What you might expect...
• They don't like foreign governments having strong cryptography
• They don't like domestic criminals having strong cryptography
• They probably would prefer that you and I not have strong cryptography [cryptographic software was long classified as a "munition" under US export controls]
And remember: because everything is bits (phone calls, files, emails, video streams, etc.), it all can be encrypted!

Authentication Methods

• Passwords
• Challenge–response
• Biometric methods

Obtaining Password Information

• German consumers are the most vigilant with passwords: only 28% have ever shared an account password with a family member or friend
• 60% of Americans have shared passwords
• 56% of French consumers have shared passwords

Obtaining Password Information
• Almost half of online consumers in all countries use important dates, family members' names, nicknames or pets' names as their online passwords
• French and Spanish consumers are apparently the most lax: 61% of French and 63% of Spanish consumers change their passwords less than once per year or only when required to do so

Obtaining Password Information
• 40 percent of online consumers worldwide use social networking sites
• Some of these consumers display personal information that they also use for passwords:
  • a quarter of French consumers display their birth dates on social networking sites and also use birth dates as online passwords
  • less than 10 percent of consumers in the UK and Canada do the same

Passwords are Easy to Attack
(If your password is a date, a name or a dictionary word, an attacker holding a copy of the password database can guess it offline by hashing a few million candidates, and anything readable from your social-media profile is tried first.)

How Does Bitcoin Work?
Bitcoins Worth $10K Each!
Bitcoin Today
Genesis of Bitcoin

Bitcoin Basics
• Online payments sent directly from one party to another (no bank involvement). Messages are broadcast on a best-effort basis.
• Digital signatures on payments are based upon public-key cryptography.
• Transactions are timestamped by hashing them into an ongoing chain of hash-based "proof-of-work", forming a record that cannot be changed without redoing the proof-of-work.
• Network CPUs are incentivized to perform this work.
• The longest chain serves as proof of the sequence of events witnessed, and proof that it came from the largest pool of CPU power.
• Nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
• As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they generate the longest chain and outpace attackers.
• There will only ever be 21,000,000 bitcoins.

Bitcoin Transactions

Bitcoin Timestamp Server
• Bitcoin requires that transactions be publicly announced, and a system for participants to agree on a single history of the order in which transactions were received (to prevent double spending).
• Bitcoin implements these requirements with a distributed timestamp server, which works by taking a hash of a block of items to be timestamped and widely publishing the hash.
• The timestamp "proves" that the block must have existed at the time the timestamp was created.
• Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

Bitcoin Privacy
• The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party.
• The necessity to announce all transactions publicly precludes this method, but some privacy can still be maintained by keeping public keys pseudonymous.
• The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone.
• This is similar to the level of information released by stock exchanges, where the time and size of individual trades (the "tape") is made public, but without telling who the parties were.
• As additional protection, a new key pair should be used for each transaction to keep them from being linked to a common owner (in practice, chain analysis can still link addresses once any one of them is tied to a real identity).

Incentive (Mining)
• Every time a miner finds a valid proof-of-work for a new block, they get a reward of newly created bitcoins (50 per block at launch, halving about every four years: 25 from 2012, 12.5 from 2016), the block is added to the chain, and the network hears about it.
• This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them.
• The steady addition of a constant amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended. This is "Bitcoin mining".
• The incentive may also help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, she would have to choose between using it to defraud people by stealing back her payments, or using it to generate new coins.

What Happens When We Run Out?
• Nakamoto designed the bitcoin protocol to issue a block reward about every ten minutes, halve it roughly every four years (every 210,000 blocks), and run out around the year 2140.
• Thus there will only ever be 21,000,000 bitcoins.
• The supply of bitcoins is designed to mimic precious metals. There is a certain amount of gold in the world, and every year we dig up a bit more. Eventually there will be none left to mine. So supply tapers off with time.
• Bitcoin is thus a deflationary currency: the supply is capped at 21 million coins, which makes bitcoins a scarce asset. Whether they increase in value over time is a market question, not something the protocol guarantees.
• Once 21,000,000 coins are in circulation, we will need an incentive for mining that does not rely upon new coins. Transaction fees are expected to serve this need.
• If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once 21,000,000 coins have entered circulation, the mining incentive will have to transition entirely to transaction fees.

Why isn't everyone mining Bitcoins?

• Producing a new block whose hash meets the network's target is hard to do.
• The bitcoin protocol deliberately makes this difficult by introducing "proof of work". A block's hash has to have a certain number of zeros at the start. There's no way of telling what a hash is going to look like before you produce it, and as soon as you include a new piece of data in the mix, the hash will be totally different.
• Miners are not supposed to meddle with the transaction data in a block, but they must change something to get a different hash. They do this using another piece of data called a "nonce", which is hashed together with the transaction data. If the hash doesn't fit the required format, the nonce is changed, and the whole thing is hashed again. It usually takes many attempts to find a nonce that works, and all the miners in the network are trying to do this at the same time. That's how miners earn their bitcoins.

Proof of Work Details
• The proof-of-work involves scanning for a value that, when hashed, gives a hash beginning with a certain number of zero bits. The average work required to find this hash is exponential in the number of zero bits required, but the result can be verified by computing a single hash.
• Bitcoin implements the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required number of zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work.
• As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.
• This proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs.
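The nonce search, the one-hash verification and the "redo every later block" cost described on the two slides above, as an added example for this page (not the lecture's code and not Bitcoin's). Assumptions that differ from Bitcoin: a block is a small dict, the hash is a single SHA-256 over a canonical JSON encoding (Bitcoin double-hashes an 80-byte binary header), difficulty is a count of leading zero bits kept small enough that a block mines in milliseconds, and the transactions are constructed strings. The names mine, verify_chain, build_chain and tamper_demo are chosen here.

```python
"""Proof-of-work and a hash chain, as the slides describe them.

Added example for this page, not code from the lecture or from Bitcoin itself.
Assumptions that differ from Bitcoin: a block is a small dict, the hash is one
SHA-256 over a canonical JSON encoding (Bitcoin double-hashes an 80-byte binary
header), and difficulty is a count of leading zero bits kept small enough that
each block mines in milliseconds in Python. Transactions are constructed strings.
"""
import hashlib
import json


def block_hash(block: dict) -> int:
    """Hash everything in the block, nonce and previous hash included."""
    data = json.dumps(block, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def meets_target(h: int, zero_bits: int) -> bool:
    """Checking a proof costs one hash: are the top `zero_bits` bits all zero?"""
    return h >> (256 - zero_bits) == 0


def mine(prev_hash: int, transactions: list, zero_bits: int) -> tuple:
    """Increment the nonce until the block's hash has enough leading zero bits.

    Returns (block, attempts). Each attempt succeeds with probability 2**-zero_bits,
    so the expected number of hashes is 2**zero_bits: exponential in the difficulty.
    """
    block = {"prev": prev_hash, "tx": transactions, "nonce": 0}
    attempts = 0
    while True:
        attempts += 1
        if meets_target(block_hash(block), zero_bits):
            return block, attempts
        block["nonce"] += 1


def verify_chain(chain: list, zero_bits: int) -> bool:
    """A chain is valid if every block meets the target and its 'prev' field is the
    hash of the block actually before it (the first block points at 0)."""
    prev = 0
    for block in chain:
        h = block_hash(block)
        if block["prev"] != prev or not meets_target(h, zero_bits):
            return False
        prev = h
    return True


def build_chain(tx_batches: list, zero_bits: int) -> list:
    """Step 6 of 'Network Operation': each new block uses the accepted block's hash as prev."""
    chain, prev = [], 0
    for batch in tx_batches:
        block, _ = mine(prev, batch, zero_bits)
        chain.append(block)
        prev = block_hash(block)
    return chain


def tamper_demo(zero_bits: int = 12) -> dict:
    """Why rewriting a buried block means redoing every block after it."""
    # Constructed sample transactions; their content is irrelevant to the mechanism.
    batches = [["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]]
    chain = build_chain(batches, zero_bits)
    valid_before = verify_chain(chain, zero_bits)

    # An attacker edits the oldest block's transactions. Its hash changes, so block 1's
    # 'prev' no longer matches (and the edited block almost surely misses the target).
    chain[0]["tx"] = ["alice->mallory:5"]
    valid_after_edit = verify_chain(chain, zero_bits)

    # To make the chain valid again the attacker must re-mine block 0 AND every later
    # block, since each one embeds its predecessor's hash. Count what that costs.
    prev, redo_hashes = 0, 0
    for i, block in enumerate(chain):
        block, attempts = mine(prev, block["tx"], zero_bits)
        chain[i] = block
        prev = block_hash(block)
        redo_hashes += attempts
    valid_after_redo = verify_chain(chain, zero_bits)

    return {
        "valid_before": valid_before,
        "valid_after_edit": valid_after_edit,
        "valid_after_redo": valid_after_redo,
        "blocks_remined": len(chain),
        "hashes_to_redo": redo_hashes,
    }


if __name__ == "__main__":
    print(tamper_demo())
```

Raise zero_bits by one and the hashes_to_redo figure roughly doubles; that doubling per bit, multiplied by the number of blocks buried on top of the one you want to change, is the whole security argument of the "Proof of Work Details" slide. The honest network meanwhile keeps extending the chain, so the attacker is chasing a moving target.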
• In Bitcoin, the majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it.
• If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of that block and all blocks after it, and then catch up with and surpass the work of the honest nodes.

Network Operation
1. New transactions are broadcast to all nodes.
2. Each node collects new transactions into a block.
3. Each node works on finding a difficult proof-of-work for its block.
4. When a node finds a proof-of-work, it broadcasts the block to all nodes.
5. Nodes accept the block only if all transactions in it are valid and not already spent.
6. Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.
• Nodes always consider the longest chain to be the correct one and will keep working on extending it.
• If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer.
• The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.

Some People Take Bitcoin Seriously
Some People Take Penny Stocks Seriously

Some Practical Security Advice

Protecting Yourself Against Identity Theft

• Practice safe Internet use
  • Delete spam emails that ask for personal information (if in doubt, delete)
  • Keep your anti-virus and anti-spyware software up to date (free from OIT)
  • Shop online only on secure web pages (https only; this protects the connection, not you from a dishonest merchant)
  • Never send credit card numbers or other personal information via email
  • Do not open an attachment sent to you by anyone you do not know or trust

Protecting Yourself Against Identity Theft
• Destroy private records
  • Tear up or shred credit card statements; ATM, credit or debit card receipts; bank deposit receipts; loan solicitations; and other documents that contain private financial information.
• Secure your mail
  • Empty your (real) mailbox quickly and get a mailbox lock. When mailing bill payments or checks, mail them from the post office or another secure mailbox (e.g., on campus).

Protecting Yourself Against Identity Theft
• Check your credit report
  • At least once a year, obtain and review your credit report for suspicious activity.
    1. Equifax: 1-800-525-6285; www.equifax.com
    2. Experian: 1-800-397-3742; www.experian.com
    3. TransUnion: 1-800-680-7289; www.transunion.com/
• Beware of scams
  • Never give personal information to telemarketers or respond to emails from someone claiming to represent your bank, credit card company, a government agency, a charity or another organization; contact the organization through a number or address you already know.

How to be Paranoid
• Only print your initials and last name on checks, but sign with your whole name.
• Don't sign credit cards; write "Photo ID Required" instead (may cause problems).
• Only put the last 4 digits of the account number on checks used to pay bills.
• Put your work phone or cell phone on checks (use a number not linked to a credit card).
• Photocopy the contents of your wallet and passport and keep the copies in a safe place.
• Take hotel credit-card room keys with you (the widely repeated claim that they store your card number has never been substantiated, but keeping them costs nothing).

Passwords in the Real World
Many people fail to use a secure password (the slide's rule of thumb: at least 8 characters, a mix of letters, digits and special characters, including capitals; current NIST guidance, SP 800-63B, instead favours length and uniqueness over mandatory character classes, so a long passphrase you do not reuse beats a short mangled word).
Examples of bad passwords:
• John
• snowflake
• Treasure
• 5-23-89
Examples of good passwords:
• [01umBiney
• Iwtb0t,Iwtw0t
• ApY,af0ij
My advice: "Make your password something you would be truly embarrassed to share" (this may be a very high bar...)

Securing your Computer in the Real World
• Install anti-virus software; KEEP IT UP TO DATE.
  • Norton: http://www.symantec.com/product/
  • McAfee: http://www.mcafeesecurity.com/
  • Microsoft (included with Windows 10); earlier versions: http://windows.microsoft.com/en-US/windows/security-essentials-download
  • Free anti-virus software for CU students from OIT
• Install anti-spam software. Be sure to check the "Junk Mail" folder from time to time.
• Protect yourself from Office macro viruses.
  • Office Icon → Word Options → Trust Center → Trust Center Settings → Macro Settings → check "Disable all Macros with notification"
  • Ensure that "Trusted Publishers" is blank

Securing your Computer in the Real World
• Ensure that the Security and Privacy settings of your web browser are as high as possible for your style of use.
  • Tools → Internet Options → Security and Privacy tabs
• Make frequent backups (JKB uses Sync and a local USB drive).
  • ShadowProtect http://www.shadowprotect.com/ (not free) is the best backup software out there.
• Encrypt files containing personal information.
• Install security patches to critical software (OS and anti-virus).
• Use cloud accounts (e.g., Google Drive) sparingly (if at all).

Securing your Computer in the Real World
• Encrypt critical files or folders. NTFS: right-click → Properties, select the "Advanced" tab, and check the "Encrypt contents to secure data" box. (EFS keys are tied to your Windows account: back up the certificate, or a lost account means lost files.)
• Never send anything by unencrypted email that you are not willing to share with your mother, your boss, your biggest competitor, the police, or a potential thief.
• If you want to send secure email, install PGP.
• Never give your password to anyone for any reason (even your mother).
• Hint: make your password something you would be embarrassed to share, especially with your mother.

Wireless Security

• Most wireless networks (especially residential ones) are unsecured or poorly secured
• Lots of "rogue" access points, even in "highly secure" corporate settings
• Security, if present, is sometimes based only on a set of authorized MAC (Media Access Control) addresses
• That is easy to trick: use Sniffer (a software product from Network Associates) or a hacker equivalent to capture an authorized MAC address, then "spoof" that address (most wireless cards support this in the driver). MAC filtering is not encryption; WPA2 with a strong passphrase is the baseline.
• Always select "public network" or the wireless equivalent when joining a network you do not control
• Use the VPN from off-campus

Questions?

Expo Form Link
Every project team or individual must submit a form (only one per project needed): http://tinyurl.com/expoFall2019

Deadline for submission: 5:00 PM on Friday, 22 November (prior to Thanksgiving break)

Submitting by the deadline ensures that a project will be included in the judges' guide and have access to booth needs (like power).

FCQ Link: colorado.campuslabs.com/courseeval