Security on the Web

Outline (Security on the Web)

Security on the Web [5]
Privacy on the Web [4]

Security on the Web Erik Wilde and Dilan Mahendran: Security & Privacy

(4) Trust and Security on the Web

Web-based applications introduce many risks
- do you trust your browser? (it may not safeguard your information)
- do you trust your computer? (it may have a virus)
- do you trust your network? (it may be monitored on various levels)
- do you trust the server? (it may be a fake phishing [http://en.wikipedia.org/wiki/Phishing] server)
Most of these risks are amplified by the Web's scale
- phishing and spamming only work because the Web makes fraud more effective
Controlling Web access is important for safe browsing
- trusting shared browsers is risky (they may store logins and cache pages)
- trusting the network can be risky (more and more networks are wire-tapped)
- trusting the server is risky (phishing and poor server security)

Security on the Web Erik Wilde and Dilan Mahendran: Security & Privacy

(5) Session Hijacking

HTTP sessions [State Management (Cookies); Session (1)] require a session ID
If an attacker can steal the ID of your active session, he can pretend to be you
Many ways this can happen:
- Most common: Cross-site scripting (XSS) is when an attacker injects malicious code into another website
  - XSS exploits the trust victims have for a particular website (e.g. Facebook)
- Cross-site request forgery (XSRF) is when an attacker tricks a victim's browser into executing some action on a target website
  - XSRF exploits the trust a website has in a victim's browser
- Clickjacking is when an attacker creates some interactive content (e.g. a game) that tricks a victim into executing some action on a target website
  - Clickjacking exploits user interface bugs in browsers
Many variations on and combinations of these

Security on the Web Erik Wilde and Dilan Mahendran: Security & Privacy

(6) Malware

Malware is software that, when installed on a victim's computer, does something bad:
- steals data: passwords, credit card numbers, or files
- sends spam
- attacks other computers or web sites
- distributes itself to others
- tracks victim's behavior
- uses computing power for nefarious purposes (e.g. breaking password)
- uses the victim's computer for storing illegal material
The Web is the primary way malware is transmitted
- Attacked or evil sites can take advantage of browser security bugs to install malware silently
- Victims can be tricked into installing malware
- Attackers can inject malware into otherwise innocuous software installs

Security on the Web Erik Wilde and Dilan Mahendran: Security & Privacy

(7) Network Security Risks

HTTP sends clear-text messages
Attackers on the same network can intercept and read these messages
Examples:
- An attacker sharing the same LAN (for example wifi at a cafe, wired network in a dorm) can read the contents of all HTTP packets
- An attacker can set up an "evil twin" wifi hotspot and trick people into connecting to it
Making HTTP secure requires additional mechanisms
Encryption is done by a layer on top of TCP
- Secure Sockets Layer (SSL) is the protocol layer invented by Netscape
- Transport Layer Security (TLS) is the standardized Internet version
- TLS adds more encryption schemes and more flexibility
Lower-level methods may also provide encryption
- Virtual Private Networks (VPN) provide IP-based encryption

Security on the Web Erik Wilde and Dilan Mahendran: Security & Privacy

(8) Social Engineering and Phishing

Social engineering is tricking or manipulating people into doing something, like clicking on a link or entering information into a form
- Many of the previously discussed attacks rely on tricking someone in this way
Phishing is a common form of social engineering in which an attacker pretends to be a trusted party
- Typically, the victim receives a fraudulent but realistic "official" email with a link to an attack site
  - or a chat message, or a Facebook update, or...
- URL obscuring techniques are used to make the attack site URL look trustworthy
- The attack site is designed to mimic a trusted site
- Further techniques may be used to hide the real URL, e.g. in the address bar
- Or instead of building a fake site, the attackers may use XSS or XSRF to achieve the same ends

Privacy on the Web

Outline (Privacy on the Web)

Security on the Web [5]
Privacy on the Web [4]

Privacy on the Web Erik Wilde and Dilan Mahendran: Security & Privacy

(10) Behavioral tracking

Behavioral tracking is the recording and analysis of individuals' actions, in order to provide:
- Personalized content (e.g. news)
- Targeted advertising
- Customized pricing
- or, just to learn about users
Actions may be tracked:
- on the website offering the personalized/customized/targeted content
- on other websites, via advertising networks
- even offline, via real-world retailers

Privacy on the Web Erik Wilde and Dilan Mahendran: Security & Privacy

(11) Flash Cookies

Behavioral tracking relies on cookies
Many people clear cookies regularly to avoid behavioral tracking
Increasingly, this is a useless exercise due to Flash cookies [http://en.wikipedia.org/wiki/Local_Shared_Object]
Flash cookies are local information stored by Flash Player
- Flash cookies can store the same data as browser cookies
- Not deleted when you clear cookies in your browser
- Can be used to re-create the browser cookies with the same data after they have been deleted
A study [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862] by UC Berkeley researchers showed that Flash cookies are widespread and used to re-create deleted cookies
BetterPrivacy [https://addons.mozilla.org/en-US/firefox/addon/6623] is a Firefix extension that can show and delete Flash cookies

Privacy on the Web Erik Wilde and Dilan Mahendran: Security & Privacy

(12) New Potential Privacy Threats

HTML5 geolocation privacy issues [http://escholarship.org/uc/item/0rp834wf]
- Sites using the new geolocation features can request users' location, either one time or on an ongoing basis
- Users have to explicitly grant access the first time
- If the site has requested ongoing access, users may not be aware that their location information is being sent subsequently
- Users may not be aware or have any control over the precision of location data
- Users may not be aware of what else their location is used for (e.g. Behavioral tracking [Behavioral tracking (1)])
HTML5 Web Storage [State Management (Cookies); HTML5 Web Storage (1)] could be abused similarly to Flash cookies

Privacy on the Web Erik Wilde and Dilan Mahendran: Security & Privacy

(13) Privacy Policy Quiz

True or false:
- If a website has a privacy policy, it means that the site cannot share information about you with other companies, unless you give the website your permission.
- If a website has a privacy policy, it means that the site cannot give your address and purchase history to the government.
- If a website has a privacy policy, it means that the website must delete information it has about you, such as name and address, if you request them to do so.
- If a website violates its privacy policy, it means that you have the right to sue the website for violating it.
- If a company wants to follow your internet use across multiple sites on the internet, it must first obtain your permission.

Security & Privacy

Web Architecture and Information Management [./]
Spring 2011 — INFO 153 (CCN 42509)

Erik WildeUC Berkeley School of Information and UC Berkeley School of InformationDilan MahendranUC Berkeley School of Information, UC Berkeley School of Information
2011-04-20

Contents

(2) Abstract

Security on the Web

Outline (Security on the Web)

(4) Trust and Security on the Web

(5) Session Hijacking

(6) Malware

(7) Network Security Risks

(8) Social Engineering and Phishing

Privacy on the Web

Outline (Privacy on the Web)

(10) Behavioral tracking

(11) Flash Cookies

(12) New Potential Privacy Threats

(13) Privacy Policy Quiz

Security & Privacy

Web Architecture and Information Management [./]Spring 2011 — INFO 153 (CCN 42509)

Erik WildeUC Berkeley School of Information and UC Berkeley School of InformationDilan MahendranUC Berkeley School of Information, UC Berkeley School of Information2011-04-20

Contents

(2) Abstract

Security on the Web

Outline (Security on the Web)

(4) Trust and Security on the Web

(5) Session Hijacking

(6) Malware

(7) Network Security Risks

(8) Social Engineering and Phishing

Privacy on the Web

Outline (Privacy on the Web)

(10) Behavioral tracking

(11) Flash Cookies

(12) New Potential Privacy Threats

(13) Privacy Policy Quiz

Web Architecture and Information Management [./]
Spring 2011 — INFO 153 (CCN 42509)

Erik WildeUC Berkeley School of Information and UC Berkeley School of InformationDilan MahendranUC Berkeley School of Information, UC Berkeley School of Information
2011-04-20