Computers, Privacy, and Security

1
Chapter 9

• Computers, Privacy, and Security

2
Introduction

• With the rise of the Internet, personal data is
  often made available online
• Many government agencies make a wide range of
  records available online
• The accessibility of personal information on the
  Internet raises security and privacy concerns
• Security concerns include system failure and
  securing online transactions and e-mail
• Privacy concerns include the collection of
  customer data, spam, and online activity tracking
• Laws and software tools can protect an
  individuals security and privacy

3
Security Concerns

• System Failure
• Prolonged malfunction to a computer
• A crash (in user mode) occurs when an application
  tries to execute an illegal instruction, and is
  shut down by the operating system (OS)
• A crash in the operating system itself can occur
  as well, when for example it was hacked and
  illegal instruction was attempted to be executed,
  or drivers failed (which run in kernel mode), OS
  updates were installed which were not completely
  tested, etc.
• A hang can also occur. For example, two or more
  threads are deadlocked, or an application is
  causing 100 CPU usage (ex. has an infinite loop)
  and the machine appears frozen, there is a memory
  leak in some application, so machine is out of
  memory and appears frozen, etc.

4
Security Concerns, cont.

• An environmental failure
• Undervoltage occurs when the electrical supply
  drops below 120 volts (in the U.S.)
• Overvoltage occurs when the incoming electrical
  voltage increases significantly above 120 volts
• Secure Internet Transactions and E-Mail
• Information transmitted over networks has a
  greater security risk than internal data
• There is no central administrator present on the
  Internet
• Data over the Internet may be routed through a
  number of networks, any of which can be monitored
• On an e-commerce site, intercepted data might
  include contact and credit card information
• An unprotected e-mail might contain personal or
  confidential information

5
Privacy Concerns

• When one uses a computer to send data over the
  Internet, their privacy can potentially be
  compromised
• Personal information and online activity may be
  shared
• Personal information may be stored databases on
  servers
• Ex. health insurance, travel sites, government
• Some personal information may not be considered
  private by a user, such as grocery store
  purchases
• Other information one may want protected, such as
  medical history or Web surfing activity

6
Collecting Customer Data

• Electronic profiling
• Companies can sell personal data to national
  marketing firms and Internet advertising firms
• These firms create profiles of customers to
  identify their preferences, as well as buying
  trends in general
• Electronic profiles can be sold to other
  companies
• Privacy policies sometimes change without the
  customers knowledge
• Opt out policies should be clear and easy to find
• Privacy policies should be easy to understand

7
Spam

• Any unsolicited junk e-mail message or newsgroup
  posting sent to many recipients or newsgroups at
  once
• Often a result of companies sharing personal
  information
• Used to sell products, promote business
  opportunities, special offers, etc.
• Can contains viruses or spyware
• Accounts for almost half of all U.S. e-mail
  traffic
• May degrade the usefulness of e-mail

8
Online Activity Tracking

• Cookie
• Small text file that a Web server stores on your
  computer
• Contains user data, such as user name and
  preferences
• Used for several purposes
• Customizes Web pages
• Stores username and password so that you do not
  have to log in each time
• Tracks which Web pages or ads you have visited
• Keeps track of items in your online shopping cart
• Web sites may sell cookie data, or use
  third-party cookies to record click stream data
  from any Web page or link

9
Yahoo uses a cookie to store information about
your customized
MyYahoo page
10
Types of cookies
11
Online Activity Tracking, cont.

• Spyware
• A program placed on a computer without the users
  knowledge that secretly collects information
  about the user
• Can enter the computer as a virus, or just
  install itself in the background (when low
  security settings are used)
• Used by employers to monitor employees
• Used by firms to determine Web browsing habits
• Web bugs
• A graphic embedded on Web pages to collect
  information about visitors to the site
• Can store IP addresses, browser type, Web address
  of previous page, time of visit, and a previously
  set cookie value
• Used to gather statistics or customize a a users
  experience

12
Carnivore is a FBI packet-sniffing program used
to monitor all data sent to and from a suspected
criminals computer
13
Privacy Laws

• Electronic Communications Privacy Act
• Protects electronics communications
• Excludes businesses monitoring and the use of the
  Carnivore program to monitor suspected criminals
• Computer Fraud and Abuse Acts
• Outlaws unauthorized access to federal government
  computers and the transmission of harmful
  computer code
• Fair Credit Reporting Act
• Limits people who can legally view a credit
  report to those with legitimate business needs,
  but does not define legitimate business need
• Childrens Online Privacy Protection Act
• Requires parental permission for children over 13
  for marketing or personal data

14
Summary of the major U.S. laws concerning privacy
15
Many Web sites demonstrate their commitment to
privacy by applying to be part of the TRUSTe
program
16
Protecting against System Failure

• A surge protector protects against electrical
  power variations
• It smoothes out overvoltages, provides a stable
  current flow, and keeps an overvoltage from
  reaching computer equipment
• An uninterruptible power supply (UPS) can provide
  power during a temporary or permanent loss of
  power
• Contains surge protector circuits and one or more
  batteries
• Connects a computer with the power source
• Can shut down the computer properly if power is
  out for a certain number of minutes

17
Backing Up Data

• A backup is a duplicate of a file, program, or
  disk that can be used if the original is lost,
  damaged, or destroyed
• Critical files should always be backed up and
  stored off site
• Can be stored on any storage media, including
  tapes, CDs, DVDs, or on remote machine, or
  duplicate hard drives
• Can also be stored on an Internet hard drive,
  also called online storage
• Might be impractical without a high-speed
  connection
• Backups can be done manually, with a built-in
  backup utility, or with a backup software package
• Backup procedures specify a regular plan of
  different types of backups

18
Types of backups
19
Defining a Disaster Recovery Plan

• A disaster recovery plan is a written plan
  describing the steps a company would take to
  restore computer operations in the event of a
  disaster
• The plan contains four components
• Emergency, backup, recovery, and test plans
• Companies may maintain a hot or cold site for
  backup
• A hot site is a separate facility that mirrors
  the systems and operations of the main site
• A cold site mirrors the main site, but does not
  become operational until the main site is down

20
Components of a disaster recover plan
21
Protecting against Unauthorized Access and Use

• Access controls use a two-phase process
• Authentication verifies that the individual is
  the person he or she claims to be
• Authorization verifies the user has permissions /
  privileges to access the resource requested, or
  perform the actions requested
• Firewalls prevent unauthorized access to services
  through the network
• Companies use firewalls to deny access to
  outsiders, as well as to restrict employee access
• A proxy server outside of the companys network
  controls which communications pass into the
  companys network
• A personal firewall protects a personal computer
  from undesirable network connections

22
A firewall helps to prevent unauthorized access
to services, resources and data available on a
network
23
Protecting against Unauthorized Access and Use,
cont.

• Intrusion detection software identifies possible
  security leaks
• Analyzes all network traffic, assesses system
  vulnerabilities, identifies unauthorized access
  or suspicious behavior patterns
• A honeypot entices an intruder to hack a system
  by posing as a simulated computer system /
  virtual machine with security vulnerabilities
  (not patched)
• Therefore, all critical security updates for the
  platform and services/applications running on it
  should be installed as soon as they become
  available (enable automatic updates) in order to
  patch vulnerabilities.
• A choice of a strong password can reduce chances
  of gaining unauthorized access to a machine.
  Password should be as long as possible,
  containing letters (upper case and lower case),
  numbers, and punctuation. A combination of two or
  more words, or a pass-sentence is much more
  difficult to generate through brut force
  algorithms, or other password guessing programs
  than a pass-word, as words are available in the
  dictionary.

24
Protecting against Unauthorized Access and Use,
cont.

• Possessed objects are items (usually cards,
  badges, smart-cards) that users must carry to
  gain access to a facility or computer
• Biometric devices authenticate a persons
  identity by translating physical characteristics
  into a digital code (finger print, retina scan,
  face recognition, etc.)
• A callback system only allows to connect to a
  computer after the computer calls the person back
  at a previously established phone number
• Audit logs maintain a file record of successful
  and unsuccessful attempts to access a system

25
Protecting against Hardware Theft

• School and companies use
• Physical access controls, such as locks
• Alarm systems
• Physical security devices such as cables that
  lock equipment to a desk or cabinet
• Small locking devices to secure access to a disk
  drives
• Mobile equipment users can
• Carry equipment with them at all times
• Lock it temporarily with a cable
• Install a mini-security system

26
(No Transcript)
27
Protecting Online Privacy -Encryption

• Encryption is the process of converting readable
  data into unreadable characters to prevent
  unauthorized access
• The recipient must decrypt the data into a
  readable form
• Private key encryption
• Both the originator and recipient use the same
  secret key to encrypt and decrypt the data
• Public key encryption
• Both a public key and a private key are generated
• A message encrypted with your public key can only
  be decrypted with your private key, and vice
  versa
• RSA encryption is a powerful public key
  encryption technology used for transmitting data
  over the Internet

28
Four simple methods of encryption
29
Protecting Online Privacy - Transactions

• Many Web browsers provide 40-bit or 128-bit
  encryption (a random number used to encrypt
  communication with SSL, after the initial
  handshake).
• A secure Web site uses encryption techniques
• Security protocols
• Secure Sockets Layer (SSL), or HTTPS, require the
  server to have a digital certificate. The
  certificate has two parts public key and a
  private key, which are used for the encryption
  algorithm. The public key is digitally signed by
  the certification authority, which issued the
  certificate.
• The certificate contains information to identify
  the web site such as web site name, company name,
  and location. It also contains the certificate
  authoritys (CA) name (which certifies the
  company is who they say they are) a digital
  signature, serial number of the certificate,
  expiration date, etc.
• Secure Electronics Transactions (SET)
  Specification secures financial transactions on
  the Internet

30
Protecting Online Privacy E-mail and Spam

• Protect e-mail by
• Encrypting it with an e-mail encryption program
• Using a digital signature which attaches an
  encrypted code to a document to verify the
  identity of the sender
• Reduce spam by
• Changing e-mail settings to block and delete spam
  (junk mail filters if available)
• If not, sign up for e-mail filtering services
  that block e-mail messages from designated
  sources
• Use an antispam software

31
Protecting Online Privacy - Cookies, Spyware,
and Web Bugs

• Set your browsers privacy setting to specify
  what type of cookies you accept
• You do not want to refuse all cookies, because
  some legitimate online applications would not
  work properly if you did not have cookies
  enabled. However, you may set the browser to
  prompt before downloading/creating a cookie.
• Set the browser security settings to medium or
  high (it will prompt before downloading any files
  (cookies, activeX controls, applets, spyware
  etc.) and block pop-ups )
• May use software which checks for spyware and web
  bugs
• Limit the amount of information you enter on a
  Web site
• Create a designated junk mail e-mail, and give
  only that e-mail to online sites requiring you to
  provide e-mail (in order to purchase things, or
  use online services)

32
Security and Privacy in the Workplace

• Employee monitoring and surveillance are often
  used in companies today to ensure network
  security, manage productivity, and protect the
  companys reputation
• Companies should have an acceptable use policy
  (AUP) that outlines what a computer may or may
  not be used for
• Employee Internet Management (EIM) software helps
  employees monitor and report on employee
  behavior, such as Internet use.
• Employee monitoring and video surveillance tools
  are legal
• Maintaining security and privacy is a balancing
  act

33
(No Transcript)
34
Summary

• Security concerns discussed in this chapter
  include
• System failure
• Securing online transactions and e-mail
• Privacy concerns surrounding computers include
• Collection of customer data for electronic
  profiling
• Spam
• Online activity tracking with cookies, spyware,
  and Web bugs
• A computer can be protected by
• using software or hardware tools (firewall,
  antivirus software, automatic updates software),
• set browser to use medium or high security
  settings,
• use strong passwords,
• set appropriate access controls (permissions)/
  user privileges