Welcome to Computer Science E-1. My name is David Malan, and this is lecture eight already: security. So I am incredibly nervous at the moment, because as you can see, we have three computers involved in this class, three different hard drives, the desktop computer over there. And it's sort of the lecture from hell, so far as demos go, and making sure they all work right. But everything's been tested now, so knock on wood. Let's hope everything is as exciting and perilous as it should hopefully be. Tonight is our first of two lectures about security and, with security, a discussion of privacy. And this has clearly been something that people have been chomping at the bit about for quite a while. Let's dive right into tonight by just considering some of the more high-level issues at play here. And then we'll conclude tonight by really getting our hands dirty with, one, a spyware analysis of one of your own classmates' machines, and two, a forensic analysis of a number of different hard drives, which we've pulled from the shelf. So sit back, get ready. And let's chat for a moment about threats to privacy. This is sort of a general way of categorizing a lot of the threats that do exist in common computer use today to one's privacy. And I cite as perhaps the most obvious example of them all so far these things known as forms. So we'll talk in a couple of lectures' time about making your own web pages. And with website design comes the ability to write interactive web pages whereby users can provide your website with information. There's probably not one of us in this room that hasn't once filled out a form like this, whether to buy something, whether to search the web. And so we have here an example from a popular e-commerce site, buy.com. This is a screenshot that I took just before I actually purchased some particular product.
So clearly you're being asked for some fairly private information here, among whose primary concerns is one piece of data in particular. What is, if you had to pick one, the piece of data that most people are most nervous about using online? OK, social security numbers. By far one of the most fearful things to input into a website, whether you're requesting a credit report or verifying, though you shouldn't, your PayPal account. Well, what's another candidate for something that gives people pause? A credit card. Yeah, a credit card. And this one's kind of an ironic one, that people are scared about inputting their credit cards into a computer terminal. Because even if you've never bought anything online, is there anyone in this room that hasn't at one point bought something by phone or in person with your credit card? There have been many cases over the years of low-paid employees stealing people's credit card numbers, because what they're handed all day long is pieces of plastic. And it's not hard to jot down on a piece of paper the credit card number that someone used, back in the day in restaurants when you used to get the physical carbon copies. Well, unless you, like my grandfather, literally took that black piece of carbon that had imprinted on it your name and credit card number and, no joke, at every Italian restaurant we would go to, dropped it in the candle in the middle of the table to burn it up in flames. That is, though quite embarrassing at the time, probably the most reliable way of destroying evidence like that. But long story short, it is not hard in the real world to get someone's credit card number. Probably once a day some of you are providing that number to other people, and there is absolutely nothing stopping a human being from jotting it down. And yet I say this is ironic because those same people are then typically nervous about inputting that information into a website.
And yet we've already talked briefly about websites that flash this small icon, this padlock, which denotes what? So it denotes that it's a secure connection. And you have to be aware of these kinds of symbols because, as you'll see over time, you'll get spams or you'll get phishing attack-based emails whereby you'll see icons like this padlock. And just because a yellow padlock appears in an email you get, that doesn't mean anything about the security of the email. It means the phisher was wise enough to give the illusion of security by playing off of people's assumptions that this icon does, in fact, mean a secure connection. Most of the time it does, but only if it truly appears in your browser's window and nowhere else. In fact, it's almost funny. As an aside, if you go to many banks' online banking interfaces today, this is sort of tucked too far down and off to the right to be obvious to most people. So at certain banks like Citizens or Chase, you'll see they put a copy of this icon smack dab in the middle of the page, right next to where you might type in your credit card number. Well, any Joe Bob can make a website that includes a GIF that looks like a yellow padlock icon, put it smack dab in the middle of the page, and call it secure. That doesn't mean it's actually secure. So only if you see these icons in the bottom bar of your browser, whether it's Mozilla or Netscape or Internet Explorer, should you really be 99% comfortable that the connection is, in fact, secure. Of course, if you have a secure connection to a bogus URL, not the one that's buy.com but rather joebob.com, just to pick a trite example, well, sure, you may have a secure connection, a secure connection right to Joe Bob's personal web server. So security in and of itself is not wholly indicated by this icon alone. And on this same note, you have to even be aware with things like URLs.
And this is a bit of an aside from the forms that we introduced this lecture with. But there was a case not too long ago where folks were receiving emails from a bank out west called Bank of the West, which was a Midwestern bank that had its own online banking interface. And people were receiving emails that looked like they were coming from Bank of the West, prompting them, like most phishing attacks, to enter some personal information. Re-verify your checking account number. Re-verify your social security number, your name, and so forth. But unfortunately, when people were visiting this website, they were visiting something of the form bankofthewest.com. So even the most paranoid of users could check that one: the padlock icon's there, OK, good, secure connection. Who's the secure connection to? Well, they check the URL. This URL is buy.com, something or other. But they check the URL in this case, and they're like, OK, Bank of the West. This particularly clever phisher had bought "Bank of the VVest", which is incredibly subtle. And even the most astute of users might not notice that. In fact, none of you, though it could just be a chalk typo on my part, none of you even noticed that what I wrote was two Vs on the board, and not, in fact, a W. And so even when it comes to the URLs, you can't necessarily be wholly trusting. Because again, the wisest of phishers are going to choose things that give the illusion of being truthful. You might commonly see something like this, where I'm making it obvious now that this is bogus, but Google, if someone purchased it with two 0s. Well, you might not notice, even as an astute user, that when the URL appears in IE, maybe you wouldn't really notice that those O's are not just capitalized, but they're 0s. So even with this, I'm not one to be paranoid when it comes to security on the internet, but there are some pretty clever people out there.
And if you're trained just to look for the obvious, a padlock icon or a URL, even someone like me or you could presumably get duped by these things. But back to the story at hand about credit card numbers: assuming that you're on the right website and it is a secure connection, evidenced by this padlock icon, you are probably safer, I would conjecture, using your credit card online, for the simple reason that there is no human between you and that endpoint. Yeah, eventually some human is going to put your order into a box and ship it off to you, but that same human is not likely to be involved in this particular billing process, not for sites like amazon.com or buy.com, who deal in such large volumes that it is by necessity and by design all automated by computers. I mean, the fact of the matter is, if you take, I know I say this every week, one thing away from this course, it should be, in my opinion, a complete comfort with generally using your credit card number online, assuming that you're confident that you visited the correct website. With that caveat, there's really no reason to be concerned, especially when these days there's pretty much not a credit card out there that wouldn't guarantee you in the event that your card were fraudulently used. Odds are you're not gonna be responsible for those charges. And so, as I said a few lectures ago, the only type of online financing that I would be aware of, or just be a little more paranoid about, is online banking, when you actually are accessing your checking account, which is just a little easier for someone to liquidate and a little harder for you to contest that those funds were taken fraudulently than it is for something like a credit card, which you're not paying up front for, typically.
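The two URL tricks just described, two Vs standing in for a W and zeros standing in for Os, can be caught mechanically by comparing a "skeleton" of the hostname against an allowlist. This is an added example, not code from the lecture; the allowlist and the confusable table are constructed for it.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of the sites the lecture mentions; a real deployment
# would use the organisation's own list of legitimate hosts.
TRUSTED_HOSTS = {"buy.com", "bankofthewest.com", "google.com", "amazon.com"}

# Lookalike sequences and the letter each one imitates: the two cases from
# the lecture (vv for w, 0 for o) plus two other common substitutions.
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"))


def registrable(host: str) -> str:
    """Keep the registered name only (example.com from www.example.com).
    Naive two-label rule, enough for the .com examples used here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(host: str) -> str:
    """Collapse lookalike sequences so names that merely look alike compare
    equal: g00gle.com -> google.com, bankofthevvest.com -> bankofthewest.com."""
    h = unicodedata.normalize("NFKC", host).lower()
    for fake, real in CONFUSABLES:
        h = h.replace(fake, real)
    return h


def check_url(url: str) -> dict:
    """Classify the URL's host as trusted, lookalike or unknown, and report
    separately whether the transport is HTTPS: the padlock only says the
    channel is encrypted, not who is at the other end of it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    verdict = {"host": host, "https": parts.scheme == "https",
               "verdict": "unknown", "imitates": None}
    if not host:
        return verdict
    reg = registrable(host)
    if reg in TRUSTED_HOSTS:
        verdict["verdict"] = "trusted"
        return verdict
    target = skeleton(reg)
    for trusted in TRUSTED_HOSTS:
        if skeleton(trusted) == target:
            verdict["verdict"] = "lookalike"
            verdict["imitates"] = trusted
            break
    return verdict


if __name__ == "__main__":
    for u in ("https://www.buy.com/checkout",
              "https://www.bankofthevvest.com/verify",
              "http://g00gle.com/"):
        print(u, "->", check_url(u))
```

Note that a secure connection to joebob.com still comes back "unknown": HTTPS and a trustworthy host are two separate checks.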
So, that's a mouthful about one cue here, a simple form, but the short of it is that a lot of us are inputting information into web pages, some e-commerce, some search-based, every day, and there's information out there that can in fact be stored on us. In fact, some of that information is being stored on your local computer. I'll have done a good job tonight if I can freak everyone out by the end of the two hours and never have you touch a computer again. So, here we are on our way. You've all heard about cookies. What is a cookie? Even if you know that it's not really a good thing sometimes, what is it? Yeah. Yes, it's to some extent what graphics you've clicked on. A cookie is, as this image suggests, a file, a file that a web server has installed onto your computer when you visited that website. In fact, E-1's own website uses cookies. If you'll note carefully upon visiting the website the next few times, the banner does change once a day, but it relies on the last time that you saw the banner in order for it to change, because what we store on your computer when you visit it is a cookie that essentially includes the time of day that you last visited the website. Because what cookies do is as follows. A website, when you visit it, can put a cookie on your computer, and it can put anything in that cookie: your name, your email address, or simply the time of day, like we do. But the design of cookies is such that when you then visit that website again in the future, by design the browser will send that same website the cookie that it once put there. So in this way the website can, in a sense, remember who you are. Because we all know by now from our internet lectures that your IP address is going to be the same, or is not going to be the same, each time you turn on the internet. Not necessarily, right? There's the whole world of DHCP and IP addresses being dynamically assigned, so you can't trust that a user is gonna be coming to your website from the same IP address.
So it's not enough to assume that, oh, if I see a visit from IP address x.y.z.w, well, David visited from that IP address last time, I'm gonna assume this is David this time and just let him access his online banking without re-entering his password. We also know about NAT, Network Address Translation, and internet routers for one's home, right? You can have multiple computers all sharing what? The same IP address. So again, it's not really ever safe to assume that an IP address uniquely identifies a user, and that's why cookies are a useful thing, because what typically a website does is quite trivial. It puts a large random number in a cookie that gets stored on your hard drive, but it then remembers in its own database that that random number belongs to a user that might not necessarily be associated with your name or your address or anything like that, but with the pages you looked at or the types of products you browsed through on Amazon. If you've ever used amazon.com, Amazon remembers the last several items that you looked at. Amazon remembers who is logged into the website even if you close the window and pull up Amazon again. Gmail does this, Hotmail can do this, Yahoo Mail can do this. A lot of these websites where you can check a box and say, remember my username and password? Well, these websites are doing that by way of cookies. They're not typically storing your username and password in these cookies. Rather, they're storing a number, one, two, three, four, five, six, such that when they receive that cookie back the next time you visit their website, it says, oh, user one, two, three, four, five, six, let me check my database. Okay, I see that that number was given to David Malan at davidmalan@yahoo.com. Let's just automatically let this user back in, because he told us, let me in without a password next time. So by design, cookies are meant to be wonderfully convenient.
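The "large random number in a cookie, looked up in the server's own database" design just described, written out as an added example (not code from the lecture or from any of the sites it names): the cookie carries only an opaque ID, the server keeps the mapping to the user, and an expiry, which the lecture discusses later, is enforced on the server side as well as in the cookie attributes. The clock parameter and the one-year "remember me" value are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """Server-side table: opaque random ID -> who it belongs to and when it expires."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # session_id -> {"user": str, "expires": float}

    def issue(self, user: str, ttl_seconds: int) -> str:
        # 32 random bytes, URL-safe. The browser only ever sees this ID,
        # never the username or password it stands for.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": self._now() + ttl_seconds}
        return sid

    def lookup(self, sid: str):
        """Return the user for a presented ID, or None if unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] <= self._now():
            # Expired: forget it server-side too, rather than trusting the
            # browser to have deleted the cookie on time.
            del self._sessions[sid]
            return None
        return rec["user"]

    def revoke(self, sid: str) -> None:
        """Log out: the ID becomes useless even if the file lingers on disk."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, ttl_seconds: int, secure: bool = True) -> str:
    """Build the Set-Cookie value the server sends when it plants the cookie."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["max-age"] = ttl_seconds   # browser drops it after this long
    c["session"]["path"] = "/"
    c["session"]["httponly"] = True         # not readable by page scripts
    c["session"]["samesite"] = "Lax"        # not sent on cross-site requests
    if secure:
        c["session"]["secure"] = True       # only over the padlocked connection
    return c.output(header="").strip()


def user_from_request(store: SessionStore, cookie_header: str):
    """What happens on the next visit: parse the Cookie: header the browser
    sends back and ask the store who that ID belongs to."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("session")
    if morsel is None:
        return None
    return store.lookup(morsel.value)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.issue("david", ttl_seconds=365 * 24 * 3600)   # "remember me"
    print("Set-Cookie:", set_cookie_header(sid, 365 * 24 * 3600))
    print("next visit resolves to:", user_from_request(store, "session=" + sid))
```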
They allow websites to remember your preferences: your zip code when you wanna pull up the local news or weather, your username and passwords when you visit a site. Most online banking sites and credit card sites... remains to be seen how long it takes for me to trip over our own wires here tonight. Most finance-related websites will remember your username, but they won't allow you to save your password, for fairly obvious security reasons. But in email programs like Gmail and Hotmail, people are a little less concerned about the website remembering who they are, because that information is typically less private than one's own financial resources. But the short of it is, cookies are a good thing in spirit. Unfortunately, they can be used for more malevolent purposes. One, sometimes there have been bugs in Internet Explorer and Netscape whereby not just the author of the cookie, that website, has been able to access it, but other websites as well. That is a flaw in the browser, not in the design or the notion of a cookie unto itself. But perhaps more troubling is this. You may have heard of companies like DoubleClick or AdClick; anytime you very quickly see in the bottom left-hand corner of your Internet browser some mention of anything to do with ads or anything like that... Well, often websites like CNN, or any websites that sell advertising, will have banner ads and some kind of advertisements on their website, but they don't typically store those GIFs or JPEGs on their own web server. They simply use, and you'll see how to do this in our XHTML lectures, well, they simply reference images that are on DoubleClick.com's web server, or whoever the person doing the advertising is, so that they don't have to store all of the advertisements on their local web servers. Well, if you visit a webpage that has ads being pulled from, we'll call them, third party websites, in other words, if you visit CNN, CNN has an advertisement from some Joe Bob's warehouse.
Well, if you pull up CNN.com and you see that ad from Joe Bob, that ad might be coming from JoeBob.com, which means now that not only can CNN put a cookie on your computer, so can Joe Bob. But, and here's where it gets a little tricky, if Joe Bob is advertising on other websites, MSNBC or Friendster or Hotmail or any other popular websites, well, Joe Bob, because he is also putting a cookie on your computer and is associated in a sense with these other websites, essentially Joe Bob can figure out what websites you're visiting if he configures his own cookie in a certain way. And so websites can in a sense track who you are, not necessarily your name and your number and your email address, but at least some uniquely identifying user. They can come up with a profile, sort of realizing that, oh, this user likes to read national news, likes to check their email all day long, likes to buy romance novels from Amazon.com, all because these websites are all using the same ad provider. And so if you are sort of nervous by this idea of being trackable on your computer, well, a solution in Internet Explorer at least is quite simple. If under Tools you go to Internet Options, and from there you go to Privacy and click on Advanced, well, there's this option here to override default cookie handling. And when the website says, and we can shoot this, when the website says first party cookies, on the left, accept. What a first party is: that means if you go to CNN.com, will you let CNN.com put a cookie there? And usually it's a good thing just to say accept. Prompt tends to be a bad thing, because you will be prompted at almost every webpage you pull up subsequently, and you'll very quickly go back and change it to accept. I promise you.
Third party cookies, though it's not configured on this particular account that I've logged in with today, on my personal machines I typically just say block, because block just means that someone like DoubleClick or joebob.com, even if they're advertising on CNN.com, if CNN is the website you visited, joebob would be a third party, and by this setting cookies from joebob would be blocked. Because really, cookies from third parties serve them more than they do you, whereas first party cookies are really a convenience, typically, for you. So in short, I would say that this represents a very reasonable setting to use.

Session cookies, as an aside: session cookies are a type of cookie that only exist in RAM while you are browsing a website. As soon as you close the window they disappear; they are not stored on disk, as in the case of these files. And I did say before that cookies are files. If you want, on your own computer, and we can continue shooting this, browse to, essentially on Windows XP, your Documents and Settings folder, slash username, slash Cookies. You can see all of the cookies on your computer. But if you double click on these things and open the files, they'll open in Notepad, but they'll probably just look like random numbers or a bit of junk in there, maybe an email address; it totally depends on the website, but probably nothing that is too human-legible. But this is an archive of, as was said before, a lot of the websites you visited before. Almost every website today uses cookies; it's a pretty fair generalization, which means if you have your nosy neighbor coming over and checking his or her email on your computer, it is as easy as opening certain folders on your hard drive to figure out where you have been visiting. Not only do you see files in the Cookies folder, but there's also a temporary internet items folder, which we might take a look at later, that has not only mentions of the URLs you visited but also every piece of web page, all of the actual HTML and all of the JPEGs you've looked at,
all of the GIFs you've looked at. Whatever those JPEGs or GIFs might be are typically stored locally for performance reasons. We talked earlier in the course about caching; well, most browsers cache all internet browsing related files on your local hard drive so that when you reload a page or move around, you don't have to constantly request the page again over the network. It's much faster just to look on your own computer. But: potential breach of privacy, questions, or fear. So this is why, and let me make one note here, in Internet Explorer again, and almost every browser has similar features that you can usually find under the preferences or options, in Internet Explorer if you go to the General tab, Delete Cookies does what it says. It doesn't do it perfectly well, and we'll get to that later, but the idea of it is to empty that folder that we saw a moment ago and all of those cookie files. Delete Files deletes all of those temporary files that are supposedly stored on your local computer. And then Clear History. This is perhaps the easiest way to figure out where someone's been: you can often in Internet Explorer and other browsers use a little pop-up to see where someone has been, and fortunately this computer has been nowhere sketchy lately. We've been to microsoft.com, fas.harvard.edu, cnn.com. But it's also as easy as that, figuring out where your nosy neighbor has been visiting on their own computer. And as we'll see later tonight, even these options, Delete Cookies, Delete Files, they're not a hundred percent robust, and only if you wipe the files away, as we'll discuss, and forensically, rigorously delete them; otherwise you can pretty much recover all of this information anyway. Boom. Question? Okay. Other question? Yes. Good question: how do these cookies serve you beyond the few hours that you're browsing? Well, cookies also have inside of them any content, but usually they have an expiration date and time. So if you're experiencing websites usually forgetting about you after a few hours or days,
that's simply because the cookies have been designed to expire. But you can have cookies that expire a year from now, which means that the website shouldn't forget who you are. If the cookie expires, the browser should be deleting it at some point, but that doesn't mean it's deleting it securely. It might still be lingering; as we discussed in our hardware lecture, it might be deleted from the FAT, the file allocation table, but it's still sitting there physically on the hard drive. Other questions?

What about the other end of the world? We've talked about browsing and breaches of privacy so far as you, the user, are concerned. What can the other end of the transaction remember about you? Well, that leads us to this discussion of logs. Anytime you visit a website, odds are every page you're looking at, every file you pull up, every JPEG, every GIF, is logged on that web server's hard drive. Now it's typically not something that the system administrators look through very often, because for popular websites you can imagine how large these logs become, and for the largest of websites it's possible they don't even bother logging this data because of the gigabytes of space it would require every day, just for instance for CNN to record every graphic and piece of news that someone is pulling up during the day. But what we did for fun... What is in a log? Well, mention of what page was accessed: maybe it's index.html, maybe it is e1.gif or david.jpeg, whatever the actual file is that you pulled up. That would be stored in a file on the web server's hard drive. But they typically remember what browser you were using, usually for diagnostic purposes: were they using Internet Explorer or Netscape or Mozilla? It remembers, perhaps a little more troubling... what information, after all, is a web server receiving every time you request a web page? Think back to our internet lectures. The IP address, right? We talked about the sort of virtual envelope that's sent with both a destination address but also a return
address, which is yours. So inside of these web server logs are the IP addresses or host names, the names of the computers that you're visiting the website from. So it's not necessarily particularly personally identifying information, especially if you, for instance, live with ten other people and behind a home router you're sharing the same IP address with ten other people. What you have in that case is what's called plausible deniability, because you can point your fingers, you know, at the nine other people in your home and say they visited that website, not me. So there is a limit to the amount of information that's sacrificed with these things.

But what you see here is an excerpt of an analysis that we ran on the logs for E-1's own website. So by default FAS logs all of the visits to the website, so we know what handouts are popular among students, we know what videos might be being watched, we know what links you might be following. In short, anytime that anyone in the world, student or non-student, clicks on a link on the website, FAS is logging that information. And that's typically just standard practice; it's not because they're ever looking for anything in particular, just taking up space on disk. But it is useful in the aggregate, often, to get a sense of what links can we stop maintaining, what handouts should we really be pushing on students. Well, this is an analysis of the daily traffic, or every-other-day traffic, for E-1's website in the month of October. And what do you notice that's kind of funny? Yeah, it's like, what is that spike around... Yes. So there were about fourteen thousand requests for stuff from E-1's website just before the exam, and rather quickly people lost interest. Now fourteen thousand, my god, like that suggests the student who's not been keeping up, but actually each of these requests, bear in mind, is for an individual image on the website or an individual web page. So on a typical E-1 web page, though it looks like one beautiful work of art,
there's actually many different GIFs on a web page, including ours, many different JPEGs as well. For instance, that banner, though it looks like one continuous graphic, as you'll see if you haven't already in section when designing your own banners, it's actually in at least two pieces. We've just put them right up next to each other so that it looks like a single whole. Well, a lot of websites will break up images into many different pieces, or there'll just be many images on the page, so each such image constitutes in our logs a request, hence fourteen thousand some odd requests. But what I thought would be interesting, not so much to scare, since the only thing that would be bad is if we noticed that solution sets were being accessed on the website as opposed to the questions. But here is the actual analysis from which I took that chart a moment ago, and it's nicely formatted. We ran a nice little program that generates this web page, stored locally on my hard drive, but it's formatted as a web page so that we can click around and jump around. So here's a summary. You see that the program was run on November first; the time of our first request was smack dab on midnight on October first, and then these logs are current up through 11 p.m. and fifty-nine minutes, fifty-nine seconds, on October thirty-first. Well, this is all kind of boring here, but if we poke around the left-hand side we can see the daily report that I pulled up a moment ago, which is just a frequency distribution of how many pages are being accessed. But it gets a little juicier. We can look at, let's see, we can look at this graph in two parts here. This is a domain report. The blue half of that
pie chart is number one, and we see that of those requests, oddly enough, are coming from a .net network, which I actually find a little bit surprising. A lot of them, though, are coming from a .com address, so the greenish number two in the top right-hand corner suggests that about twenty percent of the requests are coming from .com addresses. Some of them the program couldn't figure out, or they weren't logged properly. About eight percent are coming from people with .edu addresses, so students looking on campus, whether here at Harvard or other universities. And then you can start to see in what other countries people are visiting the website. So we seem to have, oddly enough, half a percent of folks coming from .de, which is what? Well, that's a stupid question: Germany. .jp is Japan. We have some Canada, Singapore, France and several others, even .arpa. That's pretty neat, so some really smart technical people are actually looking at our website, presumably not for the education of it. So still it's a little juicy, but we can do better. What if we go down to, let's see, the host report? So in the host report we begin to see our frequent fliers, the IP addresses that appear in our logs a good amount of the time. So these aren't IP addresses, these are host names, but recall via DNS there's an association of host names with IP addresses. So for instance we have someone whose IP address resolves in DNS to sma2a.mitd.edu; they constituted one-third of a percent of all of the requests for E-1's content. We have a lot of people from Comcast's network, so home users. We have someone in Tampa, Florida using Verizon's DSL, presumably. This IP address didn't have a host name, so it's just somewhere in the world. We can fast-forward, and odds are every one of you appears in these logs, because not listed here are eight thousand other IP addresses or host names, but none of you made the top;
that's because more requests are coming from these particular host names. But we can do even better than this. What about the search query report? Oddly enough, the number one reason people find their way to our website via Google or any other search engine is because they're looking for that guy there, Roman. Roman Rubenstein is the number one search query that ultimately leads to E-1's website. That doesn't mean that if you search for Roman Rubenstein it necessarily makes E-1 the top hit, but relative to the other queries, like "harvard computer science" or "harvard e1", that someone might be searching for on Google, the most popular one, twenty-six last month alone, were because people were looking for information on Roman Rubenstein. "ppt hard disk concepts": odd that twenty-four people were looking for that. But "harvard e1", "harvard computer science e1", my phone number, thank you very much; this was the expected way to figure out the significance of the number, not to call me at 11 p.m., but that's alright. "podcast", that's pretty cool, so six people looking for podcasts found their way. "computers are your future 2005". See if there's any dopey ones on here. twinkiesproject.com, which on first glance is a little strange, but recall that this was one of the URLs in the problem set, so someone who searched for that somehow made their way to our website, because Google tends to index even our problem sets, in which that word did appear. So there's other stuff you can gather, but notice that even though it begins to get a little more personal, it does stop short of knowing exactly who logs in, because only when you visit the videos do we actually ask you who you are, for your ID number and so forth. But in the aggregate this information's kind of interesting, and just the spike alone around exam time kind of corroborates what one's intuition would be, which is that people would be turning to the website and therefore
demonstrating that it is in fact a useful resource to put out there right around exam time. So we'll see if there's a similar spike in another few weeks. Questions on this? This was generated by a program called, looks like, either Analog 4.0 for Unix or Report Magic for Analog, for Solaris. So a program called Analog seems to do that, and if you want, email, so we can try to find the exact reference. So, other questions? All right.

Well, on the agenda next is data recovery, and this is the best clip art I could come up with, but that's because we have all of these demos out here before us. So you know it's a cool subject when you walk in and your hardware is kept in this nice sort of FBI-looking case where you keep all of your computer equipment. We've got a lot of hardware up here, some of which I'll pass around or hold up, and these are essentially tools that a forensic investigator would use, whether in the criminal space in a district attorney's office or in private practice simply doing forensic analyses for personal clients, in order to recover data that has once been deleted or might be protected by passwords. We talked in our hardware lectures that it is not that hard to recover deleted data, but let me let you remind us why, as I gave you a reminder a few minutes ago. Exactly. Almost every operating system today, when you delete a file, it simply forgets where that file was on disk, but it does not erase the bits on disk. In our sections, local students may have seen the process by which a hard drive is formatted. Even before this class, what did you understand the word "to format" to mean? To wipe it clean? To erase? Neither. Formatting a disk tends to do very little in most operating systems. What it typically does is, it does write out a few bytes or a few kilobytes, but really only the so-called metadata, like a new file allocation table and some useful header information, as it's called, at the start of the hard drive, that essentially preps it for use in a computer
with something like windows or macOS it does not look over or erase all of the bits that were previously there it overwrites some of them but a negligible percentage of them why for those of you who also have done this yourselves either in section or at home why does formatting a disk nonetheless seem to take so long right that progress bar if you've ever watched it or if you've ever just waited it can take ten minutes twenty minutes forty five minutes to format a hard drive what the heck is it doing if not erasing the data well first of all how many of you have experienced the process of formatting a hard drive do agree that it really long time i'll take that a really long time what these format utilities are typically doing is they're only verifying the drive they are trying to read every portion of the hard disk but in an attempt to make sure that it's entirely functional because the beautiful thing about hard drives typically is that even if parts of them fail or some part of the platter gets a little bit corrupted they had a so-called bad block well hard drive can automatically do what's called remap that part of the disk essentially tell the operating system uh-uh you can't use this part of the hard disk because it seems to be broken and so never again can you access data on that part of the disk but you can use the rest of the hard drive the ninety nine percent of it that is working so the formatting process typically verifies that all of the blocks all of the parts of the hard drive are working and for any that aren't it sort of maps around them so as not to hold you back in the future but it doesn't change the data typically beyond setting up some minimal data structures necessary for them using that hard drive in a computer which means even once you formatted hard drive the data is typically left there how do we demonstrate this and prove this to be true well what we have in front of me here tonight are three different hard drives all of which uh... 
for better or for worse, were taken from fairly boring users' machines. At the district attorney's office we tend to find much more interesting stuff than will be on these hard drives tonight. But what I did do was also simulate the amount of information that you can get off someone's computer by also putting onto this flash drive, a piece of hardware we've discussed, a user's (not a suspect's) temporary Internet items, so we can also see exactly how much information is retained about a user upon having browsed a website or used a browser for some number of days.

So what do we have here in front of us? Inside of this crazy-looking box we first have some hardware, some of which is really only germane to forensic investigations and is not the kind of hardware you need to go out and buy at Best Buy to do any of this sort of stuff. This is what's called a write blocker. All this piece of hardware does is allow you to connect a hard drive to it, and it to your computer, and though it lets you read data from the hard drive, it does not, as you might guess, let you write data to the drive. Now, for data recovery companies this is typically a useful thing, because the worst thing for them to do, often, is to make the user's problem worse. Right? It's fine, perhaps, if they can't salvage the data, but it's usually nice to be able to hand the drive back to the user and say, "Sorry, we couldn't recover any of the data, but we didn't make the problem worse; perhaps someone with more advanced techniques can still recover the data." In criminal investigations it's even more important, because to hold up in court as a reasonable and lawfully executed search of a hard drive, you need to be able to claim under oath that you did not plant any evidence on the hard drive, and what better way to assure that than to assure the court that you used, throughout the forensic investigation, write-blocking hardware, which means you could look to your heart's content at data on the hard drive but physically had no means of writing to the hard drive.

Now, the conspiracy theorists among you will recognize, of course, that that does not prevent tampering with evidence. How do you still tamper with evidence? How do you still mess up your client's hard drive more? Don't use it. Well, that's even more complicated; just don't use it, right? So there's sort of an irony even in the legal system, where this guarantees that you have not modified the data on the hard drive, but you then need someone to vouch for the fact that you actually used the hardware. So the irony is that it only goes so far, and at some point you simply have to trust in the legal profession not to do such things. But it's no more realistic a concern than it is with any other kind of evidence; it's just data being on a hard drive.

With that said, this device we use not only to block data from going onto a hard drive, but it's also a convenient way of loading data from a hard drive like this onto something like a laptop. Right? After all, where would I put this in the laptop? Well, you can't. So what this device allows you to do is connect an IDE hard drive via an IDE cable. Take a guess: what ports on my laptop, or Ray's laptop tonight, could we connect a device like this to? What do you think would be appropriate? The CD? Not so. Well, if we could pull the CD player out, possibly we could connect it by IDE, but laptops are still kind of different. What's a very useful connector that most computers, including laptops, have today? USB. So in fact what we'll use tonight is USB, not to print or to look at digital photos, but to actually
look at another hard drive. So what I'm going to do is first connect this to a power source so that I can plug power into the hard drive. I'm going to plug the other end of the cable into one of these hard drives, which is just a six-gigabyte-or-so IDE hard drive made by Maxtor. So I'm going to go ahead and connect this, and then finally, doing this properly, I will connect the hard drive's power, which will come from this connector here.

All right, so the program that I'm about to pull up is the following. I now have a hard drive plugged in; I've thrown a switch which gives power to it, so even though this thing's not sitting inside of a computer, the platter is now in fact spinning, and you might be able to hear it if you're sitting close enough. The other end of this device is simply being plugged in by USB to Ray's laptop, and what I'm going to load now, after changing monitors here, is perhaps the de facto standard in law enforcement for forensic investigations. It is a program called EnCase, E-N-C-A-S-E, and it is essentially a Windows program (just a moment to get the monitor synced) that lets you browse a user's hard drive while also performing various types of searches on it. So we can search, for instance, for certain keywords on a computer; we can tell the program to go ahead and search for all of the Internet activity that a user has been engaging in; we can go ahead and say, find me all of the email addresses on the computer, find me all of the credit card numbers on the computer. Pretty much anything you might want to find, you can just tell the program: go search the hard drive for this word or these words. Yes, please, we can shoot this.

So this is EnCase. What I'm going to do is the following. It'll be a bit of a whirlwind tour, since you probably won't need to do this on your own anytime soon, and hopefully won't be involved in this process ever. But with this particular software, here is where an investigator would enter the case name that we've been assigned; we'll call it DS. The investigator's name. You might specify where these files are supposed to be stored. Then we can go ahead and say Finish. I now have a blank window, essentially, with which I can begin to investigate a particular case. What I'm first going to do is add to this case a device. The device I'm going to add is a local drive, because it is of course connected locally. We could also, if you were in the field at, say, a suspect's home, simply connect your laptop to their laptop or their desktop via an Ethernet crossover cable or parallel cable, hardware that we've talked about before as well. But for now it's local, since I've connected it directly. It is write-blocked, which means that even though we'll be able to read everything on this hard drive, which is from a former computer that we used in the course, we will not be able to change any of the data on it. For some strange reason things are jumping around. What's that? Here we go.

What do we see? Well, not only does this program, and really any forensic tool, allow you to look at partitions on a hard drive, which are sort of subsets of the hard drive, your C drive, your D drive, but it can also look at the physical disk, and that's usually more helpful in the event that someone has repartitioned their hard drive; you simply want to have unfettered access to the entire piece of hardware. So what we will choose is
Drive 1, which essentially means the secondary IDE channel (recall from our hardware discussions in section, perhaps). We see, among other things, that it is a master and it's about a ten-gigabyte drive; it turns out 9.5. So I'm going to click Next, and I'm going to click Next again, and now what I have here is Drive 1.

Well, the curious thing about this drive is that if one has properly sanitized a hard drive, and by that I mean not just formatting it, not highlighting all of their sketchy files and hitting Delete and then Empty Recycle Bin, but instead having truly "shredded" their data, as they say, or wiped the hard drive, this is what you will see. If you have properly sanitized a hard drive, what do you see? Zeroes. This is a properly sanitized hard drive that I ran a scrubber or a wiper on, a wiping utility, call it whatever you want, but ultimately what it does is overwrite all of the data on the hard drive, ultimately with zeroes.

But as you'll see in one of tonight's optional readings (and we don't often have optional readings, but this is perhaps one of the most fun articles to read), written by a postdoc at Harvard right now in computer science who just graduated with his PhD from MIT, this is a study on a project that he and another MIT student engaged in whereby, over the course of a year or so, they bought about two or three hundred hard drives off of eBay. They proceeded to perform forensic analyses of all of them, and the results of what they found are quite disturbing and quite fascinating to read about. Among the things they found were that one of the hard drives, I believe, came from an ATM machine; it had not been properly sanitized. Others came from hospitals; others came from universities; one came from a woman who had actually taken her hard drive and her computer to one of these PC recycling companies. She had paid them to recycle it, paid them five dollars or so; that company then literally turned around and sold that hard drive on eBay for another five dollars, breaking their verbal or written contract to actually sanitize the drive. It literally went from the woman's hand to a mailbox, where this fellow Simson proceeded to do an analysis, not necessarily with this software but with software like it.

What this article also has, in addition, is a listing of the popular forensic tools that are in use today, both in civil and criminal investigations, and also, perhaps more of interest, the utilities that exist, free and commercial, to actually sanitize one's own hard drive. It is not necessary, for instance, to wipe out your entire hard drive to keep it properly clean. You can install Windows- or Mac OS-specific software that will allow you to, quote unquote, securely delete or wipe or shred specific files. So if you are working with documents that you specifically never want to be divulged to the world, or it's simply personal, it's an outdated will, anything like this, to really get rid of it you can run one of the tools that are described in this article. So it's a wonderful follow-up, I think, to the sort of stuff we'll talk about tonight.

So this, unfortunately, is sort of a disappointment as a demo, but this would be the ideal to strive for if you ever dispose of a hard drive or give it to someone or donate it to someone expecting that it will be used elsewhere. We'll post on the website, in a follow-up after lecture, one of the best and easiest tools to use to wipe a whole hard drive clean, but I'll defer to the article for some of the more piecemeal solutions that let you delete just your Internet history or just your Microsoft Word document or so forth.

But let's turn this drive off and plug in one of the other drives, and because I'm using this piece of hardware on the side, I don't
need to reboot the computer every time I connect a new drive; I just have to shut off the power. What I'm going to do, just for simplicity, is shut this down, since we're not going to bother with that drive anymore, reload the program, start a new case, and add a new device, and that device this time is going to be this other hard drive we've connected. It's again a local drive; it is again called Drive 1; this time it's a 12.6-gigabyte drive, and we can continue shooting this demo as well. This might take a moment here, so in the meantime let me pause and see if there are any questions, on anything at all.

So, just for the sake of the camera, let me repeat. A while back I said that the only truly robust way to get rid of data is to physically burn or destroy, or, as a lot of companies do, drill holes through all of the platters, pretty much rendering the disk unusable. There do exist software utilities, like the one we'll post on the website and many others on the market today, including some from Symantec, Norton, and so forth, that do this sort of thing. There is this one of those "maybe the NSA can still recover the data" sort of old wives' tales or urban legends. Whether or not that is true is unclear. Most people, most computer scientists, conjecture that simply overwriting a hard drive with all zeros once is more than enough to stop someone from recovering any of the data unless they have much, much money and time and hardware to throw at the problem. By that I mean, once you've overwritten the data with zeros, it's pretty much gone from a software perspective, but theoretically you could open the hard drive physically, take an oscilloscope or some other analog device, and try to read back the magnetic particles' orientations in hopes that, yeah, it's a zero, maybe the particles aligned like this, but maybe it's like that, so it's mostly a zero but it was once a one. This is literally the idea behind which you could physically recover some data; how well you could do that is a matter for further experimentation.

Most people, beyond just zeros, would say that for added comfort you would want to use the Department of Defense's standard, which is what I ran on that earlier hard drive, which essentially overwrites the whole hard drive with random data once, overwrites the hard drive with random data twice, thrice, four times, five times, six times, seven times, and then on the last pass writes all zeros. That's the sort of way that most government agencies would wipe hard disks today, and it's probably more than enough, but it's one of those things where people will typically wave their hands and say, "Well, unless you're the NSA, you can't recover the data," but no one's really done rigorous experimentation to demonstrate exactly how much data you can get back. But if you're in the sort of situation where you're worried about the NSA
recovering your data, you probably wouldn't be in this course, right? You'd be spending time elsewhere.

Well, we have acquired this drive, which just means we've loaded it into the program. This one was not wiped, which means we can actually navigate it still. So I haven't booted this hard drive, per se; I've simply connected to it via Ray's laptop. What you see at left is a sort of standard Windows Explorer hierarchy of all of the folders and files that are still on this hard drive. Based on this alone, what operating system do you think this hard drive was once running in a real PC? Yes, Windows NT or Windows 2000, both of which use that WINNT directory which you see at left, third from the bottom.

Well, what we can do here, and would do if, say, this were a seized suspect's hard drive, is start essentially poking around. Right? One of the easiest places to start when you're looking for data that someone is storing on the hard drive is, frankly, to start with My Documents. Most individuals do tend to keep their most private data in My Documents, and you don't really need to be a forensic scientist to go double-click on My Documents. So sometimes the most obvious places are a good place to start. If we wanted to do something more interesting, we could do the following. I'm going to click this icon here, which looks a little like a home plate; that essentially means show me all of the files on the hard drive at once, no matter how deep in a folder they are, and show them at right. What I can now do is not just look at all the files and folders on this hard drive as a long list like the one you see here, but instead I can look at it in gallery mode. This is a means of very quickly visually scouring a hard drive for the types of images that happen to be on it, for whatever purposes. So if we quickly flip through these (and I was careful to flip through these before class tonight), what you'll see is that, wherever this computer was last in use (and we think it was one of our old PCs that we used in the course, and therefore we booted it up with students and maybe pulled up some random websites at the time, but then shut it down), there's very little data on this hard drive. You see that there are relatively few images, but there's a bitmap at the bottom; if I scroll back up, you start to see some JPEGs, you start to see some GIFs; clearly someone visited Yahoo, they visited some Microsoft website. So you can very quickly see all of the graphics on the computer. You could similarly run scripts, and I could generate a nice interface that tells me every one of the URLs that this user visited. This is not because the user deleted that information and this program is necessarily recovering it; even when you delete things like your cookies in Internet Explorer, or your temporary Internet files, by the same Internet Options interface, there are still files on your hard drive that retain traces of those data.

The most surefire way of really covering one's tracks and of getting rid of data that you would consider to be personal or private or for your eyes only is, frankly, to use third-party software today, because Windows, and even Mac OS and Linux, don't really solve this problem very well. Most of these programs, tragically, also don't solve it very well. There's been a study recently from another university where a graduate student evaluated a lot of the most popular scrub or wipe utilities on the market today. Many of them, dare I say most of them, he found to be buggy, which means that though they claimed, on the shrink-wrapped box, at a price of $29.95 or $99.95, to delete certain types of files in all relevant locations, the people who write the software are human, and they err sometimes, and just as Microsoft Word and Windows have bugs, so do scrub utilities have bugs. What this one particular report found was that a number of these programs claimed, for instance, to completely get rid of your temporary Internet items. Not so: they were in fact still there, because of simple mistakes in the software. So it is kind of a scary thing when you can't even trust these utilities, and so, frankly, if you ever go to dispose of a computer and just don't want your credit card numbers or your kids' names or any of your emails to be ultimately discovered by someone on another market or by sifting through the trash, the best way to get rid of data is to wipe the whole hard drive. Better yet, a furnace; but barring that, just wipe it with all zeros, as we saw in the case before, because that software is hard to get wrong. It's hard to get wrong a process that says: start at the beginning, write zeros to the end. But navigating a complex operating system's file structure, like Windows or Mac OS, is harder to get right, so I wouldn't necessarily trust the software that exists on the market today unless you've done some research into reviews and analyses that might have been done on it.

All right, welcome back. So we looked at a couple of hard drives, one of which was already wiped, one of which had some data intact, but we really haven't spoken to this issue of actually recovering data. So, with that, I give you this demonstration. What I've just plugged into Ray's laptop is that flash drive, which is just a USB device. This one is somewhat older; it only stores 32 megabytes, but it is flash, so it's non-volatile memory. When I pull it out of the computer the data stays there, and it essentially operates just like a hard drive. Prior to tonight's class I dropped a few different files onto this flash drive. I copied over the History folder and Temporary Internet folder from the computer that we've used in previous lectures to
use during lectures, so we'll see all of that; we can potentially see websites and so forth that we've looked at in these particular classes. I also dumped a copy of folder 8, which is all of the resources related to tonight's lecture, and then I also put a copy of the syllabus on there.

So, to our point about deleting files: well, of course, deleting a file is as simple as hitting Delete on it or dragging it to the Recycle Bin. If Ray doesn't mind, can I now empty the Recycle Bin? I'm going to go ahead and say yes, I do want to delete that. Now I'm going to go ahead and empty the Recycle Bin. Presumably now that file is gone, and just to hammer home this point, what I'm going to do is remove this device, the USB mass storage device, just so I can unplug it safely. OK, safe to remove hardware. OK. No longer on this flash drive is the syllabus, but still on there, presumably, is all the other data. So now some time passes. I go ahead and plug it back into the computer, or I happen to find this device in a suspect's home, and we want to see exactly what was on it. Well, of course, we could open it up as usual with Windows. We can do that. What do we see? Well, exactly what we had before, sans syllabus.pdf, because that was in fact deleted. But we're a little suspicious as to what this user has been keeping on this flash drive, and so we might be inclined to pull up not just Windows to look at the folder but actually pull up a forensics tool like EnCase.

So we'll quickly say New Case; we'll acquire this device, because after all it is just like a hard drive, though in this case a smaller one. Clicking Next will show us our options, and now notice Drive 1 is not a ten-gig hard drive but is this flash drive of some sort, and it's only 31.5, 32 megabytes. Next. Finish. It now shows up on the left, and because this too is an active drive (it has not been wiped, it has not been formatted; it is actually a currently-in-use device), we can navigate it on the left just like we could our second hard drive. But notice you see some more interesting icons this time. So on the right-hand side we see the 8 directory, and we could go in there and look at the PowerPoint for tonight and other handouts. We see the History folder, which we saw before. We see the Temporary Internet Items. And then we see some other stuff: we see this icon here, which is a big X, for something called secan-o-four slides.ppt, secan-o-four cheat sheet.pdf, secan-o-four slides.pdf, and then _syllabus.pdf. Hazard a guess at what we're seeing here. We're seeing files that were once deleted, and even though the file allocation table has been changed, the bits, yes, are still on disk, but so often are the original file names or the names of the directories they were in. So it is true that in order to easily un-erase data you need to have something like Norton Disk Doctor or Norton Utilities installed in advance of your mistake late one night, so that you can go and recover data, because Norton makes this process much easier. But clearly we can't go back in time and change data that people have deleted on drives over which we have no control; yet there's often still evidence of it on the computer.

Now, though this is an X, that X simply indicates that that file was deleted, in the sense of dragging it to a Recycle Bin and emptying the trash. Well, with something like EnCase, or again any of these tools, if there is still a good amount of the data left (maybe part of it's been overwritten, in which case maybe we'd lose the tail end of an email or parts of some words therein), well, let's try and go ahead with the syllabus: right-click on it and say Copy/UnErase. I'm going to un-erase the highlighted file, just say Next to those options. Where do I want to save it? Well, for simplicity I'm going to go ahead and store it on Ray's desktop for the moment. It's "_syllabus"; for some reason we lost the S. So the question now at hand is, did we lose any of the contents? Well, let's go ahead and say Finish. OK, completed pretty quickly. It recovered 175.2 kilobytes; that sounds pretty big, so there's a good amount of data in there. I'm going to minimize EnCase for a moment, go to Ray's desktop: we have syllabus, though with an underscore. The syllabus is back, and if we go through it page by page I think you'll find that, because I've made no other changes to the flash drive, all of the bits, except the S in the name, are still there, and it wasn't even all that hard to get the data back. So it is possible; it's often not that hard, at least with the right tools. Questions?

Well, as if those weren't enough threats or worries to go home with, let me give you this little musical interlude, this little snippet, to motivate our next chat. So that is a clip from a popular movie called Spaceballs, and we introduced that little clip to motivate our discussion here of another risk when it comes to one's privacy or security, that being passwords. Probably every one of you, even beyond this course, has one or more passwords that you make use of: you use passwords to check your email, passwords to check your bank accounts, passwords just to buy something online. One of the problems now with the prevalence of passwords today is that it's really hard to keep them all straight. Probably every website advises you to choose a password that you can remember; that
is certainly one criterion, but also one that ideally you're not using elsewhere. Right? Better is to have a unique password for every different account you have, so that if one is compromised you don't compromise all of your accounts. Unfortunately we are only human, and it becomes difficult to remember all of one's passwords. How many of you use the Post-it note technique at work? Right, a couple of people just 'fessed up. So it's sort of funny, if not completely contrary to the point of having a password, if it's literally staring oneself in the face. But it's a very real issue, because it is a difficult thing for people to remember so many passwords, even sometimes one password, for those who aren't necessarily such technophiles.

So fortunately the world is moving toward other, different techniques. Some of you who might work for particularly sensitive companies may carry around these special keychain things (and just doing this for effect: I don't have one on my keychain). That's a little electronic device that has a number on it, and that number changes every few minutes, and therefore when you try to log into your account at a very highly secure network, you'll have to type in your username and a password, but you'll also have to punch in the number that's currently on display on your keychain. It changes every minute on your keychain, but it also changes every minute or so on the server, and those two pieces of hardware, the server and the keychain thing, are synchronized when they first ship so that they're forever in sync, and there are actually protocols with which they can re-synchronize if necessary. But that's one other technique; it's two-factor authentication, as it's called. One factor would be just your password. Why is carrying around something like that on your keychain a useful second factor to use? You don't have to remember it, if that's the only means of authentication. But what if you still have a password? That almost seems kind of strange, right? In a sense you've made it twice as hard, putting it simply, to compromise an account, because not only must you now demonstrate that you know something, the password, you must now also demonstrate that you have something.

So biometric authentication is another step that some manufacturers and companies are working toward. It doesn't seem to work very well in laptops these days. I think in certain IBM models or Dell models maybe you can get that fingerprint recognition thing in the bottom right-hand corner, whereby to log into your machine you have to roll your finger over a fairly inexpensive fingerprint device. Based on third-hand knowledge, I'm told that this does not work very well yet, and you're often doing this just to log into your computer. But that's another form of authentication; it's an additional factor. You must not only know your password, you must also have your finger. And there are other techniques as well, and of course you get the extreme cases, right, in the movies, where the bad guys have your finger.
so it does break down at some point but the world at least is moving toward a system that's a little more secure passwords are fallible particularly on the web today because not only you might be typing away at the keyboard so might a piece of spyware be listening in on what you type and frankly and i've said it before the only types of websites that still make me nervous these days even on my own computer are like banking websites because even i you know is savvy as i like to think i am with computers don't necessarily trust my own computer especially when on occasion i'll download stuff from the internet install it for a class for personal use whatever you have to trust every piece of software you are installing and downloading and that's the scary thing because any one of those programs could include a trojan horse so to speak that perhaps one's in the background thereafter logging every one of your keystrokes passwords are a dangerous thing because if you're typing them in at the keyboard they could be recorded for someone to look at after it's happened before in harvard's computer labs it is one of the easiest things to do to go into one of these computer labs find a computer that someone has already logged into and forgotten to log off at configure it in such a way that the whole hard drive won't be erased when the next person logs in but install keystroke logger as it's called and it does exactly what the name describes it logs the keystrokes of everyone who sits down thereafter it's an incredibly simple thing because that user could even install keystroke logger that not only logs every command that's typed at the keyboard but also emails him or her that log or sends it to some website via ftp or some other protocol and all you have to have done is sit down at that computer or that internet cafe installed something and walk away now fortunately a lot of computers are designed to erase data put there by other users but it's not hard to find an internet cafe 
or a computer lab or someone's personal computer to get data on it even passwords as an aside passwords on a computer are no deterrent i can if you bring me any windows computer i can with a floppy disk remove every one of the passwords that you are using to log it is that simple even with microsoft windows xp service pack to you put the computer with the right floppy disk that user name that you have to type after type clicking the cute little duck that represents your icon can remove it all together all too easily so we've been there things are not necessarily secure if you have physical access to the machine now with that said we've already talked about another threat is read another risk of sorts when it comes to security packet sniffing we talked about it in the context of hobs though why what was germane about hobs to the issue of packet sniffing exactly hobson signals the data that comes into it to every computer connected computers by design should not listen in on that data but it's not hard with the right software or the right skills to put a network card into promiscuous mode as it was called that essentially means listen to everybody's traffic and there exist devices there exist software programs that if you install them in the right place in the central point of the network you can have a nice little pictures and diagrams of all of the websites being visited all of the user names going across the wire all of the instant message conversations all of the everything anything you transmit over the internet can be logged can be sniffed the only real protection is if you actually have end-to-end encryption encryption via ssl when we talked about websites so long as you trust the other end such that the data you're sending over the network is encrypted scrambled so to speak then you can take comfort in being protected against things like this but even that there are many caveats to it so-called man-in-the-middle attacks and other techniques where you can 
think you're connected to that person B securely, but you're really connected to person C, who's in between you and B. It's not that hard technologically to achieve. You as an individual are probably not so much at risk. The risks are increased if you have a particular adversary you're worried about; it's not that hard to target a specific person and start to dig up information and logs and so forth about them. But in the general sense, most people probably don't care what you are doing with your computers in your homes, so that's not necessarily a reassurance, but, security through obscurity in a sense.

Packet sniffing. I put this up just to kind of be a little more technical, though we won't spend much time here. This is just an old ASCII-based depiction of what a TCP packet looks like. We've talked about TCP/IP as being the language spoken on the internet. Well, the fact is that TCP/IP virtual envelopes, depicted here a bit more technically, contain a source and destination port, and in another picture also contain an IP address, destination and origin. This is just a reminder that anything you send across the wire can be traced back to your particular computer, or at least your particular network. But we won't spend much time on these details now.

Hacking. So it's kind of funny: we've talked about privacy and security so far tonight but haven't once mentioned this term. Again, this is
the best clip art I could come up with for you. What does it mean to hack into a network or to hack a computer? That's pretty good: break the codes, break into that computer. The funny thing is that hacking, for a long time and technically even now, had a more positive connotation. A hacker, back in the day, was someone, an MIT type, that was quite good with computers, could figure anything out, could write any type of program. So "hacker" was a positive thing to attribute to someone. Over the years it's become conflated with a term called "cracker," which in this context means someone who does exactly as you propose: breaks into computer systems, cracks open software, violates passwords or circumvents them. In reality, most people just use "hacker" in the negative sense these days, and if you are a hacker you've probably done something wrong, but historically that wasn't necessarily the case. What does it mean, in more technical terms, to hack a computer? Booting a computer with the right floppy disk that has the right software on it that circumvents and removes all passwords. Watching over a shoulder as he logs into his computer and jotting down the password, which I realized tonight is about a hundred characters long, so good luck cracking Rei's password; make that an extra credit unto itself.
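The "virtual envelope" from the TCP packet diagram a moment ago can be made concrete. The following is an added example, not part of the lecture: it builds one constructed IPv4+TCP packet (the addresses, ports and sequence number are made up) and parses the addressing fields back out of the raw bytes, which is exactly what a sniffer or a firewall reads from every packet that crosses the wire. Only the Python standard library is used.

```python
import struct

# Constructed sample: a minimal 20-byte IPv4 header followed by a minimal
# 20-byte TCP header. Addresses and ports are made up for illustration.
def build_sample_packet() -> bytes:
    src_ip = bytes([192, 168, 1, 10])
    dst_ip = bytes([10, 0, 0, 5])
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,    # version 4, header length 5 words (20 bytes)
        0,       # type of service
        40,      # total length: 20 (IP) + 20 (TCP)
        0x1234,  # identification
        0x4000,  # flags: don't fragment; fragment offset 0
        64,      # TTL
        6,       # protocol 6 = TCP
        0,       # header checksum (left zero in this constructed sample)
        src_ip, dst_ip,
    )
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        51234,   # source port (an ephemeral client port)
        80,      # destination port (HTTP)
        1000,    # sequence number
        0,       # acknowledgement number
        5 << 4,  # data offset 5 words (20 bytes); reserved bits zero
        0x02,    # flags: SYN (opening a connection)
        65535,   # window size
        0,       # checksum (left zero in this constructed sample)
        0,       # urgent pointer
    )
    return ip_header + tcp_header


TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))


def parse_packet(raw: bytes) -> dict:
    """Pull the addressing fields out of an IPv4 packet that carries TCP."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    version = raw[0] >> 4
    ihl = (raw[0] & 0x0F) * 4            # IP header length in bytes
    if version != 4 or ihl < 20 or len(raw) < ihl + 20:
        raise ValueError("not a complete IPv4 packet with a TCP header")
    protocol = raw[9]
    if protocol != 6:
        raise ValueError(f"IP protocol {protocol} is not TCP")
    src_ip = ".".join(str(b) for b in raw[12:16])   # origin address
    dst_ip = ".".join(str(b) for b in raw[16:20])   # destination address
    src_port, dst_port, seq, ack, offset, flags = struct.unpack(
        "!HHIIBB", raw[ihl:ihl + 14]
    )
    return {
        "src": f"{src_ip}:{src_port}",
        "dst": f"{dst_ip}:{dst_port}",
        "ttl": raw[8],
        "seq": seq,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
    }


if __name__ == "__main__":
    info = parse_packet(build_sample_packet())
    print(f"{info['src']} -> {info['dst']} flags={info['flags']} ttl={info['ttl']}")
```

The point for the reader is the last two lines of parse_packet: the origin address and port are plain fields at fixed offsets, so anyone who can read the bytes (a hub neighbour in promiscuous mode, a router, your ISP) can see where the packet came from, whatever the payload contains.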
Hacking into computer systems: just figuring out what the passwords are, right? There are probably some of you at home with no passwords; pretty easy to hack into your systems. There might be some of you with passwords that are, quote unquote, "password." I mean, I have worked for companies where the default password was "password," which means all you have to know is the name of the new guy before he logs into his computer to access his account and do whatever with it that you please. Another one, not uncommon: 12345. Right? It's pretty easy to remember; it's also pretty obvious to guess. Other common passwords in use today: birth dates. How many of you have birth dates in your password? Not such a wise idea, especially with the proliferation, legal and otherwise, of information on the web today, some of which you can pay, you know, $19.95 for and have someone's financial history, social security number, and so forth. Probably pretty easy for us to figure out your kids' birthdays or the date of your wedding, which was probably published in a newspaper, right? All this information is probably out there. And so truly the only secure passwords, assuming no packet sniffing and keystroke logging, are probably random sequences of characters, with numbers, with letters, with punctuation marks, with alternating capitalization, uppercase and lowercase. Really, the best password is the one that even you can't remember. So there's clearly a tension there between memorability and also usability. But that's why, often, when you chose your first FAS password, how many of you got annoyed at the machine because it kept telling you your password is based on a dictionary word, your password is too short, your password is too easy? Right? It pushes you in the direction of coming up with more secure passwords. Hackers try to circumvent those things, and perhaps one of the easiest ways to circumvent someone's password is to look over their shoulder, or to
go trashing. I'm reminded of one of our staff picks, a movie called... help me... Sneakers. Sneakers is one of the staff's picks, and in that movie the good guys or bad guys, call them what you will, figure out information about a guy by trashing. What is trashing in this context? Please. Going through somebody's trash to figure out information about them, to figure out passwords that have been thrown away, financial documents that have been thrown away. Trashing is a viable way of hacking into someone's network or computer if they are careless enough to not shred their information. Those of you who did once have Post-it notes but were yelled at by the IT guy: well, how many of you just crumpled them up and threw them away in the trash can? It's still not a good solution, right? It should have been, you know, my grandfather's approach, burned, or it should have been shredded or at least torn up if it went into the trash can. You really only met the IT guys halfway.

So hacking: a general term. You can use it in so many different contexts. Let's try to be a bit more specific. Phishing attacks. We've already discussed these at length. Here's another representative one, a full email from Citibank. Just to recap, what's a pretty robust way for you, the user, of being sure that this is in fact a bogus email? What are some of the techniques we chatted about? Check the bottom of your browser so you can see...
That'll tell you if the connection is secure, but we're at the point of looking at the email before we actually click anything. You can see where it came from, but email addresses can be spoofed. I can send you an email later tonight pretending to be Rei, and you could not tell the difference technologically. Yeah. In a lot of mail programs you can just hover over the link, and you'll actually see, in a nice yellow box, the true address that it's mapping to. If you are reading the email in a non-HTML mode, in a mode that's just text, it might look hard to read, but you'll actually see, and we'll get to this in our website lectures, the actual href, a hyper-reference, to which the link is going. Or you can click the link, potentially adding yourself now to a new spam list, but at least you'll then see in the URL where you ended up. And if you ever see an IP address as opposed to a host name, it's a dangerous thing, unless you want to take the time to reverse look up the name of that website based on its IP address. But even then, even I probably wouldn't catch something like that if I clicked the link. So the best approach really is to assume that when you get emails like this, that make mention of personal information, that make mention of bank account information, that are from banks you don't have accounts with, that they're probably phishing attacks. And sadly, and yet wonderfully, one of the best mental filters to apply to phishing attacks is that I have so rarely seen a phisher who can spell correctly. Big companies do not make typos in important emails. Phishers, for some unknown reason, where you would think if you're emailing a million people maybe you should take the extra sixty seconds to spell-check your document, even if English isn't your
first language, to look up the actual spellings of the English words. You can usually filter out spam and phishing attacks by the stupid spelling mistakes that are in the document. And this one actually is pretty good. What doesn't make any sense: "network is out primary"... perfect... "is out primary concern." Pretty bad, but it still looks pretty good at first glance.

Well, now we get to one of our last and juiciest, if not scariest, topics: viruses and worms. You probably all have had these terms in your lexicon for quite a while. A virus is something that you might have even been infected with; a worm is something you might have even been hit with. There have been many viruses and worms over the years, in the thousands at this point. Some of them have made national news; some of them have reportedly cost billions of dollars, disabled corporate networks, and so forth. Some of them are so problematic, and I experienced this with a friend of mine, where she asked me to come over to help her fix her computer, because she would boot it up, she has a Comcast connection, and within fifteen to forty-five seconds she would get this pop-up saying your computer will be shut down in 45 seconds. Unfortunately, 45 seconds, for my friend at least, was not nearly enough time to go to Windows Update, download the fix for this problem, install it, and then reboot. You could do that in maybe three minutes, maybe ten minutes, not in 45 seconds. And so it was this tragic sort of catch-22 she was experiencing, where to fix this problem she needed to update her computer, but to update her computer she needed to be online for more than 45 seconds, but she needed to update her computer because she couldn't be online for more than 45 seconds. The reason for that at the time, I think, was a worm called Blaster, which was going around and was attacking pretty much any vulnerable machine, and the symptom of this particular worm, it might have been Slammer as well, I forget, in this particular
instance was that it would cause someone's computer to shut down. Ultimately there are ways around this; networks have gotten better at filtering out traffic like this. But what this means is that a worm is almost always a malevolent piece of software written by someone with either a motive or with too much free time, and the goal of the worm is simply to propagate itself. Worms travel over networks by themselves. You don't need to open an attachment to be infected with a worm; you don't need to forward an email; you don't need to download a file to be infected by a worm. You simply need to be connected to a network, because they crawl literally from computer to computer just by choosing random IP addresses to go to next, or, more intelligently, choosing local IP addresses to go to next. Viruses, by contrast, are those things that you're told not to open emails with. A virus is not self-propagating; it requires human intervention to infect you. So a virus is typically installed on your computer when you unknowingly or foolishly double-click an attachment in an email that is infected with a virus, or you download some file or go to some website that tells you to look at some file and it has a virus in it. If you ever receive an email with an attachment that ends in .exe, henceforth never open it, even if it's from your dad or your mom, and I'm hypothesizing, though this has happened to me, saying these are the cutest little horses you've ever seen and they sing a song to you. Well, that's exactly the kind of software that virus authors like to embed malicious software in, because who wouldn't like to see little horses dancing around singing on the screen? But behind the scenes, behind the singing, the virus is often going through your entire email address book and sending those horses to everyone you know using your email address, or, worse yet, sending that virus to everyone you know using someone else's email address, making it even harder to figure out who is in fact infected. But a
virus really does require human intervention, and the best way to protect yourself against viruses is just don't open attachments unless you know where they're from and you know it's a legitimate email. Almost always you can assume that if you receive a PDF it's going to be safe. Usually if you receive a GIF or JPEG it's most likely to be safe, though there have been JPEGs that can infect computers because of bugs in, for instance, Internet Explorer. Never open .exe's. Ask that the person resend the file to you in a zip format or in some other format, or not at all. But even zip files can contain viruses inside of them, though usually because files inside of the zip files are infected. So in short, it's really just a "be careful" sort of approach. Now, of course, is it possible to spoof the extension so that if it's really... Absolutely, you could receive an attachment that's called something.pdf but it's really a .exe, but Windows would not know that it's an exe unless you manually changed the extension back. So that would not really be a robust way of infecting someone, because no one would probably manually change the extension. But that does remind me, incidentally,
back to our forensic discussion: these tools do not just rely on file extensions to, for instance, find all of the images on your hard drive, right? Because the most clever of suspects, well, a more clever suspect, would simply rename all of the JPEGs or the Word documents on his or her hard drive with .dll or with .zip or .pdf, something that's less innocuous than, you know, JPEG or Word document, which might have juicier stuff in it. Forensic tools, however, don't trust file extensions. Almost every file format today, zip, Microsoft Word, Excel, usually starts with a sequence of bits that are known and are standardized, so that you don't even need the file extension. You can simply look at the first few bytes or bits in a file and then say, oh, this is a JPEG because it starts with 1, 2, 3, 4, 5, and then the rest of these files tend to have the actual content, the picture or the Word document.

So how do you protect yourself against viruses and worms? Well, for a long time I practiced exactly what I just preached. I never used anti-virus software because I simply used smart computing. I didn't open attachments; I didn't download files from suspect websites; I didn't visit a lot of these game or kid-oriented websites where, you know, they try to slip spyware and other bad programs in by giving you a free game or horses or whatnot. Right, I just kind of said forget it, it's not worth the risk. But more recently, especially with worms that are not the result of your own foolishness or naivete but just the result of your being connected to the network, you kind of need anti-virus software, as it's called. And this is sort of a catch-all term these days: you don't really buy anti-worm software, you buy anti-virus software, and with that comes protections against viruses and worms. If you receive an email with a virus and you have software installed... let's see, what do we have here? So this was simply an email I received. I don't think it even had a virus in it, but it talked about a
virus called Klez.E. I'm trying to remember: "it's very dangerous by converting your files, you only to run"... OK, here we go. So this was an email that claims that there's this new virus on the prowl and to protect yourself you should run this program. Well, that was the virus that was going around: the program being released. So if you ever get emails like that saying run this program, even if they look like they are from a friend, they are possibly, and if not quite likely, actually viruses unto themselves, because as we just said, if your friend is infected, you can receive an email from Joe Bob if you're buddies with Joe Bob, just because you were in Joe Bob's address book, not because he manually sent it. So again, the best way to vet these things is to get a sense: would Joe Bob really write this kind of English prose? If not, probably not from the real Joe Bob. Question? Yes.

This is an example of a pop-up that's quite popular even today. This is the sort of window you get by browsing the web and visiting some website that happens to have pop-ups. Well, it's very nice of the website to inform you that maybe you are at risk because your computer is broadcasting an IP address. It's sort of a statement of the obvious, at least to the E-1 student now, right? It is not problematic in and of itself that your computer is broadcasting an IP address, but to the, you know, uneducated user it's a little scary, right? Put a red X like that, just like you put a yellow padlock icon: just as that suggests security, this suggests a problem. You too would probably click OK, but that OK is not a real button. This is a whole GIF that is in this pop-up window. You click that link, you'll be whisked away to some website that will probably ask you to download some program or buy some program to protect you against the latest and worst programs. But often that's either a scam just to get you to buy something that's not really that good, or it's the bad thing itself, and it's sort of a web-based
phishing attack, trying to hook a user with something like that. So yeah, you can absolutely get infected from websites, even websites that don't have pop-ups, but there have been known problems with certain web servers and certain web browsers whereby the web server can get infected with a virus and you, by visiting that website, become infected. You the user really don't have all that much control over this; that becomes more the server's problem, until the manufacturers of antivirus software know about it and can therefore protect you. Chris, good question: how do you know that clicking that X in the top right-hand corner... Well, in this case you want to really click the real X in the top right-hand corner, which... well, let's see, I have a window and a window here; was this one... If you're not sure, frankly, Alt-F4 is the safest way to close windows. Alt-F4 closes any window in almost any Windows program. And back in the day, before there were pop-up blockers, if you ever visited a website and were just slammed with a dozen, two dozen pop-up windows that sort of overwhelmed your screen, oftentimes if you tried clicking and closing one of those, what happens? The next one. And how many of you have just rebooted your computer altogether at that point? Probably. But frankly, it's a little bit of a cheat, but hitting Alt-F4 and just riding the thing, just holding your fingers on it, Alt-F4, that will usually be faster than the pop-ups themselves can be triggered. And just in general, that's the safest way if you're worried about clicking the wrong X.

So this is just meant to cue a bit of history here. I pulled up a little excerpt of some of the most
damaging, the most popular worms over the past few years. Just to be clear again, a virus is something that someone has written. Viruses don't just get magically created or mutate as they might in the biological world. Someone has sat down and written a virus that takes advantage of, again, someone's naivete, or maybe of some flaw or bug in some software. Worms are the same way, and worms you can release just by sitting down at an internet cafe and launching the latest worm, which has certainly happened before. The more foolish worm authors have launched them not from an internet cafe or a lab but from their home, or usually their parents' home, since they are not infrequently 17- and 18-year-olds these days. With that said, oh, and incidentally, you saw earlier this clip here: this was of the Melissa author, who back in 1999, David Smith, was in fact caught. He was caught because he was bragging about his exploit, as felons often do, in some chat room or something stupid like that, where there was actually an undercover officer or a user who did report the conversation to someone else, and ultimately his arrogance, his ego, got him caught. Other people have gotten caught because their email addresses have been in the source code to the worm or the virus, or their name or their handle, their nickname. Other people because the IP address that it was originally sent from, their parents' cable modem account, was ultimately
traceable. So there are thousands of virus authors and worm authors that haven't been caught, but the biggest ones are often caught because of the number of resources and dollars that are thrown at the problem by the government. Would you be liable legally? Probably not. I don't know of any case where an unknowing user was in any way prosecuted or got in trouble criminally for having unknowingly been infected with some malware, malware being malevolent software. So that is not something I would worry about. I would only worry about being on the receiving end of a phone call or a knock on the door if you were the one who initiated the infection. There are thousands of computers on the internet today still infected with various programs, and were Harvard's network not somewhat secure, I could literally turn on one of these computers, put it on the network, and show you the attacks that happen to this day from worms that have not yet been silenced. So the short answer is no, I would not fret about that. What's more likely to happen is your ISP is likely to call you, or just shut off your connection, if they notice that you are sending worms and viruses off of your computer for weeks or days or months. But I wouldn't worry about a knock from anyone in suits. Yes? Can you notice or not notice things like worms? It's becoming a problem. The fastest of worms, and this has been shown empirically and also theoretically, can infect entire vulnerable populations in minutes, which means a well-written worm, if the bad guy knows about some bug in a web server or in Windows before the good guys know, or before Microsoft releases a fix for it, you can literally infect hundreds or thousands of computers with a carefully crafted and released worm. Fifteen minutes is hard to manage.
So yes, you can certainly be infected for a good amount of time, but also you can be infected before you even have a chance to do anything about it. And there are what are called zero-day attacks. A zero-day attack is one in which maybe Microsoft announces that there's some flaw in Windows and you should please update your systems. Well, most people don't respond to that immediately; some of you might have no clue when Microsoft releases such announcements. And so, so long as one bad guy listens to that announcement, figures out what the flaw was, writes a program that takes advantage of that flaw, and releases it before you update your system, again, you're in trouble. And this is a real concern for corporate networks. There are a lot of IT individuals who, not out of laziness but out of conscious decisions, do not update their systems immediately when Microsoft or another vendor updates software, because when you're running a corporate network with hundreds or thousands of users, there is just money to be lost if you screw up and start crashing your systems. You want to wait until everybody else has tried the latest version of Windows before you actually install it. But unfortunately you're exposing yourself to that risk by waiting, and waiting. You will find that there are even some corporate networks that get hit with worms not when the worm first comes out but months later, when they are among the few people who aren't yet actually protected against it. Tough to answer quickly.
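Going back to the forensic point made earlier, that tools look at a file's first bytes rather than its extension: here is an added example of that check, written for this page and not a tool from the lecture or the course. The signature table holds the public, standardized headers of a few common formats; the "disk" it scans is a constructed dictionary of file names and their leading bytes, so it runs offline. It generalizes the lecture's one JPEG case to several formats and reports every file whose extension claims one format while its header says another, in either direction (a JPEG hiding as a .dll, or an executable hiding as a .pdf).

```python
import os

# Well-known file signatures ("magic bytes") at offset 0. These are the public,
# standardized headers of each format. Order matters: short, ambiguous ones last.
SIGNATURES = [
    ("JPEG image", b"\xff\xd8\xff"),
    ("PNG image", b"\x89PNG\r\n\x1a\n"),
    ("GIF image", b"GIF87a"),
    ("GIF image", b"GIF89a"),
    ("PDF document", b"%PDF-"),
    ("ZIP archive (also .docx/.xlsx)", b"PK\x03\x04"),
    ("Legacy Office document (OLE2 .doc/.xls)", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("Windows executable (MZ)", b"MZ"),
]

# What each extension claims the file is. Extensions not listed are "unknown".
EXTENSION_CLAIMS = {
    ".jpg": "JPEG image", ".jpeg": "JPEG image",
    ".png": "PNG image", ".gif": "GIF image",
    ".pdf": "PDF document",
    ".zip": "ZIP archive (also .docx/.xlsx)",
    ".docx": "ZIP archive (also .docx/.xlsx)",
    ".xlsx": "ZIP archive (also .docx/.xlsx)",
    ".doc": "Legacy Office document (OLE2 .doc/.xls)",
    ".xls": "Legacy Office document (OLE2 .doc/.xls)",
    ".exe": "Windows executable (MZ)", ".dll": "Windows executable (MZ)",
}


def identify(data: bytes) -> str:
    """Name the format from the leading bytes alone; 'unknown' if no signature matches."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def check_file(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the header says."""
    claimed = EXTENSION_CLAIMS.get(os.path.splitext(filename)[1].lower(), "unknown")
    actual = identify(data)
    # A file with no recognized signature (plain text, say) is not a mismatch;
    # a recognized signature that disagrees with the extension is.
    mismatch = actual != "unknown" and actual != claimed
    return {"file": filename, "claimed": claimed, "actual": actual, "mismatch": mismatch}


def find_mismatches(files: dict) -> list:
    """Return the names of files whose extension contradicts their header."""
    return [name for name, data in files.items() if check_file(name, data)["mismatch"]]


def check_path(path: str) -> dict:
    """Same check against a real file: only the first 16 bytes need to be read."""
    with open(path, "rb") as fh:
        return check_file(path, fh.read(16))


# Constructed sample "disk": file name -> the first bytes of that file.
SAMPLE_FILES = {
    "vacation.dll": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",  # really a JPEG, renamed .dll
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00",           # genuine OOXML zip container
    "manual.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",          # genuine PDF
    "setup.pdf": b"MZ\x90\x00\x03\x00\x00\x00",            # really an executable, renamed .pdf
    "readme.txt": b"Just some text, no signature",         # no signature: left alone
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(check_file(name, data))
    print("mismatches:", find_mismatches(SAMPLE_FILES))
```

Two caveats a practitioner should keep in mind: a two-byte signature such as "MZ" can collide with unrelated data, which is why it sits last in the table and why real forensic tools check more structure than the first few bytes; and a .docx is a zip container, so "ZIP" is the correct header answer for it, which the claims table accounts for.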
Among the topics you just cited are firewalls and anti-virus software. Let me pluck off the second one, anti-virus, in just a moment. A firewall, recall, is usually a program or piece of hardware that sits between you, at a computer or network, and the rest of the world. Typically a firewall filters traffic based on port numbers and IP addresses. So most home networks are safe against most worms, because worm attacks are initiated from the outside world, and they initiate by connecting to a known port number, not 80 for something like HTTP, but the port number 567, which is generally not used. If your computer is exposed on the internet, on a Comcast connection, and you have no firewall, well, then that worm can probably connect to your machine and infect you. If you're behind a firewall, or any of these home routers, by default they only let traffic in that was initiated from someone on the inside. This is why some of you might have trouble, for instance, using AOL Instant Messenger or Google Talk to chat with someone who's also behind a firewall, because if both firewalls only let outgoing connections through but not incoming connections, well, it's kind of hard to establish a bidirectional connection. Programs are getting better at circumventing that, but the short of it is that a firewall protects you against network-based attacks. If someone emails you a virus, or emails you something bad and you double-click it, well, you've just circumvented the firewall. It will typically protect you more rigorously against worm attacks; that's a safe generalization. And let me, before I change monitors here, bring up... well, this is just a funny aside. Also going around, not just worms and viruses, but emails like this: hoaxes. This is the easiest kind of virus you can write, the easiest way you can generate chain letters: tell someone about some new scary virus, tell them to forward the email to all of their friends, which should also be a visual cue, but don't actually write the virus or worm. The
Good Times virus was a hoax, and this was an email that went around a long, long time ago, but quite prevalently, and even sometimes today, and there are dozens if not hundreds of these. All they are is chain letters pretending that there's some virus going around, but in fact there's no such thing. If you do in fact ever read an email from someone, at work or personally, who warns you of some new virus or worm, almost always you can, perhaps with some reluctance, have these folks put their foot in their mouth by very quickly googling some of the key words they just warned you about, finding the link on the web that says this is a hoax, this is an urban legend. You can then, hopefully after taking this course, be the guy who informs that co-worker that you've just been duped, and then a few minutes later you'll get the retraction from the same individual. Don't forward emails about viruses and worms; they are almost always hoaxes.

With that said, two quick words just on jargon before we switch over to Elizabeth's computer for our virus and worm and spyware demonstration, in reverse order. This term "cracking" we mentioned before. Cracking usually refers to the process of cracking software: software that has, like, a serial number requirement or registration code requirement. If software is cracked, that means that those copyright protections have been removed by someone who's been clever enough or malicious enough to remove those protections. "Warez," often written in funny capitalization, means software that has been cracked: commercial software that has been made publicly and illegally available. If you have gotten Microsoft Office from a friend on a CD or downloaded it from the web somewhere, and it wasn't from microsoft.com, you are the lucky owner of warez, which violates all of those shrink-wrapped
conditions that you never even read, and it is in fact illegal. Warez, then, is illegal software, illegally distributed software.

On to our demonstration. Elizabeth, one of your classmates, was kind enough to bring in her computer, which I've assured her I won't use for forensic purposes but will instead use to put in, in our remaining time, the E-1 anti-spyware and anti-virus and anti-worm software. Spyware, something that I've mentioned before: spyware is just another form of malware, again malicious software that someone has written, sometimes for corporate gain. Spyware, as the name suggests, is software that tends to spy on you. A keystroke logger would kind of fall under the auspices of a spyware program. Spyware can watch, as we've said in the past, all of the websites that you're visiting, so that it can trigger ads relevant to the websites you're visiting. I had spyware once on my computer where if I visited ...extension.harvard.edu, up came a pop-up from the University of Phoenix, which is this online school, we'll call it, that had partnered with some spyware vendor, such that I somehow had a piece of spyware installed on my computer that essentially said, any time this user visits a .edu website, pop up this advertisement. And the people who were paying for that ad were the University of Phoenix, this online university. Well, what I've put on this CD-R are a few programs which are pretty much the only programs I ever use in the way of anti-spyware, anti-virus, anti-worm. You don't need to pay for any of this stuff, frankly. There's a lot of shrink-wrap boxes, all of which are overpriced. There are freely available alternatives, which frankly I have gotten by with just fine, again by practicing safe computing, so to speak, but also by occasionally running programs like this.
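The firewall behaviour described a little earlier, that a home router lets in only traffic belonging to a connection someone on the inside opened, can be simulated in a few dozen lines. This is an added example written for this page, not code from the lecture: a toy stateful filter that tracks outbound connections and drops any inbound packet that does not belong to one. The traces use a constructed home network (192.168.1.x), the documentation addresses 203.0.113.10 and 198.51.100.7 as the outside web server and an unsolicited sender, the lecture's port 567 for the unsolicited probe, and TCP 5190, the port AOL Instant Messenger used, for the two-firewalls chat scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True for the first packet of a new TCP connection


class StatefulFirewall:
    """Allow connections initiated from the inside; drop unsolicited inbound ones."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        # Connections opened from the inside: (inside ip, inside port, outside ip, outside port)
        self.connections = set()

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def process(self, pkt: Packet) -> str:
        outbound = self.is_inside(pkt.src_ip) and not self.is_inside(pkt.dst_ip)
        inbound = self.is_inside(pkt.dst_ip) and not self.is_inside(pkt.src_ip)
        if outbound:
            if pkt.syn:   # remember that someone inside asked for this conversation
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        if inbound:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.connections:
                return "ALLOW"   # a reply to a connection we opened
            return "DROP"        # nobody inside asked for this; the worm's knock goes unanswered
        return "ALLOW"           # purely internal traffic is not this firewall's concern


def home_network_trace() -> list:
    """A constructed sequence of packets at one home firewall, with the decision for each."""
    fw = StatefulFirewall("192.168.1.")
    pc, web, outsider = "192.168.1.20", "203.0.113.10", "198.51.100.7"
    trace = [
        ("PC opens HTTP to a web server", Packet(pc, 51000, web, 80, syn=True)),
        ("web server replies", Packet(web, 80, pc, 51000)),
        ("unsolicited inbound to port 567", Packet(outsider, 4444, pc, 567, syn=True)),
        ("unsolicited inbound to port 80", Packet(outsider, 4445, pc, 80, syn=True)),
    ]
    return [(label, fw.process(pkt)) for label, pkt in trace]


def two_firewalls_trace() -> tuple:
    """Two chat users, each behind their own firewall: the direct connection fails."""
    fw_a = StatefulFirewall("192.168.1.")
    fw_b = StatefulFirewall("10.0.0.")
    a, b = "192.168.1.20", "10.0.0.30"
    opening = Packet(a, 52000, b, 5190, syn=True)
    leaves_a = fw_a.process(opening)   # A's firewall: outbound, fine
    enters_b = fw_b.process(opening)   # B's firewall: inbound, nobody inside asked
    return leaves_a, enters_b


if __name__ == "__main__":
    for label, decision in home_network_trace():
        print(f"{decision:5} {label}")
    print("two firewalls:", two_firewalls_trace())
```

The second trace is the instant-messenger problem from the lecture: each side's firewall is happy to let its own user out, but neither accepts the other's incoming connection, which is why such programs relay through a server that both sides connect to outbound. The first trace also shows the limit the lecture mentions: the filter never sees an attachment the user double-clicks, because that traffic was "initiated from the inside."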
I will defer to an at-home exercise using something like AVG. AVG, which is linked on the course's website under Software in the Security category, is an anti-virus program. It's free; it's configured to automatically download updates every day, every night. Frankly, I see no reason to pay for McAfee's VirusScan or Norton AntiVirus when freely available alternatives are there, too. It's not to say it's better or as good sometimes as those programs, because the fact of the matter is even McAfee or Norton miss some of the latest threats. The best solution then is often to run multiple products, but again, frankly, if you practice safe computing in general, you know, one free option is enough. If it's any reinforcement, this is all that I personally use. The other programs we have linked on the website, and I will also link one of the wiping utilities, is a program called Spybot, which is, I think, one of the best freely available programs that searches one's hard drive for known spyware. I'm going to very quickly go through the boring installation process, since it's all rather obvious. You want to be on a network connection whenever you use these things, because almost all of them have the ability to update themselves via the internet so that you have the latest protections. So now I've just rebooted this computer, and hopefully quite quickly it will come back, and what I'm going to do is run this program searching Elizabeth's hard drive for known spyware. Hopefully it will have some juicy stuff, because, being that it's used by her kids, she said, you know, kids do visit websites that do tend to be associated with spyware, because they're often downloading games and they're often downloading freely available stuff and they're often visiting websites with pop-ups. So with that said, let's give this just a moment to reboot, and let me answer any questions that you might still have. Yeah, in the back. No, I would not say that,
and Apple has been very careful as a company never, in my experience, to claim that their computers are more secure, because this is a very fleeting defense. The more popular Macs become, the more of a target they will become. Macs have far fewer viruses and worms that can affect them, not because the software, in my estimation, is any better, but because when you only have one percent or even ten percent market share, nobody really cares as much to write the malicious software against you. The more their popularity increases, mark my words, there will be more attacks, and at least one of them, I presume, will hit the mainstream and make CNN.com. Elizabeth, which one should I use? Use this one? That's OK, we can use any of them; it'll find anything on the hard drive. OK, so I am quickly going to begin our search; hopefully we'll have time enough to see the results. Ad-Aware is another program that I put on, and you already have Security Center, so that might be doing some useful things for us anyway. Ad-Aware is another one; it's best to use it in addition to something like Spybot, only because, again, like anti-virus software, some programs catch some things, others catch others. Best to try your hand at several of them. I'm going to cancel out of this. One of the nice things, as an aside: Spybot has this Immunize feature, which is useful because it installs protections against all known exploits against Internet Explorer. So Internet Explorer has been among the buggier browsers, or at least the more commonly targeted browsers. The nice thing about this is that essentially you can protect against any of the bugs that have already been discovered, so that you can't become infected by spyware that has already infected other people. This is an uninteresting demo, but it would be something that I would suggest doing. It's uninteresting only because it just says "done." But what I'm going to do here is, normally I would update, but because we don't have an internet connection for Elizabeth's computer, I'm simply going
to click through. Okay, we'll ignore that, because we haven't updated to the latest, but I just clicked Check for problems. Notice that Spybot, as of the time I downloaded it and made the CD, knows about 23,000 types of spyware, some of which are variants of each other, but that's a pretty good ballpark: 23,000 possible things that might go wrong with your computer. This is where one realizes that it would have been ideal to start this earlier in class and do the Julia Child, you know, out-of-the-oven effect with the computer that had this done already to it. So what I'll try doing is a bit of a cheat. We can always continue next time. Well, if I stop, it's not going to find anything.

Let me turn our attention for a moment to one other program that is on the CD and is also linked on the course's website. The most arcane program to use, but perhaps the most powerful one, is a program called HijackThis, which, though it sounds like a bad thing, is actually quite a good thing. This is a program that essentially lets you edit the Windows registry. The Windows registry is a big, complicated preferences file, essentially, that almost every piece of software on your computer can write to, to make changes to. In the registry you can make mention of programs that should run at startup, so most spyware programs are loaded on startup because some program has inserted a reference to them in the so-called registry. You can edit the registry with a program called regedit, but it's a tool that people recommend you not use, because you can do scary things and break things. You can also do that with this program, but what I'm going to do is just give you a glimpse at what you might do if you're quite savvy with this or comfortable with this. There's nothing really personal on here. This is all of the relevant, potentially dangerous stuff in Elizabeth's registry, and among the things we see are mentions of all the programs that load on
startup. So Adobe Acrobat has something that loads on startup, because it appears in this listing, and see, it says Adobe Acrobat 7 reader.exe. EXE is an executable; it's clearly launching something in the background at startup. A Roxio Easy CD Creator. Any of these icons that are in the bottom right of your screen are usually loaded on startup because they are in the registry, and HijackThis is giving us a view of that registry. Just by eyeballing this I can say that some of this is McAfee's anti-virus. This is why AOL Instant Messenger loads on startup, because it's mentioned in this file. And I realize the font is small, but this program doesn't let you change it. Fortunately... well, there we go: "Hijacked Internet access by New.Net." So there is some form of spyware on here that we could further diagnose if we wanted to, on closer inspection, and Spybot should be able to catch that. But this is clearly not so much a good thing. Overall, based on just experience with this, there's not much spyware on this computer, at least that's the evidence from this search.
Here we have a few things that Spybot has actually found, and it did finish. So it found only three worrisome things, one of which is Avenue A, a tracking cookie. That just means it's a third-party cookie that's sitting there; it's not a huge threat, but it's there because you don't have third-party cookies disabled. This is a little more worrisome, and we could Google this term, DSO Exploit, to learn more about it, but almost always things that appear here in Spybot should be removed, because they don't belong here. And down here is probably the most worrisome one. Most likely this program, and we'll have to Google it after class to find out a bit more about it, is, as they said, hijacking your Internet connection, because what some spyware can do is configure your machine in such a way that even if you manually type www.chasemanhattan.com or bankofamerica.com and hit Enter, your computer's been reconfigured to change the IP address that your computer thinks belongs to Bank of America, which means you might think you're on Bank of America's website but you really aren't, because of this internal change. So with that cliffhanger, we'll resume and continue our discussion of security at next week's lecture, and I'll stick around after to field some questions tonight.