All right, welcome back to Computer Science E1. This is our continuation of our security lecture. And this is my Windows Vista business computer that's finally booting up. Irrelevant because tonight's focus is on security. So I see we captured that on camera nonetheless though. So tonight's a continuation of our chat about security. And in particular, focusing on threats and also mitigations of threats, what you can do to protect yourself and why some of these threats exist in the first place. And perhaps one of the most common threats, at least one that most folks are familiar with, is this notion of a virus or this notion of a worm. And we talked about these briefly last week. We'll continue this here to start with a quick recap. What was or is a virus in the context of computers? What do you got for me? Good, so malicious code. So malicious code is malicious software. So software that someone has written, generally someone with either an aim for doing bad things or frankly just someone with too much free time. So what can a virus do? It's just a program, a program that generally does bad things. Yeah, take complete control over your computer if desired. What else? Corrupt your data. Corrupt your data, certainly. What else? Good, so corrupt other people's data as well. So in short, anything that you can imagine making a computer do for good or for evil, I mean a virus can do because it's just a program that someone has written to generally achieve some malicious task. And there was an interesting distinction between this thing called a virus and also a worm. What was the key distinction we said last time between virus and worm? Exactly, there's no human intervention necessary for a worm to spread from computer to computer, which makes them even more dangerous because once your computer becomes infected with the worm, it can hop from your computer to another provided of course you're actually on the internet or on some kind of network. 
A virus by contrast needs a host much like in the world of mammals whereby a virus attaches itself to another file. Generally a file ending in .exe in the Windows world but it can also attach itself to other types of files as well. So how, oh and actually, just to sort of speak to the severity of these kinds of threats, it wasn't all that long ago that I was helping an older friend of mine who had a typical Windows computer running Windows XP and there was some bug discovered in Windows itself and Microsoft had identified the problem and had released a patch for it so to speak, a patch being an update to the software that you generally download for free. Either through that thing called automatic updates that happens for you, which she did not have on, or you have to go to some website to download it. Unfortunately it was one of these catch-22 situations whereby this bug in Windows was so bad that a person on the internet, anywhere on the internet, could crash your computer just by sending the right type of data, the right type of packet to it over the internet. So they weren't compromising your computer, they weren't breaking in, but they were sending a message, a packet of data that was structured in such a way that upon receipt at a buggy computer, a computer running an older version of Windows, the computer, just because someone made a mistake at Microsoft, would crash and it would tell you specifically you have 30 seconds until your computer automatically restarts and unfortunately there was no cancel button. So she called me as she often does to help her out with this particular situation and she was being attacked by a worm that was trying to spread from computer to computer. Unfortunately, there was a fix to this and it was right there on Microsoft's website, free download. 
Unfortunately to get this download you need to be on the internet but to be on the internet you have to expose yourself to this threat which literally meant, no joke, I had exactly 30 seconds to solve this problem before I'd get hit by this worm, her computer would and then the computer would forcibly reboot itself and so this was quite the conundrum which frankly was well beyond her technical means to actually figure out and long story short we had to futz around with the firewall to make sure we were protecting her in yet another way until I could finally get the patch and fix things but the short of it is that this is non-trivial and this was not her fault certainly and yet she was quite helpless in fact and so much like we did last week not only will we discuss some of these threats we'll now focus on how you address them. So we talked about or David just mentioned two major things, viruses and worms. So let's just focus on one of them viruses for now. What is a good way to protect ourselves from getting a virus or from allowing our computers to catch a virus if you will? If it requires human intervention to somehow allow these to propagate, what can we do? Yes? Never connect to the internet. Okay, that is one thing that we could do though unfortunately we could also make the argument for living in a cave and not using technology at all at that point. But that is an off-sided anecdote. There's a very famous person who was once quoted as saying something along the lines of the most secure computer in the world is the one that is powered off and locked in a room to which you don't have the key. It's true, but it's an extreme, so please continue. So is there a way that we can still maintain our connection to the internet and still protect ourselves? Yes. 
Okay, so using McAfee, so like an antivirus, some software protection against this malware, against viruses, and certainly we can use software such as this and in the Windows world it is almost a prerequisite really in order to do anything on the internet. But there you can make an argument that these very large companies that create antivirus software such as McAfee and Norton, they are targeted more frequently with viruses that they may not protect against. So in other words, people know that a lot of people have Norton or McAfee and so they will write viruses specifically targeting systems that are carrying this software. Does that mean that they're ineffective? No, it doesn't. Of course, they still are effective against a lot of the known viruses, but it takes a little bit of time in order for these companies to catch up with the malware, yes. Right, very good. So perhaps in even better ways, so of course having some additional software such as McAfee or Norton and David might recommend a few free Windows alternatives such as AVG I think and the other one is Avast. I believe both have free versions of antivirus software that you might take a look at instead of McAfee or Norton. But one of the best ways to protect yourself is just to be sure that you don't have the problem to begin with, so be absolutely sure of everything that you download from the internet whether it's an actual program or whether you're downloading what you think are photos from a website on the internet. If it's an attachment that comes in an email, if you are plugging in a disk into your computer, it doesn't even have to be a diskette. It could be a CD or it could be a USB thumb drive. Be sure that you know where that is coming from and if possible be sure that it is cleaned before you actually start to use the contents of that data. Did you have something to add about the software? Nope, just that I pulled up both this and this one Dan alluded to called Avast, A-V-A-S-T. 
Okay, so yeah, so here David brought up the web pages of both Avast and AVG. I think I'm not sure we could recommend one over the other in any of these antiviruses. They'll have their positives, their minuses, their advantages, disadvantages, so you'll just have to find the one that works best for you, yes. Both of them. Both of them are free. I believe Avast has a non-free version, like some enterprise version or something like that, but I do believe that they have a free version that you can download. So Norton and McAfee are both commercial software. You can get, I believe, McAfee for free through FAS, that download page that John gave instructions to downloading Photoshop and a number of other things, that's only useful while you are registered here at Harvard. And so while you certainly can use one of these commercial versions, such as McAfee or Norton, you are paying a subscription fee to use them, whereas these do not require subscription fees to use them. And I'll go so far as to say that this is not software that I think is worth paying for. I think McAfee and Norton, which is a popular competitor, are unnecessarily complicated. You're constantly getting pop-ups. They're too defensive. You often get messages that you have to approve or deny. I would say save your money and spend it on something like Microsoft Office, or even Adobe Photoshop, which you really can't get decent free alternatives to, or at least familiar alternatives. I've never once paid for antivirus software. I mean, frankly, on some of my computers, I don't even run antivirus software because if you know what to watch out for, frankly, there's not a huge need. There's some things that you can still get attacked with, but frankly, so many of us are already behind firewalls these days, even if you just have a home router. Most traffic can't get into your network. It can just get out. So you have a lot of implicit defenses, including those that come with Windows and macOS. 
Both of them come with something called the firewall, which we'll talk about as well this evening. Yeah, good question. Do you wanna field that? Sure, so it is true that it is not likely to get a virus on a Macintosh, and that's simply because there just are none. There are many attacks on Macintosh users that people like to call viruses, but they are not. They usually are some sort of social engineering type of attack where they say, okay, run this program, it will do something, and the program itself is just a program that's meant to delete everything in your home folder, for example. That's not strictly a virus because you are actually running the software that is doing what it's intended to do. It's just disguised as something else. The argument as to why Macs have less software, it's an interesting argument in and of itself. Lots of people make the argument that Macs are more secure, whether or not that's true is up to debate, and probably not the case, and what I think David would most likely argue is that the target base is just not as great. If you can write a successful virus for a Windows machine, you will hit many, many more computers and affect many more people, which tends to be the intent of this malicious software. So just because you have a Mac, sure you are protected, but not because necessarily they are more secure, but because the attacks just are not there for them. Which is a nice side effect, frankly, for that word. Sure, get a Mac and just sort of play the odds. It is. So be in your favor. I have not run antivirus software on my Mac since I got my first Mac six years ago, and it's just not necessary. There is antivirus software available for Macintosh, but it's really to eliminate viruses that exist that you might send to Windows users. So let's say you download a Word document, or an Excel file, that has an illegal macro or a malicious macro that will delete a lot of files on a Windows computer. 
This antivirus software will find that, but it will not affect your computer. So it doesn't really, really matter. I think you've been trying to ask a question for a while. Yes. So if you go to a store and they are trying to sell you Norton over McAfee or McAfee over Norton, I would say it's pretty safe to ignore that. I'm not sure that one is any better than the other. It's just that it's probably a purely money making factor when a store tells you one of those. And like we said, AVG or Avast are wonderful free alternatives. You can decline any of these for purchase antivirus software and go the free routes and you will most likely be safe. Okay, lots of questions. Yes. Is there a particular way that you can check an email for viruses? Usually if you have antivirus software, you can tell the software to, well you can, let's see David, you might have to correct me on these steps, but I believe you can download the file onto your computer without opening it. So the crucial step is not to open the file, but you may download it and run your antivirus software on that file and see if it comes up with anything. Of course, like we said, these antivirus programs do need to be updated to reflect the most recent attacks. So you may not be 100% safe and clear, but that is one way that you could protect yourself. And it's often simpler, frankly. Like most of these programs, if not all of them, if you're using a standard email client, like Outlook for instance, they hook into those programs. So my email, for instance, when I, on the computers that do have this installed, it scans my incoming email and I get a little pop up that says this is infected with the such and such virus before I even click on something. But I'll push back on one suggestion you made, which is don't open emails or attachments from people you don't know. Frankly, you have to be careful with people you do know for two reasons. One, I mean, I've had people I know send me things like, oh, click this file. 
It's these beautiful dancing horses or something stupid like that, but amuse them. But it's .exe, which is an executable file. Or it's .scr, which is a Windows screensaver, which is the same thing as an executable. And so these people might have been greatly amused by the little dancing horses or whatever they were. But meanwhile, something bad is going on in the background. Because what better way to do malicious things on someone's computer than to sort of wrap it in the most unsuspecting wrapper, like something cute. And similarly too, even if you get an email from someone you think you know, realize that a lot of worms and viruses actually troll through people's address books in Outlook, Eudora, and other client software and then send emails without you knowing it as though they're from you or better yet as though they're from people in your address book and spread in that way too. So you have to sort of be careful. I would say I don't get many emails like that these days, but it's definitely a risk. And if you ever get something suspiciously worded that says, you know, check this out. Or frankly, the best indicator, frankly, of malware is typographical errors and bad English. It's an amazing tell, but very often do these things come from abroad. And for some reason they don't take the time to go use Google Translate or some website and give you good deceiving English. You know, to go even another step beyond that, even though these things could come in a wrapper. So whereas David said, sure you could have a program that displays dancing horses or whatever and then does something malicious in the background, that doesn't even have to happen. It could say that it's, you know, dancing horses, check out these dancing horses. And when you click on it, nothing happens and you have no idea what's going on, but in the background, your files are being deleted, for example. So yeah, they're all very good points. 
You do have to be careful no matter where the file or files originated from. If you're not sure, best is to contact that person directly via phone maybe and just say, did you intend to send me this file? If they say yes, then you know. If they say no, then you can say, well, you might want to know, but there's some malware being run on your computer potentially as it's sending out information. Quick question. Oh, yes. Am I better protected from running two antivirus on my computer? Are you better protected if you were running two antivirus? Yeah, that's a big no-no. You don't get double the protection or anything like that. In fact, because of how many hooks that these antivirus software packages have into the system, you can often break more things than you are trying to fix. For a long time, Norton and McAfee, when you installed both at the same time, would actually attempt to disable each other and you would actually get a non-working computer. Well, the computer would work, but you wouldn't be able to get online. So it's generally recommended that you only run one at a time. And if you want to switch, completely remove one before installing the other. But I would say, if this all sounds very complicated, honestly, pick one, install it, make sure it's automatically updating itself, and then just leave it alone, frankly. And I would frankly not even pay for it, as I said. Just download one of these free ones. Well, so if you're asked to renew on a yearly basis, if you decide not to renew, just go to your start menu, control panel, add/remove programs, and just remove it that way. You'll then reboot like any other program, and then you can go ahead and download, install some other alternative. Just like any other program, yep. That's actually not true. Norton will not uninstall completely. If you just add or remove it, you need to download the Norton Removal Tool from the outside. And you can see this all the time. 
That's true of the Capitol, so it's very hard to get rid of it. So just to resay that for the camera, you can't actually just strictly use the add/remove feature. You actually have to download an antivirus removal tool from the respective websites, Norton or McAfee, in order to completely remove each software package. That is pretty lame. It's very lame. There's another question. Okay, so you have Norton, so be happy, I suppose, but no one else should get Norton or McAfee, I'd say. Yeah. You stole my thunder, because the next question was going to be, what other kinds of threats might you find on your computer? I was gonna use that same quizzical face. So. Once a week and there's all this stuff, and I'm doing software and stuff, and the other thing, now in Mac, I haven't done anything like that. I've only had a Mac for like a year. There's gotta be stuff in there, because I mean, you would see on the spyware, it would pop up, you're getting rid of this, you're getting rid of this, you're getting rid of this, every single week. Yeah, yes, so. There's gotta be something on the Mac. So you can speak to this better. Spyware on the Mac. Spyware on the Mac. So. Here, we should take a step back. What is spyware? Well, spyware can be very loosely defined. It's any bit of software that tries to record any piece of information on you and send it back to some centralized place. And so this can have malicious intent, obviously, where they're trying to capture maybe passwords or a variety of other personal information from you and send it back to the mothership, or it could be something relatively innocuous, such as what Google or what Microsoft does, where they're just phoning home whenever there's an error in their program, for example, and they just want to know what had happened to cause the error so that they can better their software. 
And so I think that there are a number of spyware removal tools, such as Spybot, that are a little aggressive in removing spyware because they take the more general form of this definition and just go after anything that might potentially be sending information back. Maybe not necessarily large software packages such as Microsoft Office or Firefox because they know that if a person has that installed, most likely they intend to have that installed. But just something along those lines, maybe packages that are not as well known that may still be phoning home for relatively legitimate purposes. So certainly these spyware removal tools are very good, but they are intentionally aggressive just to try to get rid of everything all at once rather than being too loose with the definition or too strict with the definition rather and not removing enough. So give an example of the symptoms of a spyware infection or AKA adware. There was a time a couple of years ago where I was puzzled because I had gotten something on my computer, on this particular computer, and every time I visited www.extension.harvard.edu, I would get an ad popping up for the University of Phoenix. And any time I visited then another .edu site, there seemed to be this pattern where all of a sudden it was though the extension school, wherever I was, was advertising the University of Phoenix. And what had happened was I'd gotten some piece of malware, malicious software, of which spyware is just a specific instance, and it was just watching all of my web traffic. And any time it saw a URL being pulled up, ending in .edu, it decided, oh, let's try to steal this user's eyes by presenting this ad. So somehow or other, the University of Phoenix was clearly paying for this service, although it probably wasn't they who put the software on my computer. But there's certainly lots of campaigns that go on behind the scenes with these kinds of things. 
And there's many different names that we've been slapping on all of these things. But at the end of the day, they're all pieces of software that shouldn't be there. And fortunately, there do exist tools to get rid of them. But it is a vicious cycle. Like if you don't run certain protection, spyware is one where I would say far more so than viruses and worms it is useful to protect yourself against with whatever programs, in the world of Windows. Really, the solution, which, better yet, is free, is indeed called Spybot. Unfortunately, the program's a little cryptic, or at least navigating their website is. But if you go to Google, search for "Spybot", go to the download page and then install this thing, you can essentially accept a lot of the defaults while just installing the software. Let it run automatically. And it will immunize, so to speak, at least Internet Explorer if you're currently using Internet Explorer. And there are dozens of little ways in which Internet Explorer, for instance, has been buggy over the years. So this, too, is just one of these things, that if you're going to install it, then slap it on there and then let it sort of do its thing. And I preach this more so on a PC than something like a virus or worms, because spyware often infects your computer by visiting a website. And your browser happens to have some kind of bug in it. So whereas with a browser, you're sort of by nature sort of going out on the internet and exposing yourself to all of these different sites, some of which might themselves be infected, even unbeknownst to the website's owners, viruses and worms kind of have to come in to get you. So there's a slight distinction there. And I, for instance, do run this, but I don't really bother with antivirus anymore. But I would not do as I say not as I do. Probably a bad idea. Yeah. Always a lot of confessions in this corner of the room. That's true. 
Yeah, no, I mean, it's honestly quite true, as much as we might smile here, like the sort of sketchier the website or sort of the more free the website. And one of the things that my older friend is constantly being infected by is spyware, because her grandchildren are coming over and they're going to these wonderfully cute sites, which ironically might have dancing horses on them. But one of the ways in which these game sites sort of make money is by trying to get junk on your computer. Not necessarily viruses and worms or spyware proper, but they try to trick the kid into saying yes to installing some piece of software that somehow benefits them. And so I'm constantly, frankly, cleaning up things like that. So absolutely, the more reputable the websites you're visiting, if you're not following random links and clicking on pop-ups, this too is sort of an implicit defense mechanism by just practicing safe computing. So again, I think the amount of attacks that we get are really focused on the web browsers that are more popular than others. So for many years, the most popular web browser was Internet Explorer. So there are a great number of attacks or adware that can be installed onto an Internet Explorer install just by visiting a webpage when you were using it. And so using some other browsers, such as Firefox or Safari, protects you not just because it's necessarily safer or more secure, but also that the attacks just necessarily aren't there for these smaller, lesser-known browsers. And they're just as useful and just as effective as Internet Explorer. So that's another thing to consider. Sure, you can use Spybot, which is a very good tool, even though I was talking about how aggressive it is, in conjunction with Internet Explorer and try to protect yourself that way, or you can just try to use a lesser-known browser that may not have so many successful attacks against it and just try to mitigate the problem that way. 
It's all, of course, everything is give and take. So if you absolutely have your heart set on Internet Explorer, then by all means use it. But if you find that there is some other web browser that has maybe some features that you like more, or is perhaps simpler to use, then in some way you may consider that a viable option as well. So let's tie one of last week's threads together with this one. So why, perhaps armed now with some more technical information, did I personally propose that you never check, say, your Bank of America account on any computer other than your own? And even then, be a little wary. Like, what is the danger of sitting down at someone else's computer, would you say? Yeah. Okay, so keyloggers, what's a keylogger? Yeah, so this is a form of something, malware for sure, maybe spyware arguably, but it's really not that hard to write a program that doesn't have windows, it doesn't have icons, but it's nonetheless running in the background of a computer. Its sole purpose in life is to just record every keystroke that it hears. It still lets the keystroke go through and display on the screen, end up in your email or whatnot, but it's also storing a copy of it, probably in, say, a text file, somewhere hidden on the hard drive. And every 20 minutes, every hour, every second, this file potentially could be uploaded to some random guy on the internet who put this piece of software there. So case in point, in Harvard's computer labs, they are structured in such a way that they're supposed to reformat themselves and kind of tidy themselves up on some schedule, or once a day, or when you reboot them or log out. 
But frankly, per Dan's point on social engineering earlier, sort of the art of deception in human terms, well, it's probably not all that hard for me to walk up to like a PC in Harvard's science center, log in as maybe myself or just frankly, keep an eye out for someone who steps away and doesn't, in fact, log themselves out, you know, put my floppy drive or USB stick in the computer and just double click an icon so that some keystroke logger that I didn't even need to write, I just downloaded for free, probably off the internet, starts logging keystrokes. And then I can walk away forever because if this thing has an internet connection, it, as you propose, can just ship these keystrokes off elsewhere. And what's then the danger? Like, what might this adversary be getting? I mean, everything. So all of your emails have been now sent across the internet, which is already kind of a threat. But what about the username and the password used to get into your email? What about the username and password used to get into your bank account while checking your balances? So if you have really no control whatsoever over the computer, even if it's owned by an authority like Harvard, there's thousands of people who walk through that building each day. It's not the safest place to do your email checking. And this is why, too, last week I conceded that, you know what, I sort of accept the risk when I'm abroad, sitting down in an internet cafe. Yes, someone could be stealing my email password, but there's really not all that much that they can gain from reading my personal emails. Might be embarrassing, but they're not gonna steal my cash via that mechanism. So trade-offs, because again, you have very little control over what's out there today. This is a fundamental problem. Like computers these days, Macs, PCs, Linux boxes alike, were not well-designed with security in mind. 
They've sort of grown more organically over the years and only in recent years are people finally putting the manpower and the money behind addressing these same concerns. Yeah. So it's a good question. So it's a good question, and I hate to be the bearer of bad news, but the question is, are you safe just using your own work computer and your own home computer? Well, frankly, no, because if you're using that computer to go out on the internet, to receive emails that might have attachments, I mean, you are exposing yourself to these threats because you're not in that locked room with the power off. So in theory, yes, your computer could absolutely be infected with the same stuff. And so this is why, I mean, to be extreme, you know, various Department of Defense groups or CIA type folks, I mean, they don't put their computers on the internet because you just open yourself up to these threats. So short answer is, I mean, there's probably a healthy line between paranoia and sort of careful computing, but the only way to be perfectly safe, I mean, is beyond the convenience and means of most people, because it's just you have to sort of accept the realities that software today is buggy and bugs lend themselves to exploitation by bad people. If I can respond a little bit differently, I interpreted that question just a little bit differently in that you might be safe using your work computer just as you would be using your home computer and sure, all of these attacks and exploits do exist and you're aware of those even on your home computer. But even in that scenario, I would say that no, your work computer is not necessarily any safer because the IT guys in your work environments actually do have access to the network and potentially to the traffic that is flowing from your work computer to and from their central servers that may be redistributing that to the internet. 
So of course your IT guys may not have a malicious intent, but still that possibility does remain there where you don't have control over as many aspects of your access to the internet as you would from say your home computer. It shouldn't, only if some bad piece of software has somehow made its way onto your computer should you worry about keystroke logger threats. Okay, that's, but if you have them, it is a possibility? Absolutely, absolutely. There do exist hardware versions of keystroke loggers as well. These are, this would be more difficult to install on your work computer because you would need physical access to it, but it's typically just a little device that your keyboard plugs into and then you plug this device into your computer and it has a little bit of memory and it just recalls or it just remembers in its own memory all of the strokes that you type. And so this isn't something that you may find on your work computer, like I said, because you actually have to physically plug it in, but this would be more of a risk at say an internet cafe where it's more of a public computer and someone could very easily just plug in this physical device. Even here on campus, like David said, if the computer is out and not locked underneath the desk, someone could easily unplug the keyboard, plug one of these in, and you would never know it by looking at the software because you have no idea by looking at the software that there's any data being sent out on the internet. And I'll take the fear factor one step further if I may, if only because maybe the knowledge at least makes you, if more fearful, maybe more careful. 
So even if your machine is 100% safe, not infected with anything and you sit down and pull up bankofamerica.com and even if that URL begins with, HTTPS colon slash slash, which indicates SSL, the encryption mechanism that we've talked briefly about, even then in theory, someone who's determined to sit between you and Bank of America, say some malicious IT guy in that company could absolutely intercept all of the traffic because what can happen then is what's generally called a man in the middle attack, whereby even though your browser thinks it's establishing an encrypted connection to some endpoint like bankofamerica.com, if there's some bad guy sitting in between you two, maybe right in your own office building down the hall and has sort of the savvy with which to do this, they can trick your computer into yes, establishing a secure connection, not to hear, but to them. And then they complete the other half of the transaction and connect securely to Bank of America, thereby proxying all of the data from you to them to Bank of America and back. And so the ironically the, or rather paradoxically, like the whole transaction is encrypted and it's secure except you have some eavesdropper in the middle watching and listening to everything. And this is not something you yourself, at least with normal means or certainly with any ease can defend against. You just have to similarly sort of trust that this amazon.com, this bankofamerica.com is in fact the site you think it is. Now I will say these threats are very rare and really only if you have someone out to get you should you probably worry about these threats. But they do exist. And I think just knowing this kind of stuff is perhaps scary but hopefully empowering at the same time. Do any of you remember from just a few months back this very large DNS scare that was in the news left and right? 
People were saying, oh, there's this huge hole in the DNS system and it's this huge security risk and everything, CNN ran with it. I think all of the major papers did. And it essentially, this attack, if you remember the DNS system, now you can sort of start to piece together what it is. The DNS system is the address book of sorts that allows you to map, let's say CNN.com or a domain name to its IP address. There was a way potentially for a hacker to be able to change the IP address of that domain so that this man in the middle attack could become relatively more common. Luckily now this attack has been patched, this hole has been patched and we are now relatively safe again on the intertubes, but for now, or at least at that point, this sort of attack did become a very real possibility. Yes? I was going to mention, they literally take your computer out, swap hard drives, bring you back into Fox and the other ones can return back to the company. I assume they like them, but your information sort of sits on there so that's a good job. No, I mean, I'll leave the department nameless, but for years this course used to collect hardware from various departments on campus because then we would dissect them in sections and let students gut them because they were sort of beyond their life and perhaps a little too trustingly or unknowingly, we had at least one department just hand over the computers to us. Now, they did have the savvy to know that they should format the drives, but they ran it through the Windows or DOS format utility, which is, I think we mentioned last week, doesn't really do anything, even though programs like this often say, often in big bold letters, this will erase all data on the disk. It really doesn't. It just gets rid of a few important bits that creates the illusion to the computer that it's good to go for sort of another run, but all of the data was still there and frankly, they were turning over. 
This was, shall we say, a department that really shouldn't have been turning over hard drives on the honor system for legal reasons and also just good practices, but I mean, we ourselves, I don't think we even wiped them, we just gutted them which sort of achieved the same effect, but I mean, it was sort of telling. I mean, these were technical experts in their department and here they were handing over their clients, personal information. So, I mean, here too, so if you ever leave a job and you sort of have the time and the ability to sort of cover your tracks, even if it's completely innocuous, you've just been using it maybe for personal email and financial stuff. If you have the ability to wipe your own hard drive, you can download something like Darik's Boot and Nuke, which we mentioned last week and it's unfortunately not as easy as you would like it to be, but at least you can pop that CD in the drive before your last day, let it boot up, follow the prompts, say, wipe this computer and the IT guys shouldn't really flip out because they have a working computer, they just need to put software back on it. But certainly, if you get rid of a machine or if you wanna be paranoid, send it in for service and you don't really trust the anonymous person fixing your computer, wipe it before you go send it away to be repaired if at least you have ways of recovering the data from backups or such. Yeah, wow, that's his timeline. That's always a good one. So I will say blindly that any time you get an email that tells you to forward this to everyone you know, don't send it to everyone you know because it's just, again, one of these people with too much free time. In this particular case, does the email contain any links whatsoever? Addresses? A friend or like literally a friend. Oh, so she forwarded it? So she was duped, right? These are the people that now that having taken E1, you should maybe gently reply and say, actually, this is not true. 
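The point made above about the format utility, that it only removes "a few important bits" while the data stays on the platters, can be shown with a toy disk image. The following is an added example written for this transcript, not code from the lecture or from Darik's Boot and Nuke: the disk layout (a 64-byte directory block followed by data blocks), the file name and the sample record are all constructed. A quick format here zeroes only the directory block, and a raw byte scan, which is what a recovery tool does, still finds the record; an overwrite wipe is what actually removes it.

```python
import os

# Constructed toy file system: block 0 is the directory, the rest is data.
BLOCK = 64
N_BLOCKS = 16
SAMPLE = b"SSN 000-00-0000 (constructed sample client record)"


def new_disk():
    """A blank disk image: N_BLOCKS blocks of BLOCK bytes."""
    return bytearray(BLOCK * N_BLOCKS)


def write_file(disk, name, data, start_block):
    """Store data at start_block and append a 'name:start:length' directory entry."""
    entry = f"{name}:{start_block}:{len(data)}\n".encode()
    free = bytes(disk[0:BLOCK]).find(b"\0")  # first unused byte of the directory
    if free < 0 or free + len(entry) > BLOCK:
        raise ValueError("directory full")
    disk[free:free + len(entry)] = entry
    off = start_block * BLOCK
    disk[off:off + len(data)] = data


def list_files(disk):
    """What the file system (and the Explorer window) shows: directory entries only."""
    raw = bytes(disk[0:BLOCK]).rstrip(b"\0").decode()
    return [line.split(":")[0] for line in raw.splitlines() if line]


def quick_format(disk):
    """Like the DOS/Windows format utility in the lecture: clears the directory, nothing else."""
    disk[0:BLOCK] = bytes(BLOCK)


def carve(disk, needle):
    """What a recovery tool does: scan the raw bytes, ignoring the directory. Returns offset or -1."""
    return bytes(disk).find(needle)


def wipe(disk):
    """An overwrite wipe: one pass of random bytes, then a zero pass, over every block."""
    disk[:] = os.urandom(len(disk))
    disk[:] = bytes(len(disk))


def demo():
    """Run the three stages and return what each reveals."""
    disk = new_disk()
    write_file(disk, "clients.txt", SAMPLE, start_block=2)
    before = list_files(disk)                 # ['clients.txt']
    quick_format(disk)
    after_format = (list_files(disk), carve(disk, b"SSN"))  # ([], 128): gone from the listing, still on disk
    wipe(disk)
    after_wipe = carve(disk, b"SSN")          # -1: actually gone
    return before, after_format, after_wipe


if __name__ == "__main__":
    print(demo())
```

The offset 128 is simply block 2 of a 64-byte-block disk; a real recovery tool searches for file signatures or known strings the same way. Real wipe tools such as DBAN overwrite every sector of the physical drive, which is the step the quick format skips.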
In fact, I think if you're sitting here in class, highlight a few keywords, like highlight an interesting part of the sentence and paste it into Google, very often will you find these emails circulating on the internet because there's people with, good people, but with too much free time, who post emails like this to the web to sort of let people know here's the spam that's been going around. So I mean, there's multiple reasons for this. Often these emails, which are really social engineering attacks, trying to trick sort of trusting humans into doing something much like a chain letter, they'll contain URLs that if clicked lead to bad sites or URLs of spyware or viruses and such. Or frankly, some people just get off on the idea of thinking that, wow, I could send out this email and let's just see if it actually makes its way back to me. Because that alone is kind of a neat technical trick. But that's all it is. So this, let the buck stop here, if you would. And- So I just need- Well, I would respond to this person. I like to educate, for instance, people who send me these things by doing a quick Google search and saying, yeah, okay, not so bright. Did you say it was the subject you received a Hallmark postcard? Is that, was that it? No, but that's- Oh, okay, so there are, there was even an email that was like this that went around for a long time. And it said- Five seconds, sorry. Yeah, so, and it went around and it said that, oh, if you have this specific file on your computer, you most likely have this virus. Be sure to delete it right away. And you will then be protected from this virus. Unfortunately, when you deleted this file, it was actually a very important system file. And when you deleted it, you hosed your computer. So you, this is an aspect of social engineering. The fact that you trusted this person when they said to do something on your computer, even though it was the completely wrong thing to do, you went ahead with it. 
You acted as your own virus, so to speak. You just hosed your own computer. And so you really should be careful with things such as this. And yeah, it looks like- Is this the same one? David pounded the email just with a five second Google search. So keyword, I mean, frankly, I've had family members send me these things. And just to be the good son, I just revealed to it was, I, you know, often send them back the URLs here corresponding to these things. But things like this, this is the worst virus announced by CNN. You know, CNN might comment on things, but they don't really like proclaim this is the worst virus ever. Microsoft certainly, it has been classified by Microsoft as the most destructive virus ever. This kind of hyperbole should sort of throw up red flags for you, frankly. Anytime you see lots of exclamation points at the top, big virus coming. Like this is not a legitimate email. But there's a lot of people, especially who, you know, are just not that savvy or who wouldn't think that there would dare be people with this much free time in the world who would circulate stuff like this. This seems to have a URL, which may or may not lead to a bad place. Yeah, Snopes, which is the one here. I have that here actually. So if you look at Snopes, they try to bust rumors or they try to look at rumors and figure out whether or not they're true. And so this postcard virus does actually reference a real virus. But the details about it are completely false. They completely exaggerated because if we take a look all the way at the bottom here, it says, although the postcard virus is real, it isn't the big virus coming. It will not burn the whole hard disk of your computer and CNN didn't classify it as the worst virus ever. So clearly, of course you know that viruses are out there and they're going to try to infect your computer and do malicious things to you. 
But just because you receive this email doesn't mean that we have to all of a sudden be worried about this one virus. You should just take the usual precautions. If it has any links, be wary of them. Because if you look up here, I believe the actual Hallmark virus, this one here, you've received a postcard from a family member. And I think I've seen these a number of times. This seems to be one of the latest fads in internet spam. It has a link to something really strange and they tell you to open it. And as soon as you open it, what do you think happens? Yeah, something bad. I mean, something bad is going to happen. Whether it's adware, spyware, a virus, it doesn't really matter. You just know that clicking on this is going to bring you into a heap of trouble. And one of the things that you can do to protect yourself is just to literally look at the URL. Does this look like a valid URL? Not me.hk, which I believe is Hong Kong. I mean, most likely you don't know what this domain is. And you could do some research on the domain to see if it's legitimate or what have you. But if you find something like this or if you find, instead of a domain name, you see an IP address listed there, that's almost always something that's trying to trick you into thinking, oh, this is an actual URL. It's something really important. I should click on it. You have to be careful with all of these things. Oh, no, you don't have, well, you could copy, paste it though. I would say that that's perhaps kind of risky, just in case you copy, paste it into the wrong field. But another thing that you can do, remember we had this tool, did we show whois a while ago? I forget if we did. Yeah, but I mean, per what I just did, I just copied a few choice words and typed them manually into Google, right? For this email, I'd probably type in, your family member has sent you an e-card and see what pops up on Google. 
All right, so I mean, honestly, I would say it's as simple as that and you're gonna take a look at the URL itself. So yeah, if you just type in that, you can see all of this information. But what I was talking about is, if you're not sure of the URL itself, let's say you do a Google search and you find no hits, you want to look up some information on the URL itself. You have a couple of things at your disposal. First, if you leave your mouse over a domain name in an email client for a few seconds, you'll usually see the true address that this is pointing to. Sometimes this address is not the real address that it's actually referring to. So just leave your mouse over for a couple of seconds and take a look at the domain name, see if it is actually legitimate. The other thing you could do, just to do some research about this, if you really wanted to go all out, is to use whois. And you can use this usually just from a terminal window. You just do whois and then the domain name, which was not me.hk. When you hit enter, it looks up some information, okay, so it looks up some information on the domain. And in this case, it says the domain is not found. So this is not a valid domain. So something here is fishy and you definitely should not click on this domain name. If you're absolutely sure that the email is legitimate from a friend, you might want to again call them up or send them a reply and say, what's going on? Did you really send this to me? If you did, the domain's not right. Maybe you should resend the link or give it to me some other way. Do you mind toggling back? This is not the only instance. This is actually wonderfully fortuitous, frankly, that you just received this. So thank you for making lecture more dynamic here. This is, I found this via Google search. I searched for virus hoaxes and this I'm sure is just a partial list of things that the company called McAfee has discovered over the years. 
And these links bring up things just like we saw, fake emails that are what are generally known as phishing attacks, P-H-I-S-H-I-N-G, which are again, social engineering attacks. You're trying to dupe a human into doing something based really on no technical grounds, but just on the idea that you're receiving an email from someone who's a friend, quote unquote. And damn, I just lost my train. You want me to take over for a second? Save me. Okay, so I actually have an example of a phishing email that was sent to us a while ago and I thought it was pretty cool because I actually do have a Capital One card. So it took my attention for just a second. And if you read it, it's actually pretty surprising because unfortunately there's no, none of the telltale signs. It looks like a legitimate URL. It looks like a legitimate email because there's no common misspellings. There's nothing really, really strange about this, but there are a few red flags. And first of all, you'll notice that look who it sent to. It was sent to an email list rather than to me directly. That's always a big one. But the other thing is if we try that trick of mine, where I just leave my mouse over the URL for a second, you'll notice that the URL changes slightly. And it says now, towernet2.capitalone.com.view. Oh crap. Looks fine to me. Capitalone.com.view62.com. So you'll notice that here it's trying to trick you because it says, capitalone.com.view62.com. What is this portion right here? That towernet.capitalone.com. What was that called? Remember from our internet lecture? Yes, it's a subdomain. That's right. So it's actually a subdomain. And the domain is actually view62.com. So here, if you didn't know that, you might see this.com and say, okay, it's from capitalone.com. But clearly, knowing a little bit more, you know that this is a subdomain and this is not actually a valid URL. 
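The three checks described in the last few paragraphs, hovering to compare the shown text with the real link target, spotting a bare IP address where a domain name should be, and reading the host name from the right to find the real domain behind towernet2.capitalone.com.view62.com, can be written down as a small heuristic. This is an added example for this transcript, not a tool from the lecture: the brand list, the sample links and the 192.0.2.5 address (a documentation-only range) are constructed, and the "registered domain" is approximated as the last two labels of the host, which is an assumption that a real checker would replace with the Public Suffix List so that names under co.uk and similar are handled.

```python
from urllib.parse import urlparse
import ipaddress

# Constructed list of brands the user actually has accounts with (assumption).
KNOWN_BRANDS = {"capitalone.com", "paypal.com", "bankofamerica.com"}


def registered_domain(host):
    """Approximate the domain that was actually registered: the last two labels.
    Assumption for this example; real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_host(host):
    """True when the link host is a bare IP address instead of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(display_text, href):
    """Return the red flags for one link as it appears in an email.

    display_text is what the reader sees; href is what the mouse-over reveals.
    An empty list means none of these heuristics fired (it does not mean safe)."""
    flags = []
    host = urlparse(href).hostname or ""
    if not host:
        return ["link has no host"]
    if is_ip_host(host):
        return ["link points at a bare IP address, not a domain"]
    real = registered_domain(host)
    # The subdomain trick: the brand is present in the host name, but only as a
    # subdomain, because the registered domain belongs to someone else.
    for brand in sorted(KNOWN_BRANDS):
        if brand in host and real != brand:
            flags.append(f"{brand} appears only as a subdomain; real domain is {real}")
    # The hover test: the visible text names one site but the link goes elsewhere.
    shown = display_text if "://" in display_text else "http://" + display_text
    shown_host = urlparse(shown).hostname or ""
    if "." in shown_host and registered_domain(shown_host) != real:
        flags.append(f"shown as {shown_host} but links to {host}")
    return flags


if __name__ == "__main__":
    samples = [  # constructed (display text, real href) pairs
        ("capitalone.com", "http://towernet2.capitalone.com.view62.com/view"),
        ("Click here", "https://www.capitalone.com/"),
        ("Your e-card", "http://192.0.2.5/card.exe"),
    ]
    for text, href in samples:
        print(text, "->", href, check_link(text, href) or ["no flags"])
```

Note what this does not catch: a look-alike registered domain such as a misspelt brand name fires none of these checks, which is why the lecture's advice to type the bank's address yourself, or to phone them, still applies when the list comes back empty.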
Of course, if you ever get something like this from a bank or from a credit card company or something and you're not sure, just give them a call. They will be happy to tell you whether or not that promotion is real. Another thing is just to go directly yourself to the website that you know. So capitalone.com, for example, bankofamerica.com, rather than clicking on the link here. And in fact, that's generally good practice. If you're given a link, it's better to type it out yourself to go to the domain that you know is legitimate rather than trusting a potentially malicious link in an email. And fortunately, a lot of companies, banks in particular, have finally wised up. So a good bank does not include a URL, necessarily. They'll say, visit our website. Or they'll outright say, don't click this link, type in manually to your browser just to kind of reassure their customers that they're taking steps toward defending themselves against this. A popular candidate, if you're familiar with PayPal, PayPal now owned by eBay is a website that allows little people to earn money by taking credit card transactions and other types of monetary forms. And this is a huge target for these phishers, people that are trying to get you to click on links and particularly provide your new username and password. So another useful takeaway tonight perhaps is if you ever receive any kind of email, and maybe this is stating the obvious for some folks that asks you for your username, for your password, or just to verify, please, your address for us so that we can update our records, I mean, don't do it. Like, reputable companies, if they're smart, don't ask for information in this form. And frankly, if they've reached you via this mechanism and you do have, say a PayPal account, as Dan says, go to their website directly and then figure out if something is in fact legit. So it's very, very cheap to send emails, right? 
It doesn't take that much effort or money these days to send out a million emails, especially if they're very small. And you might think, well, gee, how could this actually be profitable? But if you imagine sending out a million emails, even if only 1% of the people out there are naive, or doofuses, or just accidentally click on these things, that's 10,000 possible victims you might have. And if any of them have just a few dollars in their account, I mean, this might actually pay for itself these kinds of attacks, right? It's a numbers game. You send this kind of stuff to enough people, you're gonna get some percentage of people who don't know or don't realize and they're out some money or some account or something personal. It's not that hard. All right, there's a lot of, put more bluntly, there's a lot of stupid people out there. And so hopefully one of the takeaways from this kind of class is that you won't be among them, henceforth. Yes. So that's a good one. So you've been receiving, heard the camera, emails from people claiming that you've, they bought things from you via eBay. So why did you get these, do you think? What's going on? I think that's the right call. I mean, think of it this way, you send out a million emails telling all million people that you've bought something from them and you want your money back. Well, odds are some percentage of those people do use eBay and have sold something to someone recently. And so therein lies the ability to dupe someone because you'll get just the fraction of people and that alone can be profitable. And actually. And even that, so even if your email is easily scrapable from some website, even these days, people guess email addresses. Hotmail is a disaster for spam because everyone knows Hotmail is popular. It's much like Windows is popular. And so why not try spamming not even known email addresses, just random addresses? Let's try all four-letter usernames from the English alphabet. 
Then let's move on to all five-letter usernames and let's see if we get a match. Because even if we do this a million times and only 1% of them are actually addresses, that's a lot of email going through. Now, fortunately, Microsoft and the like try to defend against this, but it's often a losing battle. The bad guys have more incentives than the good guys to stay ahead of the curve. You know, here's another trick that people will do as well. They can send you an email, may or may not look legitimate, but trying to look a little bit more legitimate, they will actually put an unsubscribe link at the very bottom of the email. And usually that unsubscribe link will have in it some sort of unique identifier so that when you click on that link, the server knows that it is you, but how could this be used against you? What happens if you click on this link all of a sudden? Yes? That's right, exactly. Now they know it's a real email address, so bingo. Now they have a list of verified email addresses that they can sell to other people or spam even more themselves. And so how do you know when you can click on an unsubscribe link or not? Well, generally it has to be from a rather large and reputable company in order for you to really, truly trust these unsubscribe links. Otherwise just let it go to your junk mail box, I would argue. So if you're feeling tonight that you're kind of screwed no matter what you do with your computer, it's kind of true. Best to just put it out of your mind and continue sending instant messages. But I think we'll take a quick five minute break and when we come back, maybe we'll try to talk a little bit more about some of the ways you can protect yourself from a lot of these things. Okay, so during the break, David actually found some juicy stuff that we want to show you. So over the course of the nine months leading up that you won every year, I have a folder called show these and I drop rare spams that I've received over the course of the year. 
And this is one, this is pretty in vogue lately. It's something of this form where there's some blanks that you apparently need to fill in, namely for your username here and your password here. Notice that it began with Dear fas.harvard.edu subscriber. We're currently carrying out a maintenance process to your FAS account to complete this process. You must reply to this email immediately and enter your username here and password here if you are the rightful owner. This process we help us to fight against spam mail. So if the red flags have not started going up, you need to sort of attenuate better. Note you will be send the password reset message in the next seven working days after undergoing this process for security reasons. Thank you for using fas.harvard.edu. So a couple of comments. So one, it still never ceases to amaze me that if you're gonna send out a million emails, like check your grammar before you do it. There are online tools that even someone with English as a second language, I'm sure could figure out. How do you think I ended up getting this? Just hypothesize. I don't even know, because we can only guess, but how might I've gotten this? Yeah, anything. It's actually true. We got the same exact email to the word at MIT. It says the mit.edu team or something like that, which is completely true. Very coincidental. Everyone's updating their records at the same time. So another popular one is the Nigerian scam type ones where you are asked, you're informed that someone's got like a whole boatload of money that they want to share a percentage with you for help getting it out of the country. And the sad thing here, frankly, is that you hear those news stories, once a year, about some poor folks who actually bought into this or something like it. So even these kinds of things work too. These are often a little more thoughtful, often sent by someone comma Esquire, but they too are examples of phishing attacks that have been around for many years. 
This one is fun. The subject line was oddly enough, out of office reply, you are not Brad Pitt, but you have Viagra, it's better. So this was an auto reply from a legitimate email address. So a very popular spam technique these days is to not use a fake email address in the from field, but to use a legitimate user's email address in the from field. So bad person gets a whole bunch of legitimate emails by scraping the internet or doing something like that, stealing a database of email addresses. But rather than send emails to those addresses, they also use those same addresses in the return field so that these emails appear to be coming from legitimate users because what then happens, if the emails bounce for a variety of reasons, some of you have probably received some kind of automated responses before where email bounces, when you sort of get a two for one, whereby not only is the recipient getting the email, but the bounce back is also gonna go to a legitimate user as well. So you get again sort of twice the emails for the price of one. So this too, so this actually was a legitimate auto reply from some unsuspecting guy who was out of the office because this probably is de-priest at whatever this is, RetirementServices.com, but it's because he received the spam as though it were coming from me. And the interesting thing here is that back in the day when people were less familiar with this stuff, I think even I got an email or two from someone like him saying, hey, your computer's infected with a virus, you just sent me this email, but that's not even necessarily the case. Yes, he got a spam from mailinatwhatever.harvard.edu, but it didn't have to come from my computer. Anyone can forge these addresses. We talked about email a few weeks ago, really not hard for someone with the right skills to forge an email address. IP addresses are tougher to forge, but if you're sitting in an internet cafe who really cares what your origin IP address is? 
Certainly not the recipient, yeah. To yourself? Yeah, I mean, any permutation you can think of, emails from you to you, from you to you, it all is possible, right? It's been like a lucky guy. Sure, sure, so realize I wouldn't worry too much about what labels you slap on, these kinds of things, but yeah, spam is just junk email, unwanted email. So it sounds like if your dad's winning the lottery every day, that qualifies as spam of some sort. If he's being told he won the lottery, he needs to click this here link in not me.hk to claim his prize, then it becomes a phishing attack. But again, these are just sort of buzzwords that you slap on what you can describe in English, quite reasonably, yeah. So you went to a large box and I was... Means you'll come back next week for the solutions. It's a good question. So to summarize, Firefox is a popular browser and alternative to IE and others. It has the additional support for plugins and a nice, vibrant community of people with lots of free time that they're using for good to make plugins that enhance your browser. What are the risks there? I think the simplest answer is they exist. And if you are trusting someone else's software on your computer, which you kind of have to, unless you're gonna write your own operating system and write your own Microsoft Office, it's an acceptable risk. But I think a lot of what mitigates this here is sort of buy-in. So if you're finding the plugin listed on Mozilla.org, the authors of the Firefox plugin, at least you have some kind of commercial or at least sociological vetting of this software where you kind of have buy-in from an authority. Now they can make mistakes and links can get changed around. So if it's not a safe thing, it's not 100% safe, but it's better than just clicking some random link saying install this Firefox plugin. Look for it at a reputable site. Can you scan this for protections? So yes and no, it depends. 
I don't know if McAfee, Norton scan things like Firefox plugins. In theory, they're supposed to scan all types of file types and a Firefox plugin is just an XPI file. So it's just a file type that is supported by Firefox. So in that sense, sure, it could get scanned like any other. But Dan alluded to this idea a little bit ago. The scariest types of attacks are what are called zero-day attacks, whereby almost always do people take advantage of your computer by exploiting bugs, by exploiting mistakes in computer programs. And we'll talk in a couple of weeks about what it means to write a program and what a bug really is. But it's just a mistake made by some human. And when programs like Windows and Office are literally millions of lines of programming code long, you're just bound to make mistakes. It will happen, certainly in this day and age. So what happens then is your computer is vulnerable to these kinds of things. And if it takes a company, very reasonably, several days to realize, oh, we made a mistake. We need to release an update for this software to sort of fix our mistake. There's this window of time whereby the problem is not detected or it is detected, but it's not fixed during which the bad guys can try to take advantage of that. And one of the most brilliant things that bad people have done over the years is they watch sites like Microsoft waiting for Microsoft to announce the discovery of some bug in their software, some vulnerability. Because even though Microsoft, if they're smart, will generally only do that once they're ready to fix the problem themselves, there's a lot of system administrators and certainly consumers who don't update their computers constantly. 
There are normal people in this room who are not watching Microsoft's alert page for these latest updates, and a lot of system administrators will make a conscious decision, a business decision, not to update their company's computers for multiple weeks or months, because they'd rather someone else sort of make sure that this thing is going to fix it and not create more headaches for them. So you have this window of opportunity, zero-day attacks are ones in which this happens the same day that the vulnerability is found, but you're sort of vulnerable. Even if you have things like Norton and McAfee installed on your computer, because those things have to be updated for the latest threats, and if it takes Norton a few hours, a few days to update them, you are vulnerable, even if you've got that software installed. On the other hand, this is one of the positives that people argue about open source, is that it's in a closed source environment, such as with Internet Explorer, where very few people get to take a look at the actual code, the source code that makes up, let's say Internet Explorer, a lot of people, it's open to the public, so a lot of people, any one of us, can go download the source code for Firefox, maybe not necessarily the plugins, but for the web browser itself. Take a look at the code, and if one of us finds a bug, we can issue a patch and send it directly to them, where it will then be reviewed and potentially built into the next release of Firefox. And so in this way, there are many, many eyes looking at the same code, trying to find these mistakes that other people have made, and of course, the mistakes aren't necessarily malicious, but when you have many people with the same objective trying to accomplish this same task, then the argument is that the software becomes safer. 
Whether or not it actually happens is of course up to debate, but you can argue that this is actually an advantage or a positive side of this open source, is that there are so many people taking a look, and you could argue, well, overall, the people have to have a, you have to believe in the general good of people in order for the mistakes to be pushed down and the good code to be brought up and written into the software, but whether or not that actually happens, like I said, is news for another day, but I did actually want to, what? Can I interject? Yeah, sure. To put it tritely, sometimes good people do bad things. Sony, I think it was, correct me if I'm wrong, got slammed in the press a couple of years ago, because I think it was some music CD that they released had some form of copy protection on it, which is software that's trying to avoid people copying that disc, but this software would automatically, unbeknownst to the owner of this new brand new music CD, install itself on your computer, and it would do it in such an underhanded way that you couldn't detect it on your computer because they did some very low level, very sophisticated techniques that would sort of impress a computer scientist, but it was completely unethical in terms of putting software on someone's computer without ever disclosing it, plus they screwed up such that if you tried to remove this thing, blue screen of death, you would crash your computer, and it was a huge issue that really came back to bite them because not only did they do this badly in the first place, they also broke people's computers when they tried to remove this, and it created quite a bit of stir, but here was an example of a company that was maybe rightfully so, trying to protect its intellectual property, but they did it by trying to hide something on your computer for what they viewed as good and most people viewed as bad. So there too, I mean, this is just the state of the world. 
We claimed at the end of last week's lecture that we're kind of in a primitive state, and I think that's absolutely the case, and it will be many years before you sort of have to worry about these kinds of things less. I mean, the beauty of PCs, the beauty of Macs these days is that there are such open-ended platforms. You can do most anything on them. You can buy a game. You can buy a word processor. You can buy a graphics program. They do everything, but as a result, if they can do everything, they can do everything that's good and bad, and so it's a trade-off. Otherwise, what you get are devoted devices, like your microwave, it's kind of hard to attack your microwave because it only microwaves food, but there too, it's a trade-off. These are very open-ended devices, and that's sort of the price we pay right now. So I just wanted to go a few steps back. David mentioned earlier that it seems like every few weeks or every few months we see something in the news about somebody getting scammed, and in fact, this is very recent. This is from today. Oregon woman loses $400,000 to Nigerian email scam. If you just read the first couple paragraphs, it's funny in a really horrible way, and it says here, let's see. So this woman simply became curious when she received an email promising her $20.5 million if she would only help out a long-lost relative identified as JB Spears with a little money upfront. And what's interesting about it is that this person actually had the same name, the same last name as her because this woman's name I think is Danella Spears. And so she said Spears told KATU-TV about the scammer's ability to identify her relative by name was persuasive. That's what got me to believe it, she said. So why wouldn't you send over $100? So it's just this sort of idea. It starts out maybe innocuously enough as $100, but clearly that's a sunk cost or some money that you're just never ever going to get back. 
And it can grow to be some really extreme amounts of money. And if you read even further, it said that she went so far as to, let's see, she mortgaged the house and took a lien out on the family car and ran through her husband's retirement account in order to accomplish this scam. So she, I mean, you could argue that she literally destroyed her life over someone that was clever enough to just use her last name in an email. How do you go from sending $100 to the other $399,999,000? I don't know. You have to probably read the rest. But I think what sometimes happens is that when some people send money to these scammers, they get a little excited and they reply, saying, okay, we're almost there. Why don't you send another $1,000 or something like that in words that are more clever than how I just said it. But still, they're able to get these people to... So it wasn't about from sending... My familiarity with this case is basically what you see on the screen. So I don't know if they were able to get access to her account. But it sounds like since she actually took the mortgage out on her house and put a lien on the family car that she actually did this and that they didn't have her bank account information. Fortunately, these are the extremes. And I think there's probably some other things going on there beyond just an effective phishing campaign. It sounds like it. Yeah. Oh, I've heard about this where... Yeah, there are groups. I'm not familiar with that group specifically, but there are groups that actually try to scam scammers. And I think on some show like Dateline or something, they've actually been able to meet face-to-face with some of these people and expose them for who they are. And of course, scammers never like that. But it's very difficult to catch these people because typically they operate outside of the country and US law and jurisdiction just does not apply to them. So we're kind of stuck in that boat. Another question? Yes. 
Will it just be a good person? I just want to be right to check. Yeah, absolutely. All of these attacks are really based on trust. Whether it's trusting another person or whether it's trusting your computer to do the right thing or trusting a program to do the right thing. And however they can get and they being the attackers can get you to trust in them or to trust in their program, that is how they will generally get an effective attack on you. And this really can vary everything from phishing emails to scamming to spyware, to software that you even install on your computer. It really just depends on you trusting this person to do it. You know, I'll even admit to this. I don't know if Dan will remember, but it was just a year or so ago. He was looking for apartments and I figured I'd try to help him out one night and I was poking around on Craigslist and I actually found a listing that was kind of too good to be true. Sounded really nice and it was definitely a good price. But I figured, I mean, there's really not much harm in my replying to the guy because it was one of those anonymized Craigslist emails and in terms of spam, my email address is on every damn list. I didn't really care about putting it on one more. So I replied and then it got a little fishier because then this guy replied, explaining, oh, he's really busy with work and business and he's happy to let me see the apartment but he'd like to do the first month's rent via some kind of proxy service just to keep things safe, right? So he too sort of played on my need presumably for some comfort with this transaction. So he assured me this was for safety's sake and I'm sure it was just his buddy or some disreputable company that would have been the proxy but I felt like an idiot. Like, I sent this, I CC'd Dan on this email to this guy and completely fessed up to being a complete doofus and I'll say at least there was some pedagogical value because it was intriguing. 
I mean, I wasn't actually gonna go send anyone money so I at least do have a line that some other people perhaps don't have but even I, I mean, it sounded too good to be true but I was willing because I was in need because Dan was in need of finding a place so that was kind of enough. I needed something and I was willing to sort of put my toe in the water. To save you from some embarrassment, he did reply all so I got the reply and I actually made the mistake of following up and just because what he said, he just didn't say much at all in his email so I asked for more information like what do you mean by this and clearly I think that I was equally as embarrassed. I was really hoping that he wouldn't bring it up anyone but here we are. Together we make one full good instructor. So questions, these have been wonderful thus far. What's been scaring you? So I think we should talk a little bit in more detail about some of these firewalls. We've been talking a lot about how firewalls can protect you but what do they actually do? So remember that when we talked in our networking lecture we were talking about how when you connect to another computer you send information to and from that computer via usually some port and that port is associated with the protocol through which you are sending data. So HTTP for example, what port does that operate from or through? Yes? Yeah, 80 is the most common HTTP port and remember we talked about how this could be true where if you take a URL you can do a colon and then the port number and actually contact that same service on that same port. And so I typed colon 80 and it actually forwarded over to the regular domain but the point stands. And so what firewalls attempt to do is to filter traffic on each port. So let's say that I have a computer that is or a server that is a web server specifically I am hosting unencrypted HTTP requests. 
So this sort of server where I'm just giving out web pages and I'm not talking about HTTPS here because that's a different protocol, that's a different port. So a firewall, I would tell my firewall that I want to open port 80 on my server. And what this means is that the firewall then allows all traffic coming into my computer via port 80 to be allowed in to my computer and my computer can then respond to it. If I only open up port 80 then everything else is dropped. So let's say I get some incoming requests for something on port 25 or something on port 22 which are mail and FTP respectively. Well it will actually drop those or SCP, I'm sorry, respectively, it'll actually drop that data and the computer will not respond to it. Just nothing will happen at all. And so this can, you can protect yourself in this way especially if you're not actually running any services by enabling a firewall so that only requests that you send out and are then responded to are what your computer gets as incoming requests. In this way, you minimize your exposure to bugs in your system because let's say that you have some service running or maybe even if you don't have some service running and an attacker knows of some exploit that they can make on your computer on a specific port using some specific code. If you don't have a firewall, they can issue this exploit and do something to your computer whether it's just something as innocuous as crashing it or it's not innocuous but relatively harmless since you can reboot it or something as major as actually causing the hard drive to be erased or something like that. If you have a firewall, you can potentially protect yourself from these bugs that do exist in an operating system. Of course a firewall itself may have some bugs but that's an entirely different matter but you're still protecting yourself from a wide range of attacks that can exist on a particular computer. 
And indeed, one of the great things that firewalls protect against is all of these worms. So the latest Windows firewall is actually pretty good. The one that comes with Vista and I think XP SP2 and onward actually has a pretty good firewall where as long as you have it enabled, you will be safe on the internet for just a little while longer from worms and from viruses that you may initiate a download from. And the best type of firewalls typically will allow you to set specific programs that are allowed access to the internet. So they not only block traffic coming into your computer but they also attempt to block traffic going out from your computer. Why might this be useful? Why might you want to block traffic from your computer to the outside world? So you don't upload anything, you don't know you're uploading. Okay, very good. So can we be a little bit more specific than that? What might you not want uploaded or when is the situation in which that might happen? So log file, okay. So even if we're talking about something like a keystroke log or where it may generate a log file of keystrokes or maybe some spyware that's running on your computer where it's trying to send this data out unbeknownst to you, a good firewall will act on your behalf. And as soon as you try to open an application that it perhaps does not recognize or that you perhaps don't recognize, it will come up with a pop-up message. Are you sure you want to initiate this connection? I think I have some software that's pretty innocuous that almost always causes this pop-up. Let's see if it works. Oh, it works this time. How unfortunate. But you can actually, let's see, live demos never work, but let's see if I can get it to happen this time. So as soon as it tries to log in, okay, no, that's not working. So what would happen is when I open a program that's not recognized by the firewall, oh, there it is, perfect. 
So it says, do you want the application, Simplify Media, to accept incoming network connections? I can either allow or deny this. And so this way I can, literally, if I don't recognize this program, I can tell it, no, I don't know this program. I want to deny it access to the internet. But if I did open this program, then I can allow it access to the internet. And this way you can protect your computer and yourself from data flowing in and out. And sometimes it can get a little annoying, especially if it doesn't remember the programs that you are opening, but generally that's a very good thing to have enabled. I'll deny for now. Okay. Generally what you want to do, let's see, do you happen to have the Windows firewall up on Windows so that we can show that as well? Generally you can, oh, so there are various features that a number of firewalls will have. And one of them is something that the Apple firewall calls stealth mode, whereas, and what happens there is, if there's some traffic that comes inbound, it will just not respond to it. So rather than responding to it saying, we don't want this traffic, it will just drop all of this traffic and not respond to it. This way a person that's trying to contact your computer doesn't get a response from it, even saying that it's invalid and therefore doesn't know necessarily that your computer exists on the network at that time. That's sort of an additional protection that you can have against adversaries on the internet. Yes, you had a question? So the firewall, so it was perhaps, so when I said that a firewall can protect against viruses that's perhaps not completely true, only in that it can really only protect against worms, the self propagating malware that exists on the internet. Viruses, since they are caused by you actually downloading something, most likely you have initiated that download and you have given the firewall permission to allow that download to occur. So viruses still could get through a firewall. 
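The three firewall behaviours described above (an inbound allowlist of open ports, per-program outbound rules with an allow/deny prompt, and stealth mode that drops rather than answers) as a toy packet filter. This is an added example, not code from the lecture; the packets, program names and port numbers are constructed, and nothing here touches a real network.

```python
"""Toy packet filter modelling the firewall behaviour from the lecture.

Added example, not part of the lecture:
  - inbound packets pass only on ports the owner opened (e.g. 80 for a web server);
  - outbound packets pass only for programs the owner approved at the pop-up;
  - "stealth" mode silently drops blocked inbound traffic instead of replying.
Packets are plain Python objects constructed below; no sockets are used.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    direction: str   # "in" (from the network) or "out" (from a local program)
    port: int        # destination port inbound, remote port outbound
    app: str = ""    # local program that generated an outbound packet


@dataclass
class Firewall:
    open_ports: set = field(default_factory=set)    # inbound ports allowed in
    app_rules: dict = field(default_factory=dict)   # program -> "allow" / "deny"
    stealth: bool = True
    log: list = field(default_factory=list)

    def filter(self, pkt: Packet) -> str:
        """Return 'accept', 'drop' (silent) or 'reject' (answered with a refusal)."""
        if pkt.direction == "in":
            if pkt.port in self.open_ports:
                verdict = "accept"
            else:
                # Stealth mode says nothing back, so a remote probe cannot even
                # learn that a host is listening at this address.
                verdict = "drop" if self.stealth else "reject"
        else:
            rule = self.app_rules.get(pkt.app)
            if rule is None:
                # Unknown program: this is where the real firewall shows its
                # "Allow or Deny?" pop-up. With nobody to ask, deny by default.
                verdict = "drop"
            else:
                verdict = "accept" if rule == "allow" else "drop"
        self.log.append((pkt.direction, pkt.port, pkt.app, verdict))
        return verdict

    def answer_prompt(self, app: str, decision: str) -> None:
        """Record the owner's answer to the pop-up for a given program."""
        self.app_rules[app] = decision


def demo() -> dict:
    """Run constructed traffic through a web-server firewall; return verdicts."""
    fw = Firewall(open_ports={80})          # only unencrypted HTTP is served
    results = {}
    results["web"] = fw.filter(Packet("in", 80))        # accept: port is open
    results["mail"] = fw.filter(Packet("in", 25))       # drop: nothing listens
    results["ssh"] = fw.filter(Packet("in", 22))        # drop, silently
    fw.stealth = False
    results["ssh_loud"] = fw.filter(Packet("in", 22))   # reject: refusal is sent
    # A program the owner never approved tries to send data out (constructed name).
    results["unknown"] = fw.filter(Packet("out", 443, app="spyware-sample.exe"))
    fw.answer_prompt("itunes", "allow")
    fw.answer_prompt("spyware-sample.exe", "deny")
    results["itunes"] = fw.filter(Packet("out", 443, app="itunes"))             # accept
    results["spyware"] = fw.filter(Packet("out", 443, app="spyware-sample.exe")) # drop
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```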
So you still would want antivirus in a case such as that. However, many worms you are protected from in the case of a firewall and also a lot of spyware as well because just as I showed before, it actually prompts you if you want to allow or deny that software the ability to access the internet. Yup, all right. So this is from the start menu, from settings, from control panel, and it's called Windows Firewall. The XP version looks a little different. This is Vista, but I'm just gonna click on change settings. This now looks just like XP. If I click exceptions, you'll see what my computer or what I the human have over time actually approved. So it's a little small here, but you can notice a couple familiar things. Out of the box, my computer wouldn't work with iTunes because iTunes is a network program because it downloads music and songs and album art and stuff like that. It needs to talk to the internet. So at some point, probably when I installed iTunes, Windows prompted me, do you want to let iTunes connect to the internet? And I went ahead and said yes, and this check box got checked. Apparently there's a whole bunch of stuff that I could allow through my connection, but I'm not. But I think it's important to note that these are only partial protections, right? The means by which firewalls tend to work is they filter out based on IP address so you can blacklist bad guys' IP addresses if you happen to know them, but more often port numbers. Remember when we talked in our internet lectures about, say, HTTP, what port number did we say it uses? We were over this. So 80, no, I know, so we'll recap. So what do these things actually translate to on Windows? 
Well, it's just those numbers, but this suggests then what an adversary should simply do is if he wants to circumvent these very, these numeric based protections is why not just run his malicious software on a known port pretending to be a web server, pretending to be an email server so that you let things pass so realize it's a protection, but if someone assures you where that person at the computer store saying, oh, you're fine, you have a firewall, you know, there's always all of this has to be taken with a grain of salt for these technical reasons. You do have to be careful though. I would push back and say that good firewalls will actually be able to make a determination between programs even on the same port. So for example, remember on the Mac when I opened up a specific program, it did say that I wanted to allow or deny that specific program, whether or not, I suppose I don't know whether or not the Windows firewall operates in that way or if it's port specific, but that is something that you would have to do research on on your specific firewall, whether or not you're relying on the built in Windows firewall or whether you are using some third party firewall to just try to figure out what they're actually doing to protect you. Yeah, I kind of spoiled the teaser so I'll just alt tab back to it. How many of you have ever been to this URL? How many of you have a Bank of the West account? West Coast Bank, so probably not many of you. Oh, just our videographer if you need access to someone's account. So this was one of the most brilliant phishing attacks that I've heard of. It was a few years ago now, but people who suffered this attack received an email in what's called HTML format, something we'll talk about in a couple of weeks and this just means it wasn't pure text, it had graphics, it had colors, it was very nice and the colors and graphics it has were the logos, a big bear from the Bank of the West's website. 
Not all that hard with Photoshop or something just to go borrow someone's logo and incorporate it into your own email. So that at least should be fairly intuitive these days. But they told people in this email to go ahead and visit this URL. Click this link and go here and sharp eyes might notice what the gotcha is here. It's two Vs. So someone rather cleverly, frankly, registered the domain name for probably $9.95, bankofthevvest.com, because in a small font, I've magnified it here. But if this is in like a 10 point font and an email or maybe a little hover thing when you're just hovering over the link, a lot of people probably myself included would assume that this is in fact legitimate just because it happens to look so darn close to the actual thing. But unfortunately it was a bad guy who bought this domain name. I think he probably had gone through the trouble of copying what's called the HTML source code of the real Bank of the West site. That too you'll see in a couple of weeks is very easy to do. So he made it look like a genuine site. And then if he was smart or what I would do if I were doing this is you also implement on the webpage a login form asking people for their username and password. So you have this double assurance in a social engineering sense. One, the URL looks legit. Two, once you get there, the site looks legit. Three, it's asking you for your username and password as usual. You provide it. But where does that username and password get sent to? The bad guy's site. And even if he gets shut down by the authorities and are or his country eventually probably gonna take multiple hours if not multiple days for this to get detected and voila. Now that guy can very quickly log into the real Bank of the West site, do a little bill pay and send money who knows where. So it was a brilliant phishing attack if only because it was so sort of non-obvious. And it's a very clever typo. Back to you. Oh, okay. 
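The two-Vs trick above is something a mail filter can catch mechanically: collapse character sequences that look alike in a small font and compare the result against the real domains you care about. This is an added defensive example, not code from the lecture; the protected-domain list, the confusable table and the sample mail body are constructed for the demo.

```python
"""Added example (not from the lecture): flag links in an e-mail whose host is a
visual lookalike of a real domain, such as the two-V spelling of bankofthewest.com.
The brand list, confusable pairs and sample e-mail are all constructed here."""
import re
from urllib.parse import urlparse

# Real domains a filter would protect (constructed, deliberately short list).
PROTECTED_DOMAINS = {"bankofthewest.com", "example-bank.com"}

# Character sequences that pass for another character at 10-point size.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"), ("|", "l")]


def skeleton(host: str) -> str:
    """Collapse confusable sequences so a lookalike maps to the genuine spelling."""
    host = host.lower().rstrip(".")
    for seq, repl in CONFUSABLES:
        host = host.replace(seq, repl)
    return host


def registrable_domain(host: str) -> str:
    """Last two labels of the host; fine for .com, no public-suffix list here."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one URL."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return "legitimate"
    if skeleton(domain) in {skeleton(d) for d in PROTECTED_DOMAINS}:
        return "lookalike"          # same skeleton, different registration
    return "unrelated"


def scan_email(body: str) -> list:
    """Extract every http(s) link from a mail body and classify it."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [(u, classify_link(u)) for u in urls]


# Constructed sample message in the style the lecture describes.
SAMPLE_BODY = (
    "Dear customer, please verify your account at "
    "http://www.bankofthevvest.com/login within 24 hours. "
    "Genuine site: https://www.bankofthewest.com/ . "
    "Unrelated link: http://cnn.com/"
)

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_BODY):
        print(f"{verdict:10s} {url}")
```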
Any questions about anything security related? Yes. A firewall on the router. So many times the home routers do include, they may include a firewall of their own or they may rely on the network address translation, the NAT aspect of the device to actually protect you in certain respects. Because remember, how does the network address translation work? What does it do for us very basically? NAT, network address translation. Anybody recall? Okay, very good, yeah. So the router itself may have several IP addresses associated with it. A public IP address through which it communicates with the internet and an internal IP address which is different from the external one and through its DHCP server will also give out to the computers attached to it a variety of these internal IP addresses. And so in this way you can have multiple computers connected through one device to the outside world. And so it will look like to the outside world your home has one IP address or one computer even though the router is distributing all of these packets to the appropriate computer. So in this way what happens when you're sending a message from your computer, let's say you have a computer, several computers in your home connected to a home router which itself is running this network address translation, it's NAT, and so let's say you're trying to visit a web page, cnn.com or the like, your computer sends the request to the router which then translates or it changes the packet so that it looks like it's coming from its external IP address and sends that back out. And so it remembers all of the packets that it sent out in all of the packets that are requested packets from your computers and as soon as it gets the actual response back from the server it then redistributes as necessary. And so since there's this table that exists of IP addresses and requests that you have initiated it knows what is legitimate and what may not be legitimate and it could therefore drop the illegitimate packet. 
So in this way it's sort of a faux firewall because if it's not a packet that it's expecting then it most likely will just drop it rather than try to send it out to all of the servers or all of the computers on your home network. So in this way you are protected just a little bit from the outside world in that you have to initiate a connection generally with the outside world in order for the router to allow packets to come back in. But it's not necessarily, it's not foolproof. It can allow packets, malicious packets to come through, let's say you contact a server and a man in the middle attack is happening. That person, that malicious person can actually send bad packets back through the channel so to speak or through that chain in order to send you bad packets or bad information. Other questions? Well why don't we do this? We have perhaps scared the hell out of some of you. So as to allow you an opportunity to run home and unplug your computers why don't we call it a night early but Dan and I will stick around if you have more personal one-on-one questions. Do things that way. See you in one week. Yep. Visit our websites please.
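The NAT "faux firewall" described above, as an added example rather than code from the lecture: a toy router keeps the translation table, rewrites outbound packets to its public address, maps replies back to the inside host, and drops anything nobody inside asked for. All addresses are constructed values from the documentation and private ranges, and the final comment notes why this is not foolproof.

```python
"""Added example (not from the lecture): a toy NAT router with the translation
table the lecture describes. Addresses are constructed (RFC 1918 / TEST-NET)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    PUBLIC_IP = "203.0.113.7"   # constructed public address (TEST-NET-3)

    def __init__(self):
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.table = {}
        self.next_port = 40000
        self.dropped = []

    def outbound(self, pkt: IpPacket) -> IpPacket:
        """Rewrite a LAN packet so the internet sees only the router's address."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:           # existing flow: reuse its mapping
                break
        else:                           # new flow: allocate a public port
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = flow
        return IpPacket(self.PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: IpPacket):
        """Deliver a reply to the host that requested it, or drop it."""
        entry = self.table.get(pkt.dst_port)
        # Accept only if the table says an inside host spoke to this remote
        # address/port. NOTE: a man in the middle who can forge the server's
        # address still matches here, which is the gap the lecture points out.
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            self.dropped.append(pkt)    # unsolicited: nobody inside asked
            return None
        int_ip, int_port, _, _ = entry
        return IpPacket(pkt.src_ip, pkt.src_port, int_ip, int_port)


if __name__ == "__main__":
    nat = NatRouter()
    out = nat.outbound(IpPacket("192.168.1.10", 51000, "198.51.100.20", 80))
    print("sent as:", out)
    print("reply to:", nat.inbound(IpPacket("198.51.100.20", 80, nat.PUBLIC_IP, out.src_port)))
    print("probe:", nat.inbound(IpPacket("198.51.100.99", 4444, nat.PUBLIC_IP, out.src_port)))
```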