
Upload: stanscimag

Post on 16-Nov-2014


Internet Security: Passwords, Phishing, and PORTIA

ENG + TECH

Written by Shinjini Kundu, Stanford Scientific, Volume VII

Imagine what it would be like to have an internet site automatically alter your password every time you log onto a site. A nightmare? Hardly. This is just one of the many new areas of research being conducted on internet security at the lab of Dr. Dan Boneh, an associate professor of Computer Science and Electrical Engineering at Stanford. His current research may help protect against novel forms of information theft that occur on the Internet by helping to develop new ways that private online data is transferred through the internet.

Andrew Bortz, a Ph.D. student of Dr. Boneh, explains, “People’s passwords could get stolen just by visiting websites. Vulnerabilities in the web browser itself allow the attacker to hijack your computer.” Internet technology is rapidly changing, but the necessary security is still lagging behind. Attackers are taking advantage.

The Internet: An Open Portal

The internet has been a springboard of the information age. With the advent of online banking and online shopping, people can finish their errands in just a matter of minutes in a comfy chair at their desks. The internet, however, is also an easily accessible venue for hackers. Thanks to this virtual portal, it has now become easier than ever to devise ways to access the information belonging to others. Internet security programs exist, but it always seems they are one step behind in the game.

The internet used today is vastly different from the original internet envisioned by its creators. Users of the internet today are able to customize web applications as they fancy. For example, iGoogle, a customizable start page, includes functions from photo displaying to playing YouTube videos to storing personal to-do lists. Users can access the functions of multitudes of different websites from simply one convenient web browser, via importable web feeds.

However, hackers also find this convenient. Hijackers use the low-security websites embedded into the iGoogle startpage to find out what websites a person has visited or personal information and use the person’s server to hack other sites with relative ease. Besides iGoogle, Facebook, MySpace, and email applications are other websites that can compromise security. According to Bortz, the security problems are compounded when website authorities fail to take necessary precautions. They either decide to trust the imported web feeds, or worse, assume a security breach would never happen.

Most people realize that passwords can be stolen through low-security sites. But they may not know that security problems are not solely confined to low-security websites. The web browser itself is vulnerable and allows attackers to hijack one’s computer. Passwords may be stolen simply by visiting a website. Internet users may believe that a website like Facebook is relatively safe, but they do not consider the “applications” that can be downloaded onto it or the other websites to which it is linked. Attackers use these mediums to access the personal data of many oblivious users.

A classic alternative method to steal passwords is called phishing. Mike Hamburg, a Ph.D. student under Dr. Boneh, describes this as a way to steal information from a webpage that “looks exactly like the original but isn’t.” A phishing scam usually begins with a spam email that appears to come from a legitimate financial organization like Bank of America or PayPal. The email directs the recipient to a website that looks like the financial organization’s homepage. The unsuspecting recipient is directed to login, using his or her username and password.

Of course, the email is not really from the financial organization. The fraudulent but frighteningly well-crafted webpage is established for the sole purpose of gaining access to private information. Hamburg explains, “The attacker wants your banking password so that he can steal your money. He wants your social [security number] so that he can take out loans on your credit. He wants your credit card so that he can buy stuff with it.”

Fortunately, labs such as Professor Dan Boneh’s are actively researching better Internet security protocols to thwart these hacking strategies. Andrew Bortz, a Ph.D. student under Boneh, describes the ongoing research as a “spectrum that ranges from fixing patches, debugging to more architectural issues.”

Hashing Passwords

Boneh, an Associate Professor of Computer Science and Electrical Engineering at Stanford, is working on internet security as part of the project PORTIA. PORTIA, which stands for Privacy, Obligations, and Rights in Technologies of Information Assessment, is designed to look at information security in the online world. Boneh and his Stanford group are working with Yale University and a handful of other universities to design the next generation of technology for handling sensitive information and to develop a policy framework for storing and using online data.

PwdHash, short for “password hash,” is one of these new technologies that can help protect sensitive online information. This new application of cryptography is designed to alleviate the problem of people reusing the same passwords for many different websites.

A hash function is a function that turns any data into a relatively small integer. Hamburg explains, “The feature that PwdHash uses is that cryptographic hashes are one-way.” Given the output of the hash, it is almost impossible to figure out the original input. PwdHash transforms an individual’s password into a site-specific password. A user can activate PwdHash by inserting a special prefix in front of his or her password or by pressing a special key like F2. PwdHash takes the password and combines it with a site-specific domain name.

For example, if your password for Amazon is “airplane,” PwdHash stores the password as a string derived from “airplane” and Amazon through hashing. Even if someone hacks into another site where you use airplane as a password, the attacker will only acquire the site-specific hashed value of the password and not the original password itself. This will prevent the thief from being able to use the password to log into your account on Amazon or any other site.

“People’s passwords could get stolen just by visiting websites. Vulnerabilities in the web browser itself allow the attacker to hijack your computer.” – Andrew Bortz

Credit: sxc.com

SHINJINI KUNDU is a staff writer for Stanford Scientific Magazine. She is a freshman at Stanford University and plans to pursue engineering. In addition to science writing, she enjoys dancing, debate, and writing sci-fi/fantasy novels.

To Learn More: For more information, visit the departmental website of Dr. Dan Boneh, http://crypto.stanford.edu/~dabo/
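The site-specific derivation described above, and why it also blunts the phishing scenario from the earlier section, as an added example in Python. This is not PwdHash’s own code or code from Boneh’s group: it assumes HMAC-SHA256 with a base64 alphabet (the real PwdHash uses its own hash and password-rule-aware encoding), a “@@” activation prefix standing in for the “special prefix” the article mentions, and a two-label rule for the site domain. All three are assumptions of this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed activation prefix for this example; the article only says "a special prefix".
ACTIVATION_PREFIX = "@@"


def site_domain(url: str) -> str:
    """Reduce a URL to the domain the derived password is bound to.

    Assumption: the registrable domain is the last two host labels
    (www.amazon.com -> amazon.com). A deployment needs a public-suffix list
    for hosts such as example.co.uk; the shortcut is for illustration only.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Combine the master password with the site domain through a one-way function.

    HMAC-SHA256 keyed by the master password over the domain (an assumed
    construction, not PwdHash's exact one). The output reveals nothing about
    `master`, and a different domain yields an unrelated output.
    """
    digest = hmac.new(
        master.encode("utf-8"), site_domain(url).encode("utf-8"), hashlib.sha256
    ).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def password_for_site(typed: str, url: str) -> str:
    """Mimic the activation rule: only passwords typed with the prefix are transformed."""
    if typed.startswith(ACTIVATION_PREFIX):
        return derive_site_password(typed[len(ACTIVATION_PREFIX):], url)
    return typed


if __name__ == "__main__":
    # The article's scenario: master password "airplane" used at Amazon.
    real = password_for_site("@@airplane", "https://www.amazon.com/login")
    # A lookalike domain (constructed) receives a value that is useless at amazon.com.
    phish = password_for_site("@@airplane", "https://amazon.com.account-verify.example/login")
    # Another site where the same master password is reused sees yet another value.
    other = password_for_site("@@airplane", "https://www.example.com/login")
    print("amazon.com :", real)
    print("lookalike  :", phish)
    print("other site :", other)
```

The same master password and the same domain always give the same site password, which is what lets the user log in without storing anything; a breach of the other site, or a phishing page on a lookalike domain, only ever captures a value that no other domain will accept.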

Cryptic Codes

Mike Hamburg is currently working on encryption, which is another way of adding internet security. Encryption is the method by which readily accessible text is “coded” into seemingly indecipherable gibberish. Only the receiver knows the key to decipher this code.

Encryption is an age-old technique of replacing a word with a different string of letters and numbers. During World War I and World War II, both sides encrypted their electronic messages, which required code books to translate. By intercepting and cracking the coded communications during the Second World War, the British gained advantage against the feared German submarines known as U-boats.

Modern encryption for the internet is much more complex than the codes used in the first half of the last century. Encryption tables are often dynamically changed during transmission using multiple hash parameters. Mike Hamburg is currently working to improve some of the glitches that currently exist in encryption systems.

Securing the Internet

Internet attackers also take advantage of loopholes in internet security to siphon large sums of money from large corporations. This phenomenon is called “click-fraud.” Corporations that display ads on the webpages of large search engines like Google usually pay on a “per click” basis: they must pay a fixed amount every time a user clicks on their ad.

Sometimes these search engines also pay per click to display ads on the websites of small corporations or individuals. In this system, abusers can set up a website that will receive money when a person clicks on an ad posted on that website. By clicking the ads repeatedly, they can purposely charge corporations unnecessarily large sums or make small profits for themselves. There have even been lawsuits between corporations over such alleged activities. Andrew Bortz is currently working with Google on making click-fraud defenses more effective.
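The simplest signal a click-fraud defense can act on is the one the paragraph describes: the same client clicking the same ad on the same publisher site over and over. The following is an added example, not Google’s or Bortz’s defenses; the log format, the five-minute window and the threshold of three clicks are constructed for illustration, and a production system weighs many more signals before withholding payment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample click log (not real ad-network data). One click per line:
# timestamp, publisher site showing the ad, advertiser's ad id, clicking client.
SAMPLE_CLICKS = """\
2014-11-16T10:00:01 publisher=smallsite.example ad=ad-1001 client=198.51.100.7
2014-11-16T10:00:03 publisher=smallsite.example ad=ad-1001 client=198.51.100.7
2014-11-16T10:00:04 publisher=smallsite.example ad=ad-1001 client=198.51.100.7
2014-11-16T10:00:06 publisher=smallsite.example ad=ad-1001 client=198.51.100.7
2014-11-16T10:00:09 publisher=smallsite.example ad=ad-1001 client=198.51.100.7
2014-11-16T10:01:00 publisher=blog.example ad=ad-2002 client=203.0.113.5
2014-11-16T10:45:00 publisher=blog.example ad=ad-2002 client=203.0.113.9
"""


def parse_click(line):
    """Parse one constructed log line into a dict; the timestamp goes under 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def max_clicks_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    start = 0
    best = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_repeated_clicks(log_text, window=timedelta(minutes=5), max_clicks=3):
    """Return {(publisher, ad, client): burst_size} for every combination whose
    click burst exceeds `max_clicks` within one `window` (thresholds are assumed)."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_click(line)
            buckets[(rec["publisher"], rec["ad"], rec["client"])].append(rec["ts"])
    flagged = {}
    for key, times in buckets.items():
        burst = max_clicks_in_window(times, window)
        if burst > max_clicks:
            flagged[key] = burst
    return flagged


def billable_clicks(log_text, **thresholds):
    """Clicks per ad after collapsing each flagged (publisher, ad, client) burst to
    a single billable click, so the advertiser is not charged for the repeats."""
    flagged = flag_repeated_clicks(log_text, **thresholds)
    counts = defaultdict(int)
    already_billed = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_click(line)
        key = (rec["publisher"], rec["ad"], rec["client"])
        if key in flagged:
            if key in already_billed:
                continue
            already_billed.add(key)
        counts[rec["ad"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, burst in flag_repeated_clicks(SAMPLE_CLICKS).items():
        print("suspicious burst:", key, "clicks in window:", burst)
    print("billable clicks per ad:", billable_clicks(SAMPLE_CLICKS))
```

On the constructed log, the five clicks from one client on smallsite.example are flagged and billed as one click, while the two clicks on blog.example come from different clients and are billed normally; raising `max_clicks` to five makes the burst disappear, which is why the thresholds matter as much as the rule.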

New internet functions call for new security measures. “We need a web browser to be more like an operating system,” says Bortz. This includes tasks ranging from the basics, like fixing bugs, to much wider architectural improvements to enhance network security. Beware. Secure defenses may soon be brought to a server near you.

“We need a web browser to be more like an operating system.” – Andrew Bortz

Credit: sxc.com