
Team 67 Professor Brunet ECE 110 10 November 2008 The Identity by mifei


The Identity Crisis

Imagine going through a typical day without computers. You can’t check email, type a paper, access bank accounts, play videogames, or use a cell phone to call a friend. Given how important computers are in the modern world, their security is of paramount importance, especially that of information protection. When one thinks of threats to computer security, hacking to steal information is one of the first topics that comes to mind. With our heavy reliance on computers and the Internet to perform tasks such as bill-paying and online shopping, which require large amounts of sensitive personal information, the growing danger of identity theft becomes an important concern. Due to the prevalence and hazards of identity theft, this paper will investigate several common methods of identity theft employed by hackers as well as measures to protect personal information.

Before highlighting hacking methods, it is important to understand the historical background of this problem. The term hacking originates from the 1960’s. At the Massachusetts Institute of Technology, a group of students coined the term by referring to it as a quick and elegant fix to essentially any problem. These students began their usage of the term heavily while spending time in a model train club. Eventually some of the students trickled into computer systems and started a revolution (“Timeline: A 40-Year History of Hacking”).

An early form of the “hacking” commonly known today occurred with telephones. In the 1970s, people realized that by using a whistle with a certain frequency they were able to make free phone calls. Eventually these hackers, nicknamed “phreaks,” moved more heavily into computers and computer systems. In order to gain knowledge and share information, hackers created anonymous message boards, on which they would gossip and trade stolen information (“Hacking: A History”).

In the early 1980’s, the idea of hacking broke into popular culture with the creation of movies such as War Games. In this movie, the main character attempts to break into a video game, but instead ends up inside a military database. This and the addition of magazines’ popularization of hacking led to an increase of hackers and hacking crimes. Finally, in 1986 Congress passed the Computer Fraud and Abuse Act making it illegal to break into computer systems. During the late 1980’s and early 1990’s hacker crimes continued to occur on a much larger scale, resulting in new government programs to prevent hacking. Consequently, the authorities began to catch many hackers (“Timeline: A 40-Year History of Hacking”).

During the 1990’s, the Internet took off with the release of web browsers and affordable, private Internet connections. This resulted in an increase in the hacker population and in hacker crimes; anyone with a computer and a desire could become a hacker. In response, software security became a mainstream industry concerned with protecting companies and individuals. Due to new prevention techniques, hackers have had a harder time attacking larger targets or those with protection software, so instead they have begun to focus on identity theft and attacking unsuspecting and innocent people through a variety of methods (“Timeline: A 40-Year History of Hacking”).

Often it is easiest for criminals to obtain innocent persons’ private information through the simplest of methods: “black hat”[1] Google hacking. This form of hacking uses powerful search engines such as Google to locate sensitive information that people have ineptly posted on the Internet. Criminals can find this data from a wide variety of sources, such as loan statements, online resumes, posted court records, and lists of wanted criminals, and then use it to fill out applications for credit cards[2] (Abdelhalim and Traore 241).

In a study of the effectiveness of Google hacking with respect to identity theft, Amany Abdelhalim and Issa Traore of the University of Victoria performed a series of “white hat”[3] Google hacking sweeps—random keyword searches not directed at specific individuals—in order to determine the extent of sensitive information accessible on the Internet. Using a limited number of searches with keyword combinations such as “social security number”, “social security number AND died”, and “credit card number OR creditno OR creditnum OR ccnum OR ccno OR cc# filetype:xls”, Abdelhalim and Traore were able to find vast amounts of personal data (Abdelhalim and Traore 241). This data includes 1160 social security records for deceased people, 155 social security records for living people, 2 passport records, 28 credit card records, and one health record (Abdelhalim and Traore 242).

Such a disturbing breadth of easily accessible information calls for increased security online, which can be achieved simply by avoiding the distribution of personal data on insecure websites. However, organizations are investigating additional security measures regarding the detection and prevention of Google hacking before an identity is actually stolen. One such organization, the Identity Angel Project, focuses on locating posted resumes containing enough personal information for a hacker to steal a user’s identity and informing the owner of the risk (Abdelhalim and Traore 243).
Researchers are also designing systems capable of detecting Google hacking based on repeated searches by users with similar chains of keywords; however, this security method is still a work in progress (Abdelhalim and Traore 243).

Identity theft is often conducted through more traditional forms of hacking, such as password cracking or bypassing. Have you ever wondered why special characters like commas and dashes are not allowed in usernames and passwords on many sites? Or why there is a limited number of characters that can be entered when creating a username and password? These are just some methods to prevent creative hackers from attacking a user’s computer. Over the years, code writers have developed many creative attacks to access online accounts without knowing the password. One common attack is known as “SQL Injection.”[4] This kind of attack exploits the way software developers write the access codes. A typical login page will have a structure similar to “Username: bob Password: *************” and behind the scenes, SQL code will be running. Finally, the code that is executed will look something along the lines of “SELECT * FROM users WHERE username='bob' AND password='bobsp@ssw0rd'” (Araujo). This code then verifies the password and logs the user into his/her account. However, when a black hat hacker tries to log in to Bob’s account without a password, all he has to do is enter “'bob'+OR+1=1;--” into the username field and leave the password blank. The SQL program then treats this username as part of the SQL code used to verify the account login, allowing the hacker to modify the website’s login verification on the fly. This bypasses the password verification, and he is now logged in as Bob without Bob’s knowledge or consent. The code now executes as “SELECT * FROM users WHERE username='bob' OR 1=1;” (Araujo). The two dashes (“--”) skip the code that validates that the entered password equals 'bobsp@ssw0rd'. In this case, the code will check that 1=1, which is always true, and log the hacker into the account. By exploiting this security flaw within the SQL programming language, the hacker has essentially changed the login page to one that will let any user enter as Bob. Today, however, with the improvement of code writing, most hackers cannot access a user’s account without their password.

[1] “Black hat” is (a) a fashion statement, or (b) the use of hacking for criminal activity. Here it is more likely being used in the latter sense. Although one could potentially Google hack while wearing a black hat as well.

[2] Which may then be used for online shopping sprees.

[3] (a) An alternative fashion statement, or (b) the use of hacking methods for research involved in the eventual reduction of criminal hacking.

[4] Structured Query Language, or SQL, is a database programming language often used to verify login information on websites. This should be differentiated from “sequel injection,” having the same pronunciation, a technique used by authors to make additional profits from their intellectual property.

A well-known technique used for identity theft is phishing. Phishing is a method of using deceptive electronic communication to attempt to gather personal information by persuading the user to send it to the criminal party himself. One method of phishing is implemented by sending emails from what appear to be credible companies or websites such as FedEx, Facebook, and online banks. These emails contain links that take the user to a website forged by the hacker which looks identical in appearance to the official website. These sites then lure the user to enter his username and password, which they send to the hacker (Garfinkel and Cranor 2). Another method of phishing is implemented through pop-up windows, where an undecorated window appears requesting users to enter their personal information.
A popup appears to ask for personal information but does not display any URL, making it difficult for users to know what website it has originated from and distinguish it from spam. This type of phishing appeared in 2004 when criminals used it to attack the clients of Citibank (Garfinkel and Cranor 2).

Over the years there has been a significant increase in phishing. APACS (Association for Payment Clearing Services) has reported an increase of over two hundred percent in the first quarter of 2008 (“APACS Warns Over Phishing Increase” 3). During 2007, there was an estimated loss of $3.2 billion USD due to phishing attacks, which reveals users’ continued vulnerability to these kinds of attacks (Garfinkel and Cranor 275).

To safeguard information from phishing attacks, computer users should avoid suspicious emails and pop-ups and not click on links included in them. No professional company will contact a customer via phone or email to ask for account or login information. Customers should always login to their accounts by accessing the login page themselves rather than through a link. In addition, certain web browsers and search engines, such as Mozilla Firefox and Google, include phishing detection that attempts to warn users when they access dangerous websites. Pop-up blockers are also important to prevent phishing attempts, and are included in most modern browsers as well. Given these preventative measures, phishing is one of the easier forms of identity theft to prevent, although it still causes many cases each year.

A less common yet highly effective method used in identity theft is the cookie grabber, a program hidden by a hacker in the HTML code of a website (Leon 3). A cookie is a small packet of information sent from a user’s computer to websites where it allows the site server to identify returning users or customize the site content based on this information. Cookies can also contain personal information such as passwords and credit card numbers (Leon 2).
When a user visits a hacker’s website, the cookie grabber steals the user’s cookies and sends them back to the hacker, who then has access to the user’s personal information (Leon 3). In 2005, a hacker employed cookie grabbers to steal users’ account information on the online gaming website Neopets. The hacker placed a cookie-grabbing program in the HTML[5] code of his personalized account profile and lured other users there under the pretense of critiquing his profile. Once the Neopets users visited the hacker’s profile, their cookies, and therefore their passwords, were sent to him; accounts, virtual pets, items, and currency were stolen. Although in this case no real harm was done to the users’ identities, such an attack can easily be implemented on websites in order to steal users’ personal information. Users can protect themselves and their identities from such attacks simply by making sure that their web browser security is set to disable scripts[6] on websites (Leon 3). This measure prevents programs such as cookie grabbers from running and thus protects the user’s cookies from theft.

A more common avenue of identity theft is through the use of spyware. Spyware is a type of software that discloses personally identifying information to a third party without the user’s consent or, in most cases, knowledge. Common forms of spyware are keyloggers and password stealers. Keyloggers are programs, or even hardware devices, that record keystrokes on a computer and send them to a remote user who examines the data and may use it to fraudulently assume one’s identity online. Many variations of keyloggers exist which attempt to improve the quality of information retrieved from a computer or reduce the chance of the spyware being detected. Some keyloggers only activate once a user visits a specific type of website, such as an online bank. These types of spyware are labeled password stealers, which simplify a criminal’s task of searching for a user’s identifying information among all of a user’s keystrokes (Paget 8).
These also reduce the storage space and bandwidth necessary to employ a keylogger, making keyloggers simpler to use and more difficult to detect (due to the reduced Internet activity). Other keylogger-type programs also capture screen content and mouse clicks (called “screen scraping”), allowing the spyware distributor to correlate which usernames and passwords a victim uses at which sites, or easily identify when a victim enters his social security number online (Payton 138). Some hardware devices can also be used to intercept keystrokes and provide data to criminals while being undetectable by software. Such devices are usually connected between the keyboard and the computer’s keyboard input port (Paget 9-10).

Once spyware is present on a computer, it may present advertisements for fake anti-virus or anti-spyware software. This is often sold by a commercial partner or the spyware distributor itself, contributing to the criminal’s income. Spyware distributors often sell personalized or consumer-targeted advertising space on infected computers to larger companies, where collected personal information can be used to target specific advertisements at the user. Other spyware distributors sell their data to third parties which resell identity information online (Payton 138).

Protection from spyware can be difficult or impossible. As of August 2005, corporate computers each had 27 spyware programs on average, with 80 percent having at least one such program (Keizer). Since spyware often embeds itself within other programs or a computer’s operating system, manual detection and removal is not an option for most victims. Users should have complete computer security software installed and updated, including an anti-virus utility, an anti-spyware utility, and a firewall. Since spyware threats change quickly, it is important to keep these programs updated frequently (Paget 14).

[5] HTML could refer to the High-Technology Mail Lifter, a sorting robot that may exist in the US postal service, but more probably refers to Hypertext Markup Language, the encoding format used for web pages.

[6] Hidden programs that run when a website is loaded, or stories that are played out onstage when a producer hires actors.

On its own, anti-spyware software is not enough to protect users. Detecting and removing spyware can be extremely difficult, and anti-spyware utilities are not effective against all threats. To prevent infection, computer users must also exercise basic Internet caution. Users must be especially careful when installing free software, because it often includes bundled or attached spyware, which infects the computer when the victim gives the software package permission to install. Even innocent-appearing programs such as screensavers may contain attached spyware. Notification of this extra software installation may be included in the fine print of the free software’s extensive End User License Agreement, giving distributors the legal cushion that the user agreed to the installation of the spyware. This is especially important to be wary of because uninstalling the host program (which originally installed the spyware) rarely uninstalls the malicious software. Some programs even re-install themselves if their main executable files are deleted (Payton). Users should also be careful not to exchange important or identifying information insecurely over the Internet, such as through email. Even if the sender’s computer is clean (not infected with spyware), the recipient’s computer may have spyware that could transmit the information to a malicious third party (Paget 14).

As this paper has examined, identity theft can occur through a wide variety of technical avenues. Protecting oneself from these threats generally involves only one broad precaution, however: be aware of the danger and use common sense to keep your information private. People should avoid placing personal information online and create user accounts only on trusted websites.
They should never enter account information when requested to through email, and should only do so on the login page of a trusted website. Users should avoid clicking on links inside emails, and if they do, they should make sure to check the sender and carefully read the URL of the site after it has opened. They should have anti-virus and anti-spyware software, and keep all their software, especially security and web browser software, updated. It is also important to avoid installing or running programs from unknown or untrustworthy sources.

These precautions depend heavily on the capability of security software to prevent hacking, an area that provides a wide variety of applications within electrical and computer engineering as well as computer science. Further research could examine the methods of protection employed by anti-virus and anti-spyware software, firewalls, and secure login pages online. These present many difficult challenges to engineers, including distinguishing between hostile and safe applications, verifying account passwords safely, and securely encrypting account verification data. Students interested in computer security and security software may be interested in taking classes at the University of Illinois including ECE 422/CS 461: Computer Security I, ECE 424/CS 463: Computer Security II, ECE 419/CS 460: Security Laboratory, and ECE 439: Wireless Networks.
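The login bypass from the SQL injection discussion earlier in this paper, next to a login check that resists it and verifies the password safely, as an added example that is not part of the original paper or of the Araujo article it cites. The table layout, the function names, the PBKDF2 settings and the injected string (a constructed input that yields the query the paper shows) are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

INJECTED = "bob' OR 1=1 --"  # constructed input yielding the query the paper shows


def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db():
    """Constructed sample database holding only Bob's account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users "
               "(username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    # The plaintext column exists only so the paper's query can run as written.
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("bob", "bobsp@ssw0rd", salt,
                hash_password("bobsp@ssw0rd", salt)))
    return db


def build_query(username, password):
    # Vulnerable pattern: user input is pasted straight into the SQL text,
    # so a quote in the input ends the string literal and becomes code.
    return ("SELECT * FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(db, username, password):
    return db.execute(build_query(username, password)).fetchone() is not None


def login_hardened(db, username, password):
    # The ? placeholder sends the input as data; it is never parsed as SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username=?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    # Compare salted hashes in constant time instead of plaintext in SQL.
    return hmac.compare_digest(hash_password(password, salt), pw_hash)


if __name__ == "__main__":
    db = make_db()
    print(build_query(INJECTED, ""))
    print("vulnerable login, injected input:", login_vulnerable(db, INJECTED, ""))
    print("hardened login, injected input: ", login_hardened(db, INJECTED, ""))
    print("hardened login, real password:  ",
          login_hardened(db, "bob", "bobsp@ssw0rd"))
```

The weakness sits in how the application assembles the query string, which is why binding the input as a parameter closes it without restricting which characters a username may contain.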

Works Cited

Abdelhalim, Amany, and Issa Traore. “The Impact of Google Hacking on Identity and Application Fraud.” IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, 2007. PacRim 2007. (2007): 240-4. Compendex. Grainger Engineering Library Article Databases. U of Illinois Grainger Engineering Lib., Urbana-Champaign, IL. 8 Oct. 2008 <>.

“APACS Warns Over Phishing Increase.” 15 Apr. 2008. 10 Nov. 2008 <$1218796.htm>.

Araujo, Rudolph. “The Spy Who Hacked Me!” Microsoft Corporation. 2008. Oct. 2008 <>.

Garfinkel, Simson, and Lorrie Faith Cranor. “What Is Phishing (Or, How to Fight Phishing at the User-Interface Level).” O’Reilly Media. 25 Oct. 2005. 10 Nov. 2008 <>.

“Hacking: A History.” BBC News. 27 Oct. 2000. 10 Nov. 2008 < tech/994700.stm>.

Keizer, Gregg. “8 out of 10 Enterprise PCs Spyware Infected.” Information Week 23 Aug. 2005. 24 Oct. 2008 < showArticle.jhtml?articleID=169600330>.

Leon, James F. “Ten Tips to Combat Cybercrime.” The CPA Journal 78.5 (2008): 6,8-11. ABI/INFORM. ProQuest. U of Illinois Grainger Engineering Lib., Urbana-Champaign, IL. 8 Nov. 2008 <>.

Paget, François. Identity Theft. McAfee White Papers. McAfee. Jan. 2007. 23 Oct. 2008 <>.

Payton, Annie M. “A Review of Spyware Campaigns and Strategies to Combat Them.” Proceedings of the 3rd Annual Conference on Information Security Curriculum Development (Feb. 2007): 136-141. Compendex. Grainger Engineering Library Article Databases. U of Illinois Grainger Engineering Lib., Urbana-Champaign, IL. 23 Oct. 2008 <>.

“Timeline: A 40-Year History of Hacking.” 19 Nov. 2001. 10 Nov. 2008 <>.
