CS338 Computer Security
Monday, 23 May 2022

+ Today
    - Announcements
    - Questions & debriefing
    - Starting to think about data privacy (readings & a video to follow)

+ Announcements
    - Grading exam corrections is underway but not done (background process with too many foreground processes)
    - Who needs a partner for the history video? Pick a topic promptly!
    - Are you set for creating the videos? Simple techniques with Zoom, QuickTime Player, etc.

+ Questions & debriefing
    - ARP assignment
    - Metasploit lab last Friday
        - As a hacker, you're going to do
            - Vulnerability scan
            - Identify an exploit for the vulnerability
            - If the exploit allows you to run code on the target machine, select a payload
                - (typical payload is some sort of command shell)
            - Run the exploit, run the payload
            - Do bad stuff
                - "Exfiltrate" data (download it)
                - Destroying data (w/ or w/o ransomware)
                - Install secret monitoring software (keyloggers, etc.)
                - Move laterally (use access on the target machine to login to other machines with more desirable stuff)
        - Metasploit gives you
            - Library of exploits & payloads
            - Keeps track of your work as you go
    - Ethical analysis assignment
    - History video assignment

+ Privacy, round 1
    - List of data types you provide to internet services
        - Location
        - Social security #
        - Name, age, demographics in general
        - What you did on the website (clicks, views, your entire history, time watching each video,...)
        - Airplane ticket info
        - Banking and credit card info
        - Purchase histories
        - Fingerprint
        - Likes (explicit, but also "what Netflix stuff did you watch")
        - Face, voice
        - Friends (loosely defined)
        - Photos
        - Daily routine (where you go, etc.)
        - Photo tags
    - List of data collection techniques companies can use
        - They ask for it, you give it to them (Submit!)
        - Extrapolate from other data they have
        - * Cookie trackers
        - [Put stuff in terms of service that says you give up all your rights]
        - Recording from mic and camera
        - Browsers / apps ask "OK to track location?"
        - Buy datasets
        - Engagement measures (collected via Javascript) while you're on their site
        - Ask you to link your accounts
        - Scraping data from public online sources
        - CCTV cameras
        - Credit card records
        - Browser histories (ISP has this)
        - Analytics (Google Analytics)

+ Privacy, round 2
    - Location data for one person (5-minute increments, 10-meter resolution)
        - Can you identify the person?
            - Yes
            - Home (from loc), get census records for who lives there, workplace (from loc)
              But: apartment buildings; remote work; UPS drivers & truckers;
            - Morning person? Night person?
            - Home ownership data; shopping data
        - What else can you find out about the person?
    - Location data for the entire population of the US
        - What can you search for? (e.g., can you find people with cancer?)
            - Who has kids?
              Living in same place as person who is in school for a lot of the day
              Visits to pediatric medical facilities
              Could combine w/ social media photos
            - People with a particular religion
            - Exposure to illness
            - People having affairs
            - Soldiers jogging --> secret military bases
            - [Cellphones that stay put during the day; NSA workers? ...]
            - Friend groups
            - All the people at that protest last week
            - People with gambling problems
            - People of given race/ethnicity/income level/sexual pref?
            - People who have had an abortion
        - THINK ABOUT
            - False positives
            - False negatives

+ Privacy, round 3
    - What can data brokers and their customers do with the data they collect?