ENG + TECH written by SHINJINI KUNDU

Internet Security
Passwords, Phishing,
and PORTIA
Imagine what it would be The Internet: An Open
like to have an internet site Portal
automatically alter your The internet has been a springboard of the
password every time you log onto a information age. With the advent of online
site. A nightmare? Hardly. This is just one
banking and online shopping, people
of the many new areas of research being
can finish their errands in just a matter of
conducted on internet security at the lab
minutes in a comfy chair at their desks. The
of Dr. Dan Boneh, an associate professor
internet, however, is also an easily accessible
of Computer Science and Electrical
venue for hackers. Thanks to this virtual
Engineering at Stanford. His current
portal, it has now become easier than ever
research may help protect against novel
to devise ways to access the information
forms of information theft that occur on
belonging to others. Internet security
the Internet by helping to develop new
programs exist, but it always seems they are
ways that private online data is transferred
one step behind in the game.
through the internet.
The internet used today is vastly different
Andrew Bortz, a Ph.D. student of Dr.
from the original internet envisioned by
Boneh, explains, “People’s passwords
its creators. Users of the internet today are
could get stolen just by visiting websites.
able to customize web applications as they
Vulnerabilities in the web browser itself
fancy. For example, iGoogle, a customizable
allow the attacker to hijack your computer.”
startpage, includes functions from photo
Internet technology is rapidly changing, but
displaying to playing youtube videos to
the necessary security is still lagging behind.
storing personal to-do lists. Users can access
Attackers are taking advantage.
the functions of multitudes of different

stanford scientific

websites from simply one convenient web
browser, via importable web feeds.
However, hackers also find this convenient.
Hijackers use the low-security websites
embedded into the iGoogle startpage to
find out what websites a person has visited
or personal information and use the person’s
server to hack other sites with relative
ease. Besides iGoogle, Facebook, MySpace,
and email applications are other websites
that can compromise security. According
to Bortz, the security problems are
compounded when website authorities fail
to take necessary precautions. They either
decide to trust the imported web feeds,
or worse, assume a security breach would
never happen.
Most people realize that passwords can be
stolen through low-security sites. But they
may not know that security problems are
not solely confined to low-security websites.
The web browser itself is vulnerable and
allows attackers to hijack one’s computer.
Passwords may become stolen by visiting
any website. Internet users may believe that
a website like facebook is relatively safe,
but they do not consider the “applications”
that can be downloaded onto it or other
websites to which it is linked. Attackers use
the mediums to access the personal data of
many oblivious users.
A classic alternative method to steal
passwords is called phishing. Mike Hamburg,
a Ph.D. student under Dr. Boneh, describes
this as a way to steal information from a
webpage that “looks exactly like the original
but isn’t.” A phishing scam usually begins
with a spam email that appears to come
from a legitimate financial organization like
Bank of America or PayPal. The email directs
the recipient to a website that looks like
the financial organization’s homepage. The
unsuspecting recipient is directed to login,
using his or her username and password.
Credit: sxc.com
Of course, the email is not really from the
financial organization. The fraudulent but
frighteningly well-crafted webpage is
established for the sole purpose of gaining
access to private information. Hamburg
explains, “The attacker wants your banking
password so that he can steal your money.
He wants your social [security number] so
that he can take out loans on your credit. He
wants your credit card so that he can buy
stuff with it.”
Fortunately, labs such as Professor Dan
Boneh’s are actively researching better
Internet security protocols to thwart
these hacking strategies. Andrew Bortz, a
Ph.D. student under Boneh, describes the
ongoing research as a “spectrum that ranges
from fixing patches, debugging to more
architectural issues.”
Hashing Passwords
Boneh, an Associate Professor of Computer
Science and Electrical Engineering at
Stanford, is working on internet security as
part of the project PORTIA. PORTIA, which
stands for Privacy, Obligations, and Rights “People’s passwords
in Technologies of Information Assessment,
is designed to look at information security could get stolen just
in the online world. Boneh and his Stanford
group are working with Yale University and
by visiting websites.
a handful of other universities to design the
next generation of technology for handling
Vulnerabilities in the
sensitive information and to develop a web browser itself
policy framework for storing and using
online data. allow the attacker to
PwdHash, short for “password hash,” is one hijack your computer.”
of these new technologies that can help
protect sensitive online information. This
– Andrew Bortz
new application of cryptography is designed
to alleviate the problem of people reusing
the same passwords for many different
websites.
A hash function is a function that turns any
data into a relatively small integer. Hamburg
volume VII
ENG + TECH
explains, “The feature that PwdHash uses
is that cryptographic hashes are one-way.”
Given the output of the hash, it is almost
impossible to figure out the original
input. PwdHash transforms an individual’s
password into a site-specific password. A
user can activate PwdHash by inserting a
special prefix in front of his or her password
or by pressing a special key like F2. PwdHash
takes the password and combines it with a
site-specific domain name.
For example, if your password for Amazon is
“airplane,” PwdHash stores the password as
a string derived from “airplane” and Amazon
through hashing. Even if someone hacks
into another site where you use airplane as a
password, the attacker will only acquire the
site-specific hashed value of the password
and not the original password itself. This
will prevent the thief from being able to use
the password to log into your account on
Amazon or any other site.
Cryptic Codes
Mike Hamburg is currently working on
encryption, which is another way of
another way of adding internet security.
Encryption is the method by which readily
accessible text is “coded” into seemingly
indecipherable jibberish. Only the receiver
knows the key to decipher this code.
Encryption is an age old technique of
replacing a word with a different string of
stanford scientific
Credit: sxc.com
“We need to a web browser to be more like an
operating system.” – Andrew Bortz
letters and numbers. During World War They must pay a fixed amount every time a
I and World War II, both sides encrypted user clicks on their ad.
their electronic messages, which required
code books to translate. By intercepting and Sometimes these search engines also pay
cracking the coded communications during per click to display ads on the websites of
the Second World War, the British gained small corporations or individuals. In this
advantage against the feared German system, abusers can set up a website that
submarines known as U-boats. will receive money when a person clicks on
an ad posted on that website. By clicking
Modern encryptions for the internet are the ads repeatedly, they can purposely
much more complex than the codes used in charge corporations of unnecessarily large
the first half of the last century. Encryption sums or make small profits for themselves.
tables are often dynamically changed There have even been lawsuits between
during transmission using multiple hash corporations over such alleged activities.
parameters. Mike Hamburg is currently Andrew Bortz is currently working with
working to improve some of the glitches Google on making click-fraud defenses more
that currently exist in encryptions systems. effective.
Securing the Internet New internet functions call for new security
Internet attackers also take advantage measures. “We need a web browser to be
of loopholes in internet security to more like an operating system,” says Bortz.
siphon large sums of money from large This includes tasks ranging from the basics,
corporations. This phenomenon is called like fixing bugs, to much wider architectural
“click-fraud.” Corporations that display ads improvements to enhance network security.
on the webpages of large search engines Beware. Secure defenses may soon be
like Google usually pay on a “per click” basis. brought to a server near you.
SHINJINI KUNDU is a staff writer for Stanford Scientific Magazine. She is a freshman at
Stanford University and plans to pursue engineering. In addition to science writing, she
enjoys dancing, debate, and writing sci-fi/fantasy novels.
To Learn More
For more information, visit the departmental website of Dr. Dan Boneh, http://crypto.
stanford.edu/~dabo/