Chapter 10: Electronic Commerce Security

Chapter 10: Electronic Commerce Security. Online Security Issues Overview. Computer security: The protection of assets from unauthorized access, use, alteration,

Dec 21, 2015

Page 1: Chapter 10: Electronic Commerce Security

Page 2: Online Security Issues Overview

Computer security: The protection of assets from unauthorized access, use, alteration, or destruction

Physical security: Includes tangible protection devices

Logical security: Protection of assets using nonphysical means

Threat: Any act or object that poses a danger to computer assets

Page 3: Managing Risk

Terms:

Countermeasure: General name for a procedure that recognizes, reduces, or eliminates a threat

Eavesdropper: Person or device that can listen in on and copy Internet transmissions

Crackers or hackers: Write programs or manipulate technologies to obtain unauthorized access to computers and networks

Page 4: Computer Security Classification

Secrecy/Confidentiality: Protecting against unauthorized data disclosure (technical issues)

Privacy: The ability to ensure the use of information about oneself (legal issues)

Integrity: Preventing data modification by an unauthorized party

Necessity: Preventing data delays or denials (removal)

Nonrepudiation: Ensuring that e-commerce participants do not deny (i.e., repudiate) their online actions

Authenticity: The ability to identify the person or entity with whom you are dealing on the Internet

Page 5: Some solutions --

Page 6: Exercise

Visit the Copyright Web site: http://www.benedict.com/

Check out examples of copyright infringement: audio arts, visual arts, digital arts

Read the comments under “Info”

Page 7: Security Threats in the E-commerce Environment

Three key points of vulnerability: the client, the communications pipeline, and the server

Page 8: Active Content

Active content refers to programs embedded transparently in Web pages that cause an action to occur

Scripting languages: Provide scripts, or commands, that are executed

Applet: Small application program (Java, ActiveX)

Trojan horse: Program hidden inside another program or Web page that masks its true purpose

Zombie: Program that secretly takes over another computer to launch attacks on other computers; such attacks can be very difficult to trace to their creators

Page 9: Viruses, Worms, and Antivirus Software

Virus: Software that attaches itself to another program; can cause damage when the host program is activated

Macro virus: Type of virus coded as a small program (macro) and embedded in a file

Antivirus software: Detects viruses and worms

Page 10: Digital Certificates

A digital certificate is a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be

A certificate is signed code or messages that provide proof that the holder is the person identified by the certificate

Certification authority (CA): Issues digital certificates

Main elements:

Certificate owner’s identifying information

Certificate owner’s public key

Dates between which the certificate is valid

Serial number of the certificate

Name of the certificate issuer

Digital signature of the certificate issuer

Page 11: Communication Channel Security

Recall that:

Secrecy is the prevention of unauthorized information disclosure

Privacy is the protection of individual rights to nondisclosure

Sniffer programs: Provide the means to record information passing through a computer or router that is handling Internet traffic

Demonstration of the working of a Java implementation of a packet sniffer

Page 12: Other Threats

Integrity: Integrity threats exist when an unauthorized party can alter a message stream of information

Cybervandalism: Electronic defacing of an existing Web site’s page

Masquerading or spoofing: Pretending to be someone you are not

Domain name servers (DNSs): Computers on the Internet that maintain directories that link domain names to IP addresses

Necessity: Purpose is to disrupt or deny normal computer processing

DoS attacks: Remove information altogether; delete information from a transmission or file

Wireless Network Threats

Wardrivers: Attackers drive around using their wireless-equipped laptop computers to search for accessible networks

Warchalking: When wardrivers find an open network they sometimes place a chalk mark on the building

Anonymizer: A Web site that provides a measure of secrecy as long as it’s used as the portal to the Internet (http://www.anonymizer.com)

Page 13: Tools Available to Achieve Site Security

Page 14: Encryption

Transforms plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver. Purpose: to secure stored information and to secure information transmission.

Cipher text: Text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver

Symmetric key encryption: The DES standard is the most widely used

Page 15: Group Exercise

Julius Caesar supposedly used secret codes known today as Caesar Cyphers. The simplest replaces A with B, B with C etc. This is called a one-rotate code. The following is encrypted using a simple Caesar rotation cypher. See if you can decrypt it:

Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd kwtr ymj xjsfyj ytifd.
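A Caesar rotation shifts every letter the same number of places, so there are only 25 useful keys and the cipher is broken by trying them all. The cracker below is an added example for the group exercise (constructed for this page, not the textbook's code); the word list it scores candidates against is an assumption, a handful of common English words.

```python
# Added example: brute-forcing the slide's Caesar rotation cipher.
import string

# Constructed list of common English words used to recognise readable text.
COMMON_WORDS = {"the", "of", "and", "to", "a", "in", "is", "you", "that", "it",
                "for", "on", "are", "as", "with", "this", "from", "have", "or",
                "by", "one", "not", "but", "what", "all", "your", "can", "an",
                "do", "how", "if", "we", "at", "be", "my", "was", "were"}

def rotate(text, k):
    """Shift each letter k places (k=1 is the slide's one-rotate code), keeping
    case and leaving digits, spaces and punctuation alone."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def score(candidate):
    """Count tokens that are common English words after stripping punctuation."""
    words = candidate.lower().translate(str.maketrans("", "", string.punctuation)).split()
    return sum(w in COMMON_WORDS for w in words)

def crack(ciphertext):
    """Try all 26 shifts; return the shift the sender used and the plaintext."""
    shift = max(range(26), key=lambda k: score(rotate(ciphertext, -k)))
    return shift, rotate(ciphertext, -shift)

# The ciphertext from the slide.
CIPHERTEXT = "Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd kwtr ymj xjsfyj ytifd."

if __name__ == "__main__":
    shift, plaintext = crack(CIPHERTEXT)
    print(f"shift {shift}: {plaintext}")
```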

Page 16: Encryption

Public key cryptography uses two mathematically related digital keys: a public key and a private key. The private key is kept secret by the owner, and the public key is widely disseminated.

Both keys can be used to encrypt and decrypt a message.

A key used to encrypt a message cannot be used to decrypt that message.

Page 17: Public Key Cryptography with Digital Signatures

Page 18: Public Key Cryptography: Creating a Digital Envelope
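The three preceding slides (the two related keys, digital signatures, the digital envelope) and the certificate elements on page 10 fit together in one toy: a CA key pair signs the six certificate fields, anyone holding the CA public key verifies them, and a symmetric session key is sealed under the site's public key. This is an added example, not the textbook's or any library's code; the primes, names and dates are constructed and the textbook RSA it uses is for teaching only.

```python
# Added toy example: textbook RSA with tiny primes; never use for real data.
import hashlib

def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def keygen(p, q, e=65537):
    """Return (public_key, private_key), each an (exponent, modulus) pair."""
    assert is_prime(p) and is_prime(q)
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)      # private exponent d = e^-1 mod phi

def apply_key(key, m):
    """Raise integer m to the key's exponent mod n. One key encrypts, the related
    key reverses it; applying the same key twice does not recover m."""
    exp, n = key
    return pow(m, exp, n)

def digest(data, n):
    """Hash bytes to an integer below the (toy-sized) modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def make_cert(owner, owner_pub, not_before, not_after, serial, issuer, issuer_priv):
    """The slide's six elements; the issuer signs a hash of the first five."""
    cert = {"owner": owner, "public_key": owner_pub, "not_before": not_before,
            "not_after": not_after, "serial": serial, "issuer": issuer}
    to_be_signed = repr(sorted(cert.items())).encode()
    cert["signature"] = apply_key(issuer_priv, digest(to_be_signed, issuer_priv[1]))
    return cert

def verify_cert(cert, issuer_pub):
    """Anyone with the CA's public key can check the signature; any change to
    the signed fields makes the recomputed hash differ."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    to_be_signed = repr(sorted(fields.items())).encode()
    return apply_key(issuer_pub, cert["signature"]) == digest(to_be_signed, issuer_pub[1])

def seal_session_key(session_key, recipient_pub):
    """Digital envelope: the symmetric session key travels encrypted under the
    recipient's public key, so only the private-key holder can open it."""
    return apply_key(recipient_pub, session_key)

def open_session_key(sealed, recipient_priv):
    return apply_key(recipient_priv, sealed)

if __name__ == "__main__":
    ca_pub, ca_priv = keygen(10007, 10009)        # constructed CA key pair
    site_pub, site_priv = keygen(10037, 10039)    # constructed site key pair
    cert = make_cert("shop.example", site_pub, "2015-01-01", "2016-01-01", 1, "Toy CA", ca_priv)
    print("certificate verifies:", verify_cert(cert, ca_pub))
```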

Page 19: Securing Channels of Communications

Secure Sockets Layer (SSL) is the most common form of securing channels

Secure negotiated session: Client-server session where the requested document URL, contents, forms, and cookies are encrypted

Session key: A unique symmetric encryption key chosen for a single secure session

Page 20: Firewalls

Software or hardware and software combination installed on a network to control packet traffic

Provides a defense between the network to be protected and the Internet, or other network that could pose a threat

Characteristics:

All traffic from inside to outside and from outside to inside the network must pass through the firewall

Only authorized traffic is allowed to pass

Firewall itself is immune to penetration

Trusted networks are inside the firewall

Untrusted networks are outside the firewall

Packet-filter firewalls: Examine data flowing back and forth between a trusted network and the Internet

Gateway servers: Firewalls that filter traffic based on the application requested

Proxy server firewalls: Firewalls that communicate with the Internet on the private network’s behalf
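The packet-filter characteristics above can be shown in a few lines: each packet is classified as inbound or outbound relative to a trusted network, rules are checked first-match, and anything not explicitly allowed is dropped. This is an added example constructed for this page, not the textbook's code; the trusted network range, the addresses and the rule set are assumptions.

```python
# Added example: a toy packet-filter firewall with default deny.
import ipaddress
from collections import namedtuple

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed: network inside the firewall

Packet = namedtuple("Packet", "src dst proto dport")          # proto: "tcp"/"udp"
# direction: "inbound" (outside -> inside) or "outbound"; dport None = any port;
# dst_net: CIDR the destination must fall in, None = any; action: "allow"/"deny"
Rule = namedtuple("Rule", "direction proto dport dst_net action")

def direction(pkt):
    """Trusted hosts are inside the firewall; untrusted hosts are outside."""
    src_in = ipaddress.ip_address(pkt.src) in TRUSTED_NET
    dst_in = ipaddress.ip_address(pkt.dst) in TRUSTED_NET
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "other"          # inside-to-inside or outside-to-outside: no rule matches

def matches(rule, pkt):
    return (rule.direction == direction(pkt) and rule.proto == pkt.proto
            and rule.dport in (None, pkt.dport)
            and (rule.dst_net is None
                 or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)))

def decide(pkt, rules):
    """First matching rule wins; unmatched traffic is dropped, so only
    explicitly authorized traffic passes in either direction."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed policy: inside users may browse the web and resolve names;
# outsiders may reach only the public web server, and only on port 443.
RULES = [
    Rule("outbound", "tcp", 80, None, "allow"),
    Rule("outbound", "tcp", 443, None, "allow"),
    Rule("outbound", "udp", 53, None, "allow"),
    Rule("inbound", "tcp", 443, "10.0.0.10/32", "allow"),
]

if __name__ == "__main__":
    print(decide(Packet("198.51.100.7", "10.0.0.10", "tcp", 23), RULES))   # deny
```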

Page 21: Security Policy and Integrated Security

A security policy is a written statement describing:

Which assets to protect and why they are being protected

Who is responsible for that protection

Which behaviors are acceptable and which are not

First step in creating a security policy: Determine which assets to protect from which threats

Elements of a security policy address:

Authentication

Access control

Secrecy

Data integrity

Audits

Protection of Information Assets CISA 2006 Exam Preparation


Page 22: Tension Between Security and Other Values

Ease of use: Often security slows down processors and adds significantly to data storage demands. Too much security can harm profitability; not enough can mean going out of business.

Public safety & criminal use: Claims of individuals to act anonymously vs. needs of public officials to maintain public safety in light of criminals or terrorists.

Page 23: Some questions

Can internet security measures actually create opportunities for criminals to steal? How?

Why are some online merchants hesitant to ship to international addresses?

What are some steps a company can take to thwart cyber-criminals from within a business?

Is a computer with anti-virus software protected from viruses? Why or why not?

What are the differences between encryption and authentication?

Discuss the role of administration in implementing a security policy.

Page 24: Security for Server Computers

Web server: Can compromise secrecy if it allows automatic directory listings

Can compromise security by requiring users to enter a username and password

Dictionary attack programs: Cycle through an electronic dictionary, trying every word in the book as a password
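From the server side, a dictionary attack looks like a burst of failed logins against one account, so a Web server's login log is the place to catch it. The detector below is an added example (constructed for this page, not from the textbook): it counts failures per account in a sliding window and also flags a success that follows such a burst. The log format, window and threshold are assumed values and the log lines are constructed.

```python
# Added example: spotting a dictionary attack in constructed login-log lines.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # assumed sliding window
THRESHOLD = 5                   # failures within WINDOW that raise an alert

def parse(line):
    """'2015-12-21T10:00:01 FAIL user=alice src=198.51.100.7' -> (ts, result, user, src)"""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect_dictionary_attacks(lines):
    """Return (kind, user, src, ts) alerts: a burst of failures against one
    account, and a success right after such a burst (a guess probably worked)."""
    recent = defaultdict(deque)     # user -> timestamps of failures within WINDOW
    alerts, flagged = [], set()
    for line in lines:
        ts, result, user, src = parse(line)
        q = recent[user]
        while q and ts - q[0] > WINDOW:
            q.popleft()             # drop failures that fell out of the window
        if result == "OK":
            if len(q) >= THRESHOLD:
                alerts.append(("success-after-failures", user, src, ts))
            q.clear()
            flagged.discard(user)
            continue
        q.append(ts)
        if len(q) >= THRESHOLD and user not in flagged:
            flagged.add(user)       # alert once per burst, not on every failure
            alerts.append(("dictionary-attack", user, src, ts))
    return alerts

# Constructed log: six failures against alice from one source in half a
# minute, then a success; bob has one failure followed by a normal login.
LOG = """\
2015-12-21T10:00:01 FAIL user=alice src=198.51.100.7
2015-12-21T10:00:03 FAIL user=bob src=203.0.113.9
2015-12-21T10:00:05 FAIL user=alice src=198.51.100.7
2015-12-21T10:00:09 FAIL user=alice src=198.51.100.7
2015-12-21T10:00:12 FAIL user=alice src=198.51.100.7
2015-12-21T10:00:15 FAIL user=alice src=198.51.100.7
2015-12-21T10:00:20 OK user=bob src=203.0.113.9
2015-12-21T10:00:25 FAIL user=alice src=198.51.100.7
2015-12-21T10:00:30 OK user=alice src=198.51.100.7
""".splitlines()
```

Account lockout or rate limiting after the threshold is the usual countermeasure; the alert gives the operator the account and source to act on.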

Page 25: Other Programming Threats

Buffer: An area of memory set aside to hold data read from a file or database

Buffer overrun: Occurs because the program contains an error or bug that causes the overflow

Mail bomb: Occurs when hundreds or even thousands of people each send a message to a particular address

Page 26: Organizations that Promote Computer Security

CERT

Responds to thousands of security incidents each year

Helps Internet users and companies become more knowledgeable about security risks

Posts alerts to inform the Internet community about security events

www.cert.org

SANS Institute: A cooperative research and educational organization

SANS Internet Storm Center: Web site that provides current information on the location and intensity of computer attacks

Microsoft Security Research Group: Privately sponsored site that offers free information about computer security issues