
E-COMMERCE SECURITY THREATS And what you can do about it.

Dec 24, 2015

Gertrude Smith
Page 1: E-COMMERCE SECURITY THREATS And what you can do about it.

E-COMMERCE SECURITY THREATS

And what you can do about it

Page 2

Here are some numbers

• In America, 8 out of 10 US consumers use the internet to shop.

• In 2012, $42.3 billion was spent online during Nov-Dec alone.

• $20.4 billion was lost to cyber crime in 2012.

Page 3

The Internet is a Dangerous Place

• 604,826 million identities exposed per breach

• Targeted attacks (up 42% from 2011)
  • 50% small-medium business
  • 18% small business
  • 50% big business

• Bot nets
  • 2011: 3.1 million
  • 2012: 3.4 million

Page 4

Examples of Recent Security Breaches

• Evernote: 10 million users’ data stolen. Passwords hashed + salted. (Phishing)

• StratFor: 75,000 credit card numbers. 2.5 million emails. (Insecure CMS plugin)

• Sony: 77 million users’ data. Usernames, passwords, and credit card numbers. (Security through obscurity)

• LivingSocial: 50 million users’ data. Name, email, DOB. Passwords hashed + salted.

• 100 major universities (Harvard, Stanford, ...): 120,000+ emails, usernames, passwords. (SQL injection)

Page 5

Means of Attack

Out of your control

• Physical server security

• Trustworthy employees

• Server updates

• Usage of a firewall and intrusion detection system.

Things you can control

• Enforcing robust password practices

• Avoiding security through obscurity

• Implementing encryption for data transfers

• Properly coded SQL

• Cross Site Scripting

• Social engineering

Page 6

DDoS Attacks

Becoming more and more popular amongst internet activists, a distributed denial-of-service attack is an attempt to make resources unavailable to legitimate users.

Page 7

Too much of a good thing?

A website can be overwhelmed both legitimately and illegitimately (the Slashdot effect, or /b/).

• It is done by using a large network of “zombie” PCs to request your website at the same time, using up your bandwidth and processor power.

• They can also flood the server with TCP requests.

But how do I prevent it?

• Don’t be hated on the internet.

• Implement caching, limit the number of requests per IP, and purchase hardware.
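One way to implement the per-IP request limit mentioned above, as an added example in Python that is not part of the original slides. It assumes requests arrive as (timestamp in milliseconds, client IP) pairs, that the limit is a sliding window per IP, and that over-limit requests are rejected outright rather than queued; the sample traffic is constructed for the example.

```python
"""Per-IP sliding-window rate limiting (added example, not from the slides)."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` per `window_ms` milliseconds for each client IP."""

    def __init__(self, max_requests: int, window_ms: int) -> None:
        self.max_requests = max_requests
        self.window_ms = window_ms
        # One queue of recent request timestamps per IP address.
        self._hits = defaultdict(deque)

    def allow(self, ip: str, now_ms: int) -> bool:
        """Return True if the request at `now_ms` from `ip` is within the limit."""
        hits = self._hits[ip]
        # Evict timestamps that have fallen out of the window.
        while hits and now_ms - hits[0] >= self.window_ms:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False            # over limit: reject (HTTP 429 in practice)
        hits.append(now_ms)
        return True


# Constructed sample traffic: one IP hammering the site (30 requests in 1.5 s)
# and one ordinary visitor (2 requests in 3 s).
SAMPLE_REQUESTS = (
    [(50 * k, "203.0.113.7") for k in range(30)]
    + [(500, "198.51.100.2"), (2500, "198.51.100.2")]
)


def filter_requests(requests, max_requests: int = 10, window_ms: int = 1000):
    """Run the limiter over (timestamp_ms, ip) pairs in time order.

    Returns a dict ip -> (allowed_count, rejected_count).
    """
    limiter = SlidingWindowLimiter(max_requests, window_ms)
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        if limiter.allow(ip, ts):
            counts[ip][0] += 1
        else:
            counts[ip][1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, (ok, rejected) in filter_requests(SAMPLE_REQUESTS).items():
        print(f"{ip}: allowed={ok} rejected={rejected}")
```

With a limit of 10 requests per second, the noisy address gets 20 of its 30 requests through and 10 rejected, while the ordinary visitor is never touched. A limiter like this only helps against floods that stand out per source address; a large botnet spreads its requests across many IPs, which is why the slide also lists caching (cheaper responses) and more hardware.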

Page 8

Password Policy

• How long does it take to guess your password?

• Require a complex password for your users

• Change default passwords (WordPress admin, Linksys, ...)

• Limiting login attempts is also advisable

• These tend to be reused by users

Popularity  Password
 1          Password
 2          123456
 3          12345678
 4          abc123
 5          qwerty
 6          monkey
 7          letmein
 8          dragon
 9          111111
10          baseball
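As an added example (not from the slides), a password policy check against the list above together with the login-attempt limiter the slide recommends. The policy thresholds (at least 12 characters, not on the common list, not containing the username) and the lockout parameters are assumptions chosen for the example.

```python
"""Password policy check and login-attempt lockout (added example, not from the slides)."""
import time
from typing import Dict, List, Optional

# The ten most popular passwords from the slide, lower-cased for comparison.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty",
    "monkey", "letmein", "dragon", "111111", "baseball",
}


def check_password_policy(username: str, password: str, min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


class LoginAttemptLimiter:
    """Lock an account after too many consecutive failures, slowing online guessing."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: float = 900.0) -> None:
        self.max_attempts = max_attempts
        self.lockout = lockout_seconds
        self._failures: Dict[str, int] = {}        # consecutive failures per account
        self._locked_until: Dict[str, float] = {}  # lock expiry time per account

    def is_locked(self, username: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._locked_until.get(username, 0.0) > now

    def record_failure(self, username: str, now: Optional[float] = None) -> bool:
        """Register a failed login; return True if the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return True
        count = self._failures.get(username, 0) + 1
        if count >= self.max_attempts:
            self._locked_until[username] = now + self.lockout
            self._failures[username] = 0   # counter restarts once the lock expires
            return True
        self._failures[username] = count
        return False

    def record_success(self, username: str) -> None:
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(username, None)


if __name__ == "__main__":
    for user, pw in [("alice", "monkey"), ("alice", "correct horse battery staple")]:
        print(user, repr(pw), check_password_policy(user, pw) or "accepted")
```

A lockout of this kind is a trade-off: it stops an attacker guessing against one account at speed, but it also lets anyone lock a user out by sending wrong passwords, so per-IP limiting (as on the previous page) and an audit log of lockouts belong next to it.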

Page 9

Cool trick

This can help you make easy-to-remember passwords so you don’t have to keep using the same one on every site.

http://xkcd.com/936/

Page 10

Password Storage

• Those passwords your users choose: you can just save them in your database, or can you?

Saving them in ‘clear text’ lets you and your employees see a person’s password, which has numerous security and privacy implications. So what can you do?

• Hash them!

But this still leaves them vulnerable to brute force and rainbow table attacks.

• Salt them!

Adding random characters to the end of the user’s password before hashing it, and keeping that salt saved in a separate database, adds another step for an intruder to overcome.

Page 11

Security Through Obscurity

• Security problems are usually a matter of when they happen, not if they do

• Hiding your password list in a secret remote text file on your server might seem well hidden, but anyone can find it.

• You might be the only one who knows how that super awesome custom hashing algorithm you coded works, but that doesn’t mean someone can’t reverse engineer it and discover problems later.

• That IPX network protocol on your 110 baud modem? Just because it is old doesn’t mean no one else knows how to get in.

Page 12

SSL Encryption

Why would you want to encrypt data?

When users log on, they have to submit their username and password over the internet, and anyone along the way can read it.

Would you want your credit card number out in the open?

Page 13

Asymmetric Encryption

• Authentication and encryption

• They rely on the PKI (Public Key Infrastructure)
  • Vulnerable to man-in-the-middle (MITM) attacks

• Costly
  • Buying a certificate
  • Processing requests

[Figure: A Diffie–Hellman key exchange]
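The Diffie–Hellman exchange pictured on this slide, carried through end to end as an added Python example that is not from the slides. The group (p = 2**127 - 1, a Mersenne prime, with generator g = 2) is a toy choice so the numbers stay small; real deployments use standardised groups of 2048 bits or more. Hashing the shared value with SHA-256 to derive a key is also an assumption for the example.

```python
"""Diffie–Hellman key agreement, both sides (added example, not from the slides)."""
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus, constructed for this example (too small for real use)
G = 2            # generator


def generate_keypair(p: int = P, g: int = G):
    """Pick a random private exponent x and compute the public value g^x mod p."""
    private = secrets.randbelow(p - 2) + 1   # in [1, p-2]
    public = pow(g, private, p)
    return private, public


def shared_key(own_private: int, peer_public: int, p: int = P) -> bytes:
    """Derive the session key from the peer's public value and our own private exponent."""
    shared = pow(peer_public, own_private, p)
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(size, "big")).digest()


def run_exchange(p: int = P, g: int = G):
    """Both sides of the exchange; only a_pub and b_pub would cross the network."""
    a_priv, a_pub = generate_keypair(p, g)
    b_priv, b_pub = generate_keypair(p, g)
    key_a = shared_key(a_priv, b_pub, p)   # A computes (g^b)^a mod p
    key_b = shared_key(b_priv, a_pub, p)   # B computes (g^a)^b mod p
    return key_a, key_b


if __name__ == "__main__":
    key_a, key_b = run_exchange()
    print("keys match:", key_a == key_b)
```

Matching keys show only that each side shares a key with whoever sent it the public value, not who that was. That is the gap the slide's PKI dependency fills: TLS has the server sign the exchange with a certificate so the client can tell a genuine server from an interposed one.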

Page 14

You are not safe at Starbucks…

• So-called “Man-in-the-Middle” attacks are carried out by eavesdropping on your connection

• Using packet sniffers, they can intercept the data you send out and receive

• For more sophisticated attacks they can also spoof an IP address with the Address Resolution Protocol (ARP spoofing)

• SSL/TLS prevents this

Page 15

Cross Site Attacks

• Cross Site Scripting
  • Client-side scripts executed on webpages

• Cross Site Request Forgery
  • Unencrypted form links

• Prevention?
  • Whitelist and escape user input
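The "whitelist and escape" prevention from this slide, as an added Python example that is not from the slides. It assumes a username may contain only letters, digits, dot, underscore or hyphen (the whitelist), that free-text comment bodies are escaped on output with the standard library's `html.escape`, and that the rendered fragment is the hypothetical comment markup shown in the code.

```python
"""Whitelist validation and output escaping against XSS (added example, not from the slides)."""
import html
import re

# Whitelist: only these characters, 1 to 32 of them, are a valid username.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def validate_username(value: str) -> bool:
    """Accept the value only if every character is on the whitelist."""
    return USERNAME_RE.fullmatch(value) is not None


def render_comment(author: str, body: str) -> str:
    """Build the HTML fragment, escaping every user-controlled value on output.

    Escaping turns < > & " ' into entities, so a body that contains markup is
    displayed as text instead of being parsed as part of the page.
    """
    if not validate_username(author):
        raise ValueError("invalid username")
    return (
        f'<div class="comment"><b>{html.escape(author)}</b>: '
        f'{html.escape(body)}</div>'
    )


# Constructed sample input: a comment body that contains a script tag.
SAMPLE_BODY = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_comment("alice", SAMPLE_BODY))
```

Escaping must happen at the point of output and for the context in question (HTML body here; attribute values and JavaScript strings need their own rules), which is why the whitelist on input is a complement and not a replacement: it keeps the username simple, but the free-text body still has to be escaped wherever it is rendered.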

Page 16

SQL Injections

• Number one threat since 2010
  • According to the Open Web Application Security Project (OWASP)

• Easy to execute

• Severe organizational impact

Page 17

SQL Injections, how do they work?

• An innocent SQL statement:
  "SELECT * FROM users WHERE name = '" + userName + "';"

• Replace the userName variable with:
  a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

• The new command becomes:
  SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

• And that is how someone just deleted your user table!

Page 18

SQL Injection Prevention

• Use parameters to restrict user input
  SqlCommand cmd = new SqlCommand("SELECT * FROM users WHERE name = @name", connection);
  cmd.Parameters.AddWithValue("@name", userName);
  • Searches for the literal username “a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't” instead of executing it

• Grant necessary permissions only
  • Authorize read on selected information
  • Example: deny SELECT ON sys.TABLES TO webdatabaselogon;

• Deny or limit xp_cmdshell
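The injection from the previous page next to the parameterised fix from this one, as an added Python example that is not from the slides. It uses the standard library's sqlite3 module with an in-memory database and constructed sample rows; the vulnerable path runs the concatenated text with `executescript()` so that several statements execute, as the slide's example assumes the database will, while the fixed path binds the user-supplied value as a parameter.

```python
"""String-built SQL versus a parameterised query (added example, not from the slides)."""
import sqlite3

# The value the slide substitutes for userName (the application appends the closing "';").
PAYLOAD = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (name TEXT);
        INSERT INTO users VALUES ('alice'), ('bob');
        CREATE TABLE userinfo (name TEXT, email TEXT);
        INSERT INTO userinfo VALUES ('alice', 'alice@example.com');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> None:
    """The slide's innocent statement: user input becomes part of the SQL text."""
    sql = "SELECT * FROM users WHERE name = '" + user_name + "';"
    conn.executescript(sql)      # runs every statement in the text


def lookup_parameterised(conn: sqlite3.Connection, user_name: str) -> list:
    """The fix: the value is bound as a parameter and can only ever be data."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo():
    """Return (users table dropped?, rows from the safe lookup, users table intact?)."""
    vulnerable = fresh_db()
    lookup_vulnerable(vulnerable, PAYLOAD)
    dropped = not table_exists(vulnerable, "users")

    safe = fresh_db()
    rows = lookup_parameterised(safe, PAYLOAD)   # searches for the literal string
    intact = table_exists(safe, "users")
    return dropped, rows, intact


if __name__ == "__main__":
    dropped, rows, intact = demo()
    print("vulnerable path dropped users table:", dropped)   # True
    print("parameterised lookup returned:", rows)             # [] (no such user)
    print("users table still there:", intact)                 # True
```

The parameterised lookup returns no rows because no user is literally named after the payload, and the table survives. SQLite has no GRANT/DENY, so the slide's second defence is not shown here; on SQL Server the `deny SELECT` example and a login without DROP rights would mean that even a successful injection could not remove the table.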

Page 19

Dear Friend, I have an exciting business opportunity for you!

How do they do it?

• Scammers may also attempt to trick you or your employees into handing out private information

• They may spoof their emails or phone calls to phish for specific data

• Fake letters to renew your domain name from an unknown host

Is there a way to avoid it?

• Not really, but being skeptical and educated about new threats will let you avoid falling for these types of scams

• Spam filters are nice too

Page 20

Pro Tips

Things to avoid

• Reusing the same password

• Falling for email scams

• Using insecure connection methods

• Giving too much information in error messages

• Letting users upload files

Things to do

• Change your default passwords

• Encrypt personal data

• Enforce user policies

• Examine security/event logs

• Validate your forms for malicious code

Page 21

THE END

Any questions?