Chapter 10: Electronic Commerce Security

Online Security Issues Overview
• Computer security
  - The protection of assets from unauthorized access, use, alteration, or destruction
• Physical security
  - Includes tangible protection devices
• Logical security
  - Protection of assets using nonphysical means
• Threat
  - Any act or object that poses a danger to computer assets
Terms - Countermeasure
Managing Risk
 General name for a procedure that recognizes, reduces, or
eliminates a threat
 Eavesdropper
 Person or device that can listen in on and copy Internet
transmissions
 Crackers or hackers
 Write programs or manipulate technologies to obtain
unauthorized access to computers and networks

Computer Security Classification
• Secrecy/Confidentiality
  - Protecting against unauthorized data disclosure
• Technical issues
• Privacy
  - The ability to ensure the use of information about oneself
  - Legal Issues
• Integrity
  - Preventing unauthorized data modification by an unauthorized party
• Necessity
  - Preventing data delays or denials (removal)
• Nonrepudiation
  - Ensure that e-commerce participants do not deny (i.e., repudiate) their online actions
• Authenticity
  - The ability to identify the identity of a person or entity with whom you are dealing on the Internet

Some solutions

Exercise
• Visit the Copyright Web site:
  - http://www.benedict.com/
• Check out examples of copyright infringement:
  - Audio arts
  - Visual arts
  - Digital arts
• Read comments under “Info”

Security Threats in the E-commerce Environment
• Three key points of vulnerability
  - the client
  - communications pipeline
  - the server

Active Content
• Active content refers to programs embedded transparently in Web pages that cause an action to occur
• Scripting languages
  - Provide scripts, or commands, that are executed
• Applet
  - Small application program
  - Java
  - ActiveX
• Trojan horse
  - Program hidden inside another program or Web page that masks its true purpose
• Zombie
  - Program that secretly takes over another computer to launch attacks on other computers
  - Attacks can be very difficult to trace to their creators

Viruses, Worms, and Antivirus Software
• Virus
  - Software that attaches itself to another program
  - Can cause damage when the host program is activated
• Macro virus
  - Type of virus coded as a small program (macro) and embedded in a file
• Antivirus software
  - Detects viruses and worms

Digital Certificates
• A digital certificate is a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be
• A certificate is signed code or messages that provide proof that the holder is the person identified by the certificate
• Certification authority (CA) issues digital certificates
• Main elements:
  - Certificate owner’s identifying information
  - Certificate owner’s public key
  - Dates between which the certificate is valid
  - Name of the certificate issuer
  - Serial number of the certificate
  - Digital signature of the certificate issuer

Communication Channel Security
• Recall that secrecy is the prevention of unauthorized information disclosure
• Privacy is the protection of individual rights to nondisclosure
• Sniffer programs
  - Provide the means to record information passing through a computer or router that is handling Internet traffic
• Demonstration of working of a Java implementation of a Packet Sniffer

Other Threats

Integrity
• Integrity threats exist when an unauthorized party can alter a message stream of information
• Cybervandalism
  - Electronic defacing of an existing Web site’s page
• Masquerading or spoofing
  - Pretending to be someone you are not
• Domain name servers (DNSs)
  - Computers on the Internet that maintain directories that link domain names to IP addresses

Anonymizer
• A Web site that provides a measure of secrecy as long as it’s used as the portal to the Internet
• http://www.anonymizer.com

Necessity
• Purpose is to disrupt or deny normal computer processing
• DoS attacks
  - Remove information altogether
  - Delete information from a transmission or file

Wireless Network Threats
• Wardrivers
  - Attackers drive around using their wireless-equipped laptop computers to search for accessible networks
• Warchalking
  - When wardrivers find an open network they sometimes place a chalk mark on the building

Tools Available to Achieve Site Security

Encryption
• Transforms plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver.
• Purpose:
  - to secure stored information
  - to secure information transmission.
• Cipher text
  - text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver

Symmetric Key Encryption
• DES standard most widely used

Group Exercise
• Julius Caesar supposedly used secret codes known today as Caesar Cyphers. The simplest replaces A with B, B with C etc. This is called a one-rotate code. The following is encrypted using a simple Caesar rotation cypher. See if you can decrypt it:
  - Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd kwtr ymj xjsfyj ytifd.

Encryption
• Public key cryptography
  - Uses two mathematically related digital keys: a public key and a private key.
  - The private key is kept secret by the owner, and the public key is widely disseminated.
  - Both keys can be used to encrypt and decrypt a message.
  - A key used to encrypt a message cannot be used to unencrypt the message

Public Key Cryptography with Digital Signatures

Public Key Cryptography: Creating a Digital Envelope

Securing Channels of Communications
• Secure Sockets Layer (SSL) is the most common form of securing channels
• Secure negotiated session
  - client-server session where the requested document URL, contents, forms, and cookies are encrypted.
• Session key is a unique symmetric encryption key chosen for a single secure session

Firewalls
• Software or hardware and software combination installed on a network to control packet traffic
  - Provides a defense between the network to be protected and the Internet, or other network that could pose a threat
• Characteristics
  - All traffic from inside to outside and from outside to inside the network must pass through the firewall
  - Only authorized traffic is allowed to pass
  - Firewall itself is immune to penetration
• Trusted networks are inside the firewall
• Untrusted networks are outside the firewall
• Packet-filter firewalls
  - Examine data flowing back and forth between a trusted network and the Internet
• Gateway servers
  - Firewalls that filter traffic based on the application requested
• Proxy server firewalls
  - Firewalls that communicate with the Internet on the private network’s behalf

Security Policy and Integrated Security
• A security policy is a written statement describing:
  - Which assets to protect and why they are being protected
  - Who is responsible for that protection
  - Which behaviors are acceptable and which are not
• First step in creating a security policy
  - Determine which assets to protect from which threats
• Elements of a security policy address:
  - Authentication
  - Access control
  - Secrecy
  - Data integrity
  - Audits
Protection of Information Assets CISA 2006 Exam Preparation

Tension Between Security and Other Values
• Ease of use
  - Often security slows down processors and adds significantly to data storage demands. Too much security can harm profitability; not enough can mean going out of business.
• Public Safety & Criminal Use
  - Claims of individuals to act anonymously vs. needs of public officials to maintain public safety in light of criminals or terrorists.

Some questions
• Can Internet security measures actually create opportunities for criminals to steal? How?
• Why are some online merchants hesitant to ship to international addresses?
• What are some steps a company can take to thwart cybercriminals from within a business?
• Is a computer with anti-virus software protected from viruses? Why or why not?
• What are the differences between encryption and authentication?
• Discuss the role of administration in implementing a security policy.

Security for Server Computers
• Web server
  - Can compromise secrecy if it allows automatic directory listings
  - Can compromise security by requiring users to enter a username and password
• Dictionary attack programs
  - Cycle through an electronic dictionary, trying every word in the book as a password
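
A defender's view of the dictionary attack described above, as an added example that is not part of the original slides: it flags any source address that reaches five failed logins inside a 60-second window. The log format, threshold and window are assumptions of this example, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO timestamp, source IP, username, result).
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 admin FAIL
2024-01-01T10:00:01 203.0.113.7 admin FAIL
2024-01-01T10:00:02 198.51.100.4 carol FAIL
2024-01-01T10:00:02 203.0.113.7 admin FAIL
2024-01-01T10:00:03 203.0.113.7 admin FAIL
2024-01-01T10:00:04 203.0.113.7 admin FAIL
2024-01-01T10:00:05 203.0.113.7 admin FAIL
2024-01-01T10:04:30 198.51.100.4 carol FAIL
2024-01-01T10:04:55 198.51.100.4 carol OK
""".splitlines()


def find_guessing_sources(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {source_ip: time of the failure that reached max_failures within window}."""
    recent = defaultdict(deque)  # source IP -> timestamps of its recent failed logins
    flagged = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        stamp, source, _user, result = fields
        if result != "FAIL":
            continue
        when = datetime.fromisoformat(stamp)
        failures = recent[source]
        failures.append(when)
        # Drop failures that have aged out of the sliding window.
        while when - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_failures and source not in flagged:
            flagged[source] = when
    return flagged


if __name__ == "__main__":
    for source, when in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{when.isoformat()} possible password guessing from {source}")
```

A user who mistypes a password twice several minutes apart, like the second address in the sample, stays below the threshold and is not flagged.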

Other Programming Threats
• Buffer
  - An area of memory set aside to hold data read from a file or database
• Buffer overrun
  - Occurs because the program contains an error or bug that causes the overflow
• Mail bomb
  - Occurs when hundreds or even thousands of people each send a message to a particular address

Organizations that Promote Computer Security
• CERT
  - Responds to thousands of security incidents each year
  - Helps Internet users and companies become more knowledgeable about security risks
  - Posts alerts to inform the Internet community about security events
  - www.cert.org
• SANS Institute
  - A cooperative research and educational organization
  - SANS Internet Storm Center
    - Web site that provides current information on the location and intensity of computer attacks
• Microsoft Security Research Group
  - Privately sponsored site that offers free information about computer security issues