E-commerce Chapter 5
The symmetric key—which the recipient will require to decrypt the document—is itself encrypted, using the recipient's public key. So we have a _______.
"key within a key" (a digital envelope).
digital signature (e-signature)
"signed" cipher text that can be sent over the internet
In 2017, a survey by Ponemon Institute found that the average annualized cost of cybercrime for all 254 organizations in the study was_____________.
$11.7 million
Malicious code
(sometimes referred to as "malware") includes a variety of threats such as viruses, worms, Trojan horses, ransomware, and bots.
Symmetric key cryptography suffers from common flaws:
1. computers are so powerful and fast that these ancient means of encryption can be broken quickly 2. it requires that both parties share the same key. 3. For a team, companies would need a secret key for each of the parties with whom the company will transact with
Modern digital encryption systems use keys with _______________________ binary digits.
56, 128, 256, or 512
Botnets
A collection of captured computers used for malicious activities such as sending spam, participating in a DDoS attack or credential stuffing campaign (malicious login attempts), stealing information from computers, and storing network traffic for later analysis.
The most widely used symmetric key algorithm is _______.
Advanced Encryption Standard (AES)
What can we can conclude about the overall size of cybercrime?
Cybercrime against e-commerce sites is dynamic and changing all the time, with new risks appearing often. The amount of losses to businesses is significant and growing.
_________ is currency to cybercriminals and has a "street value" that can be monetized.
Data
Advances in technology have greatly reduced the entry costs and skills required to enter the cybercrime business because ________
Low-cost and readily available web attack kits enable hackers to create malware without having to write software from scratch.
______________________ use an application-centric approach to firewall control.
Next-generation firewalls
typically do not involve malicious code but instead rely on straightforward misrepresentation and fraud
Phishing attacks
_______ solves the problem of exchanging keys.
Public key cryptogrophy
_________________ provides data encryption, server authentication, optional client authentication, and message integrity for TCP/IP connections.
SSL/TLS
The most common form of securing channels is through the ________________.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
_____________ was used extensively throughout World War II and is still a part of Internet cryptography.
Symmetric key cryptography
How do the sender and the receiver have the same key?
They have to send it over some communication media or exchange the key in person
E-commerce merchants have two concerns related to privacy.
They must establish internal policies that govern their own use of customer information, and they must protect that information from illegitimate or unauthorized use.
Cybercrime against e-commerce sites is dynamic and changing all the time, with new risks appearing often.
True
Next-generation firewalls are able to identify applications regardless of the port, protocol, or security evasion tools used; identify users regardless of device or IP address; decrypt outbound SSL; and protect in real-time against threats embedded in applications.
True
The Trojan horse is not itself a virus because it does not replicate, but is often a way for viruses or other malicious code such as bots or rootkits to be introduced into a computer system.
True
The firewall controls traffic to and from servers and clients, forbidding communications from untrustworthy sources, and allowing other communications from trusted sources to proceed
True
The most prevalent types of attacks were malware, such as viruses, worms, and Trojans, experienced by 98% of the companies surveyed, followed by phishing and social engineering attacks (69%), web-based attacks (67%), botnets (63%), malicious code (58%), and denial of service attacks (53%) (Ponemon Institute/Accenture, 2017).
True
secure negotiated session
a client-server session in which the URL of the requested document, along with the contents, contents of forms, and the cookies exchanged, are encrypted
spyware
a program used to obtain information such as a user's keystrokes, e-mail, instant messages, and so on
Good e-commerce security requires _________________________________________________ that, to the extent feasible, protect individuals and organizations from unexpected behavior in the e-commerce marketplace.
a set of laws, procedures, policies, and technologies
digital envelope
a technique that uses symmetric encryption for large documents, but public key cryptography to encrypt and send the symmetric key
Application gateways
a type of firewall that filters communications based on the application being requested, rather than the source or destination of the message
ransomeware
a type of malware (often a worm) that locks your computer or files to stop you from accessing them.
session key
a unique symmetric encryption key chosen for a single secure session, once used it is gone forever
Spam (junk) websites
also referred to as link farms; promise to offer products or services, but in fact are just collections of advertisements
hash function
an algorithm that produces a fixed-length number called a hash or message digest
BEC (business e-mail compromise) phishing
an attacker poses as a high-level employee of a company and requests that another employee transfer funds to a fraudulent account.
phishing
any deceptive, online attempt by a third party to obtain confidential information for financial gain Ex. Nigerian letter scam
Trojan horse
appears to be benign, but then does something other than expected. Often a way for viruses or other malicious code to be introduced into a computer system
The recipient of this signed cipher text first uses the sender's public key to ______________.
authenticate the message
Some elements of security are missing in public key cryptography. We can be quite sure the message was not understood or read by a third party; however, there is no assurance the message was not altered somehow in transit, there is no guarantee the sender really is the sender; that is, there is no _____________________.
authentication of the sender
Spoofing threatens _________
authenticity and integrity.
Spoofing a website sometimes involves pharming,
automatically redirecting a web link to an address different from the intended one, with the site masquerading as the intended destination
Digital envelope saves time because ___________________.
both encryption and decryption are faster with symmetric keys.
Symmetric Key Cryptography Secret key cryptography
both the sender and the receiver use the same key to encrypt and decrypt the message
SSL/TLS addresses the issue of authenticity
by allowing users to verify another user's identity or the identity of a server.
access controls
determine who can gain legitimate access to a network
Data Encryption Standard (DES)
developed by the National Security Agency (NSA) and IBM. Uses a 56-bit encryption key
To ensure the authenticity of the message and to ensure nonrepudiation, the sender encrypts the entire block of cipher text one more time using the sender's private key. This produces a ______________________.
digital signature
The ciphers or keys used to transform plain text into cipher text are
digital strings.
Proxy servers are sometimes called ____________ because they have two network interfaces.
dual-home systems
Facebook and Twitter have begun to use SSL/TLS for a variety of reasons, including the ability to thwart account hijacking using Firesheep over wireless networks by
encrypting cookies.
Triple DES Encryption Algorithm (TDEA)
encrypting the message three times, each with a separate key
Packet filters
examine data packets to determine whether they are destined for a prohibited port or originate from a prohibited IP address
intrusion detection system (IDS)
examines network traffic, watching to see if it matches certain patterns or preconfigured rules indicative of an attack
social engineering
exploitation of human fallibility and gullibility to distribute malware
Trojan horses are often used for _______ distributed via botnets.
financial malware
Outsider access controls include
firewalls and proxy servers
Hackers often demand victims pay using
g Bitcoin so their transactions are hidden from authorities.
To internal computers, a proxy server is known as the ____________.
gateway
A digital signature is a close parallel to a _______________________.
handwritten signature
intrusion prevention system (IPS)
has all the functionality of an IDS, with the additional ability to take steps to prevent and block suspicious activities
To check the integrity of a message and ensure it has not been altered in transit, a ___________________ is used first to create a digest of the message.
hash function
More complex hash functions produce_________________ that are unique to every message. The results of applying the hash function are sent by the sender to the recipient. Upon receipt, the recipient applies the hash function to the received message and checks to verify the same result is produced. If so, the message has not been altered. The sender then encrypts both the hash result and the original message using the recipient's public key, producing a single block of cipher text.
hashes or hash results
There are six key dimensions to e-commerce security:___________ E-commerce security is designed to protect these six dimensions.
integrity, nonrepudiation, authenticity, confidentiality, privacy, and availability.
spoofing
involves attempting to hide a true identity by using someone else's e-mail or IP address
Public key cryptography is based on the idea of
irreversible mathematical functions.
one-way irreversible mathematical function
is one in which, once the algorithm is applied, the input cannot be subsequently derived from the output
One downside of the packet filtering method ______________.
is that it is susceptible to spoofing, because authentication is not one of its roles.
SSL/TLS also protects the integrity of the messages exchanged. However, once the merchant receives the encrypted credit and order information, that information _____________.
is typically stored in unencrypted format on the merchant's servers.
While SSL/TLS provides secure transactions between merchant and consumer, ____________.
it only guarantees server-side authentication. Client authentication is optional
private key
key is kept secret by the owner
public key
key is widely disseminated
Proxies act primarily to ______________, although some proxy servers act as firewalls as well.
limit access of internal clients to external Internet servers
Insider access controls typically consist of
login procedures (usernames, passwords, and access codes).
To external computers, a proxy server is known as a _______________.
mail server or numeric address.
worm
malware that is designed to spread from computer to computer
Spoofing
misrepresenting oneself online, or claiming to be someone they are not
Like a handwritten signature, a digital signature is unique ____________.
only one person presumably possesses the private key.
There are two major methods firewalls use to validate traffic:
packet filters and application gateways.
Application gateways also process requests at the application level, farther away from the client computer than packet filters. By providing a central filtering point, application gateways ___________.
provide greater security than packet filters but can compromise system performance.
Often display a notice that says an authority such as the FBI, Department of Justice, or IRS has detected illegal activity on your computer and demands that you pay a fine in order to unlock the computer and avoid prosecution.
ransomware
firewall
refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy
proxy server (proxy)
software server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization
Firewalls can filter traffic based on packet attributes such as ______________.
source IP address, destination port or IP address, type of service, the domain name of the source, and many other dimensions.
Packet filters specifically look at the ____________________, when determining whether the information may be transmitted.
source and destination information, as well as the port and packet type
Some malicious code, sometimes referred to as an exploit, is designed to
take advantage of software vulnerabilities in a computer's operating system, web browser, applications, or other software components.
spear phishing
targeting a known customer of a specific bank or other type of business
the firewall only allows connections from servers ___________.
that you requested service from
privacy
the ability to control the use of information about oneself
availability
the ability to ensure that an e-commerce site continues to function as intended
nonrepudiation
the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions
integrity
the ability to ensure that information being displayed on a website or transmitted or received over the Internet has not been altered in any way by an unauthorized party
confidentiality
the ability to ensure that messages and data are available only to those who are authorized to view them
authenticity
the ability to identify the identity of a person or entity with whom you are dealing on the Internet
From a technology perspective, there are three key points of vulnerability when dealing with e-commerce:
the client, the server, and the communications pipeline.
The strength of modern security protection is measured in terms of
the length of the binary key used to encrypt the data.
As a final step, the recipient applies the same hash function to the original text, and compares the result with the result sent by the sender. If the results are the same, the recipient now knows _____________.
the message has not been changed during transmission. The message has integrity
Advanced Encryption Standard (AES)
the most widely used symmetric key algorithm, offering 128-, 192-, and 256-bit keys
The price for various types of data vary depending on
the quantity being purchased, supply available, and "freshness."
Public and private keys can be used to encrypt and decrypt a message. However, once the keys are used to encrypt a message,
the same key cannot be used to unencrypt the message.
An encrypted report and a digital envelope are sent across the Web. The recipient first uses ___________.
their private key to decrypt the symmetric key
Once authenticated, the recipient uses his or her private key
to obtain the hash result and original message.
The nature of credit card fraud has changed greatly from the theft of a single credit card number and efforts to purchase goods at a few sites,
to the simultaneous theft of millions of credit card numbers and their distributions to thousands of criminals operating as gangs of thieves.
phishers create a website that purports to be a legitimate institution and cons users into entering financial information, or the site downloads malware such as a keylogger to the victim's computer
true
Digital strings can be transformed into cipher text is by multiplying each letter by another binary number.
true.
public key cryptography (also referred to as asymmetric cryptography)
two mathematically related digital keys are used: a public key and a private key. The private key is kept secret by the owner, and the public key is widely disseminated. Both keys can be used to encrypt and decrypt a message. However, once the keys are used to encrypt a message, that same key cannot be used to unencrypt the message
bot
type of malicious code that can be covertly installed on a computer when connected to the Internet. Once installed, the bot responds to external commands sent by the attacker; the computer becomes a "zombie" and is able to be controlled by an external third party
In addition to being exclusive to a particular individual, when used to sign a hashed document, the digital signature is also ______________.
unique to the document, and changes for every document.
Once the symmetric key is decrypted, the recipient _____________.
uses the symmetric key to decrypt the report.
The digital signature is even more unique than a handwritten signature _______________.
when used with a hash function
Every message that is to be sent or received from the network is processed by the firewall, ______________.
which determines if the message meets security guidelines established by the business.
A _________ does not necessarily need to be activated by a user or program in order for it to replicate itself.
worm
SSL/TLS cannot provide irrefutability- _____________.
—consumers can order goods or download information products, and then claim the transaction never occurred.
Why are companies hesitant to report the number of cybercrime cases?
Due to the fear of losing the trust of their customers.
____________________ are intended to build a wall around your network and the attached servers and clients.
Firewalls and proxy servers
In order to share the same key, the key must be sent over a presumably insecure medium where it could be stolen and used to decipher messages.
If the secret key is lost or stolen, the entire encryption system fails
Why is it difficult to estimate the actual amount of cybercrime?
In part, because many companies are hesitant to report, and because even if crime is reported, it may be difficult to quantify the actual dollar amount of the loss
Polymorphic malware is difficult to detect and remove because of which feature?
It enables attackers to generate a unique version of the malware for each victim, making it much more difficult for pattern-matching software used by security firms to detect.
A common default setting on hardware firewalls simply ignores efforts to communicate with ___________.
TCP port 445, the most commonly attacked port
Online credit card fraud is one of the most high-profile forms of e-commerce crime.
The average amount of credit card fraud loss experienced by any one individual is typically relatively small, the overall amount is substantial.