Chapter 10: Electronic Commerce Security
Other Organizations
- 1989: SysAdmin, Audit, Network and Security (SANS) Institute
  -- Education and research efforts: research reports, security alerts, and white papers
  -- SANS Internet Storm Center Web site: current information on the location and intensity of computer attacks worldwide
- CERIAS (Center for Education and Research in Information Assurance and Security)
  -- Multidisciplinary information security research and education
- Center for Internet Security
  -- Not-for-profit cooperative organization
  -- Helps electronic commerce companies
- CSO Online
  -- Articles from CSO Magazine
  -- Computer security-related news items
- Infosecurity
  -- Articles about all types of online security issues
Active Content
- Active content: a program that runs when the client device loads a Web page
  -- Example actions: play audio, display moving graphics, place items into a shopping cart
- Advantage: moves processing work from the server to the client device
- Disadvantage: code the user never asked for runs on the client, so it can pose a threat to the client device
- Methods to deliver active content: cookies, Java applets, JavaScript, VBScript, ActiveX controls, graphics, Web browser plug-ins, e-mail attachments
- Scripting languages: provide executable script
  -- Examples: JavaScript and VBScript
- Applet: small application program
  -- Typically runs within the Web browser
  -- Most browsers include tools (a sandbox) limiting the applet's actions
- Active content modules: embedded in Web pages
- ActiveX controls
  -- Objects containing programs or properties
  -- Placed on Web pages to perform particular tasks
  -- Run only on Windows operating systems
  -- Give full access to client system resources: there is no sandbox, so a malicious control is as dangerous as any installed program
  -- Caveat: Java applets and ActiveX controls are no longer supported by current browsers; the same risks now live in browser extensions and plug-ins
- Crackers embed malicious active content
- Trojan horse
  -- Program hidden inside another program or Web page
  -- Masks its true purpose
  -- May result in secrecy and integrity violations
- Zombie (a Trojan horse payload)
  -- Secretly takes over another computer
  -- Launches attacks on other computers
- Botnet (robotic network, zombie farm)
  -- All controlled computers act as one attacking unit
Integrity Threats
- Also known as active wiretapping: an unauthorized party alters the message information stream
- Integrity violation examples
  -- Cybervandalism: electronic defacing of a Web site
  -- Masquerading (spoofing): pretending to be someone else, e.g. a fake Web site representing itself as the original
- Domain name servers (DNSs): Internet computers maintaining directories that link domain names to IP addresses
  -- Perpetrators use a software security hole to substitute their own Web site's address in place of the real one
  -- Spoofs Web site visitors
- Phishing expeditions
  -- Victim tricked into disclosing confidential information
  -- Common victims: online banking or payment system users
Necessity Threats
- Also known as delay, denial, and denial-of-service (DoS) attacks
  -- Disrupt or deny normal computer processing
  -- Intolerably slow computer processing renders the service unusable or unattractive
- Distributed denial-of-service (DDoS) attack: a simultaneous attack on a Web site launched from many machines via a botnet
- DoS attacks can also remove information altogether: delete transmission or file information
- Denial attack examples
  -- Quicken accounting program diverted money to the perpetrator's bank account
  -- Company receives a flood of data packets that overwhelms the site's servers and chokes off legitimate customers' access
Physical Security for Client Devices
- Client computers control important business functions and need the same physical security as earlier systems
- New physical security technologies
  -- Fingerprint readers (less than $100) offer stronger protection than password approaches
- Biometric security device: identification using part of a person's biological makeup
  -- Examples: signature recognition, eye scanners, palm scanners, reading the vein pattern on the back of the hand
  -- Caveat: a biometric cannot be re-issued if its stored template is stolen, so templates need at least the protection given to passwords
CERT
- Computer Emergency Response Team (CERT/CC), housed at Carnegie Mellon University's Software Engineering Institute
- Maintains an effective, quick communications infrastructure among security experts so that security incidents are avoided or handled quickly
- Provides security risk information
- Posts security event alerts
- Primary authoritative source for information on viruses, worms, and other types of attack
Computer Forensics and Ethical Hacking
- Computer forensics experts (sometimes called ethical hackers)
  -- Computer sleuths hired to probe PCs and locate information usable in legal proceedings
  -- Also hired to break into client computers to test their defenses
- Computer forensics field: responsible for the collection, preservation, and analysis of computer-related evidence
- Companies hire ethical hackers to test their computer security safeguards
  -- Caveat: the engagement needs written authorization and an agreed scope; without them the same activity is simply intrusion
Computer Security and Risk Management
- Computer security: protection of assets from unauthorized access, use, alteration, and destruction
- Physical security: tangible protection devices
  -- Alarms, guards, fireproof doors, security fences, safes or vaults, bombproof buildings
- Logical security: asset protection using nonphysical means
- Threat: any act or object posing danger to computer assets
- Countermeasure: a procedure (physical or logical) that recognizes, reduces, or eliminates a threat
  -- Extent and expense of countermeasures vary with the importance of the asset
Digital Certificates
- Digital certificate (digital ID): a signed data structure that binds a public key to the identity of its holder; delivered as an e-mail attachment, embedded in a Web page, or presented by a Web server
  -- Verifies the sender or Web site
  -- Contains the holder's public key, which gives the recipient a means to send an encrypted message
  -- A message or code signed with the matching private key provides proof that it came from the holder identified by the certificate
  -- Issued and signed by a certification authority (CA); the relying party must check the CA signature, the validity period and the revocation status, not just the name printed in it
- Used for online transactions: electronic commerce, electronic mail, and electronic funds transfers
Computer Security and Risk Management Contd.
- Electronic threat examples: impostors, eavesdroppers, thieves
- Eavesdropper (person or device): listens in on and copies Internet transmissions
- Crackers or hackers (people): write programs and manipulate technologies to obtain unauthorized access to computers and networks
  -- White hat hacker and black hat hacker: the distinction between good hackers and bad hackers
- Good security scheme implementation
  -- Identify risks
  -- Determine how to protect threatened assets
  -- Calculate the costs of protecting the assets
Encryption Solutions
- Encryption: coding information using a mathematically based program and a secret key
- Cryptography: the science studying encryption
  -- The science of creating messages that only the sender and the intended receiver can read
  -- Cryptography converts text into other visible text (ciphertext) with no apparent meaning; the existence of the message is not hidden
- Steganography
  -- Hides a message inside another, innocuous-looking piece of data so that its existence is undetectable to the naked eye
  -- Hides existence, not content: used alone it gives no secrecy once the hiding method is known, which is why it is normally combined with encryption
Firewalls
- Firewall: software or a hardware-software combination installed in a network to control packet traffic
- Placed at the network's Internet entry point
  -- Defense between the network and the Internet
  -- Also between the network and any other network
- Principles
  -- All traffic must pass through it
  -- Only authorized traffic is allowed to pass; anything not explicitly authorized is dropped (default deny)
  -- The firewall itself must be immune to penetration
- Trusted: networks inside the firewall; untrusted: networks outside the firewall
- Filter permits only selected messages through the network
- Separate corporate networks from one another
  -- Coarse need-to-know filter
  -- Firewalls segment the corporate network into secure zones
- Large organizations with multiple sites install a firewall at each location, and all locations follow the same security policy
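The three principles above, as an added example that is not part of the original slides: a first-match packet filter that assigns constructed addresses to trusted, DMZ and untrusted zones and denies anything no rule authorizes. The zone ranges, rule set and sample packets are assumptions made for the demonstration; this is not a real firewall, only the decision logic one applies.

```python
"""Added example: a first-match packet filter with default deny, applying the
firewall principles above to constructed security zones and packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zones (assumption: these ranges stand in for a corporate network).
# 'outside' is the untrusted catch-all; any address not in a trusted range lands there.
ZONES = {
    "inside":  ip_network("10.0.0.0/8"),         # trusted corporate LAN
    "dmz":     ip_network("192.168.100.0/24"),   # public-facing shop servers
    "outside": ip_network("0.0.0.0/0"),          # the Internet
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port


def zone_of(addr: str) -> str:
    """Most specific (longest prefix) zone containing the address."""
    ip = ip_address(addr)
    best = "outside"
    for name, net in ZONES.items():
        if ip in net and net.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


# Rules are evaluated top to bottom; the first match decides.
RULES = [
    Rule("allow", "outside", "dmz", "tcp", 443),   # customers reach the shop over HTTPS
    Rule("allow", "outside", "dmz", "tcp", 80),    # ...and plain HTTP, to be redirected to HTTPS
    Rule("allow", "inside", "outside"),            # staff may browse the Internet
    Rule("allow", "inside", "dmz"),                # staff may administer DMZ hosts
    Rule("deny",  "dmz", "inside"),                # a compromised shop server must not reach the LAN
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_zone == zone_of(pkt.src)
            and rule.dst_zone == zone_of(pkt.dst)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))


def decide(pkt: Packet, rules=RULES) -> str:
    """Return 'allow' or 'deny'; traffic nobody authorized is denied (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Packet("203.0.113.9", "192.168.100.10", "tcp", 443),   # customer -> shop: allow
        Packet("203.0.113.9", "192.168.100.10", "tcp", 22),    # customer -> shop SSH: deny (no rule)
        Packet("203.0.113.9", "10.0.0.5", "tcp", 443),         # Internet -> LAN: deny (default)
        Packet("192.168.100.10", "10.0.0.5", "tcp", 445),      # DMZ -> LAN: deny (explicit)
        Packet("10.0.0.5", "198.51.100.7", "tcp", 443),        # LAN -> Internet: allow
    ]
    for p in samples:
        print(f"{p.src:>16} -> {p.dst:<16} {p.proto}/{p.dport:<5} {decide(p)}")
```

The explicit `deny` from the DMZ to the inside is the "segment into secure zones" point: even though default deny would already drop that traffic, writing the rule down keeps it in force if a later administrator adds a broad allow below it.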
Organizations that Promote Computer Security
- Following the Internet Worm of 1988, organizations formed to share information about threats to computer systems
- Principle followed: sharing information about attacks and defenses against attacks helps everyone create better computer security
Intro
- Government and large business Web sites are constantly under attack from intruders
- Several incidents in 2009
  -- Sensitive military data stolen
  -- North Korean and Chinese governments may have been involved
- Threats are constantly changing
Graphics and Plug-Ins
- Graphics, browser plug-ins, and e-mail attachments can harbor executable content
- Graphic: embedded code can harm the client computer; a graphic does this by exploiting a flaw in the program that decodes it, so a malformed image file is enough
- Browser plug-ins (programs)
  -- Enhance browser capabilities
  -- Can pose security threats
  -- Plug-ins execute commands buried within media files
Online Security Issues Overview
- Individuals and businesses have been concerned about security since the Internet became a business communications tool
- Concerns increase with the steady increase in sales and all types of financial transactions
- Chapter topics
  -- Key security problems
  -- Solutions to those problems
Communication Channel Security
- Internet
  -- Not designed to be secure; designed to provide redundancy
  -- Remains in its original insecure state
- A message traveling on the Internet is subject to secrecy, integrity, and necessity threats
Cookies and Web Bugs
- Internet connection between Web clients and servers
  -- Multiple independent transmissions
  -- No continuous connection (open session) is maintained between any client and server
- Cookies
  -- Small text files that Web servers place on the Web client
  -- Identify returning visitors
  -- Allow a continuing open session
- Cookie sources
  -- First-party cookies: the Web server of the site being visited places them on the client computer
  -- Third-party cookies: a different Web site places them on the client computer
- Disabling cookies entirely gives complete cookie protection
  -- Disadvantages: useful cookies are blocked along with the others, and full site resources are not available
- Web browser cookie management functions (provided by most Web browsers)
  -- Refuse only third-party cookies
  -- Review each cookie before allowing it
- Web bug
  -- Tiny graphic that a third-party Web site places on another site's Web page
  -- Provides a method for the third-party site to place a cookie on the visitor's computer
  -- Also called "clear GIFs" or "1-by-1 GIFs": graphics created in GIF format with a color value of "transparent", as small as 1 pixel by 1 pixel
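An added example, not from the original slides, of the distinctions just made: it classifies a `Set-Cookie` header as first- or third-party relative to the page being viewed, reports the `Secure` and `HttpOnly` attributes a session cookie should carry, and finds web bugs (1-by-1 images served from another site) in a page. The page URL, cookie headers and HTML are constructed, and the "site" comparison uses the last two host labels rather than a public-suffix list, which is an assumption that is adequate for the demo.

```python
"""Added example: first-party vs third-party cookies, missing cookie flags,
and web-bug detection on a constructed shop page."""
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse


def site_of(host: str) -> str:
    """Crude registrable site: the last two labels (shop.example.com -> example.com).
    Assumption: no public-suffix list is consulted, which is enough for this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cookie_party(page_url: str, set_cookie: str, responding_host: str) -> str:
    """'first-party' if the cookie's domain matches the page's site, else 'third-party'.
    responding_host is the host that sent the Set-Cookie header (used when no Domain=)."""
    attrs = [a.strip() for a in set_cookie.split(";")]
    domain = responding_host
    for a in attrs[1:]:
        if a.lower().startswith("domain="):
            domain = a.split("=", 1)[1].lstrip(".")
    page_site = site_of(urlparse(page_url).hostname or "")
    return "first-party" if site_of(domain) == page_site else "third-party"


def missing_cookie_flags(set_cookie: str) -> List[str]:
    """Attributes a session cookie should carry but this header lacks:
    Secure keeps it off plain HTTP, HttpOnly keeps it away from scripts."""
    flags = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return [f for f in ("Secure", "HttpOnly") if f.lower() not in flags]


class WebBugFinder(HTMLParser):
    """Collects <img> elements that are at most 1x1 and served from another site."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_site = site_of(urlparse(page_url).hostname or "")
        self.bugs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        host: Optional[str] = urlparse(a.get("src") or "").hostname
        if host is None:
            return                      # relative URL: same site, not a third-party bug
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if tiny and site_of(host) != self.page_site:
            self.bugs.append(a["src"])


def find_web_bugs(page_url: str, html: str) -> List[str]:
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.bugs


# Constructed sample: a shop page that embeds a tracker's 1x1 pixel.
PAGE_URL = "https://shop.example.com/cart"
PAGE_HTML = """
<html><body>
<img src="/images/logo.png" width="120" height="40">
<img src="https://cdn.example.com/spacer.gif" width="1" height="1">
<img src="https://ads.tracker.example/pixel.gif?uid=42" width="1" height="1" style="display:none">
</body></html>
"""
SESSION_COOKIE = "session=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax"
TRACKER_COOKIE = "uid=42; Domain=.tracker.example; Path=/; Expires=Sat, 01 Jan 2033 00:00:00 GMT"

if __name__ == "__main__":
    print(cookie_party(PAGE_URL, SESSION_COOKIE, "shop.example.com"), missing_cookie_flags(SESSION_COOKIE))
    print(cookie_party(PAGE_URL, TRACKER_COOKIE, "ads.tracker.example"), missing_cookie_flags(TRACKER_COOKIE))
    print(find_web_bugs(PAGE_URL, PAGE_HTML))
```

Note that the 1x1 spacer on `cdn.example.com` is not reported: it is tiny, but it belongs to the same site as the page, so it cannot set a third-party cookie. Only the tracker pixel meets both halves of the web-bug definition.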
Threats of Physical Security of Internet Communications Channels
- The Internet's packet-based network design precludes it from being shut down by an attack on a single communications link
- An individual user's Internet service can be interrupted by destruction of the user's Internet link
- Larger companies and organizations use more than one link to the main Internet backbone
Other Software-Based Threats
- Java or C++ programs executed by the server: passed to Web servers by the client or resident on the server
  -- Use a buffer: a memory area set aside to hold data read from a file or database
- Buffer overrun (buffer overflow) error
  -- The program overfills the buffer; the cause may be an error in the program or an intentional attack
  -- Excess data spills outside the designated buffer memory
  -- Exploited by the 1988 Internet worm (the Morris worm)
- Insidious version of the buffer overflow attack
  -- Writes instructions into critical memory locations
  -- The Web server resumes execution by loading internal registers with the address of the attacking program's code
- Reducing potential buffer overflow damage
  -- Good programming practices: bounds checks on every copy into a fixed-size buffer, or a memory-safe language
  -- Some hardware functionality: a non-executable stack and heap, which the operating system combines with address space layout randomization
- Mail bomb attack: hundreds or thousands of people send messages to a particular address
Origins of Security on Interconnected Computer Systems
- Modern computer security techniques were developed by the US Department of Defense
  -- "Orange Book" (the Trusted Computer System Evaluation Criteria, 1983): rules for mandatory access control
- Business computers initially adopted the military's security methods
- Networks increased the number of users accessing computers
- Computers now transmit valuable information
Viruses, Worms, and Antivirus Software
- Programs display e-mail attachments by automatically executing the associated programs
  -- Macro viruses within attached files can cause damage
- Virus: software that attaches itself to another program and causes damage when the host program is activated
- Worm: self-replicating malware that needs no host program
  -- Replicates itself on the computers it infects
  -- Spreads quickly through the Internet
- Antivirus software
  -- Detects viruses and worms
  -- Either deletes or isolates (quarantines) them on the client computer
- Companies that track viruses, sell antivirus software, and provide virus descriptions on their Web sites
  -- Symantec (Symantec Security Response)
  -- McAfee (McAfee Virus Information)
- Signature data files must be updated regularly to recognize and eliminate the newest viruses
- Some Web e-mail systems scan attachments with antivirus software before downloading
  -- Examples: Yahoo! Mail, Gmail
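As an added example, not from the original slides, here is the shape of the attachment check a Web mail system runs before it lets a user download a file: it parses the message, and for each attachment flags file types that run code when opened, double extensions such as `invoice.pdf.exe`, a Windows executable header hiding under a harmless name, and any file whose SHA-256 digest is on a signature blocklist. The message, the blocklist entry and the list of dangerous extensions are all constructed for the demo; a real scanner has millions of signatures and inspects content far more deeply.

```python
"""Added example: an attachment scanner that blocks executable file types,
double extensions, disguised executables and known-bad digests.  All inputs
are constructed; the blocklist holds one made-up sample."""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Constructed "signature": the digest of a made-up malware sample, not real malware.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malware sample bytes").hexdigest(): "Demo.Trojan"}

# File types that run code when opened (assumption: policy chosen for the demo).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
                  ".hta", ".jar", ".docm", ".xlsm", ".pptm"}


def scan_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons this attachment should be blocked (empty list = clean)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable file type {ext}")
    if len(parts) > 2:                                   # e.g. invoice.pdf.exe
        reasons.append("double extension hides the real type")
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        reasons.append(f"known malware signature {KNOWN_BAD_SHA256[digest]}")
    if data.startswith(b"MZ") and ext not in EXECUTABLE_EXT:
        reasons.append("Windows executable header under a non-executable name")
    return reasons


def scan_message(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Scan every attachment of an RFC 5322 message; returns (filename, reasons) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        results.append((filename, scan_attachment(filename, data)))
    return results


def build_sample_message() -> bytes:
    """Constructed message with one clean and two malicious-looking attachments."""
    msg = EmailMessage()
    msg["From"] = "orders@shop.example"
    msg["To"] = "buyer@example.net"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(b"%PDF-1.4 constructed invoice", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"constructed malware sample bytes", maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        print(f"{name:18} {'BLOCK: ' + '; '.join(reasons) if reasons else 'clean'}")
```

The digest check is the part that needs the regular signature updates mentioned above; the extension and header checks catch the common disguises without any update at all, which is why both kinds of rule belong in the scanner.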
Secure Sockets Layer (SSL) Protocol
- Provides a security "handshake": client and server exchange a brief burst of messages to agree on keys and algorithms before any application data flows
- All subsequent communication is encrypted, so an eavesdropper receives unintelligible information
- Secures many different communication types: HTTP, FTP, Telnet
- HTTPS: HTTP carried over SSL; precede the URL with the protocol name https
- Caveat: every version of SSL is broken and deprecated; its successor, Transport Layer Security (TLS 1.2 and 1.3), is what "SSL" means in practice today, and a client that skips certificate verification gets the encryption but not the protection against an impostor server
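The handshake from the client side, as an added example that is not part of the original slides, using Python's standard `ssl` module: `make_client_context` builds the settings that make the handshake worth having (certificate chain verified, host name checked, nothing older than TLS 1.2), `make_insecure_context` shows the setting that turns the connection into something an eavesdropper in the middle can read, and `https_get` runs the exchange against a server. The host name in `__main__` is a placeholder supplied on the command line; `https_get` needs network access and is not exercised by the tests.

```python
"""Added example: a verified TLS client context versus an unverified one,
plus one HTTPS request that runs the handshake.  Host names are placeholders."""
import socket
import ssl
import sys
from urllib.parse import urlparse


def make_client_context() -> ssl.SSLContext:
    """Verifies the server's certificate chain and host name and refuses every SSL
    version and TLS 1.0/1.1, all of which are broken or deprecated."""
    ctx = ssl.create_default_context()          # loads the system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """What NOT to deploy: traffic is still encrypted, but because the peer's
    certificate is never checked, a man in the middle can present any key and
    read everything.  Included only so that context_is_safe has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """The three settings a code review should insist on."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def require_https(url: str) -> str:
    """Reject any URL that would send the request in the clear; returns the host."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return parts.hostname


def https_get(url: str, ctx: ssl.SSLContext = None, timeout: float = 5.0):
    """Run the handshake and one GET.  Returns (protocol version, cipher name, status line).
    Raises ssl.SSLCertVerificationError when the certificate or host name does not check out."""
    host = require_https(url)
    path = urlparse(url).path or "/"
    ctx = ctx or make_client_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:   # the handshake happens here
            tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
            return tls.version(), tls.cipher()[0], status


if __name__ == "__main__":
    print("default context safe:", context_is_safe(make_client_context()))
    print("insecure context safe:", context_is_safe(make_insecure_context()))
    if len(sys.argv) > 1:                       # e.g. python tls_client.py https://shop.example.com/
        print(https_get(sys.argv[1]))
```

`server_hostname` matters twice: it is sent in the handshake so the server can pick the right certificate, and it is the name the certificate is checked against; omit it and `check_hostname` has nothing to compare.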
Secrecy Threats
- Secrecy: prevention of unauthorized information disclosure
  -- A technical issue requiring sophisticated physical and logical mechanisms
- Privacy: protection of an individual's right to nondisclosure
  -- A legal matter
- E-mail message
  -- Secrecy violations are prevented using encryption, which protects outgoing messages
  -- Privacy issues address whether supervisors are permitted to read employees' messages at random
- Electronic commerce threat: theft of sensitive or personal information
- Sniffer programs: record information passing through a computer or router
- Backdoor: an electronic "hole" left open accidentally or intentionally
  -- Content is exposed to secrecy threats
  -- Example: the Cart32 shopping cart program backdoor
- Stolen corporate information: an eavesdropper example
- Web users continually reveal information
  -- A secrecy breach
  -- Possible solution: anonymous Web services
Elements of Computer Security
- Secrecy
  -- Protecting against unauthorized data disclosure
  -- Ensuring the authenticity of the data source
- Integrity
  -- Preventing unauthorized data modification
  -- Man-in-the-middle exploit: e-mail contents changed before being forwarded to the original destination
- Necessity
  -- Preventing data delays or denials (removal)
Client Security for Mobile Devices
- Security measures
  -- Access password
  -- Remote wipe: clears all personal data; can be added as an app, or provided through corporate e-mail synchronization
  -- Antivirus software
- Rogue apps: contain malware, or collect information and forward it to perpetrators
  -- Apple App Store tests apps before authorizing sales
  -- Android Market (now Google Play) does less extensive testing
Establishing a Security Policy
- Security policy elements
  -- Assets to protect and why
  -- Protection responsibility
  -- Acceptable and unacceptable behaviors
  -- Physical and network security, access authorizations, virus protection, disaster recovery
- Corporate information classifications
  -- Public
  -- Company confidential
- Steps to create a security policy
  -- Determine which assets to protect from which threats
  -- Determine access needs to various system parts
  -- Identify the resources available to protect the assets
  -- Develop a written security policy
  -- Commit resources
- Comprehensive security plan goals
  -- Protect privacy, integrity and availability
  -- Authenticate users
  -- Selected to satisfy the requirements in Figure 10-2
- Security policy points
  -- Authentication: who is trying to access the site?
  -- Access control: who is allowed to log on to and access the site?
  -- Secrecy: who is permitted to view selected information?
  -- Data integrity: who is allowed to change data?
  -- Audit: who or what causes specific events to occur, and when?
Password Attack Threats
- Sensitive file on the Web server holds username-password pairs
  -- Solution: never store the passwords themselves; store a salted, deliberately slow hash of each (PBKDF2, bcrypt, scrypt or Argon2), so a stolen file cannot be read directly and reversible encryption, whose key would sit on the same server, is not needed
- Password threats
  -- Dictionary attack programs cycle through an electronic dictionary, trying every word as the password
  -- Solutions: user password requirements; password assignment software that checks each user password against the dictionary
- Help creating very strong passwords: Gibson Research Corporation's Ultra High Security Password Generator
Steganography
- Steganography: hiding information within another piece of information
- Can be used for malicious purposes
- Hiding an encrypted file within another file
  -- A casual observer cannot detect anything of importance in the container file
  -- Two-step process: encrypting the file protects it from being read; steganography makes it invisible
- Al Qaeda was reported to have used steganography to hide attack orders
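The two-step process above, and the cryptography-versus-steganography distinction drawn in the Encryption Solutions slide, as one added example that is not part of the original slides. The secret is first encrypted and the ciphertext is then written into the least significant bit of successive pixels of a cover image, so every pixel changes by at most one unit of brightness. The cover is a constructed 64-by-64 8-bit grayscale gradient rather than a real image file, and the cipher is a toy SHA-256 keystream chosen only to keep the example dependency-free; a real deployment would use an authenticated cipher such as AES-GCM with a nonce.

```python
"""Added example: encrypt-then-hide with LSB steganography on a constructed
grayscale image.  The cipher is a TOY for illustration, not for real use."""
import hashlib
from typing import Iterator


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of SHA-256(key || counter) blocks.  Symmetric,
    so the same call encrypts and decrypts.  Toy: no nonce, no authentication."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def _bits(data: bytes) -> Iterator[int]:
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def hide(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length then the payload into the LSB of successive pixels."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def reveal(stego: bytes) -> bytes:
    """Read the LSBs back; the 4-byte length prefix says where to stop."""
    def read_bytes(count: int, first_pixel: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[first_pixel + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel difference; LSB hiding changes each pixel by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def hide_encrypted(cover: bytes, key: bytes, secret: bytes) -> bytes:
    return hide(cover, toy_stream_cipher(key, secret))        # step 1 then step 2


def reveal_encrypted(stego: bytes, key: bytes) -> bytes:
    return toy_stream_cipher(key, reveal(stego))               # undo step 2 then step 1


# Constructed cover: 64x64 gradient, one byte per pixel (4096 pixels -> 512 bytes capacity).
COVER = bytes((x + y) % 256 for y in range(64) for x in range(64))
KEY = b"constructed demo key"

if __name__ == "__main__":
    secret = b"ship order 4711 at 03:00"
    stego = hide_encrypted(COVER, KEY, secret)
    print(len(COVER), len(stego), max_pixel_change(COVER, stego))   # same size, pixels differ by <= 1
    print(reveal(stego))                     # step 2 undone alone: still ciphertext
    print(reveal_encrypted(stego, KEY))      # b'ship order 4711 at 03:00'
```

`reveal(stego)` shows why the encryption step matters: anyone who knows or guesses the hiding scheme recovers the payload from the LSBs, and without step 1 that payload would be the plaintext. Conversely, an examiner who compares the stego image with an untouched copy of the cover sees the embedded bits immediately, which is the "hides existence, not content" limit in practice.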
Encryption in Web Browsers
- Two approaches have been used to establish secure connections between Web servers and clients
  -- Secure Sockets Layer (SSL): secures the connection between two computers (today through its successor, TLS)
  -- Secure Hypertext Transfer Protocol (S-HTTP): sends individual messages securely; it never saw significant adoption and is obsolete
Database Threats
- Usernames and passwords are stored in an unencrypted table in some databases
- The database fails to enforce security and relies on the Web server to enforce it
- Unauthorized users masquerade as legitimate database users
- Trojan horse programs hidden within the database system
  -- Reveal information
  -- Remove all access controls within the database
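One added example, not from the original slides, serving both the Password Attack Threats slide and the database threats listed here: a credential table in an in-memory SQLite database that stores only a per-user salt and a PBKDF2 hash, a policy check against a dictionary when a password is set, and the dictionary attack an intruder runs once the table is stolen, first against the unencrypted-table case (an unsalted MD5 digest) and then against the salted slow hash. The dictionary, user names, passwords and the "stolen" digest are constructed, and the PBKDF2 iteration count is kept low so the demo runs quickly.

```python
"""Added example: salted PBKDF2 credential store in SQLite, password policy
check, and dictionary attacks against unsalted MD5 and against the store."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed dictionary; a real attack uses millions of words and leaked passwords.
DICTIONARY = ["password", "letmein", "qwerty", "welcome1", "shopping", "summer2009"]
ITERATIONS = 100_000   # kept low for the demo; use 600k+ for PBKDF2-SHA256 in production

# Constructed "stolen" value: what an attacker reads from an unencrypted table that
# kept only a fast, unsalted digest of each password.
STOLEN_MD5 = hashlib.md5(b"letmein").hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def password_acceptable(password: str) -> bool:
    """The 'password requirements' solution: a length floor and a dictionary check."""
    return len(password) >= 12 and password.lower() not in DICTIONARY


def create_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB NOT NULL, hash BLOB NOT NULL)")
    return db


def add_user(db: sqlite3.Connection, name: str, password: str, enforce_policy: bool = True) -> None:
    if enforce_policy and not password_acceptable(password):
        raise ValueError("password rejected: too short or in the dictionary")
    salt = os.urandom(16)                     # unique per user: equal passwords hash differently
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(password, salt)))


def verify(db: sqlite3.Connection, name: str, password: str) -> bool:
    row = db.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)   # constant-time compare


def dictionary_attack_md5(stolen_hex: str) -> Optional[str]:
    """Against an unsalted fast hash the attacker digests each word once and compares;
    a precomputed table does even that work ahead of time."""
    for word in DICTIONARY:
        if hashlib.md5(word.encode()).hexdigest() == stolen_hex:
            return word
    return None


def dictionary_attack(db: sqlite3.Connection, name: str) -> Optional[str]:
    """Against the salted slow hash every guess costs a full PBKDF2 run per user.
    The salt defeats precomputation, but a dictionary word still falls: hashing
    protects strong passwords, it does not make weak ones strong."""
    salt, stored = db.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    for word in DICTIONARY:
        if hmac.compare_digest(hash_password(word, salt), stored):
            return word
    return None


if __name__ == "__main__":
    db = create_store()
    add_user(db, "alice", "correct horse battery staple")
    add_user(db, "bob", "qwerty", enforce_policy=False)        # what happens without the policy
    print(verify(db, "alice", "correct horse battery staple"), verify(db, "alice", "password"))
    print(dictionary_attack_md5(STOLEN_MD5))                    # letmein
    print(dictionary_attack(db, "alice"), dictionary_attack(db, "bob"))   # None qwerty
```

The second point on the database slide, a database that relies on the Web server for its security, is the reason the store itself must be safe to lose: with only the Web server in the way, assume the table will eventually be read by someone who should not have it.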
Threats to Wireless Networks
- Wired Equivalent Privacy (WEP): the rule set for encrypting transmissions from wireless devices to wireless access points (WAPs)
  -- Caveat: WEP has been broken since 2001; its 24-bit initialization vector and weak RC4 keying let an attacker recover the key from captured traffic in minutes, and it has been replaced by WPA2 and WPA3
- Wardrivers: attackers drive around in cars searching for accessible networks
- Warchalking: a chalk mark on a building identifies an easily entered wireless network nearby; Web sites include maps of wireless access locations
- Preventing attacks by wardrivers
  -- Turn on encryption: today that means WPA2 or WPA3 with a strong passphrase, since WEP only slows a determined attacker down
  -- Change the default login and password settings
- Example
  -- Best Buy wireless point-of-sale (POS) terminals failed to enable WEP
  -- A customer launched a sniffer program and intercepted data from the POS terminals
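Why "turn on WEP" is not enough, as an added example that is not part of the original slides. WEP builds each packet's RC4 key from a 24-bit initialization vector sent in the clear plus the shared key, so IVs repeat within hours on a busy network; two frames encrypted under the same IV share a keystream, and one frame with guessable contents (a fixed POS request header, say) decrypts the other without the key ever being recovered. The shared key, IV and frame contents are constructed, and the CRC-32 integrity value WEP appends is omitted because it does not affect this attack. The real-world key-recovery attacks on WEP go much further than this; the IV-reuse flaw shown here is the simplest one.

```python
"""Added example: RC4, WEP-style per-packet keying from a cleartext IV, and
the keystream-reuse attack that IV repetition enables.  All data constructed."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame = IV (3 bytes, cleartext) || RC4(IV || shared_key, plaintext)."""
    assert len(iv) == 3
    return iv + rc4(iv + shared_key, plaintext)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return rc4(iv + shared_key, body)


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """ciphertext XOR plaintext = keystream, for as many bytes as are known."""
    return bytes(c ^ p for c, p in zip(frame[3:], known))


def decrypt_with_reused_iv(target: bytes, reference: bytes, reference_plaintext: bytes) -> bytes:
    """Attacker side, no key needed: recover the keystream from a frame whose plaintext
    is known and apply it to another frame that carries the same IV."""
    if target[:3] != reference[:3]:
        raise ValueError("frames use different IVs; their keystreams differ")
    ks = keystream_from_known_plaintext(reference, reference_plaintext)
    return bytes(c ^ k for c, k in zip(target[3:], ks))


def collisions_expected(frames_sent: int, iv_bits: int = 24) -> float:
    """Expected number of IV-sharing frame pairs when IVs are drawn at random
    (birthday estimate n(n-1)/2N); sequential IVs wrap after 2**24 frames."""
    space = 2 ** iv_bits
    return frames_sent * (frames_sent - 1) / (2 * space)


# Constructed 40-bit shared key and two POS frames that happen to share an IV.
SHARED_KEY = bytes.fromhex("0badc0ffee")
IV = bytes.fromhex("010203")
REQUEST = b"GET /pos/sale HTTP/1.1"                 # predictable: the attacker can guess it
CARD_DATA = b"CARD=4111111111111111"                # constructed test card number
FRAME_REQUEST = wep_encrypt(SHARED_KEY, IV, REQUEST)
FRAME_CARD = wep_encrypt(SHARED_KEY, IV, CARD_DATA)

if __name__ == "__main__":
    print(decrypt_with_reused_iv(FRAME_CARD, FRAME_REQUEST, REQUEST))   # b'CARD=4111111111111111'
    print(collisions_expected(50_000))   # about 74.5 reused-IV pairs among 50k random-IV frames
```

The attacker decrypts only as many bytes as the known plaintext is long, which is why fixed protocol headers are so valuable to a sniffer: they are known in advance and sit at the start of every frame.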