Chapter 10: Electronic Commerce Security


Online Security Issues Overview
- Computer security: the protection of assets from unauthorized access, use, alteration, or destruction
- Physical security: includes tangible protection devices
- Logical security: protection of assets using nonphysical means
- Threat: any act or object that poses a danger to computer assets

Managing Risk: Terms
- Countermeasure: general name for a procedure that recognizes, reduces, or eliminates a threat
- Eavesdropper: person or device that can listen in on and copy Internet transmissions
- Crackers or hackers: write programs or manipulate technologies to obtain unauthorized access to computers and networks

Computer Security Classification
- Secrecy/Confidentiality: protecting against unauthorized data disclosure (technical issues)
- Privacy: the ability to control how information about oneself is used (legal issues)
- Integrity: preventing unauthorized data modification
- Necessity: preventing data delays or denials (removal)
- Nonrepudiation: ensuring that e-commerce participants cannot deny (i.e., repudiate) their online actions
- Authenticity: the ability to verify the identity of the person or entity with whom you are dealing on the Internet

Some solutions --

Exercise
- Visit the Copyright Web site: http://www.benedict.com/
- Check out examples of copyright infringement: audio arts, visual arts, digital arts
- Read the comments under "Info"

Security Threats in the E-commerce Environment
Three key points of vulnerability:
- the client
- the communications pipeline
- the server

Active Content
- Active content refers to programs embedded transparently in Web pages that cause an action to occur
- Scripting languages: provide scripts, or commands, that are executed
- Applet: small application program (Java, ActiveX)
- Trojan horse: program hidden inside another program or Web page that masks its true purpose
- Zombie: program that secretly takes over another computer to launch attacks on other computers; such attacks can be very difficult to trace to their creators

Viruses, Worms, and Antivirus Software
- Virus: software that attaches itself to another program; can cause damage when the host program is activated
- Macro virus: type of virus coded as a small program (macro) and embedded in a file
- Antivirus software: detects viruses and worms

Digital Certificates
- A digital certificate is a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be
- A certificate is signed code or messages that provide proof that the holder is the person identified by the certificate
- A certification authority (CA) issues digital certificates
- Main elements:
  - Certificate owner's identifying information
  - Certificate owner's public key
  - Dates between which the certificate is valid
  - Serial number of the certificate
  - Name of the certificate issuer
  - Digital signature of the certificate issuer

Communication Channel Security
- Recall that secrecy is the prevention of unauthorized information disclosure, and privacy is the protection of individual rights to nondisclosure
- Sniffer programs: provide the means to record information passing through a computer or router that is handling Internet traffic
- Demonstration of a Java implementation of a packet sniffer

Other Threats: Integrity, Necessity, Wireless Network Threats
Integrity
- Integrity threats exist when an unauthorized party can alter a message stream of information
- Cybervandalism: electronic defacing of an existing Web site's page
- Masquerading or spoofing: pretending to be someone you are not
- Domain name servers (DNSs): computers on the Internet that maintain directories that link domain names to IP addresses
Necessity
- Purpose is to disrupt or deny normal computer processing
- DoS attacks
- Remove information altogether: delete information from a transmission or file
Wireless Network Threats
- Wardrivers: attackers drive around using their wireless-equipped laptop computers to search for accessible networks
- Warchalking: when wardrivers find an open network they sometimes place a chalk mark on the building
- Anonymizer: a Web site that provides a measure of secrecy as long as it is used as the portal to the Internet (http://www.anonymizer.com)

Tools Available to Achieve Site Security

Encryption
- Transforms plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver
- Purpose: to secure stored information and to secure information transmission
- Cipher text: text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver
- Symmetric key encryption: the DES standard is the most widely used

Group Exercise
Julius Caesar supposedly used secret codes known today as Caesar ciphers. The simplest replaces A with B, B with C, etc. This is called a one-rotate code. The following is encrypted using a simple Caesar rotation cipher. See if you can decrypt it:
Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd kwtr ymj xjsfyj ytifd.

Encryption
- Public key cryptography uses two mathematically related digital keys: a public key and a private key
- The private key is kept secret by the owner, and the public key is widely disseminated
- Either key can be used to encrypt a message, but the key used to encrypt a message cannot be used to decrypt it; only the other key of the pair can

Public Key Cryptography with Digital Signatures

Public Key Cryptography: Creating a Digital Envelope
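The three slides above (public key pairs, digital signatures, digital envelopes) and the earlier list of certificate elements all rest on one primitive, so here is a single worked example covering them. It is added to this transcript and is not code from the slides or their textbook: a toy RSA key pair built from randomly generated primes, a signature as "private key applied to a SHA-256 digest", a certificate holding the six elements the Digital Certificates slide lists and signed by a CA, and a digital envelope that protects the message with a fresh symmetric session key and protects that key with the recipient's public key. All function names are the example's own; the "raw RSA" and the SHA-256 keystream are teaching stand-ins (real systems use a vetted library with padding and a real block cipher), and it needs Python 3.8+ for the modular inverse.

```python
import hashlib
import secrets

# Toy RSA (teaching stand-in; real systems use a vetted library with padding).
def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(candidate):
            return candidate

def rsa_keypair(bits=160):
    """Return (public_key, private_key) as (exponent, modulus) pairs. Two 160-bit
    primes give a 320-bit modulus, enough to hold a SHA-256 digest or a session key."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0:                 # e must be invertible mod phi
            return (e, n), (pow(e, -1, phi), n)     # modular inverse: Python 3.8+

def rsa_apply(key, value):
    """Exponentiate with one half of the pair. Whatever one key does, only the
    *other* key undoes: the key that encrypted a message cannot decrypt it."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)

# Digital signature: the private key signs a hash, anyone with the public key verifies.
def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data):
    return rsa_apply(private_key, digest_int(data))

def verify(public_key, data, signature):
    return rsa_apply(public_key, signature) == digest_int(data)

# Digital certificate: the six elements listed on the Digital Certificates slide, signed by the CA.
def certificate_body_bytes(body):
    """Canonical encoding so issuer and verifier hash exactly the same bytes."""
    return repr(sorted(body.items())).encode()

def issue_certificate(ca_private, issuer, owner, owner_public, not_before, not_after, serial):
    body = {"owner": owner, "public_key": owner_public, "not_before": not_before,
            "not_after": not_after, "serial": serial, "issuer": issuer}
    return {**body, "signature": sign(ca_private, certificate_body_bytes(body))}

def verify_certificate(cert, ca_public, now):
    """Valid only inside the validity window and only if the CA's signature still
    covers every other field, so a certificate with a tampered owner fails."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    in_window = cert["not_before"] <= now <= cert["not_after"]
    return in_window and verify(ca_public, certificate_body_bytes(body), cert["signature"])

# Digital envelope: a fresh symmetric session key protects the data, RSA protects the key.
def keystream_xor(key, data):
    """Toy symmetric cipher (SHA-256 counter keystream) standing in for DES/AES."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def seal_envelope(recipient_public, message):
    session_key = secrets.token_bytes(16)                        # new key per message
    wrapped_key = rsa_apply(recipient_public, int.from_bytes(session_key, "big"))
    return wrapped_key, keystream_xor(session_key, message)

def open_envelope(recipient_private, envelope):
    wrapped_key, ciphertext = envelope
    session_key = rsa_apply(recipient_private, wrapped_key).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)
```

The envelope is why the slide's "session key" matters for e-commerce: the bulky order or card data is encrypted with a cheap symmetric key that exists for one session, and only the short key is wrapped with the expensive public key operation. The certificate check shows the two things a browser must test before trusting a merchant's public key: the validity dates, and that the issuer's signature still covers every field.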

Securing Channels of Communications
- Secure Sockets Layer (SSL) is the most common form of securing channels
- Secure negotiated session: client-server session in which the requested document URL, contents, forms, and cookies are encrypted
- Session key: a unique symmetric encryption key chosen for a single secure session

Firewalls
- Software, or a hardware and software combination, installed on a network to control packet traffic
- Provides a defense between the network to be protected and the Internet, or another network that could pose a threat
- Characteristics:
  - All traffic from inside to outside and from outside to inside the network must pass through the firewall
  - Only authorized traffic is allowed to pass
  - The firewall itself is immune to penetration
- Trusted networks are inside the firewall; untrusted networks are outside the firewall
- Packet-filter firewalls: examine data flowing back and forth between a trusted network and the Internet
- Gateway servers: firewalls that filter traffic based on the application requested
- Proxy server firewalls: firewalls that communicate with the Internet on the private network's behalf
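To make the packet-filter characteristics concrete, here is an added example (not from the slides) of a minimal packet filter: it classifies each packet as inbound or outbound by which side of the trust boundary its addresses sit on, walks an ordered rule list where the first match wins, and denies anything no rule explicitly authorizes. The address plan (10.0.0.0/8 as the trusted network), the rule set and the `Packet`/`Rule` names are the example's own assumptions; application-level gateway and proxy behaviour from the slide is not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan for the example: the trusted network behind the firewall.
TRUSTED_NETWORK = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str         # "in": untrusted -> trusted, "out": trusted -> untrusted
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Constructed rule set for a small storefront; evaluated top to bottom, first match wins.
RULES = [
    Rule("in", "tcp", 443, "allow"),    # customers reach the HTTPS storefront
    Rule("in", "tcp", 80, "allow"),     # plain HTTP, expected to redirect to HTTPS
    Rule("in", "tcp", 23, "deny"),      # telnet is never allowed in (explicit so it can be logged)
    Rule("out", "tcp", None, "allow"),  # inside hosts may open outbound TCP sessions
    Rule("out", "udp", 53, "allow"),    # DNS lookups from the inside
]


def direction(packet):
    """Classify by which side of the firewall each address is on.
    Returns None for traffic that does not cross the trust boundary."""
    src_inside = ipaddress.ip_address(packet.src) in TRUSTED_NETWORK
    dst_inside = ipaddress.ip_address(packet.dst) in TRUSTED_NETWORK
    if src_inside and not dst_inside:
        return "out"
    if dst_inside and not src_inside:
        return "in"
    return None


def filter_packet(packet, rules=RULES):
    """Return 'allow' or 'deny'. Anything no rule authorizes is denied, in both
    directions, which is the slide's 'only authorized traffic is allowed to pass'."""
    crossing = direction(packet)
    if crossing is None:
        return "deny"   # inside-to-inside never reaches us; outside-to-outside is not ours to forward
    for rule in rules:
        if (rule.direction == crossing and rule.proto == packet.proto
                and rule.dport in (None, packet.dport)):
            return rule.action
    return "deny"       # default deny


def apply_policy(packets, rules=RULES):
    """Run a batch of packets through the filter and pair each with its verdict."""
    return [(packet, filter_packet(packet, rules)) for packet in packets]


if __name__ == "__main__":
    sample = [Packet("203.0.113.5", "10.1.2.3", "tcp", 443),
              Packet("203.0.113.5", "10.1.2.3", "tcp", 3389),
              Packet("10.1.2.3", "203.0.113.5", "udp", 500)]
    for packet, verdict in apply_policy(sample):
        print(verdict, packet)
```

Note the two places where denial is the default: a packet that matches nothing falls through to `deny`, and a packet that is not crossing between the trusted and untrusted sides is refused rather than forwarded. Listing an explicit `deny` for telnet ahead of the catch-all is a common practice so that probing of that port shows up as a named rule hit in the logs.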

Security Policy and Integrated Security
- A security policy is a written statement describing:
  - Which assets to protect and why they are being protected
  - Who is responsible for that protection
  - Which behaviors are acceptable and which are not
- First step in creating a security policy: determine which assets to protect from which threats
- Elements of a security policy address: authentication, access control, secrecy, data integrity, audits
Protection of Information Assets, CISA 2006 Exam Preparation

Tension Between Security and Other Values
- Ease of use: security often slows down processors and adds significantly to data storage demands. Too much security can harm profitability; not enough can mean going out of business.
- Public safety and criminal use: the claims of individuals to act anonymously vs. the need of public officials to maintain public safety in light of criminals or terrorists.

Some questions
- Can Internet security measures actually create opportunities for criminals to steal? How?
- Why are some online merchants hesitant to ship to international addresses?
- What are some steps a company can take to thwart cyber-criminals from within a business?
- Is a computer with anti-virus software protected from viruses? Why or why not?
- What are the differences between encryption and authentication?
- Discuss the role of administration in implementing a security policy.

Security for Server Computers
- Web server: can compromise secrecy if it allows automatic directory listings
- Web server: can compromise security when it requires users to enter a username and password
- Dictionary attack programs: cycle through an electronic dictionary, trying every word in the book as a password
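A dictionary attack against a password-protected web server is easy to see in the server's authentication log: many failed logins from one source in a short time, sometimes ending in a success. The following added example (not part of the slides) runs that detection over a constructed, syslog-like log: it parses each line, counts failures per source inside a sliding one-minute window, flags sources at or above a threshold, and lists accounts that then logged in successfully from a flagged source, which is the case an operator most wants to review. The log format, the field names and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log in a syslog-like format (not from the original page).
SAMPLE_LOG = """\
2024-05-01T10:00:01 login failed user=alice src=203.0.113.7
2024-05-01T10:00:02 login failed user=alice src=203.0.113.7
2024-05-01T10:00:02 login failed user=alice src=203.0.113.7
2024-05-01T10:00:03 login failed user=alice src=203.0.113.7
2024-05-01T10:00:04 login failed user=alice src=203.0.113.7
2024-05-01T10:00:05 login failed user=alice src=203.0.113.7
2024-05-01T10:00:06 login ok user=alice src=203.0.113.7
2024-05-01T10:01:10 login failed user=bob src=198.51.100.5
2024-05-01T10:01:25 login ok user=bob src=198.51.100.5
2024-05-01T10:30:00 login failed user=carol src=198.51.100.5
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) login (failed|ok) user=(\S+) src=(\S+)$")


def parse_auth_log(text):
    """Yield (timestamp, outcome, user, src) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            stamp, outcome, user, src = match.groups()
            yield datetime.fromisoformat(stamp), outcome, user, src


def detect_dictionary_attacks(text, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with `threshold` or more failed logins inside any sliding `window`.
    Returns {src: peak number of failures seen in one window}."""
    failures = defaultdict(list)
    for stamp, outcome, _user, src in parse_auth_log(text):
        if outcome == "failed":
            failures[src].append(stamp)
    flagged = {}
    for src, stamps in failures.items():
        stamps.sort()
        peak, start = 0, 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def successes_after_attack(text, flagged):
    """Accounts that logged in successfully from a flagged source: a guessing run that
    ends in 'login ok' is the signature of a compromised password, not a typo."""
    return sorted({user for _stamp, outcome, user, src in parse_auth_log(text)
                   if outcome == "ok" and src in flagged})


if __name__ == "__main__":
    hits = detect_dictionary_attacks(SAMPLE_LOG)
    print("flagged sources:", hits)
    print("accounts to review:", successes_after_attack(SAMPLE_LOG, hits))
```

The second source in the sample (one failure, then a success fifteen seconds later, then an unrelated failure half an hour on) is the ordinary mistyped-password pattern and stays below the threshold; the threshold and window are the knobs to tune against real traffic. On the server side, the matching countermeasures are rate limiting or temporary lockout after repeated failures and rejecting dictionary words as passwords in the first place.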

Other Programming Threats
- Buffer: an area of memory set aside to hold data read from a file or database
- Buffer overrun: occurs because the program contains an error or bug that causes data to overflow the buffer
- Mail bomb: occurs when hundreds or even thousands of people each send a message to a particular address

Organizations that Promote Computer Security
- CERT: responds to thousands of security incidents each year; helps Internet users and companies become more knowledgeable about security risks; posts alerts to inform the Internet community about security events (www.cert.org)
- SANS Institute: a cooperative research and educational organization
- SANS Internet Storm Center: Web site that provides current information on the location and intensity of computer attacks
- Microsoft Security Research Group: privately sponsored site that offers free information about computer security issues