Electronic Commerce Security Presented by: Chris Brawley Chris Avery.

Online Security Issues – People worry about interception of private messages. Web shopping – concerns about revealing credit card numbers are still prevalent. Doubts remain about companies' willingness to keep private information secure.

Online Security Issues Computer Security – the protection of assets from unauthorized access, use, alteration, or destruction. - Physical Security - Logical Security - Threat

Online Security Issues Managing Risk  Countermeasures  Eavesdroppers  Hackers

Online Security Issues Computer Security Classifications 1. Secrecy: refers to protecting against unauthorized data disclosure and assuring authenticity of data sources. 2. Integrity: refers to preventing unauthorized data modification. 3. Necessity: refers to preventing data delays or denials.

Online Security Issues Security Policy and Integrated Security  Security policy: A written statement describing which assets to protect and why they are being protected, who is responsible for protection, and which behaviors are acceptable and which are not.

Online Security Issues Creating a security policy Step 1: Determine which assets to protect. Step 2: Determine who should have access. Step 3: Determine what resources are available to protect the assets. Step 4: Commit resources to building software, hardware, and physical barriers that implement the security policy.

Security for Client Computers Cookies: Small text files that Web servers place on Web client computers to identify returning visitors.  Helps to maintain open sessions.  Shopping cart and payment processing both need open sessions to work properly.

Security for Client Computers Two ways of classifying cookies: 1. By time duration  Session Cookies  Persistent Cookies 2. By source  First-party Cookies  Third-party Cookies
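The two classifications on this slide, applied to real Set-Cookie headers. This is an added example, not code from the presentation; the host names and header values are constructed, and "registrable domain" is approximated by the last two DNS labels.

```python
from http.cookies import SimpleCookie

def registrable_domain(host: str) -> str:
    """Crude site identity: the last two DNS labels (a demo assumption,
    not a public-suffix lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_cookie(set_cookie: str, response_host: str, page_host: str) -> dict:
    """Classify one Set-Cookie header value by duration and by source.

    response_host: the server that sent the Set-Cookie header.
    page_host:     the site shown in the browser's address bar.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, morsel), = jar.items()
    # No Expires and no Max-Age -> the cookie lives only for the browser session.
    persistent = bool(morsel["expires"] or morsel["max-age"])
    # Set by the site being visited -> first-party; by any other site -> third-party.
    same_site = registrable_domain(response_host) == registrable_domain(page_host)
    return {
        "name": name,
        "duration": "persistent" if persistent else "session",
        "source": "first-party" if same_site else "third-party",
        # Flags a practitioner checks on session cookies that carry cart/payment state.
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
    }

# Constructed sample headers as a page on shop.example.com would receive them:
# one from the shop itself, one from an embedded advertising server.
SAMPLES = [
    ("cart=42; Path=/; HttpOnly; Secure", "shop.example.com"),
    ("uid=x9; Max-Age=31536000; Domain=.ads.example.net", "ads.example.net"),
]

def classify_samples(page_host: str = "shop.example.com") -> list:
    return [classify_cookie(header, host, page_host) for header, host in SAMPLES]

if __name__ == "__main__":
    for entry in classify_samples():
        print(entry)
```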

Security for Client Computers Active Content: Programs that run on the client computer.  Extends functionality of HTML  E.g. shopping carts that compute amounts, taxes, shipping, etc…  Best known forms: cookies, Java applets, JavaScript, VBScript, and ActiveX controls.  Trojan Horse  Zombies

Java Applets  Java is a programming language developed by Sun Microsystems that is used widely in web pages to provide active content.  Java adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer. Security for Client Computers

Security for Client Computers JavaScript: A programming language developed by Netscape to enable Web page designers to build active content.  Can be used for attacks.  Can also record URLs of Web pages.  JavaScript programs do not execute on their own.

ActiveX Controls: An object that contains programs and properties that Web designers place on Web pages to perform particular tasks.  Run only on computers with Windows  Security risk  ActiveX actions cannot be halted once they are executed.

Example of ActiveX Warning:

Security for Client Computers Viruses, Worms, and Antivirus Software  Virus: Software that attaches itself to another program and can cause damage when the host program is activated.  Worm: A type of virus that replicates itself on the computers that it infects.  E-mail attachments are common carriers.

Security for Client Computers Antivirus Software: Detects viruses and worms and either deletes them or isolates them on the client computer so they cannot run. Antivirus software is only effective if it is kept current.  Symantec  McAfee

Security for Client Computers Digital Certificates: An attachment to an e-mail message or a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be. - Signed code

Security for Client Computers Digital Certificates - Do not attest to the quality of the software. - Are simply an assurance that the software was created by a specific company. - Are not easily forged.

Security for Client Computers Digital certificates include six elements: the certificate owner's identifying information; the certificate owner's public key; the dates between which the certificate is valid; the serial number of the certificate; the name of the certificate issuer; and the digital signature of the certificate issuer.

Security for Client Computers Steganography: Describes the process of hiding information within another piece of information. Physical Security for Clients  Fingerprint readers  Biometric security devices

Communication Channel Security

Secrecy Threats Secrecy is the prevention of unauthorized information disclosure. Privacy is the protection of individual rights to nondisclosure. The Privacy Council created an extensive Web site surrounding privacy.

Anonymizer

Integrity Threats Also called active wiretapping. Cybervandalism Masquerading or spoofing Necessity Threats Denial of Service (DoS) attack

Threats to the Physical Security of Internet Communications Channels The Internet was designed from inception to withstand attacks on its physical links. However, an individual user’s Internet service can be interrupted by destruction of that user’s link. Few individuals have multiple connections to an ISP. Larger companies often have two or more links to the main backbone of the Internet.

Threats to Wireless Networks If not protected properly anyone within range can access any of the resources on the wireless network. Default SSID, username and password WEP WPA

Encryption Solutions Encryption Algorithms Hash Coding Asymmetric Encryption Symmetric Encryption (aka Private Key Encryption)

Secure Sockets Layer (SSL) Protocol Provides a security “handshake”. Encrypts Web traffic for sensitive information such as username/password, credit card information and other personal data. Session key

Secure Sockets Layer (SSL) Protocol

Secure HTTP (S-HTTP) Extension to HTTP that provides security features such as: Client and server authentication Spontaneous encryption Request/response nonrepudiation Developed by CommerceNet Symmetric encryption and public key encryption Differs from SSL in how it establishes a secure session

Ensuring Transaction Integrity with Hash Functions Integrity violation One-way functions Message digest

Ensuring Transaction Integrity with Digital Signatures Provides positive identification of the sender and assures the merchant that the message was not altered. Not the same as digital signatures used to sign documents electronically.
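The two slides above in working form: a message digest catches an altered order, and the reason a bare digest is not enough once an active wiretapper can recompute it. This is an added example, not from the presentation; a keyed digest (HMAC) stands in for the public-key digital signature the slide describes, since the standard library has no RSA, and the order, the alteration and the key are constructed.

```python
import hashlib
import hmac

def message_digest(message: bytes) -> str:
    """One-way function: cheap to compute, infeasible to invert or collide."""
    return hashlib.sha256(message).hexdigest()

def digest_matches(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(message_digest(message), digest)

def sign(message: bytes, key: bytes) -> str:
    """Keyed digest: only a holder of the key can produce a valid tag.
    (Stands in for a digital signature, where the signer's private key does this.)"""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify(message: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(message, key), tag)

# Constructed sample transaction and a copy altered in transit (active wiretapping).
ORDER = b"order=1001;item=laptop;qty=1;ship_to=Customer;total=899.00"
TAMPERED = ORDER.replace(b"qty=1", b"qty=5")
KEY = b"demo-shared-key-assumed"   # placeholder for the merchant's verification key

def scenario_plain_digest() -> tuple:
    """Digest sent next to the message. Returns (detected_when_digest_untouched,
    accepted_when_attacker_recomputes_digest)."""
    original_digest = message_digest(ORDER)
    altered_only = digest_matches(TAMPERED, original_digest)            # mismatch
    altered_recomputed = digest_matches(TAMPERED, message_digest(TAMPERED))  # passes
    return altered_only, altered_recomputed

def scenario_keyed() -> tuple:
    """With a key the wiretapper lacks, recomputing the tag does not help.
    Returns (genuine_accepted, altered_rejected, forged_tag_rejected)."""
    tag = sign(ORDER, KEY)
    forged_tag = sign(TAMPERED, b"attacker-guess")   # wrong key
    return verify(ORDER, tag, KEY), verify(TAMPERED, tag, KEY), verify(TAMPERED, forged_tag, KEY)

if __name__ == "__main__":
    print("plain digest:", scenario_plain_digest())   # (False, True)
    print("keyed digest:", scenario_keyed())          # (True, False, False)
```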

Guaranteeing Transaction Delivery Transmission Control Protocol is responsible for end-to-end control of packets. TCP ensures that packets aren’t missing. No special protocols or software required.

Security For Server Computers

Web Server Threats Automatic directory listings Requiring username and password multiple name Username and Password file Weak passwords  Dictionary attack programs

Database Threats Storage of username/password in unencrypted format Trojan horse programs

Other Programming Threats Buffer overrun or buffer overflow Mail bomb

Threats to the Physical Security of Web Servers Use a secure offsite provider Maintain backup servers and backups of web server Level 3, PSINet, and Verio Security Services

Access Control and Authentication Controls who has access to the web server Uses certificates, username and password Access Control List

Firewalls Provide a defense between a network and the Internet or between a network and any other network that could pose a threat.  All traffic from inside to outside and from outside to inside the network must pass through it.  Only authorized traffic, as defined by the local security policy, is allowed to pass through it.  The firewall itself is immune to penetration.

Types of Firewalls Packet filter Gateway server Proxy server

Firewall Issues Perimeter expansion Intrusion detection systems

Organizations That Promote Computer Security CERT Microsoft Security Research SANS Institute BugTraq CSO Online

US Government Agencies US Department of Justice’s Cybercrime US Department of Homeland Security’s National Infrastructure Protection Center

Computer Forensics and Ethical Hacking Some corporations hire ethical hackers to do penetration tests. Ethical hacking is used to locate data that can be used in legal proceedings. Computer forensics is used to collect, preserve and analyze computer-related evidence.