Electronic Commerce Security - PowerPoint PPT Presentation

Provided by: kennethc6

1
Electronic Commerce Security
  • Presented by
  • Chris Brawley
  • Chris Avery

2
Online Security Issues
  • Email: people worry about interception of
    private messages.
  • Web shopping: concerns about revealing credit
    card numbers are still prevalent.
  • Doubts remain about companies' willingness to keep
    private information secure.

3
Online Security Issues
  • Computer security: the protection of assets from
    unauthorized access, use, alteration, or
    destruction.
    - Physical security
    - Logical security
    - Threat

4
Online Security Issues
  • Managing Risk
  • Counter measures
  • Eavesdropper
  • Hackers

5
Online Security Issues
  • Computer Security Classifications
  • Secrecy refers to protecting against
    unauthorized data disclosure and assuring
    authenticity of data sources.
  • Integrity refers to preventing unauthorized
    data modification.
  • Necessity refers to preventing data delays or
    denials.

6
Online Security Issues
  • Security Policy and Integrated Security
  • Security policy: a written statement describing
    which assets to protect and why they are being
    protected, who is responsible for protection, and
    which behaviors are acceptable and which are not.

7
Online Security Issues
  • Creating a security policy
    - Step 1: Determine which assets to protect.
    - Step 2: Determine who should have access.
    - Step 3: Determine what resources are available
      to protect the assets.
    - Step 4: Commit resources to building the software,
      hardware, and physical barriers that implement
      the security policy.

8
(No Transcript)
9
Security for Client Computers
  • Cookies: small text files that Web servers place
    on Web client computers to identify returning
    visitors.
  • Helps to maintain open sessions.
  • Shopping cart and payment processing both need
    open sessions to work properly.

10
Security for Client Computers
  • Two ways of classifying cookies
    - By time duration: session cookies and
      persistent cookies
    - By source: first-party cookies and
      third-party cookies

11
Security for Client Computers
  • Active content: programs that run on the client
    computer.
  • Extends the functionality of HTML.
  • E.g. shopping carts that compute amounts, taxes,
    shipping, etc.
  • Best-known forms: cookies, Java applets,
    JavaScript, VBScript, and ActiveX controls.
  • Trojan horses
  • Zombies

12
Security for Client Computers
  • Java Applets
  • Java is a programming language developed by Sun
    Microsystems that is used widely in web pages to
    provide active content.
  • Java adds functionality to business applications
    and can handle transactions and a wide variety of
    actions on the client computer.

13
(No Transcript)
14
Security for Client Computers
  • JavaScript: a programming language developed by
    Netscape to enable Web page designers to build
    active content.
  • Can be used for attacks.
  • Can also record the URLs of Web pages.
  • They do not execute on their own.

15
Security for Client Computers
  • ActiveX controls: an object that contains
    programs and properties that Web designers place
    on Web pages to perform particular tasks.
  • Run only on Windows computers.
  • Security risk: ActiveX actions cannot be halted
    once they are executed.

16
Example of ActiveX Warning
17
Security for Client Computers
  • Viruses, Worms, and Antivirus Software
  • Virus: software that attaches itself to another
    program and can cause damage when the host
    program is activated.
  • Worm: a type of virus that replicates itself on
    the computers that it infects.
  • Email attachments are common carriers.

18
Security for Client Computers
  • Antivirus software detects viruses and worms
    and either deletes them or isolates them on the
    client computer so they cannot run.
  • Only effective if the software is kept current.
  • Examples: Symantec, McAfee

19
Security for Client Computers
  • Digital certificates: an attachment to an e-mail
    message or a program embedded in a Web page that
    verifies that the sender or Web site is who or
    what it claims to be.
    - Signed code

20
Security for Client Computers
  • Digital certificates
    - Do not attest to the quality of the software.
    - Simply an assurance that the software was
      created by a specific company.
    - Digital certificates are not easily forged.

21
Security for Client Computers
  • Digital Certificates include six elements
  • Certificate owner's ID
  • Certificate owner's public key
  • Dates between which the certificate is valid
  • Serial number of the certificate
  • Name of the certificate issuer
  • Digital signature of the certificate issuer

22
(No Transcript)
23
Security for Client Computers
  • Steganography describes the process of hiding
    information within another piece of information.
  • Physical security for clients
    - Fingerprint readers
    - Biometric security devices

24
Communication Channel Security
25
Secrecy Threats
  • Secrecy is the prevention of unauthorized
    information disclosure.
  • Privacy is the protection of individual rights to
    nondisclosure.
  • The Privacy Council created an extensive Web site
    surrounding privacy.

26
Anonymizer
27
Integrity Threats
  • Also called active wiretapping.
  • Cybervandalism
  • Masquerading or spoofing

Necessity Threats
  • Denial of Service (DoS) attack

28
Threats to the Physical Security of Internet
Communications Channels
  • The Internet was designed from inception to
    withstand attacks on its physical links.
  • However, an individual user's Internet service
    can be interrupted by destruction of that user's
    link.
  • Few individuals have multiple connections to an
    ISP. Larger companies often have two or more
    links to the main backbone of the Internet.

29
Threats to Wireless Networks
  • If not protected properly, anyone within range can
    access any of the resources on the wireless
    network.
  • Default SSID, username and password
  • WEP
  • WPA

30
Encryption Solutions
  • Encryption Algorithms
  • Hash Coding
  • Asymmetric Encryption
  • Symmetric Encryption (aka Private Key Encryption)

31
Secure Sockets Layer (SSL) Protocol
  • Provides a security handshake.
  • Encrypts web traffic for sensitive information such
    as username/password, credit card information and
    other personal data.
  • Session key

32
Secure Sockets Layer (SSL) Protocol
33
(No Transcript)
34
Secure HTTP (S-HTTP)
  • Extension to HTTP that provides security features
    such as:
    - Client and server authentication
    - Spontaneous encryption
    - Request/response nonrepudiation
  • Developed by CommerceNet
  • Symmetric encryption and public key encryption
  • Differs from SSL in how it establishes a secure
    session

35
Ensuring Transaction Integrity with Hash Functions
  • Integrity violation
  • One-way functions
  • Message digest

36
Ensuring Transaction Integrity with Digital
Signatures
  • Provides positive identification of the sender
    and assures the merchant that the message was not
    altered.
  • Not the same as digital signatures used to sign
    documents electronically.
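How a signature over a message digest lets the merchant detect alteration, as an added example that is not part of the presentation: textbook RSA over a SHA-256 digest, with a key constructed from two Mersenne primes (2^127-1 and 2^521-1) so the code runs on the Python standard library alone. Real deployments generate random primes of equal size and apply a padding scheme such as RSA-PSS; the order line is constructed sample input.

```python
import hashlib

# Constructed toy key: two Mersenne primes, chosen only so the example is
# self-contained. A real key uses random primes and padding (e.g. RSA-PSS).
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q                          # > 2^256, so a SHA-256 digest fits below N
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def message_digest(message: bytes) -> int:
    """One-way function: SHA-256 of the message, read as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: signs the digest with the private exponent."""
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Merchant: recovers the signed digest with the public exponent and
    compares it with a fresh digest of the message actually received."""
    return pow(signature, e, n) == message_digest(message)


# Constructed sample order and a copy altered in transit
ORDER = b"order=1001;item=widget;qty=2;total=39.98"
SIGNATURE = sign(ORDER)
TAMPERED = ORDER.replace(b"total=39.98", b"total=3.99")


def demo() -> tuple:
    """(original verifies, tampered verifies) -> (True, False)."""
    return verify(ORDER, SIGNATURE), verify(TAMPERED, SIGNATURE)


if __name__ == "__main__":
    original_ok, tampered_ok = demo()
    print("original order verifies:", original_ok)
    print("altered order verifies:", tampered_ok)
```

The signature gives sender identification and integrity only; the order itself is still readable in transit, which is why secrecy is left to SSL.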

37
(No Transcript)
38
Guaranteeing Transaction Delivery
  • Transmission Control Protocol is responsible for
    end-to-end control of packets.
  • TCP ensures that packets aren't missing.
  • No special protocols or software required.

39
Security For Server Computers
40
Web Server Threats
  • Automatic directory listings
  • Requiring username and password multiple name
  • Username and Password file
  • Weak passwords
  • Dictionary attack programs

41
Database Threats
  • Storage of username/password in unencrypted
    format
  • Trojan horse programs
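The first database threat above, plaintext credential storage, beside the hardened form, as an added example that is not from the presentation: PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time comparison, using only the Python standard library. The user names, passwords and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; assumed value, tune to your hardware
SALT_BYTES = 16


def store_plaintext(table: dict, username: str, password: str) -> None:
    """The weak practice the slide names: the password itself is the stored record."""
    table[username] = password


def store_hashed(table: dict, username: str, password: str) -> None:
    """Hardened: random per-user salt plus a slow one-way hash, so a copied
    table yields digests that must be brute-forced one user at a time."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    table[username] = (salt, digest)


def check_hashed(table: dict, username: str, password: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    record = table.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal valid names
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * SALT_BYTES, ITERATIONS)
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Contrast what a stolen table exposes under each scheme (constructed users)."""
    weak, hardened = {}, {}
    store_plaintext(weak, "alice", "correct horse")
    store_hashed(hardened, "alice", "correct horse")
    store_hashed(hardened, "bob", "correct horse")   # same password as alice
    return {
        "plaintext_leaks_password": weak["alice"] == "correct horse",
        "hashed_record_differs_from_password": hardened["alice"][1] != b"correct horse",
        "same_password_different_digests": hardened["alice"][1] != hardened["bob"][1],
        "correct_login": check_hashed(hardened, "alice", "correct horse"),
        "wrong_password": check_hashed(hardened, "alice", "correct-horse"),
        "unknown_user": check_hashed(hardened, "nobody", "correct horse"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```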

42
Other Programming Threats
  • Buffer overrun or buffer overflow
  • Mail bomb

43
Threats to the Physical Security of Web Servers
  • Use a secure offsite provider
  • Maintain backup servers and backups of web server
  • Level 3, PSINet, and Verio Security Services

44
Access Control and Authentication
  • Controls who has access to the web server
  • Uses certificates, username and password
  • Access Control List

45
(No Transcript)
46
Firewalls
  • Provides a defense between a network and the
    Internet or between a network and any other
    network that could pose a threat.
  • All traffic from inside to outside and from
    outside to inside the network must pass through
    it.
  • Only authorized traffic, as defined by the local
    security policy, is allowed to pass through it.
  • The firewall itself is immune to penetration.

47
Types of Firewalls
  • Packet filter
  • Gateway server
  • Proxy server

48
Firewall Issues
  • Perimeter expansion
  • Intrusion detection systems

49
Organizations That Promote Computer Security
  • CERT
  • Microsoft Security Research
  • SANS Institute
  • BugTraq
  • CSO Online

50
US Government Agencies
  • US Department of Justice's Cybercrime
  • US Department of Homeland Security's National
    Infrastructure Protection Center

51
Computer Forensics and Ethical Hacking
  • Some corporations hire ethical hackers to do
    penetration tests.
  • Ethical hacking is used to locate data that can
    be used in legal proceedings.
  • Computer forensics is used to collect, preserve,
    and analyze computer-related evidence.