Security Introduction

1
Security - Introduction

• Systems security has always been a IT management
  issue - it is a massive subject
• Security issues have been amplified by the
  E-Commerce revolution and bad publicity
• A security policy is required - this can invoke
  trust amongst customers visiting your site
• There are a variety of techniques to form a
  security policy
• There is also a trade off between cost () of
  implementing and amount of security

2
Issues with Security

• Networking Technology Security
• firewalls, Virtual Private Networkss(VPNs) and
  Security policies
• Aim to protect internet servers from hackers
• Internet access in a secure manner
• Intrusion detection - catching the hacker -
  honeytraps policy adopted by Microsoft to lure
  hackers
• Tracking threats - throughput and traffic analysis

3
Security issues

• Cyber crime - recent reports of cyber crime
• Fraud - see notes section of slide and notice
  board
• Security User groups - alt.2600
• Chaos clubs /Hackers - Depends on what is worth
  stealing/graffiti/Vandalism factor
• careless email/email bombs/spam(random) email
  can be excessive enough to stop servers handling
  normal traffic solution use automated tracing
  and blocking software but can be hard to block if
  slightly different sender and subject line
• Denial of service attack affected Yahoo! a year
  ago

4
Is E-Commerce held back?

• Recent media articles and research indicate that
  security is the biggest fear amongst consumers -
  fear of giving personal/credit card details over
  the internet
• Two problems have always existed in trade of any
  sort
• 1. Authentication of the shopper and vendor
• 2. Security issues from the release of credit
  card etc details
• But these issues have been amplified by the
  openess of the internet

5
How genuine is the site?

• When Buying via E-Commerce-
• If you can - check the business address of the
  company - is it a genuine address?
• Is the company known or reputable?
• Look at the terms and conditions for the site
• Where do you go when what you have purchased goes
  wrong?

6
Solutions - Evidence of security

• How can you tell if a site is secure or to be
  trusted?
• Look for the padlock in the bottom right hand
  corner or the url shows https// this means the
  pages you are using are located on a secured
  server (Secure Sockets Layer(SSL))
• Some other notice of trust e.g. BT Trustwise on
  MFIs site - these are good and popular
• Which? trader kitemark
• Comet - site visibly shows IMRG trust mark
• Thorntons - site uses SSL

7
Threats - types

• Packet sniffers - Nature of Internet
  information divided into packets, carried over
  different routes and assembled again - solution
  encryption
• Cross-site scripts(CSS) - attackers introducing
  web scripting code (JavaScript etc) into web
  pages held on public servers. When downloaded to
  a user the script is executed in their web
  browser and can breach security - more slides
  follow after next
• Poison cookies see next slide

8
Poison cookies

• Protocols used to transmit web information across
  the information are connectionless - they have no
  memory of what they did before
• E-Business demands that it is useful to remember
  what was done before e.g. delivery details
• Solution - employ cookies - entries in a text
  file held on the users computer - server writes
  details about site visit to file - raises issue
  of privacy but also malicious code !

9
CSS

• Cross-Site Scripting
• Security flaw reported on 10/2/2000 by Computer
  Emergency Response Team(CERT)
• Flaw in any web site that dynamically generates
  web pages such as search results may have rogue
  HTML scripts embedded in those pages
• pages will be executed by the browser of a
  visiting customer as if they are part of the site

10
CSS

• Cross-Site scripting
• if the malicious scripts are executed before a
  user begins a transaction encrypted using SSL the
  hacker will be able to read the information such
  as credit card numbers

11
Spyware

• Snooping see www.grc.com/optout.htm
• Snoopware are programs installed secretly on your
  computer by a friend, family or work colleague
• Records every keystroke you make whether you are
  sending an email or writing a word document
• Read more about it and solutions at
  www.spydetect.com/news.html

12
CSS - solutions

• Solve by manually checking scripts - some
  software checking tools will not find this flaw
• Site admin - install a code filter on pages where
  user input is processed so as to stop web hackers
  adding rogue scripts
• Surfer - disable scripting languages in their
  browsers which usually run scripts by default
• see Cert web site links for advice on secure
  coding practices in practical

13
Other Solutions

• Encryption
• Encryption has become a selling factor - e.g.
  Net.Commerce from IBM was used for encrypting
  credit card details for the following site
• Passwords - change regularly
• Employ Firewalls for server and client end this
  end sometimes overlooked
• ZoneAlarm available for free at www.zonelabs.com
• Norton firewall
• Magic folders shareware available from
  www.pc-magic.com

14
Types of Solutions

• RSA since 1976 - many companies use this crypto
  system based on a different key for encryption
  and decryption
• Public Key Infrastructure(PKI) - Digital
  signature technology - public key made available,
  private key to decrypt - who holds the private
  keys? See legislation session in a few weeks time
• PGP(Pretty Good Privacy) been around for a long
  time free download available for Windows
  machines at www.pgp.com/products/freeware/default.
  asp

15
PKI

• For latest solutions in the market see Secure
  Computing Feb 2000 PKI
• Link in practical
• BALTIMORE BOSS CALLS FOR 'HANDS OFF' SECURITY
  POLICY Public Key Infrastructure (PKI) has become
  an accepted Internet standard, but the UK
  government must provide a strong legislative
  framework for information security, without being
  seen to interfere with commerce...
  http//www.silicon.com/a36908

16
Security standards?

• DES (56-bit key)
• AES (128-bit key) was restricted by US
  Government
• Secure Electronic Transaction(SET) - may be
  adopted by credit card companies
  soon(Visa/Mastercard)
• Secure Sockets Layer(SSL) - uses public key
  encryption(PKI) -originally created by Netscape
  but has now been published in the public domain
• SSH - secure internet login - encrypts login
  name and password

17
Standards - SSL

• encrypts the conversation between the browser and
  the server rendering packets captured en route
  difficult to decrypt
• Once the transaction is completed merchants have
  possession of the buyers credit card number and
  should store it in a secure place!
• SSL is now being combined with digital
  certificates - this authenticates server

18
Standards - SET

• SET combines SSL, STT(see notes pages) and
  S-HTTP(see notes pages) - thought to be safer?
• identity of buyer and seller are tied together
  using encryption thus making repudiation easier
  to track
• Merchants never see the credit card number as SET
  encodes the credit card numbers on the merchants
  servers - can only be read by banks or credit
  card companies

19
Standards - SET

• It seems SET may be adopted as an industry
  standard as some of the credit card companies
  (Visa and Mastercard)have made sure their
  structure is fully compliant with the standard
  see links on last slide
• The Secure Electronic Transaction Council(SETco)
  authorise the use of the SET trademark. In the
  past they have authorised GlobeSet, Spyrus/Terisa
  Systems, Trintech and Verifone - have a look at
  the the SETco site for latest news
• SETco authorise both client and server software

20
SET and the credit card companies

• Visa and SET
• 1 article
• 2 article

21
Solutions

• Secure web servers
• By its very nature a web server has to be open
  and of course has to be protected
• Certification authorities who can verify web
  server is secure
• Verisign(USA)
• Entrust(USA)
• Thawte(South Africa)
• Microsoft

22
Solutions

• Browser security
• Netscape or MS Explorer have a range of options
  which cover security
• Cookies - can tell service providers some info
  about what is being used - if cache is enabled
  then this may not possible
• CGI scripting - making sure scripts cannot remove
  directories etc also investigating
• Email security

23
Security

• www.fortify.net - can upgrade browser to use
  128bit encryption - can do this also with
  Netscape now

24
Other related info

• Internet2 is forecast to improve security
• Data Protection Act and privacy issues see
  legislation part of the module