Chapter 10: Electronic Commerce Security - PowerPoint PPT Presentation

1
Chapter 10: Electronic Commerce Security
  • Electronic Commerce, Sixth Edition

2
Managing Risk
  • Countermeasure
    • General name for a procedure that recognizes,
      reduces, or eliminates a threat
  • Eavesdropper
    • Person or device that can listen in on and copy
      Internet transmissions
  • Crackers or hackers
    • Write programs or manipulate technologies to
      obtain unauthorized access to computers and
      networks

3
Risk Management Model
4
Computer Security Classifications
  • Secrecy
    • Protecting against unauthorized data disclosure
      and ensuring the authenticity of a data source
  • Integrity
    • Refers to preventing unauthorized data
      modification
  • Necessity
    • Refers to preventing data delays or denials
      (removal)

5
Security Policy and Integrated Security
  • A written statement describing
    • Which assets to protect and why they are being
      protected
    • Who is responsible for that protection
    • Which behaviors are acceptable and which are not
  • First step in creating a security policy
    • Determine which assets to protect from which
      threats

6
Requirements for Secure Electronic Commerce
7
Security for Client Computers
  • Stateless connection
    • Each transmission of information is independent
  • Session cookies
    • Exist until the Web client ends the connection
  • Persistent cookies
    • Remain on a client computer indefinitely

8
Information Stored in a Cookie on a Client Computer
10
Active Content
  • Programs embedded transparently in Web pages that
    cause an action to occur
  • Scripting languages
    • Provide scripts, or commands, that are executed
  • Applet
    • Small application program

11
Dialog Box Asking for Permission to Open a Java Applet
12
Active Content (continued)
  • Trojan horse
    • Program hidden inside another program or Web page
      that masks its true purpose
  • Zombie
    • Program that secretly takes over another computer
      to launch attacks on other computers
    • Attacks can be very difficult to trace to their
      creators

13
Java Applets
  • Java
    • Programming language developed by Sun
      Microsystems
  • Java sandbox
    • Confines Java applet actions to a set of rules
      defined by the security model
  • Untrusted Java applets
    • Applets not established as secure

14
JavaScript
  • Scripting language developed by Netscape to
    enable Web page designers to build active content
  • Can be used for attacks by
    • Executing code that destroys a client's hard disk
    • Disclosing e-mail stored in client mailboxes
    • Sending sensitive information to an attacker's Web
      server

15
ActiveX Controls
  • Object containing programs and properties that
    Web designers place on Web pages
  • Common programming languages used
    • C and Visual Basic
  • Actions cannot be halted once they begin
    execution

16
Viruses, Worms, and Antivirus Software
  • Virus
    • Software that attaches itself to another program
    • Can cause damage when the host program is
      activated
  • Macro virus
    • Type of virus coded as a small program (macro)
      and embedded in a file
  • Antivirus software
    • Detects viruses and worms

17
Digital Certificates
  • A program embedded in a Web page that verifies
    that the sender or Web site is who or what it
    claims to be
  • Signed code or messages
    • Provide proof that the holder is the person
      identified by the certificate
  • Certification authority (CA)
    • Issues digital certificates

18
Digital Certificates (continued)
  • Main elements
    • Certificate owner's identifying information
    • Certificate owner's public key
    • Dates between which the certificate is valid
    • Serial number of the certificate
    • Name of the certificate issuer
    • Digital signature of the certificate issuer

19
Steganography
  • Describes the process of hiding information
    within another piece of information
  • Provides a way of hiding an encrypted file within
    another file
  • Messages hidden using steganography are difficult
    to detect

20
Communication Channel Security
  • Secrecy
    • Prevention of unauthorized information disclosure
    • Privacy is the protection of individual rights to
      nondisclosure
  • Sniffer programs
    • Provide the means to record information passing
      through a computer or router that is handling
      Internet traffic

21
Integrity Threats
  • Exist when an unauthorized party can alter a
    message stream of information
  • Cybervandalism
    • Electronic defacing of an existing Web site's
      page
  • Masquerading or spoofing
    • Pretending to be someone you are not
  • Domain name servers (DNSs)
    • Computers on the Internet that maintain
      directories that link domain names to IP addresses

22
Necessity Threats
  • Purpose is to disrupt or deny normal computer
    processing
  • DoS attacks
    • Remove information altogether
    • Delete information from a transmission or file

23
Threats to Wireless Networks
  • Wardrivers
    • Attackers drive around using their
      wireless-equipped laptop computers to search for
      accessible networks
  • Warchalking
    • When wardrivers find an open network they
      sometimes place a chalk mark on the building

24
Encryption Algorithms
  • Logic behind encryption programs
  • Encryption program
    • Program that transforms normal text into cipher
      text
  • Hash coding
    • Process that uses a hash algorithm to calculate a
      number from a message of any length

25
Symmetric Encryption
  • Encodes message with one of several available
    algorithms that use a single numeric key
  • Data Encryption Standard (DES)
    • Set of encryption algorithms adopted by the U.S.
      government for encrypting sensitive information
  • Triple Data Encryption Standard
    • Offers good protection
    • Cannot be cracked even with today's supercomputers

26
Asymmetric Encryption
  • Encodes messages by using two mathematically
    related numeric keys
  • Public key
    • Freely distributed to the public at large
  • Private key
    • Belongs to the key owner, who keeps the key secret

27
Comparing Asymmetric and Symmetric Encryption Systems
  • Public-key (asymmetric) systems
    • Provide several advantages over private-key
      (symmetric) encryption methods
  • Secure Sockets Layer (SSL)
    • Provides secure information transfer through the
      Internet
  • SSL
    • Secures connections between two computers
  • S-HTTP
    • Sends individual messages securely

28
Encryption Methods
29
Ensuring Transaction Integrity with Hash Functions
  • Integrity violation
    • Occurs whenever a message is altered while in
      transit between the sender and receiver
  • Hash algorithms are one-way functions
    • There is no way to transform the hash value back
      to the original message
  • Message digest
    • Small integer number that summarizes the
      encrypted information

30
Ensuring Transaction Integrity with Digital Signatures
  • Hash algorithm
    • Anyone could
      • Intercept a purchase order
      • Alter the shipping address and quantity ordered
      • Re-create the message digest
      • Send the message and new message digest on to the
        merchant
  • Digital signature
    • An encrypted message digest
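
The weakness on slide 30 and what a signature adds, as an added example that is not part of the original slides: a plain message digest can be recomputed by whoever altered the order, while a keyed digest cannot. A keyed HMAC stands in here for the public-key signature the slide calls an encrypted message digest; the purchase order, key and altered values are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample purchase order (not from the slides).
PURCHASE_ORDER = {"item": "fleece jacket", "qty": 1, "ship_to": "12 Main St, Freeport, ME"}
# Constructed key shared by buyer and merchant; stands in for a signing key.
BUYER_KEY = b"buyer-demo-key-0001"

def canonical(order: dict) -> bytes:
    """Serialize deterministically so both sides hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()

def message_digest(order: dict) -> str:
    """Slide 29: one-way hash (SHA-256) of the order; no secret involved."""
    return hashlib.sha256(canonical(order)).hexdigest()

def signed_digest(order: dict, key: bytes) -> str:
    """Stand-in for slide 30's encrypted message digest: a keyed HMAC over
    the same bytes. Without the key nobody can produce an accepted digest."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()

def altered_in_transit(order: dict) -> dict:
    """The integrity violation on slide 30: address and quantity changed
    between buyer and merchant (constructed values)."""
    altered = dict(order)
    altered["qty"] = 50
    altered["ship_to"] = "99 Other Rd, Elsewhere"
    return altered

def merchant_accepts_plain_hash(order: dict, digest: str) -> bool:
    """Merchant re-hashes what arrived and compares (slide 29 scheme)."""
    return hmac.compare_digest(message_digest(order), digest)

def merchant_accepts_signed(order: dict, tag: str, key: bytes) -> bool:
    """Merchant recomputes the keyed digest; constant-time comparison."""
    return hmac.compare_digest(signed_digest(order, key), tag)

def demo() -> dict:
    """Which scheme lets the tampered order through?"""
    tampered = altered_in_transit(PURCHASE_ORDER)
    # Plain hash: the interceptor simply recomputes the digest for the new text.
    plain = merchant_accepts_plain_hash(tampered, message_digest(tampered))
    # Keyed digest: the interceptor can only forward the old tag or guess a key.
    old_tag = signed_digest(PURCHASE_ORDER, BUYER_KEY)
    forwarded = merchant_accepts_signed(tampered, old_tag, BUYER_KEY)
    guessed = merchant_accepts_signed(tampered, signed_digest(tampered, b"guess"), BUYER_KEY)
    return {"plain_hash_accepts_tampered": plain,
            "signed_accepts_forwarded_tag": forwarded,
            "signed_accepts_guessed_key": guessed}
```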

31
Sending and Receiving a Digitally Signed Message
32
Security for Server Computers
  • Web server
    • Can compromise secrecy if it allows automatic
      directory listings
    • Can compromise security by requiring users to
      enter a username and password
  • Dictionary attack programs
    • Cycle through an electronic dictionary, trying
      every word in the book as a password

33
Firewalls
  • Software or hardware and software combination
    installed on a network to control packet traffic
  • Provides a defense between the network to be
    protected and the Internet, or other network that
    could pose a threat

34
Organizations that Promote Computer Security
  • CERT
    • Responds to thousands of security incidents each
      year
    • Helps Internet users and companies become more
      knowledgeable about security risks
    • Posts alerts to inform the Internet community
      about security events

37
Other Organizations
  • SANS Institute
    • A cooperative research and educational
      organization
  • SANS Internet Storm Center
    • Web site that provides current information on the
      location and intensity of computer attacks
  • Microsoft Security Research Group
    • Privately sponsored site that offers free
      information about computer security issues

39
Computer Forensics and Ethical Hacking
  • Computer forensics experts
    • Hired to probe PCs and locate information that
      can be used in legal proceedings
  • Computer forensics
    • The collection, preservation, and analysis of
      computer-related evidence

40
Security Landscape
  • Firewalls and VPN
    • NetScreen
  • Anti-Virus
    • Trend Micro
    • Sophos
  • URL Filtering
    • WebSense
    • Trend Web Manager
  • e-Mail Content Policy Management
    • CONQWEST - e-Minder
  • Intrusion Detection and Blocking
    • Network ICE - ICE Pak
  • Security Audits
  • Intrusion Services
  • Network Architectures
  • Policy Development
  • Installation Services

41
Industry Facts
  • 55% of workers exchange potentially offensive
    messages at least once a month (PC Week)
  • 30-40% of workplace Internet surfing is not
    business related (IDC)
  • In a survey of 13,000 e-mail users, 90% said they
    received spam at least once a week (Gartner
    Group)
  • In a survey of 800 workers, 21-31% admitted to
    sending confidential information to recipients
    outside the company via e-mail (PC Week)

42
Real Companies, Real Problems
  • The New York Times fired more than 20 employees
    for sending inappropriate and offensive e-mail.
  • July 28, 2000 the Associated Press reported that
    Dow Chemical will fire 50 workers and discipline
    more than 200 more for sending pornography and
    violent images through company e-mail.
  • August 22, 2000, Computerworld reported that Dow
    Chemical will fire as many as 40 employees for
    new violations of the company's Internet policy.
  • September 4, 2000, The Seattle Post Intelligencer
    reported that 3 high school teachers have been
    suspended without pay for sending explicit
    pictures over the school's e-mail system.

43
Issues - Security
  • A single virus can cost a company millions of dollars
    in lost information and downtime
  • Critical intellectual property stolen by
    external or internal resources
  • Internet and external hacking can ruin a company

44
The Lock Symbol: What It Means
  • The protocol the browser and server will use to
    communicate all data is SSL (Secure Sockets
    Layer).
  • All data transmitted in either direction will be
    encrypted so as to prevent any nefarious
    eavesdropper.
  • Your browser recognizes the authority of and has
    the public key of the certificate authority that
    issued and signed the server's certificate.
  • The web domain of the server has been registered
    with the certificate authority and is indeed a
    legitimately registered web domain.

45
https://www.llbean.com/cgi-bin/ncommerce3/OrderItemDisplay
  • User's browser accesses a secure site, one that
    begins with https instead of http →
  • Browser sends the server its SSL version number
    and cipher settings →
  • Server responds with the site's SSL certificate
    along with the server's SSL version number and
    cipher settings →
  • Browser examines the server's certificate and
    verifies
    • Certificate is valid and has a valid date
    • CA that signed the certificate is a trusted CA
      built into the browser
    • Issuing CA's public key built into the browser
      validates the issuer's digital signature
    • Domain name in certificate matches the domain
      name the browser is currently visiting

The Lock Symbol: How It Works
  • Browser generates a unique session key to encrypt
    all communications
  • Browser encrypts the session key with the site's
    public key and sends it to the server →
  • Server decrypts the session key using its own
    private key
  • Browser and server each generate a message to the
    other informing that messages will hereon be
    encrypted ↔
  • SSL session is established and all messages are
    sent using symmetric encryption (faster than PKI)
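
The checks the browser makes on the server's certificate (slide 45), as an added example that is not part of the original slides: a certificate with the fields from slide 18 is modelled as a dict, and the validity dates, the issuer against a trusted-CA list, and the domain name (with browser-style wildcard rules) are checked; verifying the issuer's digital signature needs public-key arithmetic the standard library does not provide, so that check is left out. The certificate contents, CA list and dates are constructed.

```python
from datetime import datetime, timezone

# Constructed certificate with the elements listed on slide 18; not a real one.
SAMPLE_CERT = {
    "owner": "www.llbean.com",                  # host from the slide's URL
    "alt_names": ["www.llbean.com", "llbean.com"],
    "public_key": "<placeholder public key>",
    "not_before": "2000-01-01T00:00:00Z",       # constructed dates
    "not_after": "2001-01-01T00:00:00Z",
    "serial": "0x1234",                         # constructed
    "issuer": "Example Trusted CA",             # constructed
    "issuer_signature": "<placeholder signature>",
}
# Constructed stand-in for the CA list built into the browser.
TRUSTED_CAS = {"Example Trusted CA"}

def parse_utc(ts: str) -> datetime:
    """Parse the certificate's UTC timestamps into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Browser-style match: case-insensitive; a leading '*' stands for exactly
    one label, so *.example.com matches a.example.com but not example.com
    or a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    head, sep, rest = hostname.partition(".")
    return sep == "." and head != "" and rest == pattern[2:]

def certificate_checks(cert: dict, hostname: str, now: datetime,
                       trusted: set = TRUSTED_CAS) -> list:
    """Return the slide-45 checks that FAIL; an empty list means accept.
    The issuer-signature check is not modelled (needs public-key arithmetic)."""
    failures = []
    if not (parse_utc(cert["not_before"]) <= now <= parse_utc(cert["not_after"])):
        failures.append("certificate date not valid")
    if cert["issuer"] not in trusted:
        failures.append("issuer is not a trusted CA")
    names = cert.get("alt_names") or [cert["owner"]]
    if not any(hostname_matches(n, hostname) for n in names):
        failures.append("domain name does not match")
    return failures
```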

48
End of Chapter 10