ELC 200 Day 10
Agenda
- Questions?
- Assignment 3 posted: due October 8 (next class), assignment3.pdf
- Assignment 4 will be posted soon
- Quiz 2, Oct 15: the test will be administered from Blackboard; you need not be present to take the quiz. It will be available from 12 Noon to 7 PM
- Begin discussion on eCommerce Security and Payment Systems
Chapter 5: E-commerce Security and Payment Systems
Copyright © 2014 Pearson Education, Inc.
Learning Objectives
- Understand the scope of e-commerce crime and security problems.
- Describe the key dimensions of e-commerce security.
- Identify the key security threats in the e-commerce environment.
- Describe how technology helps protect the security of messages sent over the Internet.
- Identify the tools used to establish secure Internet communications channels, and protect networks, servers, and clients.
- Identify the major e-commerce payment systems in use today.
- Describe the features and functionality of electronic billing presentment and payment systems.
Class Discussion
Cyberwar: MAD 2.0
- What is the difference between hacking and cyberwar?
- Why has cyberwar become more potentially devastating in the past decade?
- Why has Google been the target of so many cyberattacks?
- Is it possible to find a political solution to MAD 2.0?
12-6© 2007 Prentice-Hall, Inc
Cyber Warfare
- China-US cyber war
- Russia – Estonia cyber war
- Twitter DDoS
- Korean DDoS
- Stuxnet worm
- Taught at US military academies
References: bh-fed-03-dodge.pdf, iwar_wise.pdf, http://www.westpoint.edu/crc/SitePages/Home.aspx
The E-commerce Security Environment
- Overall size and losses of cybercrime unclear
  - Reporting issues
  - 2014 CSI survey: 77% of respondent firms detected a breach in the last year
- Underground economy marketplace
  - Stolen information stored on underground economy servers
Current Underground Economy Data
US Cybercrime: Rising Risks, Reduced Readiness. Key findings from the 2014 US State of Cybercrime Survey
What is Good E-commerce Security?
To achieve the highest degree of security:
- New technologies (changes daily)
- Organizational policies and procedures
- Industry standards and government laws
The E-commerce Security Environment
Figure 5.1, Page 168
The Tension Between Security and Other Values
- Ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes
- Public safety and criminal uses of the Internet: use of technology by criminals to plan crimes or threaten nation-states
Security Threats in the E-commerce Environment
Three key points of vulnerability in the e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet communications channels)
A Typical E-commerce Transaction
Vulnerable Points in an E-commerce Transaction
Figure 5.2, Page 170
Snoop and Sniff
Most Common Security Threats in the E-commerce Environment
- Malicious code
  - Viruses
  - Worms
  - Trojan horses
  - Drive-by downloads
  - Backdoors
  - Bots, botnets
- Threats at both client and server levels
DDoS
https://zeustracker.abuse.ch/
https://feodotracker.abuse.ch/
Most Common Security Threats (cont.)
- Potentially unwanted programs (PUPs)
  - Browser parasites
  - Adware
  - Spyware
- Phishing
  - E-mail scams
  - Social engineering
  - Identity theft
Spyware infestation. Taken by Brandon Waddell.
http://malwaretips.com/blogs/pup-optional-opencandy-virus/
Most Common Security Threats (cont.)
- Hacking
  - Hackers vs. crackers
  - Types of hackers: white, black, grey hats
  - Hacktivism (Anonymous)
- Cybervandalism
  - Disrupting, defacing, destroying a Web site
- Data breach
  - Losing control over corporate information to outsiders
Most Common Security Threats (cont.)
- Credit card fraud/theft
  - Hackers target merchant servers; use data to establish credit under a false identity
  - Hannaford hack
- Spoofing (pharming)
- Spam (junk) Web sites
  http://www.buycheapr.com/us/result.jsp?ga=us5&q=chevelle+bumper
- Denial of service (DoS) attack
  - Hackers flood a site with useless traffic to overwhelm the network
- Distributed denial of service (DDoS) attack
Most Common Security Threats (cont.)
- Sniffing
  - Eavesdropping program that monitors information traveling over a network
- Insider attacks
  - Very common
- Poorly designed server and client software
- Social network security issues
- Mobile platform security issues
  - Same risks as any Internet device
- Cloud security issues
The Players: Hackers, Crackers, and Other Attackers
- Hackers
  - Original hackers created the Unix operating system and helped build the Internet, Usenet, and World Wide Web, and used their skills to test the strength and integrity of computer systems
  - Over time, the term hacker came to be applied to rogue programmers who illegally break into computers and networks
- Hacker underground
  http://www.defcon.org/
  http://www.blackhat.com/
  http://www.2600.com/
The Players: Hackers, Crackers, and Other Attackers (cont.)
- Uber Haxor / Wizard / Internet Hackers
  - Highly capable attackers
  - Responsible for writing most of the attacker tools
- Crackers
  - People who engage in unlawful or damaging hacking; short for "criminal hackers"
- Other attackers
  - "Script kiddies" are ego-driven, unskilled crackers who use information and software (scripts) that they download from the Internet to inflict damage on targeted sites
  - Scorned by both the law enforcement and hacker communities
How Hackers Hack: Many Techniques
- Social engineering
  - Get someone to give you their password
- Cracking
  - Guessing passwords
  - A six-letter password (no caps): > 300 million possibilities
  - Merriam-Webster's citation files, which were begun in the 1880s, now contain 15.7 million examples of words used in context and cover all aspects of the English vocabulary. http://www.m-w.com/help/faq/words_in.htm
- Buffer overflows
  - Getting code to run on other PCs
  - Load a Trojan or backdoor
- Snoop and sniff
  - Steal data
- Denial of service (DoS)
  - Crash or cripple a computer from another computer
- Distributed denial of service (DDoS)
  - Crash or cripple a computer from multiple distributed computers
Insight on Technology: Class Discussion
Think Your Smartphone Is Secure?
- What types of threats do smartphones face?
- Are there any particular vulnerabilities to this type of device?
- Are apps more or less likely to be subject to threats than traditional PC software programs?
http://www.spyphone.com/
http://www.mobile-spy.com/
http://www.foxnews.com/tech/2011/12/01/is-your-smartphone-secretly-spying-on/
Maine's Anti-Hacker Laws
§432. Criminal invasion of computer privacy
1. A person is guilty of criminal invasion of computer privacy if the person intentionally accesses any computer resource knowing that the person is not authorized to do so. [1989, c. 620 (new).]
2. Criminal invasion of computer privacy is a Class D crime. [1989, c. 620 (new).]
§433. Aggravated criminal invasion of computer privacy
1. A person is guilty of aggravated criminal invasion of computer privacy if the person:
   A. Intentionally makes an unauthorized copy of any computer program, computer software or computer information, knowing that the person is not authorized to do so; [1989, c. 620 (new).]
   B. Intentionally or knowingly damages any computer resource of another person, having no reasonable ground to believe that the person has the right to do so; or [1989, c. 620 (new).]
   C. Intentionally or knowingly introduces or allows the introduction of a computer virus into any computer resource, having no reasonable ground to believe that the person has the right to do so. [1989, c. 620 (new).]
2. Aggravated criminal invasion of computer privacy is a Class C crime. [1989, c. 620 (new).]
Technology Solutions
- Protecting Internet communications: encryption
- Securing channels of communication: SSL, VPNs
- Protecting networks: firewalls
- Protecting servers and clients
Tools Available to Achieve Site Security
Figure 5.4, Page 181
Encryption
- Transforms data into cipher text readable only by sender and receiver
- Secures stored information and information transmission
- Provides 4 of the 6 key dimensions of e-commerce security:
  - Message integrity
  - Nonrepudiation
  - Authentication
  - Confidentiality
Symmetric Key Encryption
- Sender and receiver use the same digital key to encrypt and decrypt the message
- Requires a different set of keys for each transaction
- Strength of encryption: length of the binary key used to encrypt data
- Advanced Encryption Standard (AES)
  - Most widely used symmetric key encryption
  - Uses 128-, 192-, and 256-bit encryption keys
- Other standards use keys with up to 2,048 bits
Public Key Encryption
- Uses two mathematically related digital keys
  - Public key (widely disseminated)
  - Private key (kept secret by owner)
- Both keys used to encrypt and decrypt the message
- Once a key is used to encrypt a message, the same key cannot be used to decrypt the message
- Sender uses the recipient's public key to encrypt the message; recipient uses the private key to decrypt it
What Is Encryption?
- A way to transform a message so that only the sender and recipient can read, see, or understand it
- Plaintext (cleartext): the message that is being protected
- Encrypt (encipher): transform a plaintext into ciphertext
- Encryption: a mathematical procedure that scrambles data so that it is extremely difficult for anyone other than authorized recipients to recover the original message
- Key: a series of electronic signals stored on a PC's hard disk or transmitted as blips of data over transmission lines
- Plaintext + key = Ciphertext
- Ciphertext – key = Plaintext
Public Key Cryptography: A Simple Case
Figure 5.5, Page 184
Symmetric Key Encryption
(Figure: Party A encrypts the message "Hello" using an encryption method and a symmetric key; the encrypted message crosses the network, where an interceptor may be listening, to Party B.)
Encryption uses a non-secret encryption method and a secret key.
Simple example (encrypt)
- Every letter is converted to a two-digit number: A = 1, ..., Z = 26 (written 01 ... 26)
  ANTHONY -> 01 14 20 08 15 14 25
- Produce any 4-digit key, e.g. 3654 (10^N - 1 choices = 9,999)
- Add together in blocks of 4 digits (pad with 00 to make the count even):
  0114 + 3654 = 3768
  2008 + 3654 = 5662
  1514 + 3654 = 5168
  2500 + 3654 = 6154
- Send 3768566251686154 to fellow spy
Simple example (decrypt)
- Received 3768566251686154 from fellow spy
- Break down into 4-digit groupings: 3768 5662 5168 6154
- Get the right key: 3654
- Subtract the key from each block of 4 digits (if the result is negative, add 10000):
  3768 - 3654 = 0114
  5662 - 3654 = 2008
  5168 - 3654 = 1514
  6154 - 3654 = 2500
- Break down into 2 digits and decode: 01 = A, 14 = N, 20 = T, 08 = H, ...
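The spy cipher from the two slides above, as an added Python example that is not part of the lecture material. It encodes letters as two-digit numbers, adds a four-digit key to each four-digit block modulo 10000 (the "add 10000 if negative" rule of the decrypt slide), and also tries every possible key against a known plaintext to show why a four-digit key offers no real protection; the function names are my own.

```python
# Added example (not from the slides): the "fellow spy" cipher from the
# Simple example (encrypt/decrypt) slides, plus a key-space search.
# Letters map to two-digit numbers (A=01 .. Z=26), digits are grouped into
# four-digit blocks (the last one padded with "00"), and a four-digit key is
# added to each block modulo 10000. Decryption subtracts the key modulo 10000,
# which is exactly the slide's "if result is negative add 10000" rule.

BLOCK = 4
MOD = 10 ** BLOCK          # 10000: keeps every block at four digits


def letters_to_digits(message: str) -> str:
    """'ANTHONY' -> '01142008151425'; anything that is not a letter is dropped."""
    return "".join(f"{ord(c) - ord('A') + 1:02d}" for c in message.upper() if c.isalpha())


def encrypt(message: str, key: int) -> str:
    digits = letters_to_digits(message)
    if len(digits) % BLOCK:            # odd number of letters: pad with 00 (slide: 2500)
        digits += "00"
    blocks = [int(digits[i:i + BLOCK]) for i in range(0, len(digits), BLOCK)]
    return "".join(f"{(b + key) % MOD:04d}" for b in blocks)


def decrypt(ciphertext: str, key: int) -> str:
    blocks = [int(ciphertext[i:i + BLOCK]) for i in range(0, len(ciphertext), BLOCK)]
    digits = "".join(f"{(b - key) % MOD:04d}" for b in blocks)  # wraps instead of going negative
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "".join(chr(ord("A") + int(p) - 1) for p in pairs if p != "00")  # "00" is padding


def key_space_search(ciphertext: str, known_plaintext: str) -> list:
    """With only 10^4 possible keys, every key can be tried against a known plaintext
    in a fraction of a second. This is why the slides tie strength to key length."""
    return [k for k in range(MOD) if decrypt(ciphertext, k) == known_plaintext]


if __name__ == "__main__":
    ct = encrypt("ANTHONY", 3654)
    print(ct)                                     # 3768566251686154
    print(decrypt(ct, 3654))                      # ANTHONY
    print(key_space_search(ct, "ANTHONY"))        # [3654]
```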
Public Key Encryption Using Digital Signatures and Hash Digests
- Hash function: mathematical algorithm that produces a fixed-length number called a message or hash digest
- Hash digest of the message sent to the recipient along with the message to verify integrity
- Hash digest and message encrypted with the recipient's public key
- Entire cipher text then encrypted with the recipient's private key, creating a digital signature, for authenticity and nonrepudiation
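The digest-plus-signature flow of this slide and Figure 5.6, as an added Python example that is not from the lecture or the textbook. It uses textbook RSA with small constructed primes and SHA-256 from the standard library: the message is encrypted with the recipient's public key, the sender signs the digest with the sender's own private key, and the recipient decrypts, recomputes the digest and checks the signature with the sender's public key. All function names are my own and the toy key sizes are for illustration only.

```python
# Added example (not from the slides): hash digest + digital signature on top of
# textbook RSA. The primes are constructed toy values; real RSA keys are 2048+ bits.
import hashlib

def make_keypair(p: int, q: int, e: int = 17):
    """Return (public_key, private_key), each an (exponent, modulus) pair, for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def rsa_apply(block: int, key) -> int:
    exponent, n = key
    return pow(block, exponent, n)

def digest(message: bytes, n: int) -> int:
    """Fixed-length hash digest (SHA-256), reduced mod n so it fits one RSA block."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def encrypt(message: bytes, recipient_public) -> list:
    """Confidentiality: only the recipient's private key can undo this.
    Byte-by-byte RSA is used only to keep the example short."""
    return [rsa_apply(b, recipient_public) for b in message]

def decrypt(blocks: list, recipient_private) -> bytes:
    return bytes(rsa_apply(c, recipient_private) for c in blocks)

def sign(message: bytes, sender_private) -> int:
    """Authenticity, nonrepudiation: only the sender's private key produces this value."""
    return rsa_apply(digest(message, sender_private[1]), sender_private)

def verify(message: bytes, signature: int, sender_public) -> bool:
    """Integrity: recover the signed digest with the sender's public key and compare
    it with a digest recomputed over the message actually received."""
    return rsa_apply(signature, sender_public) == digest(message, sender_public[1])

def send_and_receive(message: bytes, sender_keys, recipient_keys):
    """Full round trip; returns (recovered message, signature valid?)."""
    sender_public, sender_private = sender_keys
    recipient_public, recipient_private = recipient_keys
    ciphertext, signature = encrypt(message, recipient_public), sign(message, sender_private)
    # --- (ciphertext, signature) travel over the network ---
    recovered = decrypt(ciphertext, recipient_private)
    return recovered, verify(recovered, signature, sender_public)

if __name__ == "__main__":
    alice = make_keypair(61, 53)      # sender (constructed toy primes, n = 3233)
    bob = make_keypair(107, 109)      # recipient (n = 11663)
    print(send_and_receive(b"Pay 100 dollars", alice, bob))   # (b'Pay 100 dollars', True)
```

A tampered signature fails verification because the digest recovered with the sender's public key no longer matches the digest recomputed over the received message.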
Public Key Cryptography with Digital Signatures
Figure 5.6, Page 185
Digital Certificates and Public Key Infrastructure (PKI)
- Digital certificate includes:
  - Name of subject/company
  - Subject's public key
  - Digital certificate serial number
  - Expiration date, issuance date
  - Digital signature of CA
- Public Key Infrastructure (PKI): CAs and digital certificate procedures
- PGP
Digital Certificates and Certification Authorities
Figure 5.7, Page 187
Limits to Encryption Solutions
- Doesn't protect storage of the private key
  - PKI not effective against insiders, employees
  - Protection of private keys by individuals may be haphazard
- No guarantee that the verifying computer of the merchant is secure
Insight on Society: Class Discussion
Web Dogs and Anonymity: Identity 2.0
- What are some of the benefits of continuing the anonymity of the Internet?
- Who are the groups involved in creating an identity system for the Internet?
- Who should control a central identity system?
Securing Channels of Communication
- Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  - Establishes a secure, negotiated client-server session in which the URL of the requested document, along with its contents, is encrypted
- Virtual Private Network (VPN)
  - Allows remote users to securely access an internal network via the Internet
Secure Negotiated Sessions Using SSL/TLS
Figure 5.8, Page 189
Protecting Networks
- Firewall
  - Hardware or software
  - Uses a security policy to filter packets
- Proxy servers (proxies)
  - Software servers that handle all communications originating from or being sent to the Internet
Protecting Servers and Clients
- Operating system security enhancements
  - Upgrades, patches
- Anti-virus software
  - Easiest and least expensive way to prevent threats to system integrity
  - Requires daily updates
E-commerce Payment Systems
- Credit cards
  - Still the dominant online payment method in the United States
- Limitations of online credit card payment systems
  - Security, merchant risk
  - Cost
  - Social equity
How an Online Credit Transaction Works
Figure 5.10, Page 193
Alternative Online Payment Systems
- Online stored value systems
  - Based on value stored in a consumer's bank, checking, or credit card account
  - e.g.: PayPal
- Other alternatives
  - Amazon Payments
  - Google Checkout
Mobile Payment Systems
- Use of mobile phones as payment devices established in Europe, Japan, South Korea
- Near field communication (NFC)
  - Short-range (2") wireless for sharing data between devices
- Expanding in the United States
  - Google Wallet: mobile app designed to work with NFC chips
  - PayPal
  - Square
Digital Cash and Virtual Currencies
- Digital cash
  - Based on an algorithm that generates unique tokens that can be used in the "real" world
  - e.g.: Bitcoin
- Virtual currencies
  - Circulate within an internal virtual world
  - e.g.: Linden Dollars in Second Life, Facebook Credits
Electronic Billing Presentment and Payment (EBPP)
- Online payment systems for monthly bills
- 50% of all bill payments
- Two competing EBPP business models:
  - Biller-direct (dominant model)
  - Consolidator
- Both models are supported by EBPP infrastructure providers