Page 1: Electronic Commerce Security Presented by: Chris Brawley Chris Avery

Electronic Commerce Security

Presented by: Chris Brawley

Chris Avery

Page 2

Online Security Issues

Email – people worry about interception of private messages.

Web Shopping – concerns about revealing credit card numbers are still prevalent.

Doubts remain about companies' willingness to keep private information secure.

Page 3

Online Security Issues

Computer Security – the protection of assets from unauthorized access, use, alteration, or destruction.

- Physical Security

- Logical Security

- Threat

Page 4

Online Security Issues

Managing Risk

- Countermeasures

- Eavesdropper

- Hackers

Page 5

Online Security Issues

Computer Security Classifications

1. Secrecy: refers to protecting against unauthorized data disclosure and assuring authenticity of data sources.

2. Integrity: refers to preventing unauthorized data modification.

3. Necessity: refers to preventing data delays or denials.

Page 6

Online Security Issues

Security Policy and Integrated Security

Security policy: A written statement describing which assets to protect and why they are being protected, who is responsible for protection, and which behaviors are acceptable and which are not.

Page 7

Online Security Issues

Creating a security policy

Step 1: Determine which assets to protect.

Step 2: Determine who should have access.

Step 3: Determine what resources are available to protect the assets.

Step 4: Commit resources to building software, hardware, and physical barriers that implement the security policy.

Page 8

Page 9

Security for Client Computers

Cookies: Small text files that Web servers place on Web client computers to identify returning visitors.

Helps to maintain open sessions.

Shopping cart and payment processing both need open sessions to work properly.

Page 10

Security for Client Computers

Two ways of classifying cookies:

1. By time duration

- Session Cookies

- Persistent Cookies

2. By source

- First-party Cookies

- Third-party Cookies

Page 11

Security for Client Computers

Active Content: Programs that run on the client computer. Extends the functionality of HTML, e.g. shopping carts that compute amounts, taxes, shipping, etc. Best known forms: cookies, Java applets, JavaScript, VBScript, and ActiveX controls.

- Trojan Horse

- Zombies

Page 12

Java Applets

Java is a programming language developed by Sun Microsystems that is used widely in web pages to provide active content.

Java adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer.

Security for Client Computers

Page 13

Page 14

JavaScript: A programming language developed by Netscape to enable Web page designers to build active content.

Can be used for attacks. Can also record URLs of Web pages.

They do not execute on their own.

Security for Client Computers

Page 15

Security for Client Computers

ActiveX Controls: An object that contains programs and properties that Web designers place on Web pages to perform particular tasks.

Run only on computers with Windows.

Security risk: ActiveX actions cannot be halted once they are executed.

Page 16

Example of ActiveX Warning:

Page 17

Viruses, Worms, and Antivirus Software

Virus: Software that attaches itself to another program and can cause damage when the host program is activated.

Worm: A type of virus that replicates itself on the computers that it infects.

Email attachments are common carriers.

Security for Client Computers

Page 18

Antivirus Software: detects viruses and worms and either deletes them or isolates them on the client computer so they cannot run.

Only effective if the software is kept current.

- Symantec

- McAfee

Security for Client Computers

Page 19

Digital Certificates: An attachment to an e-mail message or a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be.

- Signed Code

Security for Client Computers

Page 20

Digital Certificates

- Do not attest to the quality of the software.

- Simply an assurance that the software was created by a specific company.

- Digital Certificates are not easily forged.

Security for Client Computers

Page 21

Digital Certificates include six elements:

• Certificate owner's ID

• Certificate owner's public key

• Dates between which the certificate is valid

• Serial number of the certificate

• Name of the certificate issuer

• Digital signature of the certificate issuer

Security for Client Computers

Page 22

Page 23

Steganography: describes the process of hiding information within another piece of information.

Physical Security for Clients

- Fingerprint readers

- Biometric security devices

Security for Client Computers

Page 24

Communication Channel Security

Page 25

Secrecy Threats

Secrecy is the prevention of unauthorized information disclosure.

Privacy is the protection of individual rights to nondisclosure.

The Privacy Council created an extensive Web site surrounding privacy.

Page 26

Anonymizer

Page 27

Integrity Threats

Also called active wiretapping.

- Cybervandalism

- Masquerading or spoofing

Necessity Threats

• Denial of Service (DoS) attack

Page 28

Threats to the Physical Security of Internet Communications Channels

The Internet was designed from inception to withstand attacks on its physical links. However, an individual user's Internet service can be interrupted by destruction of that user's link.

Few individuals have multiple connections to an ISP. Larger companies often have two or more links to the main backbone of the Internet.

Page 29

Threats to Wireless Networks

If not protected properly, anyone within range can access any of the resources on the wireless network.

- Default SSID, username and password

- WEP

- WPA

Page 30

Encryption Solutions

Encryption Algorithms

- Hash Coding

- Asymmetric Encryption

- Symmetric Encryption (aka Private Key Encryption)

Page 31

Secure Sockets Layer (SSL) Protocol

Provides a security "handshake". Encrypts web traffic for sensitive information such as username/password, credit card information and other personal data.

- Session key

Page 32

Secure Sockets Layer (SSL) Protocol

Page 33

Page 34

Secure HTTP (S-HTTP)

• Extension to HTTP that provides security features such as:

- Client and server authentication

- Spontaneous encryption

- Request/response nonrepudiation

• Developed by CommerceNet

• Symmetric encryption and public key encryption

• Differs from SSL in how it establishes a secure session

Page 35

Ensuring Transaction Integrity with Hash Functions

- Integrity violation

- One-way functions

- Message digest

Page 36

Ensuring Transaction Integrity with Digital Signatures

Provides positive identification of the sender and assures the merchant that the message was not altered.

Not the same as digital signatures used to sign documents electronically.

Page 37

Page 38

Guaranteeing Transaction Delivery

Transmission Control Protocol is responsible for end-to-end control of packets.

TCP ensures that packets aren’t missing. No special protocols or software required.

Page 39

Security For Server Computers

Page 40

Web Server Threats

- Automatic directory listings

- Requiring username and password

- multiple name

- Username and Password file

- Weak passwords

- Dictionary attack programs

Page 41

Database Threats

Storage of username/password in unencrypted format

Trojan horse programs

Page 42

Other Programming Threats

- Buffer overrun or buffer overflow

- Mail bomb

Page 43

Threats to the Physical Security of Web Servers

- Use a secure offsite provider

- Maintain backup servers and backups of web server

- Level 3, PSINet, and Verio Security Services

Page 44

Access Control and Authentication

Controls who has access to the web server.

- Uses certificates, username and password

- Access Control List

Page 45

Page 46

Firewalls

Provides a defense between a network and the Internet, or between a network and any other network that could pose a threat.

- All traffic from outside to inside and from inside to outside the network must pass through it.

- Only authorized traffic, as defined by the local security policy, is allowed to pass through it.

- The firewall itself is immune to penetration.

Page 47

Types of Firewalls

- Packet filter

- Gateway server

- Proxy server

Page 48

Firewall Issues

- Perimeter expansion

- Intrusion detection systems

Page 49

Organizations That Promote Computer Security

- CERT

- Microsoft Security Research

- SANS Institute

- BugTraq

- CSO Online

Page 50

US Government Agencies

- US Department of Justice's Cybercrime

- US Department of Homeland Security's National Infrastructure Protection Center

Page 51

Computer Forensics and Ethical Hacking

- Some corporations hire ethical hackers to do penetration tests.

- Ethical hacking is used to locate data that can be used in legal proceedings.

- Computer forensics is used to collect, preserve and analyze computer-related evidence.