E Commerce Security
E Commerce Security
Electronic Commerce,
Seventh Annual
Edition
Objectives
In this chapter, you will learn about:
• Online security issues
• Security for client computers
• Security for the communication channels
between computers
• Security for server computers
• Organizations that promote computer,
network, and Internet security
2
Online Security Issues Overview
• Computer security
– The protection of assets from unauthorized
access, use, alteration, or destruction
• Physical security
– Includes tangible protection devices
• Logical security
– Protection of assets using nonphysical means
• Threat
– Any act or object that poses a danger to computer
assets
3
Managing Risk
• Countermeasure
– General name for a procedure that recognizes,
reduces, or eliminates a threat
• Eavesdropper
– Person or device that can listen in on and copy
Internet transmissions
• Crackers or hackers
– Write programs or manipulate technologies to
obtain unauthorized access to computers and
networks
4
5
Computer Security Classifications
• Secrecy
– Protecting against unauthorized data disclosure
and ensuring the authenticity of a data source
• Integrity
– Refers to preventing unauthorized data
modification
• Necessity
– Refers to preventing data delays or denials
6
Security Policy and Integrated
Security
• A security policy is a written statement
describing:
– Which assets to protect and why they are being
protected
– Who is responsible for that protection
– Which behaviors are acceptable and which are not
• First step in creating a security policy
– Determine which assets to protect from which
threats
7
8
Security Policy and Integrated
Security (continued)
• Elements of a security policy address:
– Authentication
– Access control
– Secrecy
– Data integrity
– Audits
9
Security for Client Computers
• Stateless connection
• Session cookies
• Persistent cookies
10
Security for Client Computers
(continued)
• First-party cookies
– Cookies placed on a client computer by a Web
server site
• Third-party cookies
– Originates on a Web site other than the site being
visited
• Web bug
– Tiny graphic that a third-party Web site places on
another site’s Web page
11
12
Active Content
• Active content refers to programs embedded
transparently in Web pages that cause an
action to occur
• Scripting languages
– Provide scripts, or commands, that are executed
• Applet
– Small application program
13
14
Active Content (continued)
• Trojan horse
– Program hidden inside another program or Web
page that masks its true purpose
• Zombie
– Program that secretly takes over another
computer to launch attacks on other computers
– Attacks can be very difficult to trace to their
creators
15
Java Applets
• Java
– Programming language developed by Sun
Microsystems
• Java sandbox
– Confines Java applet actions to a set of rules
defined by the security model
16
JavaScript
• Scripting language developed by Netscape to
enable Web page designers to build active
content
• Can be used for attacks by:
– Executing code that destroys a client’s hard disk
– Discloses e-mail stored in client mailboxes
– Sends sensitive information to an attacker’s Web
server
17
ActiveX Controls
• An ActiveX control is an object containing programs
and properties that Web designers place on Web
pages
18
19
Viruses, Worms, and Antivirus
Software
• Virus
– Software that attaches itself to another program
– Can cause damage when the host program is
activated
• Macro virus
– Type of virus coded as a small program (macro) and
is embedded in a file
• Antivirus software
– Detects viruses and worms
20
Digital Certificates
• A digital certificate is a program embedded in
a Web page that verifies that the sender or
Web site is who or what it claims to be
• A certificate is signed code or messages that
provide proof that the holder is the person
identified by the certificate
• Certification authority (CA) issues digital
certificates
21
22
Digital Certificates (continued)
• Main elements:
– Certificate owner’s identifying information
– Certificate owner’s public key
– Dates between which the certificate is valid
– Serial number of the certificate
– Name of the certificate issuer
– Digital signature of the certificate issuer
23
Steganography
24
Communication Channel Security
• Secrecy is the prevention of unauthorized
information disclosure
• Privacy is the protection of individual rights to
nondisclosure
• Sniffer programs
– Provide the means to record information passing
through a computer or router that is handling
Internet traffic
25
Integrity Threats
• Integrity threats exist when an unauthorized
party can alter a message stream of information
• Cybervandalism
– Electronic defacing of an existing Web site’s page
• Masquerading or spoofing
– Pretending to be someone you are not
• Domain name servers (DNSs)
– Computers on the Internet that maintain directories
that link domain names to IP addresses
26
Necessity Threats
• DoS attacks
27
Threats to Wireless Networks
• Wardrivers
– Attackers drive around using their wireless-
equipped laptop computers to search for
accessible networks
• Warchalking
– When wardrivers find an open network they
sometimes place a chalk mark on the building
28
Encryption Solutions
• Encryption
• Cryptography
29
Encryption Algorithms
• An encryption algorithm is the logic behind
encryption programs
• Encryption program
– Program that transforms normal text into cipher
text
• Hash coding
– Process that uses a hash algorithm to calculate a
number from a message of any length
30
Asymmetric Encryption
• Asymmetric encryption encodes messages by
using two mathematically related numeric
keys
• Public key
– Freely distributed to the public at large
• Private key
– Belongs to the key owner, who keeps the key
secret
31
Asymmetric Encryption
(continued)
• Pretty Good Privacy (PGP)
– One of the most popular technologies used to
implement public-key encryption
32
Symmetric Encryption
• Symmetric encryption encodes a message with
one of several available algorithms that use a
single numeric key
• Data Encryption Standard (DES)
– Set of encryption algorithms adopted by the U.S.
government for encrypting sensitive information
• Triple Data Encryption Standard
– Offers good protection
– Cannot be cracked even with today’s supercomputers
33
Comparing Asymmetric and
Symmetric Encryption Systems
• Public-key (asymmetric) systems
– Provide several advantages over private-key
(symmetric) encryption methods
• Secure Sockets Layer (SSL)
– Provides secure information transfer through the
Internet
– Secures connections between two computers
• S-HTTP
– Sends individual messages securely
34
35
Ensuring Transaction Integrity
with Hash Functions
• Integrity violation
– Occurs whenever a message is altered while in
transit between the sender and receiver
• Hash algorithms are one-way functions
– There is no way to transform the hash value back
to the original message
• Message digest
– Small integer number that summarizes the
encrypted information
36
Ensuring Transaction Integrity with
Digital Signatures
• Hash algorithms are not a complete solution
– Anyone could:
• Intercept a purchase order
• Alter the shipping address and quantity ordered
• Re-create the message digest
• Send the message and new message digest on to the
merchant
• Digital signature
– An encrypted message digest
37
38
Security for Server Computers
• Web server
– Can compromise secrecy if it allows automatic
directory listings
– Can compromise security by requiring users to
enter a username and password
39
Other Programming Threats
• Buffer
– An area of memory set aside to hold data read
from a file or database
• Buffer overrun
– Occurs because the program contains an error or
bug that causes the overflow
• Mail bomb
– Occurs when hundreds or even thousands of
people each send a message to a particular
address
40
Firewalls
• Software or hardware and software
combination installed on a network to control
packet traffic
• Provides a defense between the network to
be protected and the Internet, or other
network that could pose a threat
41
Firewalls (continued)
• Characteristics
– All traffic from inside to outside and from outside to
inside the network must pass through the firewall
– Only authorized traffic is allowed to pass
– Firewall itself is immune to penetration
• Trusted networks are inside the firewall
• Untrusted networks are outside the firewall
42
Firewalls (continued)
• Packet-filter firewalls
– Examine data flowing back and forth between a
trusted network and the Internet
• Gateway servers
– Firewalls that filter traffic based on the application
requested
• Proxy server firewalls
– Firewalls that communicate with the Internet on
the private network’s behalf
43
Organizations that Promote
Computer Security
• CERT
– Responds to thousands of security incidents each
year
44
Other Organizations
• SANS Institute
– A cooperative research and educational
organization
• SANS Internet Storm Center
– Web site that provides current information on the
location and intensity of computer attacks
• Microsoft Security Research Group
– Privately sponsored site that offers free
information about computer security issues
45
Computer Forensics and Ethical
Hacking
• Computer forensics experts
• Computer forensics
46
Summary
• Assets that companies must protect include:
– Client computers
– Computer communication channels
– Web servers
• Communication channels, in general, and the
Internet, in particular, are especially
vulnerable to attacks
• Encryption
– Provides secrecy
47
Summary (continued)
• Web servers are susceptible to security
threats
• Programs that run on servers might:
– Damage databases
– Abnormally terminate server software
– Make subtle changes in proprietary information
48
THANK YOU
49