Chapter 10:

Electronic Commerce Security

Electronic Commerce,
Seventh Annual
Edition
 Objectives
In this chapter, you will learn about:
• Online security issues
• Security for client computers
• Security for the communication channels
between computers
• Security for server computers
• Organizations that promote computer,
network, and Internet security

2
 Online Security Issues Overview
• Computer security
– The protection of assets from unauthorized
access, use, alteration, or destruction
• Physical security
– Includes tangible protection devices
• Logical security
– Protection of assets using nonphysical means
• Threat
– Any act or object that poses a danger to computer
assets

3
 Managing Risk
• Countermeasure
– General name for a procedure that recognizes,
reduces, or eliminates a threat
• Eavesdropper
– Person or device that can listen in on and copy
Internet transmissions
• Crackers or hackers
– Write programs or manipulate technologies to
obtain unauthorized access to computers and
networks

4
5
Computer Security Classifications
• Secrecy
– Protecting against unauthorized data disclosure
and ensuring the authenticity of a data source
• Integrity
– Refers to preventing unauthorized data
modification
• Necessity
– Refers to preventing data delays or denials

6
 Security Policy and Integrated
Security
• A security policy is a written statement
describing:
– Which assets to protect and why they are being
protected
– Who is responsible for that protection
– Which behaviors are acceptable and which are not
• First step in creating a security policy
– Determine which assets to protect from which
threats

7
8
 Security Policy and Integrated
Security (continued)
• Elements of a security policy address:
– Authentication
– Access control
– Secrecy
– Data integrity
– Audits

9
 Security for Client Computers
• Stateless connection

– Each transmission of information is independent

• Session cookies

– Exist until the Web client ends connection

• Persistent cookies

– Remain on a client computer indefinitely

10
 Security for Client Computers
(continued)
• First-party cookies
– Cookies placed on a client computer by a Web
server site
• Third-party cookies
– Originates on a Web site other than the site being
visited
• Web bug
– Tiny graphic that a third-party Web site places on
another site’s Web page

11
12
 Active Content
• Active content refers to programs embedded
transparently in Web pages that cause an
action to occur
• Scripting languages
– Provide scripts, or commands, that are executed

• Applet
– Small application program

13
14
 Active Content (continued)

• Trojan horse
– Program hidden inside another program or Web
page that masks its true purpose
• Zombie
– Program that secretly takes over another
computer to launch attacks on other computers
– Attacks can be very difficult to trace to their
creators

15
 Java Applets
• Java
– Programming language developed by Sun
Microsystems

• Java sandbox
– Confines Java applet actions to a set of rules
defined by the security model

• Untrusted Java applets

– Applets not established as secure

16
 JavaScript
• Scripting language developed by Netscape to
enable Web page designers to build active
content
• Can be used for attacks by:
– Executing code that destroys a client’s hard disk
– Discloses e-mail stored in client mailboxes
– Sends sensitive information to an attacker’s Web
server

17
 ActiveX Controls
• An ActiveX control is an object containing programs
and properties that Web designers place on Web
pages

• ActiveX components can be constructed using

different languages programs but the most common
are C++ and Visual Basic

• The actions of ActiveX controls cannot be halted

once they begin execution

18
19
 Viruses, Worms, and Antivirus
Software
• Virus
– Software that attaches itself to another program
– Can cause damage when the host program is
activated
• Macro virus
– Type of virus coded as a small program (macro) and
is embedded in a file
• Antivirus software
– Detects viruses and worms

20
 Digital Certificates
• A digital certificate is a program embedded in
a Web page that verifies that the sender or
Web site is who or what it claims to be
• A certificate is signed code or messages that
provide proof that the holder is the person
identified by the certificate
• Certification authority (CA) issues digital
certificates

21
22
 Digital Certificates (continued)
• Main elements:
– Certificate owner’s identifying information
– Certificate owner’s public key
– Dates between which the certificate is valid
– Serial number of the certificate
– Name of the certificate issuer
– Digital signature of the certificate issuer

23
 Steganography

• Describes the process of hiding information

within another piece of information

• Provides a way of hiding an encrypted file

within another file

• Messages hidden using steganography are

difficult to detect

24
 Communication Channel Security
• Secrecy is the prevention of unauthorized
information disclosure
• Privacy is the protection of individual rights to
nondisclosure
• Sniffer programs
– Provide the means to record information passing
through a computer or router that is handling
Internet traffic

25
 Integrity Threats
• Integrity threats exist when an unauthorized
party can alter a message stream of information
• Cybervandalism
– Electronic defacing of an existing Web site’s page
• Masquerading or spoofing
– Pretending to be someone you are not
• Domain name servers (DNSs)
– Computers on the Internet that maintain directories
that link domain names to IP addresses

26
 Necessity Threats

• Purpose is to disrupt or deny normal

computer processing

• DoS attacks

– Remove information altogether

– Delete information from a transmission or file

27
 Threats to Wireless Networks
• Wardrivers
– Attackers drive around using their wireless-
equipped laptop computers to search for
accessible networks

• Warchalking
– When wardrivers find an open network they
sometimes place a chalk mark on the building

28
 Encryption Solutions
• Encryption

– Using a mathematically based program and a

secret key to produce a string of characters that is
unintelligible

• Cryptography

– Science that studies encryption

29
 Encryption Algorithms
• An encryption algorithm is the logic behind
encryption programs
• Encryption program
– Program that transforms normal text into cipher
text
• Hash coding
– Process that uses a hash algorithm to calculate a
number from a message of any length

30
 Asymmetric Encryption
• Asymmetric encryption encodes messages by
using two mathematically related numeric
keys

• Public key
– Freely distributed to the public at large

• Private key
– Belongs to the key owner, who keeps the key
secret

31
 Asymmetric Encryption
(continued)
• Pretty Good Privacy (PGP)
– One of the most popular technologies used to
implement public-key encryption

– Set of software tools that can use several different

encryption algorithms to perform public-key
encryption

– Can be used to encrypt e-mail messages

32
 Symmetric Encryption
• Symmetric encryption encodes a message with
one of several available algorithms that use a
single numeric key
• Data Encryption Standard (DES)
– Set of encryption algorithms adopted by the U.S.
government for encrypting sensitive information
• Triple Data Encryption Standard
– Offers good protection
– Cannot be cracked even with today’s supercomputers

33
 Comparing Asymmetric and
Symmetric Encryption Systems
• Public-key (asymmetric) systems
– Provide several advantages over private-key
(symmetric) encryption methods
• Secure Sockets Layer (SSL)
– Provides secure information transfer through the
Internet
– Secures connections between two computers
• S-HTTP
– Sends individual messages securely

34
35
 Ensuring Transaction Integrity
with Hash Functions
• Integrity violation
– Occurs whenever a message is altered while in
transit between the sender and receiver
• Hash algorithms are one-way functions
– There is no way to transform the hash value back
to the original message
• Message digest
– Small integer number that summarizes the
encrypted information

36
 Ensuring Transaction Integrity with
Digital Signatures
• Hash algorithms are not a complete solution
– Anyone could:
• Intercept a purchase order
• Alter the shipping address and quantity ordered
• Re-create the message digest
• Send the message and new message digest on to the
merchant
• Digital signature
– An encrypted message digest

37
38
 Security for Server Computers
• Web server
– Can compromise secrecy if it allows automatic
directory listings
– Can compromise security by requiring users to
enter a username and password

• Dictionary attack programs

– Cycle through an electronic dictionary, trying every
word in the book as a password

39
 Other Programming Threats
• Buffer
– An area of memory set aside to hold data read
from a file or database
• Buffer overrun
– Occurs because the program contains an error or
bug that causes the overflow
• Mail bomb
– Occurs when hundreds or even thousands of
people each send a message to a particular
address

40
 Firewalls
• Software or hardware and software
combination installed on a network to control
packet traffic
• Provides a defense between the network to
be protected and the Internet, or other
network that could pose a threat

41
 Firewalls (continued)
• Characteristics
– All traffic from inside to outside and from outside to
inside the network must pass through the firewall
– Only authorized traffic is allowed to pass
– Firewall itself is immune to penetration
• Trusted networks are inside the firewall
• Untrusted networks are outside the firewall

42
 Firewalls (continued)
• Packet-filter firewalls
– Examine data flowing back and forth between a
trusted network and the Internet
• Gateway servers
– Firewalls that filter traffic based on the application
requested
• Proxy server firewalls
– Firewalls that communicate with the Internet on
the private network’s behalf

43
 Organizations that Promote
Computer Security
• CERT
– Responds to thousands of security incidents each
year

– Helps Internet users and companies become more

knowledgeable about security risks

– Posts alerts to inform the Internet community

about security events

44
 Other Organizations
• SANS Institute
– A cooperative research and educational
organization
• SANS Internet Storm Center
– Web site that provides current information on the
location and intensity of computer attacks
• Microsoft Security Research Group
– Privately sponsored site that offers free
information about computer security issues

45
 Computer Forensics and Ethical
Hacking
• Computer forensics experts

– Hired to probe PCs and locate information that can

be used in legal proceedings

• Computer forensics

– The collection, preservation, and analysis of

computer-related evidence

46
 Summary
• Assets that companies must protect include:
– Client computers
– Computer communication channels
– Web servers
• Communication channels, in general, and the
Internet, in particular, are especially
vulnerable to attacks
• Encryption
– Provides secrecy

47
 Summary (continued)
• Web servers are susceptible to security
threats
• Programs that run on servers might:
– Damage databases
– Abnormally terminate server software
– Make subtle changes in proprietary information

• Security organizations include CERT and

SANS

48
THANK YOU

49