CSC 330 E-Commerce. Teacher: Ahmed Mumtaz Mustehsan, GM-IT, CIIT Islamabad. CIIT Virtual Campus, CIIT COMSATS Institute.

CSC 330 E-Commerce
Teacher: Ahmed Mumtaz Mustehsan, GM-IT, CIIT Islamabad
CIIT Virtual Campus, CIIT COMSATS Institute of Information Technology
T1-Lecture-9

T1-Lecture-9
E Commerce Security Environment
Chapter-04 Part-I
For Lecture Material/Slides Thanks to: Copyright © 2010 Pearson Education, Inc

Objectives
◦ Understand the scope of e-commerce crime and security problems.
◦ Describe the key dimensions of e-commerce security.
◦ Understand the tension between security and other values.
◦ Identify the key security threats in the e-commerce environment.
T1-Lecture-9, Ahmed Mumtaz Mustehsan. Copyright © 2010 Pearson Education, Inc

Online Robbery - Introduction
◦ In comparison to robbing a bank, internet banking can be robbed remotely and more safely.
◦ Stealing a music / video CD from a shop is harder than downloading from illegal websites.
◦ If you take the internet as a global marketplace: many fake websites exist online to trap users with attractive content and extraordinary deals and offers, leading remote users to provide their credit card information etc.
◦ One cannot easily break into a physical home and breach privacy, but if the password of a social networking account is hacked then privacy is compromised.

Cyber Attack - Introduction
◦ Denial of Service Attack (DOS): when one computer sends or floods a high number of data packets to a targeted computer, choking its resources (communication path, processor, etc.).
◦ Distributed Denial of Service Attack (DDOS): when many computers attack a single website or online system from many locations at the same time, overwhelming the system, creating congestion and many other impairments, and making the system or website unavailable for legitimate users.

Cyber Attack - Introduction
◦ Botnet: Artificially intelligent or robot computers can work together. A group of such computers (even in the millions), capable of being managed remotely by a single person, attacks some online system or website.
◦ Example: In million computers were used in an organized attack on govt. of Estonia’s important servers

DDOS

CYBER Warfare
Reference for study:
◦ Russia – Estonia Cyber war
◦ Twitter DDoS
◦ Korean DDoS
◦ Taught at US Military academies
ault.cfm ault.cfm bh-fed-03-dodge.pdf iwar_wise.pdf

Your PC may be part of a Botnet
◦ Botnets are responsible for over 80% of the spam sent to computer users.
◦ Some computer users download those spam files because they have less knowledge.
◦ Some computers become infected because antivirus software is unavailable.
◦ Some computers are compromised through the use of pirated software.
◦ 10% of the world’s billion-plus computers on the internet are capable of being captured by stealth malware programs, which are installed by clicking malicious links and downloading hidden files.

The E-commerce Security Environment
Overall size and losses of cybercrime unclear
◦ Reporting issues
2008 CSI survey: 49% of respondent firms detected a security breach in the last year
◦ Of those that shared numbers, average loss $288,000
Underground economy marketplace
◦ Stolen information stored on underground economy servers
◦ Credit cards, bank information, personal identity etc. are sold on these servers.

Rates of different stolen objects at Underground e market

Types of Attacks Against Computer Systems (Cybercrime)
Source: Based on data from Computer Security Institute, 2009.

What Is Good E-commerce Security?
To achieve the highest degree of security:
◦ Use of new technologies
◦ Organizational policies and procedures
◦ Industry standards and government laws
Other factors to be looked into:
◦ Time value of information
◦ Cost of security vs. potential loss
◦ Security often breaks at the weakest link

The E-commerce Security Environment

Ideal E Commerce Environment
◦ Capable of making secure commercial transactions
◦ Achieving the highest degree of security
◦ Adopting new technologies
◦ Giving awareness to users about online safety
◦ Defining and understanding industrial standards
◦ Implementing government laws
◦ Prosecuting the violators of laws

Dimensions of E-commerce Security

Typical Transaction facilitated by Technologies

The Tension Between Security and Other Values
Security vs. ease of use
◦ The more security measures added, the more difficult a site is to use, and the slower it becomes
Security vs. desire of individuals to act anonymously
◦ Use of technology by criminals to plan crimes or threaten nation-state

Security Threats in the E-commerce Environment
Three key points of vulnerability:
1. Client
2. Server
3. Communications pipeline

A Typical E-commerce Transaction
SOURCE: Boncella, 2000.

Vulnerable Points in an E-commerce Environment
SOURCE: Boncella, 2000.

Most Common Security Threats
Malicious code
Viruses
◦ A virus is a computer program that has the ability to replicate or make copies of itself, and spread to other files
Worms
◦ A worm is designed to spread from computer to computer
Trojan horses
◦ A Trojan horse appears to be nonthreatening, but then does something other than expected
Bots, botnets
◦ Software robots called bots (as explained)

Most Common Security Threats in the E-commerce Environment
Unwanted programs:
Browser parasites
◦ Adware
◦ Spyware

Spyware
Software that sits on your computer
◦ Monitors everything that you do and sends out reports to Marketing agencies
◦ Usually ties to a POP-UP server
Top Spyware
◦ I-Look Up
◦ CoolWebSearch
◦ N-CASE
◦ GATOR
◦ DoubleClick
If you have ever loaded ICQ on your PC you have Spyware
If you have ever loaded KAZAA on your PC you have Spyware
If you have ever loaded Quicken or TurboTax you have Spyware

Most Common Security Threats
Phishing
◦ Deceptive online attempt to obtain confidential information
◦ Social engineering, scams, spoofing legitimate Web sites
◦ Use information to commit fraudulent acts (access checking accounts), steal identity
Hacking and cyber-vandalism
◦ Hackers vs. crackers
◦ A hacker is an individual who intends to gain unauthorized access to a computer system

Most Common Security Threats
◦ Cracker is the term typically used within the hacking community to denote a hacker with criminal intent
◦ Cyber-vandalism: intentionally disrupting, defacing, destroying a Web site
Types of hackers:
◦ White hats are “good” hackers that help organizations locate and fix security flaws
◦ Black hats are hackers who act with the intention of causing harm
◦ Grey hats are hackers who believe they are pursuing some greater good by breaking in and revealing system flaws

Most Common Security Threats
Credit card fraud/theft
◦ Fear of stolen credit card information deters online purchases
◦ Hackers target merchant servers; use data to establish credit under false identity
◦ Online companies at higher risk than offline
Spoofing: misrepresenting self by using fake address or other form of identification
◦ Spoofing a Web site is also called Pharming: redirecting a Web link to a new, fake Web site
Spam/junk Web sites
Splogs

Snoop and Sniff

Most Common Security Threats
Denial of service (DoS) attack
◦ Hackers flood site with useless traffic to overwhelm network
Distributed denial of service (DDoS) attack
◦ Hackers use multiple computers to attack target network
Sniffing
◦ Eavesdropping program that monitors information traveling over a network
Insider jobs
◦ Single largest financial threat
Poorly designed server and client software

The Virus: Computer Enemy Number One
◦ The most serious attack on a client computer or a server in an Internet environment is the virus
◦ A virus is malicious code that replicates itself and can be used to disrupt the information infrastructure
◦ Viruses commonly compromise system integrity, circumvent security capabilities, and cause adverse operation by taking advantage of the information system of the network

Types of Viruses
◦ File virus is one that attacks executable files
◦ Boot virus attacks the boot sectors of the hard drive and diskettes
◦ Macro virus exploits the macro commands in software applications such as Microsoft Word

Levels of Virus Damage

Steps for Antivirus Strategy
◦ Establish a set of simple enforceable rules for others to follow
◦ Educate and train users on how to check for viruses on a disk
◦ Inform users of the existing and potential threats to the company’s systems and the sensitivity of information they contain
◦ Periodically update the latest antivirus software

Getting Rid of Viruses
Get a good Virus Protection Software
Free (not Recommended)
◦ Anti-Vir
◦ Avast
◦ AVG
Not Free
◦ Norton AntiVirus
◦ McAfee
Free for UMFK students and staff
Update definition files often

Spyware Solutions
◦ Enforce strict user Web policies on surfing and downloading activities
◦ Install a desktop firewall on every laptop and desktop
◦ Do not give users administrator privileges
◦ Configure an e-mail gateway to block all executable e-mail attachments
◦ Ensure desktop antivirus software signatures are up to date

End of: T1-Lecture-9
E Commerce Security Environment
Chapter-04 Part-I
Thank You