1 Web Hacking Case Studies

2 Web Site Hacking
- Popular to get noticed, and to make a social or political point.
- Used to embarrass the press, rivals, or others whom the hackers disapprove of.
- People get really concerned about Kevin Mitnick.

3 General Cases
- People hacking web sites are usually, though not always, using old and well-known security vulnerabilities.
- Scripts are often used to exploit the problems, which lets a much lower level of "hacker" compromise the server.
- Generally sites are vandalized, and occasionally information is stolen, but the effects are usually localized.

4 General Situation
- Many of the attacks can be avoided by reasonable or competent systems administrators. System or server configuration is usually a factor in the compromise.
- Many attacks go unnoticed by the compromised site, due to a lack of monitoring tools.
- Systems administrators often look at the local system without considering the network and associated systems as a whole.
- Often they don't even look at the local system as a whole, but simply at the web server.
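The point about attacks going unnoticed for lack of monitoring is easy to act on for a mostly static site. What follows is an added example, not code from the original presentation: a baseline-and-compare integrity check over a document root, plus a small scanner for HTML comments of the kind the New York Times defacers used to hide their real message (slide 5). The directory layout, file names and comment text in the demo are constructed for illustration.

```python
# Added example, not from the slides: a minimal content-integrity monitor
# of the kind slide 4 says most compromised sites lacked. It hashes every
# regular file under a document root, keeps that as a baseline, and later
# reports files that changed, appeared or vanished. Paths and the
# dictionary baseline format are assumptions for illustration.
import hashlib
import os
import tempfile
from typing import Dict, List

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(docroot: str) -> Dict[str, str]:
    """Map each regular file under docroot (path relative to it) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()                      # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):         # a symlink dropped into the docroot deserves its own alert
                continue
            baseline[os.path.relpath(full, docroot)] = sha256_file(full)
    return baseline

def check_integrity(docroot: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree against the saved baseline."""
    current = build_baseline(docroot)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def html_comments(page: str) -> List[str]:
    """Bodies of <!-- --> comments: in the NYT case the real message was hidden there."""
    out: List[str] = []
    i = 0
    while True:
        start = page.find("<!--", i)
        if start < 0:
            return out
        end = page.find("-->", start + 4)
        if end < 0:                           # unterminated comment: take the rest of the page
            out.append(page[start + 4:].strip())
            return out
        out.append(page[start + 4:end].strip())
        i = end + 3

def demo() -> Dict[str, object]:
    """Constructed scenario: baseline a tiny docroot, then deface it and re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body>Welcome to the front page</body></html>\n")
    with open(os.path.join(root, "images", "logo.txt"), "w") as f:
        f.write("logo placeholder\n")
    baseline = build_baseline(root)           # in practice: stored off-box, read-only to the web server
    clean = check_integrity(root, baseline)
    # the defacement: front page replaced, a new file dropped, the logo deleted
    defaced = "<html><body>0wn3d<!-- got in through statd, wiped the logs --></body></html>\n"
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write(defaced)
    with open(os.path.join(root, "hfg.html"), "w") as f:
        f.write("<html>hi</html>\n")
    os.remove(os.path.join(root, "images", "logo.txt"))
    after = check_integrity(root, baseline)
    return {"clean": clean, "after": after, "comments": html_comments(defaced)}

if __name__ == "__main__":
    print(demo())
```

Run the check on a schedule from a host the web server cannot write to, keep the baseline off the web server itself, and treat a changed file as an incident to investigate rather than something to silently re-copy. An attacker with root on the box can of course also tamper with a checker that lives there, which is exactly the slide's point about looking at the whole system and not just the web server.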

5 Case Study: New York Times
- Site compromised and defaced by HFG.
- Content replaced with "3l33+" speak criticizing various columnists.
- Interesting point: the real messages were in HTML comments, not in the visible page.
- The messages also described how the site was compromised: via statd (the RPC status daemon).

6 Comparable Case Studies
- classifieds.penthouse.com
  – System compromised, and root obtained through rdist.
-
  – Compromised through an S/Key vulnerability, ironically enough.
- sps.motorola.com /
  – Compromised through an AIX hole; root obtained with the rlogin "-froot" trick.

7 Case Study: Yahoo
- Site possibly compromised via a known web server hole in Apache. (General consensus.)
- Yahoo uses a web server based on Apache, but forked it to handle its needs more exactly. Over time security problems were found and fixed in Apache, but the fixes were not propagated back into Yahoo's fork.
- The compromised site was running a PC-based Unix (FreeBSD), which made the overflow exploit code easier to build than it would have been for a proprietary platform.

8 Overall Problems
- Systems administrators too focused on the exact task at hand, and not looking at the big picture.
  – This is often a problem in a larger environment, where separate groups are responsible for software, web sites, server management, security, firewalls, monitoring, networks, etc.
- Lax administrators trusting all the in-place security measures to protect them. (Lots of eggs, one basket.)
- Good analogy: hard crunchy shell with a soft chewy center. (Paraphrasing Marcus Ranum.)
- Unfortunately, VERY COMMON.
- Fortunately, easy to fix.

9 Intro to E-Commerce
- What is it?
  – Exchange of money or goods electronically.
  – From consumer to business, consumer to consumer, or business to business.
- Examples:
  – Online purchasing
  – Content purchasing (micro-transactions)
  – Inter-company EDI or extranets
  – Stock management online
  – Auctions/classifieds

10 Simple Example
- A site wants to put up an online store to sell a new line of Widgets. It builds a pretty catalog, and users can enter their information.
- It wants the site to be secure, so it has its provider install a secure (SSL) web server for customers to use when placing orders. The site will take credit card information and do real-time credit authorization.
- Any issues?

11 Simple Example Continued
- What is the security of the provider? Is it a shared machine or a dedicated machine?
- Is the order information stored in a database? Does this include credit card information? What is the scope of the problem if the server is compromised?
- Taxes?
- How will credit authorization be handled?
- What about product fulfillment? Who will ship the widgets? Will the fulfillment company have access to customer data? Are they secure?

12 Step by Step
- The provider and machine security raise the same problems we have already discussed, with the added issue that many companies cannot verify a provider's claims and have to take them at face value.
- Storing customer information in a database is definitely an issue. Problems include:
  – Loss of customer confidentiality
  – Loss of orders if the database is attacked and destroyed
  – Potential compromise of customer credit card information

13 More Steps
- Credit authorization can be handled by many services, but some may be preferable to others.
  – As an example, CyberCash returns a "ticket" that can be stored instead of the full credit card information. This reduces the scope of liability if the order database is compromised, but introduces other problems (backorders: the ticket must still be usable when the goods finally ship).
- Product fulfillment is usually the biggest problem to handle. Companies will often need to find a distributor to handle shipping, and these systems usually can't be accessed directly. The problem that arises is backorders, and not being allowed to capture payment until a product is shipped.

14 Credit Card Processing
- Two basic parts: authorization and capture.
- Authorization checks the card to see if the specified amount is accepted by the card company.
  – Returns approved, denied, or referral (call the issuer).
- Capture
  – Transfers the actual money from the credit card company to the vendor or seller. (Under the card networks' merchant rules this cannot occur until the product is delivered to the consumer, or at least shipped from the facility; authorization holds also expire, so a long backorder needs a fresh authorization.)
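The authorization, capture and backorder flow of slides 13 and 14 is easiest to see as an order state machine, with the card number handed to the processor once and only a token kept by the store. The following is an added example, not code from the presentation: ProcessorStub is a constructed in-process stand-in for a gateway such as the CyberCash or VeriFone services the slides mention; its tok_/auth_ prefixes, the always-declines test card, the referral threshold and the Store/Order names are all assumptions, not any real processor's API.

```python
# Added example, not from the slides: the store keeps only a processor token
# (the "ticket" idea from slide 13) instead of the card number, and an order
# state machine enforces authorize -> ship -> capture (slide 14) including the
# backorder case. ProcessorStub, its prefixes and its decline/referral rules are
# constructed assumptions, not any real gateway's API.
import json
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, Optional, Tuple

def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit: a cheap sanity check before calling the processor."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    digits = [int(c) for c in reversed(pan)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

class PaymentStateError(Exception):
    """Raised when an order is asked to do something its state does not allow."""

class ProcessorStub:
    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}    # token -> PAN, lives at the processor, not the store
        self._auths: Dict[str, bool] = {}   # auth_id -> already captured?

    def tokenize(self, pan: str) -> Tuple[str, str]:
        if not luhn_ok(pan):
            raise ValueError("card number fails check digit")
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token, pan[-4:]

    def authorize(self, token: str, cents: int) -> Tuple[str, Optional[str]]:
        """The three outcomes on slide 14: approved / denied / referral."""
        if self._vault[token].endswith("0002"):   # constructed always-declines test card
            return "denied", None
        if cents >= 500_000:                      # constructed: $5,000+ means call the issuer
            return "referral", None
        auth_id = "auth_" + secrets.token_hex(6)
        self._auths[auth_id] = False
        return "approved", auth_id

    def capture(self, auth_id: str) -> bool:
        if self._auths.get(auth_id, True):        # unknown id or already captured
            return False
        self._auths[auth_id] = True
        return True

@dataclass
class Order:
    order_id: str
    token: str        # persisted instead of the PAN
    last4: str        # enough for receipts and customer service
    cents: int
    state: str = "new"   # new -> authorized -> shipped -> captured, or backordered / referral / denied
    auth_id: Optional[str] = None

class Store:
    def __init__(self, processor: ProcessorStub) -> None:
        self.processor = processor

    def place_order(self, pan: str, cents: int) -> Order:
        token, last4 = self.processor.tokenize(pan)   # the PAN is not kept past this line
        return self._authorize(Order("ord_" + secrets.token_hex(4), token, last4, cents))

    def _authorize(self, order: Order) -> Order:
        status, order.auth_id = self.processor.authorize(order.token, order.cents)
        order.state = "authorized" if status == "approved" else status
        return order

    def _require(self, order: Order, state: str, action: str) -> None:
        if order.state != state:
            raise PaymentStateError(f"cannot {action}: order is {order.state}, not {state}")

    def backorder(self, order: Order) -> Order:
        self._require(order, "authorized", "backorder")
        order.state, order.auth_id = "backordered", None   # the hold will lapse; drop it
        return order

    def restock(self, order: Order) -> Order:
        self._require(order, "backordered", "restock")
        return self._authorize(order)          # re-authorize with the token, not by asking for the card again

    def ship(self, order: Order) -> Order:
        self._require(order, "authorized", "ship")
        order.state = "shipped"
        return order

    def capture(self, order: Order) -> Order:
        self._require(order, "shipped", "capture")   # never capture before shipment
        if not self.processor.capture(order.auth_id):
            raise PaymentStateError("processor rejected capture (expired or already captured)")
        order.state = "captured"
        return order

    @staticmethod
    def persisted_record(order: Order) -> str:
        return json.dumps(asdict(order))       # what lands in the orders database: no card number in it
```

The tokenize step is what shrinks the problem scope from slide 11: if the shared machine is compromised and the orders table is dumped, the attacker gets tokens that are useless without the processor's own credentials, not card numbers. The state checks turn a capture-before-ship bug into a loud exception rather than a quiet rules violation, and the backorder path shows why keeping a reusable ticket matters when the goods arrive after the original hold has lapsed.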

15 Credit Cards Continued
- Backend
  – There is obviously some data exchange between the company handling the transactions and the financial institutions to carry out these tasks.
- CyberCash and VeriFone, as examples, have direct connections with the banks to handle this processing. Typically stores would not try to make direct connections to the banks themselves, as this would be a nightmare for the banks and for bank security.