EMTM 553: E-commerce Systems. Lecture 5: Security Threats. Insup Lee, Department of Computer and Information Science, University of Pennsylvania. 4/20/01.



Three Scenarios
– Alice buys a book from Bob's book store.
– Inter-corporate trading for Charlie's Plastic Company.
– Daisy's electronic market.

Alice Buys a Book
Alice shops for a book on the Internet using the WWW. She finds the desired book at Bob's book store and places the order using a web form provided by Bob's. Bob confirms that the order really comes from Alice. She sends her credit card number, suitably encrypted. The book is delivered through UPS.

Inter-Corporate Trading
Charlie's Plastic Makers is a medium-sized company in Canada with long-established requirements for high-quality plastic, which it buys from Plasticorp. Plasticorp aims to reduce the cost of customer transactions by using secure messaging with its regular customers. The origin and confidentiality of all correspondence must be ensured.

Daisy's Electronic Market
Daisy is an entrepreneurial small businessperson who works from her home basement. She buys items from suppliers willing to do business wholly electronically, repackages them, and sells them through a WWW storefront. Effective marketing of the web page and very low overhead provide Daisy's competitive edge.

What Are the Issues?
– Accountability: security-relevant activities on a system can be traced to individuals, who may be held responsible for their actions
– Availability: system resources are safeguarded from tampering and are available to authorized users at the time and in the format needed
– Access control: access to system resources is limited to authorized individuals, entities, or processes
– Confidentiality: information is not accessed by or disclosed to unauthorized individuals, entities, or processes
– Identification and authentication: verification that the claimed originator of a transaction is its actual originator
– Integrity: information is not undetectably altered or destroyed by an unauthorized person or process
– Non-repudiation: undeniable proof of participation by the sender and/or receiver in a transaction
– Privacy: an individual's right to nondisclosure

Security Overview (Figure 5-1)
Countermeasures are procedures, either physical or logical, that recognize, reduce, or eliminate a threat.

What is Security?
Dictionary definition: protection or defense against attack, interference, espionage, etc.
Computer security classification:
– Confidentiality (or secrecy): protecting against unauthorized data disclosure and ensuring the authenticity of the data's source (the textbook folds source authenticity in here; strictly, that is an authentication property)
– Integrity: preventing unauthorized data modification
– Availability (or necessity): preventing data delays or denials (removal)

Goals of Security (figure): data integrity, data availability, data confidentiality. Source: Gunter.

Security Policy and Integrated Security
A security policy is a written statement describing what assets are to be protected and why, who is responsible, and which behaviors are acceptable or not. The policy addresses:
– Physical security
– Network security
– Access authorizations
– Virus protection
– Disaster recovery

Specific Elements of a Security Policy
– Authentication: who is trying to access the site?
– Access control: who is allowed to log on and access the site?
– Secrecy: who is permitted to view selected information?
– Data integrity: who is allowed to change data?
– Audit: what and who causes selected events to occur, and when?

Intellectual Property Threats
The Internet presents a tempting target for intellectual property threats:
– It is very easy to reproduce an exact copy of anything found on the Internet
– People are unaware of copyright restrictions, and unwittingly infringe on them
  – Fair use allows limited use of copyrighted material when certain conditions are met
Examples:
– Music online: Napster
– Domain names

Copyright and Intellectual Property
Copyright: protection of expression
– Literary and musical works
– Pantomimes and choreographic works
– Pictorial, graphic, and sculptural works
– Motion pictures and other audiovisual works
– Sound recordings
– Architectural works

Copyright and Intellectual Property (2)
Intellectual property: the ownership of ideas and control over the tangible or virtual representation of those ideas.
U.S. Copyright Act of 1976:
– Protects the previously stated items for a fixed period of time
– Copyright Clearance Center: clearinghouse for U.S. copyright information

Domain Name Threats
– Cybersquatting: registering a domain name that is the trademark of another person or company
  – Cybersquatters hope that the owner of the trademark will pay huge sums to acquire the URL
  – Some cybersquatters misrepresent themselves as the trademark owner for fraudulent purposes
– Name changing: registering variations of a domain name (typosquatting), e.g., LLBaen.com for LLBean.com
– Name stealing: an illegal change to the registered ownership of a domain name

Three Components to Security
Three perspectives:
– The user's point of view
– The server's point of view
– Both parties
Three parts:
– Client-side security
– Server-side security
– Document/communication confidentiality

What Can Go Wrong?
Risks that affect both client and server:
– Eavesdropping
– Fraud
– …
Risks to the end user:
– Active content
– Privacy infringement
– …
Risks to the web site:
– Webjacking
– Server and LAN break-ins
– Denial-of-service attacks
– …

Client-side Security
Measures to protect the user's privacy and the integrity of the user's computer. Example technological solutions:
– Protection from computer viruses and other malicious software
– Limiting the amount of personal information that browsers can transmit without the user's consent
– Any others?

Electronic Commerce Threats: Client Threats
– Active content: programs embedded transparently in Web pages that cause actions to occur
  – E.g., display moving graphics, download and play audio, implement Web-based spreadsheet programs
  – The browser interprets or executes instructions embedded in the downloaded objects
  – Malicious active content can be embedded into seemingly innocuous Web pages
  – Java applets, ActiveX controls, JavaScript, and VBScript
– Cookies remember user names, passwords, and other commonly referenced information; anyone who can read or intercept a cookie gets that information with it

Downloaded Software
– Sandboxing: encapsulate the program in a box, but be liberal about what to accept
  – The Java sandbox confines an applet's actions to a set of rules defined by the security model
  – The rules apply to all untrusted applets, i.e., applets that have not been proven secure
– Verification: analyze the code before executing it, then minimize runtime checks
  – Proof-carrying code
– Certification: trust someone else to have analyzed the code, and execute it with no checking
  – Signed Java applets carry embedded digital signatures, which serve as proof of the publisher's identity (not as proof that the code is safe)
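The certification model is a signature check gating execution. The Go program below is an added example and is not from the lecture or from any Java tooling: it uses Ed25519 over a SHA-256 digest as a stand-in for the X.509/JAR signing a real applet would carry. The names SignedCode, SignCode, VerifyAndRun and fakeRun are hypothetical, and the "applet" is just a byte string. Tampering with one byte of the code, or signing with a key the client does not trust, makes the client refuse to run it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedCode is a hypothetical download bundle: the code bytes plus the
// publisher's signature over their SHA-256 digest (a simplified stand-in for
// the signature block inside a signed JAR).
type SignedCode struct {
	Code      []byte
	Signature []byte
}

// SignCode is what the publisher runs before shipping the code.
func SignCode(priv ed25519.PrivateKey, code []byte) SignedCode {
	digest := sha256.Sum256(code)
	return SignedCode{Code: code, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyAndRun is the client side of "certification": execute the code only
// if the signature verifies under one of the publisher keys the user trusts.
// Any change to the code or the signature makes verification fail. Note what
// it does NOT check: whether the code is harmless. That trust is placed in
// the publisher.
func VerifyAndRun(trusted []ed25519.PublicKey, sc SignedCode, run func([]byte) string) (string, error) {
	digest := sha256.Sum256(sc.Code)
	for _, pub := range trusted {
		if ed25519.Verify(pub, digest[:], sc.Signature) {
			return run(sc.Code), nil
		}
	}
	return "", errors.New("refusing to run: no valid signature from a trusted publisher")
}

// fakeRun stands in for the applet runtime; it only reports what it was given.
func fakeRun(code []byte) string { return "ran: " + string(code) }

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bundle := SignCode(priv, []byte("applet v1"))
	out, err := VerifyAndRun([]ed25519.PublicKey{pub}, bundle, fakeRun)
	fmt.Println(out, err)

	// An attacker swaps the code in transit; the signature no longer matches.
	tampered := bundle
	tampered.Code = []byte("applet v1 + backdoor")
	_, err = VerifyAndRun([]ed25519.PublicKey{pub}, tampered, fakeRun)
	fmt.Println(err)
}
```

The trusted-key list is the whole security decision: a signature from a key the user has not chosen to trust is worth nothing, and a valid signature from a trusted but careless publisher still runs whatever they signed.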

ActiveX Controls
– An ActiveX control is an object that contains programs and properties that perform certain tasks
– ActiveX controls run only on Windows (95, 98, or 2000 at the time of this lecture)
– Once downloaded, an ActiveX control executes like any other program, with full access to the computer's resources at the user's privilege level; there is no sandbox, only the user's decision in the warning dialog to run it

ActiveX Warning Dialog Box (Figure 5-6)

Graphics, Plug-ins, and Attachments
– Graphic images and other media files can carry malicious content that exploits the software that decodes them
– Plug-ins are used to play audiovisual clips and animated graphics, and could contain ill-intentioned commands hidden within the object
– Documents sent as attachments (e.g., by e-mail) can contain destructive macros

Communication Channel Threats
Secrecy threats:
– Secrecy is the prevention of unauthorized information disclosure
– Privacy is the protection of individual rights to nondisclosure
– Theft of sensitive or personal information is a significant danger
– Your IP address and the browser you use are continually revealed while on the Web

Communication Channel Threats (2)
– Anonymizer: a Web site that provides a measure of secrecy as long as it is used as the portal to the Internet
Integrity threats:
– Also known as active wiretapping
– An unauthorized party can alter data in transit, e.g., change the amount of a deposit or withdrawal

Communication Channel Threats (3)
Availability threats:
– Also known as delay or denial threats
– Disrupt normal computer processing
  – Deny processing entirely
  – Slow processing to intolerable speeds
  – Remove a file entirely, or delete information from a transmission or file
  – Divert money from one bank account to another

Server-side Security
Measures to protect the server, and the machine it runs on, from break-ins, site vandalism, and denial-of-service attacks. Solutions range over:
– Installing firewall systems
– Tightening operating system security measures
– …

Server Threats
– The more complex software becomes, the higher the probability that errors (bugs) exist in the code
– Servers run at various privilege levels
  – The highest levels provide the greatest access and flexibility
  – The lowest levels provide a logical fence around a running program
  – A compromised server process inherits whatever privileges it was started with, so run it at the lowest level that does the job

Server Threats (2)
– Confidentiality violations occur when a Web server reveals the contents of a folder (a directory listing) to a Web browser
– Administrators can turn off the directory listing feature to avoid such secrecy violations
– Cookies should never be transmitted unprotected (e.g., over an unencrypted connection, or where page scripts can read them)
– One of the most sensitive files on a Web server holds the username and password pairs
– The Web server administrator is responsible for ensuring that this, and other sensitive files, are secure
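The three server-side points above (no directory listings, protected cookies, credential files kept out of reach) can be enforced in the request handler itself. The Go program below is an added example, not the lecture's or any product's code: it builds a constructed in-memory document root with testing/fstest (the file names, the "private/passwd.txt" credential file and the session id "c0ffee" are made up for illustration), serves it with net/http, and wraps the file server so that directories answer 404, the private subtree answers 404, and the session cookie is issued with Secure and HttpOnly set.

```go
package main

import (
	"io/fs"
	"log"
	"net/http"
	"path"
	"strings"
	"testing/fstest"
)

// SiteFS is a constructed in-memory document root standing in for the web
// server's file tree. "private/passwd.txt" plays the role of the sensitive
// credential file; in practice it should not be under the document root at all.
var SiteFS = fstest.MapFS{
	"index.html":         {Data: []byte("<h1>Bob's Books</h1>")},
	"images/logo.txt":    {Data: []byte("logo bytes")},
	"private/passwd.txt": {Data: []byte("alice:$1$constructed")},
}

// NoListing answers 404 for any path that resolves to a directory, so a
// request for /images/ cannot enumerate the folder; files are still served
// by the wrapped handler. http.FileServer alone would render a listing.
func NoListing(fsys fs.FS, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(path.Clean("/"+r.URL.Path), "/")
		if name == "" {
			name = "."
		}
		if info, err := fs.Stat(fsys, name); err == nil && info.IsDir() {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Private hides a whole subtree (dir is "/private" here) as defence in depth
// for files that must never reach a browser. 404 rather than 403 so the
// response does not confirm the file exists.
func Private(dir string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := path.Clean(r.URL.Path)
		if p == dir || strings.HasPrefix(p, dir+"/") {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// SetSessionCookie issues the session cookie with Secure (browser sends it
// only over HTTPS) and HttpOnly (page scripts cannot read it) set.
func SetSessionCookie(w http.ResponseWriter, id string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    id,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	})
}

// NewMux wires the protections in front of the static file server.
func NewMux(fsys fs.FS) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		SetSessionCookie(w, "c0ffee") // a real id would come from the login logic
		w.Write([]byte("logged in"))
	})
	mux.Handle("/", Private("/private", NoListing(fsys, http.FileServer(http.FS(fsys)))))
	return mux
}

func main() {
	// Plain HTTP here only for a local demo: a Secure cookie is never sent back
	// by the browser unless the site is served over TLS.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewMux(SiteFS)))
}
```

The Secure flag is the server's side of "cookies should never be transmitted unprotected"; it does nothing for a site that still answers on plain HTTP, which is why the demo's ListenAndServe is not what production should run.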

IP Spoofing
– Definition: the attacker sends packets with a forged source address in the IP header, i.e., pretending to be someone it is not
– IP spoofing is the basis for many DoS attacks: the victim's replies go to the forged address, and the forged addresses can be varied freely
– Spoofed packets are very hard to trace back to their true source

Denial of Service Attacks
– SYN flood: many TCP connection requests (SYNs) with spoofed sources fill the server's half-open connection table
– Land: a packet whose source and destination address/port are both the victim's
– Ping of death: an oversized ICMP echo request that crashes a vulnerable IP stack
– Teardrop: overlapping IP fragments that a vulnerable reassembly routine mishandles
– Smurf: ICMP echo requests sent to a broadcast address with the victim's address as the spoofed source, so every host on the segment replies to the victim
– UDP flood: a volume of UDP datagrams that exhausts bandwidth or processing
– Distributed DoS: any of the above launched from many compromised hosts at once
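The two slides above (spoofed sources, SYN floods) come together in detection: a per-source rate limit never fires against a spoofed flood because each forged address sends only one SYN, so the signal has to be the server-side half-open backlog. The Go program below is an added example, not from the lecture: it replays a constructed, simplified trace of client-to-server segments (format "<source IP> <server IP:port> <flag>", with S for SYN, A for the client's handshake ACK, R for reset), counts handshakes that were started but never completed, and flags endpoints whose backlog exceeds a threshold. The addresses, the trace and the function names are all made up.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleTrace is constructed: 192.0.2.x are legitimate clients that complete
// the handshake; 198.51.100.x are forged sources of a spoofed SYN flood,
// each contributing a single SYN that is never acknowledged.
const sampleTrace = `
192.0.2.7 203.0.113.10:80 S
192.0.2.7 203.0.113.10:80 A
192.0.2.8 203.0.113.10:443 S
192.0.2.8 203.0.113.10:443 A
198.51.100.1 203.0.113.10:80 S
198.51.100.2 203.0.113.10:80 S
198.51.100.3 203.0.113.10:80 S
198.51.100.4 203.0.113.10:80 S
198.51.100.5 203.0.113.10:80 S
198.51.100.6 203.0.113.10:80 S
198.51.100.7 203.0.113.10:80 S
198.51.100.8 203.0.113.10:80 S
192.0.2.9 203.0.113.10:80 S
`

type connKey struct{ src, dst string }

// halfOpen replays the trace and returns the handshakes a SYN started that
// the same source never completed (A) or abandoned (R).
func halfOpen(trace string) map[connKey]bool {
	open := map[connKey]bool{}
	for _, line := range strings.Split(strings.TrimSpace(trace), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue // malformed record, skip
		}
		k := connKey{f[0], f[1]}
		switch f[2] {
		case "S":
			open[k] = true
		case "A", "R":
			delete(open, k)
		}
	}
	return open
}

// Backlog summarises the half-open state of one server endpoint.
type Backlog struct {
	Pending   int // half-open handshakes waiting on this endpoint
	Sources   int // distinct source addresses behind them
	MaxPerSrc int // most half-open handshakes from any single source
}

// BacklogByEndpoint aggregates the half-open handshakes per destination.
func BacklogByEndpoint(trace string) map[string]Backlog {
	perSrc := map[string]map[string]int{} // dst -> src -> count
	for k := range halfOpen(trace) {
		if perSrc[k.dst] == nil {
			perSrc[k.dst] = map[string]int{}
		}
		perSrc[k.dst][k.src]++
	}
	out := map[string]Backlog{}
	for dst, srcs := range perSrc {
		b := Backlog{Sources: len(srcs)}
		for _, n := range srcs {
			b.Pending += n
			if n > b.MaxPerSrc {
				b.MaxPerSrc = n
			}
		}
		out[dst] = b
	}
	return out
}

// FloodSuspected flags endpoints whose total backlog exceeds the threshold.
// MaxPerSrc is deliberately not the trigger: in the sample it is 1 for the
// flooded port, which is exactly what spoofing buys the attacker.
func FloodSuspected(backlog map[string]Backlog, threshold int) []string {
	var hits []string
	for dst, b := range backlog {
		if b.Pending > threshold {
			hits = append(hits, dst)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	backlog := BacklogByEndpoint(sampleTrace)
	for dst, b := range backlog {
		fmt.Printf("%s: pending=%d sources=%d max-per-source=%d\n", dst, b.Pending, b.Sources, b.MaxPerSrc)
	}
	fmt.Println("suspected SYN flood:", FloodSuspected(backlog, 5))
}
```

On the sample, port 80 shows nine pending handshakes from nine distinct sources with at most one per source, while port 443 has no backlog at all; the legitimate client 192.0.2.9 is counted in the backlog too, which is why the response to a detected flood is usually SYN cookies or backlog tuning rather than blocking "the" source.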

Displayed Folder Names (Figure 5-9)

Database Threats
– Disclosure of valuable and private information could irreparably damage a company
– Security is often enforced through the use of privileges (grants on tables and operations)
– Some databases are inherently insecure and rely on the Web server to enforce security measures
– Multi-level security databases restrict information flow between classification levels

Other Threats
Common Gateway Interface (CGI) threats:
– CGI programs present a security threat if misused
– CGI programs can reside almost anywhere on a Web server and are therefore often difficult to track down
– CGI scripts do not run inside a sandbox, unlike JavaScript; they run with the Web server's own privileges

Other Threats (2)
Other programming threats include:
– Programs executed by the server
– Buffer overruns: writing past the end of a fixed-size buffer corrupts whatever lies next to it in memory
– Runaway code segments
  – The Internet Worm of 1988 spread through a buffer overflow in the fingerd server
– Buffer overflow attacks: the overrun overwrites the saved return address, so when the authorized program's function returns, control is transferred to the intruder's code instead of back to the program

Buffer Overflow Attack (Figure 5-11)

CERT Coordination Center
– CERT (Computer Emergency Response Team)
– Located at the SEI (Software Engineering Institute) at Carnegie Mellon University
– Responds to security events and incidents within the U.S. government and private sector
– Posts CERT alerts to inform Internet users about recent security events

Q&A