Security Threats to Electronic Commerce

Presentation transcript:

Chapter 10: Security Threats to Electronic Commerce

Security Overview Computer security is the protection of assets from unauthorized access, use, alteration, or destruction. Two types of security: Physical security - includes tangible protection devices, such as alarms and guards. Logical security - protection of assets using nonphysical means.

Security Overview Any act or object that poses a danger to computer assets is known as a threat. Countermeasure is a procedure that recognizes, reduces, or eliminates a threat. Countermeasure dependent on impact of a threat and probability of occurrence.

Computer Security Classification Three computer security categories: secrecy, integrity, and necessity. Secrecy - protecting against unauthorized data disclosure and ensuring the authenticity of the data’s source. Integrity - preventing unauthorized data modification. Necessity - preventing data delays or denials.

Computer Security Classification Eavesdropper - a person or device that can listen in on and copy Internet transmissions. Crackers or hackers - people who write programs or manipulate technologies to obtain unauthorized access to computers and networks. A security policy - written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviors are acceptable and which are not. The first step an organization must take in creating a security policy is to determine what assets to protect and from whom.

Intellectual Property Threats Copyright is the protection of expression. Intellectual property is the ownership of ideas and control over the tangible or virtual representation of those ideas. Malaysia - Copyright Act. Copyright infringements on the Web occur because users are ignorant of what they can and cannot copy.

Domain Names Issues of intellectual property rights for Internet Domain Names: Cybersquatting - the practice of registering a domain name that is the trademark of another person or company in the hopes that the owner will pay huge amounts of money to acquire the URL. Name changing - occurs when someone registers purposely misspelled variations of well-known domain names - confusing to their customers. Name stealing - occurs when someone changes the ownership of the domain name assigned to another site and owner - after domain name ownership is changed the name stealer can manipulate the site.

Threats to the Security of Client Computers There are three types of electronic commerce threats: client threats (from client computers), communication channel threats (to messages in transit), and server threats (from hardware attached to the server).

Client Threats Web pages were mainly static. The widespread use of active content has changed the function of Web pages. Sources of client threats: active content; Java, Java applets, and JavaScript; ActiveX controls; graphics, plug-ins, and e-mail attachments.

Active Content Active content refers to programs that are embedded transparently in Web pages and that cause actions to occur. Active content can display moving graphics, download and play audio, or implement Web-based spreadsheet programs. The best-known active content forms are Java applets, ActiveX controls, JavaScript, and VBScript. Active content also includes graphics and Web browser plug-ins.

Active Content A Trojan horse is a program hidden inside another program or Web page that masks its true purpose. A zombie is a program that secretly takes over another computer for the purpose of launching attacks on other computers. Malicious ‘cookies’ can destroy files stored on client computers.

Active Content Plug-ins are programs that interpret or execute instructions embedded in downloaded graphics, sounds, and other objects. Active content, including all forms, enables Web pages to take action. Active content gives life to static Web pages.

Java, Java Applets, and JavaScript Java adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer.

Java, Java Applets, and JavaScript Java applets that are loaded from a local file system are trusted. Trusted applets have full access to system resources on the client computer. Signed Java applets contain embedded digital signatures from a trusted third party, which are proof of the identity of the source of the applet.

Java, Java Applets, and JavaScript JavaScript is a scripting language to enable Web page designers to build active content. JavaScript can invoke privacy and integrity attacks by executing code that destroys your hard disk. JavaScript programs do not operate under the restrictions of the Java sandbox security model.

ActiveX Controls ActiveX is an object that contains programs and properties that Web designers place on Web pages to perform particular tasks. ActiveX controls run only on computers running Windows and only on browsers that support them. Because ActiveX controls have full access to your computer, they can cause secrecy, integrity, or necessity violations.

Graphics, Plug-Ins, and E-mail Attachments Graphics, browser plug-ins, and e-mail attachments can harbor executable content. The code embedded in the graphic could be a potential threat. Plug-ins perform their duties by executing commands buried within the media they are manipulating. E-mail attachments provide a convenient way to send non-text information over a text-only system.

Virus A virus is software that attaches itself to another program and can cause damage when the host program is activated. Worm viruses replicate themselves on other machines. A macro virus is coded as a small program and is embedded in a file.

Communication Channel Threats The Internet is not at all secure. Messages on the Internet travel a random path from a source node to a destination node. Internet channel security threats include secrecy, integrity, and necessity threats.

Secrecy Threats Secrecy is the prevention of unauthorized information disclosure. Privacy is the protection of individual rights to nondisclosure. Secrecy is a technical issue requiring sophisticated physical and logical mechanisms. Privacy protection is a legal matter.

Secrecy Threats Web users are continually revealing information about themselves when they use the Web. Several Web sites offer an “anonymous browser” service that hides personal information from sites that you visit. One of these sites, Anonymizer, provides a measure of secrecy to Web surfers who use the site as a portal.

Integrity Threats An integrity threat exists when an unauthorized party can alter a message stream of information. Cyber vandalism is an example of an integrity violation, for example defacing a Web site.

Necessity Threats The purpose of a necessity threat is to disrupt normal computer processing or to deny processing entirely. A necessity threat is also known as a delay, denial, or denial-of-service (DoS) threat: the server is purposely bombarded with false requests and is unable to respond to real requests. An unauthorized user may also gain access to a server as an administrator and modify Web pages or copy data stored on the server.

Server Threats Servers have vulnerabilities that can be exploited to cause destruction or to acquire information illegally. Server threats include: Web server threats (the contents of a server’s folder names are revealed to a Web browser); database threats (databases connected to the Web contain information that could damage a company if it were disclosed or altered); common gateway interface threats; and other programming threats, which come from programs executed by the server, such as a mail bomb (thousands of people send a message to a particular address).

Chapter 11: Implementing Electronic Commerce Security

Protecting Electronic Commerce Assets Security is a serious issue. Customers engaging in electronic commerce need to feel confident that their transactions are secure from prying eyes and safe from alteration. The security policy must be regularly revised as threat conditions change. A security policy must protect a system’s privacy, integrity, and availability and authenticate users.

Protecting Intellectual Property Digital intellectual properties, including art, logos, and music posted on Web sites, are protected by laws. The U.S. Department of Justice maintains the Cybercrime site to provide information and updates on hacking, software piracy, and the latest security information, as well as the latest information on cyber crime prosecutions.

Protecting Intellectual Property Several methods are being tested, but they provide only partial protection. The most promising is the digital watermark: a digital code embedded undetectably in a digital image or audio file, encrypted to protect its contents or hidden behind bits.

Organizations Providing Digital Watermarking Verance Corporation, Blue Spike, Secure Digital Music Initiative, and Digimarc Corporation.

Protecting Privacy Cookies are small pieces of text stored on client computers; they can contain private information that may include credit card data, passwords, and login information. There are two types: session cookies and persistent cookies. Anyone with access to that computer can read and interpret unencrypted cookies. Cookies save information about a Web user from one session to another. The best way to protect your privacy is to disable cookies entirely.

Protecting Client Computers Client computers must be protected from threats. Active contents can be one of the most serious threats to client computers. Another threat to client computers is a malevolent server site masquerading as a legitimate Web site.

Monitoring Active Content Netscape Navigator and Microsoft Internet Explorer browsers are equipped to recognize when they are about to download a Web page containing active content. When a user downloads Web pages and runs programs that are embedded in them, this gives the user a chance to confirm that the programs are from a known and trusted source.

Digital Certificates Digital certificate – attachment to an email message or an embedded program in a Web page that verifies that a user or Web site is who they claim to be. The digital certificate contains a means for sending an encrypted message to the entity that sent the original Web page or e-mail message. Digital signature – signed message or code. A Web site’s digital certificate is a shopper’s assurance that the Web site is the real store.

Certification Authority (CA) A certification authority issues a digital certificate to an organization or individual. A key is usually a long binary number to be used with the encryption algorithm. Longer keys provide significantly better protection than shorter keys.

Microsoft Internet Explorer Internet Explorer provides client-side protection inside the browser. Internet Explorer uses Microsoft Authenticode technology. Authenticode technology verifies that the program has a valid certificate.

Netscape Navigator Netscape Navigator allows you to control whether active content is downloaded to your computer. If you allow Java or JavaScript active content, you will always receive an alert from Netscape Navigator.

Using Antivirus Software Antivirus software is a defense strategy. One of the most likely places to find a virus is in an electronic mail attachment. Application service providers (ASPs), such as Critical Path and MessageClick, supply e-mail services to companies to eliminate e-mail virus problems.

Computer Forensics Experts A small group of firms exists whose job it is to break into client computers. Computer forensics experts are hired to probe PCs. The field of computer forensics covers the collection, preservation, and analysis of computer-related evidence.

Protecting Electronic Commerce Channels Providing commerce channel security means providing channel secrecy, guaranteeing message integrity, and ensuring channel availability. A complete security plan also includes authentication. Businesses must prevent eavesdroppers from reading the Internet messages that they intercept.

Encryption Encryption is the coding of information by a mathematically based program and a secret key to produce a string of characters that is unintelligible. The program that transforms text into cipher text is called an encryption program. Upon arrival, each message is decrypted using a decryption program.

Three Types of Encryption Hash coding is a process that uses a hash algorithm to calculate a hash value from a message; comparing the sender’s and the receiver’s hash values detects alteration. Asymmetric encryption, or public-key encryption, encodes messages by using two mathematically related numeric keys: a public key and a private key. Symmetric encryption, or private-key encryption, encodes a message using a single numeric key to encode and decode data.

Encryption Methods

Ensuring Transaction Integrity Integrity violations can occur whenever a message is altered while in transit between the sender and receiver. To ensure transaction integrity, two separate algorithms are applied to a message: a hash function and a digital signature.

Protecting the Web Server The commerce server, along with the Web server, responds to requests from Web browsers through the HTTP protocol and CGI scripts. Security solutions for commerce servers: access control and authentication, operating system controls, and firewalls.

Access Control and Authentication Access control and authentication refers to controlling who and what has access to the commerce server. Authentication is performed using digital certificates. Web servers often provide access control list security to restrict file access to selected users.

Access Control and Authentication The server can authenticate a user in several ways: First, the certificate represents the user’s admittance voucher. Second, the server checks the timestamp on the certificate to ensure that the certificate has not expired. Third, a server can use a callback system to check the user’s client computer address and name. An access control list (ACL) is a list or database of people who can access the files and resources.

Firewalls A firewall is a computer and software combination that is installed at the entry point of a networked system. It controls inbound and outbound traffic through the system. Acting as a filter, firewalls permit selected messages to flow into and out of the protected network. The firewall provides the first line of defense between a network and the Internet or any other network that could pose a threat.

Types of Firewalls Packet-filter firewalls examine all the data flowing back and forth between the trusted network. Gateway servers are firewalls that filter traffic based on the application they request. Proxy servers are firewalls that communicate with the Internet on the private network’s behalf.
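A first-match packet filter of the kind the firewall slides describe, written as an added example rather than code from the presentation. The topology is assumed: a commerce server at 203.0.113.10 that must accept HTTP and HTTPS from anywhere, an admin network 198.51.100.0/24 that alone may reach SSH, and a default-deny for everything else inbound; all addresses come from documentation ranges and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the protected network) or "out"
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int       # destination port

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str
    proto: str       # "tcp", "udp" or "any"
    src_net: str     # CIDR; "0.0.0.0/0" means any source
    dst_net: str
    dports: tuple    # () means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction == pkt.direction
            and self.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
            and (not self.dports or pkt.dport in self.dports)
        )

# Constructed rule set for the assumed topology: the commerce server lives at
# 203.0.113.10, and only the admin network 198.51.100.0/24 may reach SSH.
RULES = [
    Rule("allow", "in", "tcp", "0.0.0.0/0", "203.0.113.10/32", (80, 443)),
    Rule("allow", "in", "tcp", "198.51.100.0/24", "203.0.113.10/32", (22,)),
    Rule("deny", "in", "any", "0.0.0.0/0", "203.0.113.0/24", ()),
    Rule("allow", "out", "any", "203.0.113.0/24", "0.0.0.0/0", ()),
]

def filter_packet(pkt: Packet, rules=RULES, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default action (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("in", "tcp", "192.0.2.5", "203.0.113.10", 443),    # shopper: allow
        Packet("in", "tcp", "192.0.2.5", "203.0.113.10", 22),     # SSH from outside: deny
        Packet("in", "tcp", "198.51.100.7", "203.0.113.10", 22),  # SSH from admin net: allow
        Packet("in", "udp", "192.0.2.5", "203.0.113.10", 53),     # unsolicited UDP: deny
        Packet("out", "tcp", "203.0.113.10", "192.0.2.5", 443),   # outbound: allow
    ]
    for pkt in samples:
        print(pkt.direction, pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, filter_packet(pkt))
```

Rule order matters: the explicit inbound deny sits after the allows, so moving it first would silently block the shop's own Web traffic.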

EXERCISE Select any electronic software package and visit the product information section on their Web site. List the security features which they advertise – pg. 47, no. 2 of the BI version. Locate a computer forensic expert firm on the Web and determine, from their Web site promotional material, the security strategies they employ.