
Electronic Commerce COMP3210

Electronic Commerce COMP3210. Dr. Paul Walcott 08/11/04. The Department of Computer Science Mathematics and Physics, University of the West Indies, Cave Hill Campus, Barbados. Contents. Online Security Issues Client computer security Communication Channel Security Server Computer Security.


Presentation Transcript


  1. Electronic Commerce COMP3210 Dr. Paul Walcott 08/11/04 The Department of Computer Science Mathematics and Physics, University of the West Indies, Cave Hill Campus, Barbados

  2. Contents • Online Security Issues • Client computer security • Communication Channel Security • Server Computer Security

  3. Man-in-The-Middle Exploit • Imagine sending an important email containing valuable information to a colleague • A person intercepts this email and changes its contents • The intended recipient receives the email and acts on the wrong information • This is called the man-in-the-middle exploit

  4. Definitions • We first list a number of important definitions [Sch2004]: • Computer security is the protection of assets from unauthorized access, use, alteration or destruction • Physical security includes tangible protection devices, such as alarms, guards, fireproof doors, and safes • Protection of assets using nonphysical means is called logical security

  5. Definitions (I) • A security threat is any act or object that poses a danger to computer assets • Countermeasure is the general name for a procedure, either physical or logical, that recognises, reduces, or eliminates a threat • An eavesdropper is a person or device that can listen in on and copy Internet transmissions • Crackers/hackers are people who write software to gain unauthorised access to computers and networks

  6. Physical Security • In the old days (50 years ago), computer security was more about physical security • Security guards • Security badges • Alarm systems • Surveillance systems • All terminals tended to be dumb and computers were not networked

  7. Managing Risk • It does not make sense to protect against threats that are deemed low risk – especially if the cost to protect the asset exceeds the cost of the asset • Example: it would be sensible to protect a network from a hurricane in Barbados, but not protect it from low (below 0 degrees) temperatures

  8. Risk Management Model (figure: four quadrants on a probability axis, high to low, and an impact (cost) axis, high and low) • High probability: I Contain and control; II Prevent • Low probability: III Ignore; IV Insurance or backup plan

  9. Risk Management Model (I) • This model shows four actions an organisation can take depending on the cost and probability of the physical threat • In this model • The threat posed by a hurricane in Barbados would be in quadrant II • The threat posed by temperatures dropping below freezing would be in quadrant IV

  10. Good Security Schemes • To implement a good security scheme you must • Identify risks • Determine how to protect those assets at risk • Calculate the amount to spend to protect against the identified risks

  11. Computer Security Classifications • There are three main security classifications: • Secrecy • Protecting against unauthorised access • Integrity • Protecting against unauthorised modification • Necessity (denial of service, or availability) • Preventing data delays or denials (removals); e.g. if important information had to be received at a given time but a hacker delayed it by flooding an e-mail server with email

  12. Security Policy • Every company concerned about protecting its assets should have a security policy • This is a document which describes • Which assets require protection and why • The person who is responsible for protecting it • And which behaviours are permissible and which are not

  13. Security Policy (I) • The security policy typically addresses: • Physical security • Network security • Access authorisation • Virus protection • And disaster recovery • This document should be updated regularly

  14. Requirements for Secure E-commerce • Secrecy • Prevent unauthorised individuals from reading messages and business plans, obtaining credit card numbers or accessing confidential information • Integrity • Provide a way of digitally determining whether information has been altered • Availability • Provide delivery assurance for each message so that a loss will not go undetected

  15. Requirements for Secure E-commerce • Key Management • All key information must be distributed and managed securely • Nonrepudiation • Provide undeniable, end-to-end proof of each message’s origin and recipient • Authentication • Securely identify clients and servers with digital signatures and certificates

  16. Client Computer Security • This section outlines • security threats that may occur on client computers • how they work • and how to protect against them

  17. Active Content • Active content refers to programs that are embedded transparently in Web pages that cause actions to occur [Sch2004] • E.g. displaying moving graphics and downloading and playing audio • In e-commerce it is used to place items in a shopping cart and compute total invoice amounts

  18. Active Content (I) • Active content also • extends HTML functionality • Since they are programs that run on client computers they pose a security risk

  19. Active Content (II) • The best known examples are: • Cookies • Java applets • JavaScript • VBScript • ActiveX controls • Other examples include graphics, Web browser plug-ins and email attachments

  20. Active Content (III) • Since active content is embedded in Web pages (e.g. scripting languages) it can be transparent to anyone browsing the Web page • Crackers for example can include a Trojan horse • A Trojan horse is a program hidden inside another program or Web page that masks its true purpose

  21. Active Content (IV) • A Trojan horse could • Send private information on the client’s computer back to a server (a secrecy violation) • Could alter or erase information on the client’s computer (an integrity violation) • Alternatively, a zombie attack is a program that takes over another computer to launch an attack on other computers

  22. Cookies and Web Pages • Allowing active content to be added to Web pages used for e-commerce can be dangerous since • Cookies (files) frequently store credit card numbers, usernames and passwords • Information stored in cookies can be read by the server computer that stored them there • See http://www.cookiecentral.com/

  23. Cookies • Cookies were designed to solve the problem of the stateless nature of the HTTP protocol • To save information between one session and another

  24. Cookies • Cookies fall into two types by time duration • Session cookies • These exist until the Web client ends the session (or connection) • Persistent cookies • These remain on the client’s computer indefinitely • E-commerce uses both of these cookie types

  25. Cookies (I) • Cookies can also be categorised by source: • First-party cookies are cookies put on the client computer by the Web server • Third-party cookies are cookies put on the client computer by some other Web site • The third-party Web site usually provides some content on the Web site being viewed

  26. Cookies (II) • These third-party Web sites can then track visitors from one site to the next (because they have ads and cookies set up on many of these sites)

  27. Cookies (III) • To protect yourself against cookies (or cookie monsters) you can • Disable cookies altogether; however, this will stop some sites from functioning correctly • Users would have to re-enter information every time they visit the Web site • Disable third-party cookies • Or use a third-party cookie blocker program that stores cookies selectively
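Added example, not part of the original slides: a short JavaScript sketch that classifies cookies the way slides 24 to 26 do (session or persistent, first-party or third-party) and reports a third-party cookie seen on more than one site. The host names, cookie values and `observed` records are constructed, and the same-host-or-subdomain test is a simplification of how browsers decide what counts as third-party.

```javascript
// Constructed sample: Set-Cookie headers seen while viewing two shops
// (page = site being viewed, from = host that set the cookie). All values are invented.
const observed = [
  { page: "shop-a.example", from: "shop-a.example", header: "cart=41; Path=/" },
  { page: "shop-a.example", from: "shop-a.example", header: "login=u1; Max-Age=2592000; Path=/" },
  { page: "shop-a.example", from: "ads.tracker.example", header: "uid=9f2c; Expires=Wed, 01 Jan 2031 00:00:00 GMT" },
  { page: "shop-b.example", from: "ads.tracker.example", header: "uid=9f2c; Expires=Wed, 01 Jan 2031 00:00:00 GMT" },
];

// Split a Set-Cookie header into name, value and a map of lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Label one observation by duration (slide 24) and by source (slide 25).
function classify(rec) {
  const c = parseSetCookie(rec.header);
  if (!c) return null;
  // Simplification (assumption): same host or a subdomain of the page counts as first-party.
  const firstParty = rec.from === rec.page || rec.from.endsWith("." + rec.page);
  return {
    name: c.name, value: c.value, setBy: rec.from, page: rec.page,
    duration: "expires" in c.attrs || "max-age" in c.attrs ? "persistent" : "session",
    source: firstParty ? "first-party" : "third-party",
  };
}

// Slide 26: a third-party cookie with the same value on several sites links those visits.
function crossSiteTrackers(records) {
  const seen = new Map();
  for (const c of records.map(classify)) {
    if (!c || c.source !== "third-party") continue;
    const key = `${c.setBy}|${c.name}=${c.value}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(c.page);
  }
  return [...seen].filter(([, pages]) => pages.size > 1)
    .map(([id, pages]) => ({ id, pages: [...pages].sort() }));
}

console.log(observed.map(classify), crossSiteTrackers(observed));
```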

  28. Java Applets • Applets are downloaded with Web pages and run on client computers • Once downloaded, Java code can run on the client’s computer, which introduces a security hole • To counteract this Java has a security model called the Java sandbox which prevents applets from performing certain functions • Also applets are classified as “untrusted” if they have not been established as being secure

  29. Java Applets (I) • When running in the sandbox Java applets cannot perform file input, output or delete operations • This scheme provides secrecy and integrity

  30. JavaScript • JavaScript is a scripting language developed by Netscape • When a Web page is downloaded and contains embedded JavaScript code, it runs on the user’s (client) computer • This code can be used to attack the client’s computer • Destroy a user’s hard disk • Disclose email stored in mailboxes • Capture information stored in Web forms (e.g. credit card information)

  31. JavaScript (I) • Try the following JavaScript code:

      ```html
      <html>
      <body>
      <script type="text/javascript">
      // Endless loop: each time the alert is dismissed the function calls itself again
      askmeagain();
      function askmeagain()
      {
        alert("Ouch!");
        askmeagain();
      }
      </script>
      </body>
      </html>
      ```

  32. ActiveX Controls • An ActiveX control is an object that contains programs • Only runs on Windows operating system • When downloaded the control is run on the client’s computer like any other program • They have full access to system resources • Can reformat hard disk • Rename or delete files • Shut down the computer

  33. ActiveX Controls (I) • Execution of ActiveX controls cannot be halted once started • Web browsers can be configured to warn users when ActiveX controls are about to be downloaded

  34. Graphics and Plug-ins • Graphics, browser plug-ins and email attachments can include executable content • Some graphic file formats contain special instructions on how to render the graphic • The embedded code can be used to attack your computer • Plug-ins enhance your browser’s capabilities but can also pose a threat

  35. Viruses, Worms and Antivirus Software • A virus is software that attaches itself to another program • A macro virus is a type of virus that is coded as a macro • A worm is a type of virus that replicates itself on the computer it affects • Email attachments may include word processing files, spreadsheets, databases, images which may contain viruses • Viruses within Word and Excel macros (Visual Basic for Applications) can damage your computer

  36. Viruses, Worms and Antivirus Software • Viruses tend to prey on operating system (or Web server) vulnerabilities • To counteract viruses • Ensure you have installed the latest security patches • Ensure that you are running the latest Antivirus software with the latest virus updates

  37. Digital Certificates • A digital certificate is an attachment to a message which verifies the sender of the message • It also provides a means of sending encrypted messages

  38. Digital Certificates (I) • A digital certificate contains an encrypted message that • Identifies the author • Indicates whether the certificate is valid or not • This provides a way to sign a message • In many countries including Barbados this is accepted as a signature

  39. Digital Certificates (II) • Digital certificates are issued by a certification authority (CA) • To individuals or organisations • Appropriate proof of identity must be provided

  40. Digital Certificates (III) • A digital certificate contains six main elements [Sch2004]: • The certificate’s owner’s identifying information, such as name, organisation and address • The certificate owner’s public key • Dates between which the certificate is valid • Serial number of the certificate • Name of the certificate issuer • Digital signature of the certificate issuer

  41. Digital Certificates (IV) • One of the oldest and best-known CAs is VeriSign

  42. Communication Channel Security • These threats come from various sources including: • Sniffer Programs • Backdoors • CyberVandalism • Masquerading or Spoofing • Denial-of-Service

  43. Sniffer Programs • These programs provide a means of recording packets passing through a computer or router • It is similar to telephone line tapping • Sniffer programs can • Read email messages • Read user logins and passwords • Read credit card numbers

  44. Backdoors • Some e-commerce programs contain backdoors • These backdoors are left intentionally or unintentionally by software developers • Backdoors provide a way for an unauthorised user to gain access to protected information including: • Credit card information • Proprietary company information (which could be sold for millions to competitors)

  45. CyberVandalism • This is the electronic defacing of Web site pages • Replaces regular content • Its parallel is the spraying of graffiti on public property

  46. Masquerading or Spoofing • This is when a person impersonates someone else • E.g. pretending that a Web site belongs to someone else, when it does not • On a domain name server a perpetrator might use a security hole in order to change the IP address of a given Web page • Any order entered on this new page could then be modified (e.g. change the shipping address of the goods) and the modified order sent to the original Web site.

  47. Denial-of-Service Threat • This threat disrupts normal computer processing • For example a zombie computer was used to flood a Web site with packets • This prevented legitimate users from using the Web site • This also may lead to a loss in business

  48. Communication Channel Security (I) • Solutions are provided in the form of (discussed in the next section): • Symmetric Encryption • Asymmetric Encryption • Digital Signatures • Message Hashing • Digital Certificates • Secure Socket Layer
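Added example, not part of the original slides: a Node.js sketch of how a digital signature (listed in slide 48) meets the integrity requirement of slide 14, using the altered shipping address from slide 46 as the tampering case. The order fields, key pairs and function names are constructed for illustration, and Ed25519 is an assumed choice of signature algorithm.

```javascript
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Constructed sample order; all field values are invented for illustration.
const order = { id: "A-1001", item: "textbook", qty: 1, shipTo: "12 Example Road, Bridgetown" };

// Serialise with sorted keys so sender and receiver sign and verify the same bytes.
function canonical(obj) {
  return Buffer.from(JSON.stringify(obj, Object.keys(obj).sort()));
}

// Sender: attach an Ed25519 signature made with the sender's private key.
function signOrder(obj, privateKey) {
  return { order: obj, sig: sign(null, canonical(obj), privateKey).toString("base64") };
}

// Receiver: recompute the bytes and check the signature with the sender's public key.
function verifyOrder(msg, publicKey) {
  try {
    return verify(null, canonical(msg.order), publicKey, Buffer.from(msg.sig, "base64"));
  } catch {
    return false; // a malformed signature or key counts as a failed check
  }
}

function demo() {
  const customer = generateKeyPairSync("ed25519");
  const other = generateKeyPairSync("ed25519"); // a key that is not the customer's
  const sent = signOrder(order, customer.privateKey);
  // What the receiver sees if the shipping address is changed in transit (slide 46).
  const altered = { ...sent, order: { ...sent.order, shipTo: "99 Other Street" } };
  // The same altered order, re-signed with a key the receiver does not associate with the customer.
  const resigned = signOrder(altered.order, other.privateKey);
  return {
    intact: verifyOrder(sent, customer.publicKey),
    altered: verifyOrder(altered, customer.publicKey),
    resigned: verifyOrder(resigned, customer.publicKey),
  };
}

console.log(demo());
```

The check only means something if the receiver knows the public key really belongs to the customer, which is the binding a CA-issued digital certificate (slides 37 to 40) provides.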

  49. Server Computer Security • Server vulnerabilities come from • Web servers and their software • Backend programs such as • Database programs
