Electronic Commerce Security



  1. Electronic Commerce Security Chapter 10

  2. Computer security
  • The protection of computer assets (hardware, software, data) from unauthorized access, use, alteration, or destruction.
  • Two types of security:
    • Physical security: tangible/physical protection devices (alarms, guards, fireproof doors, safes or vaults)
    • Logical security: nonphysical means (software safeguards) of protecting the assets (user accounts, firewalls, antivirus, data encryption)

  3. Computer security
  • Threat:
    • Any act or object that poses a danger to computer assets
  • Crackers or hackers:
    • People who write programs or manipulate technologies to obtain unauthorized access to computers and networks
  • Countermeasures:
    • Procedures, either physical or logical, that recognize, reduce, or eliminate a threat
  • Security policy:
    • Written statement describing how a company plans to protect its computer assets (hardware, software, data) from unauthorized access, use, alteration, or destruction.

  4. Security policy

  5. Computer security
  • Computer security framework:
    • CIA Triad: Confidentiality (secrecy), Integrity, Availability (necessity)
  • Confidentiality (secrecy):
    • Computer security issues related to unauthorized data disclosure.
  • Integrity:
    • Computer security issues related to unauthorized data modification.
  • Availability:
    • Computer security issues related to data (access) delay or denial.

  6. Threats
  • Cookies:
    • Information stored on your computer by a website you visit.
    • When you return to the site, your browser sends back the cookies that belong to the site.
    • By default, the activities of storing and sending cookies are invisible to you.
  • Session cookies:
    • Exist until the Web client ends the connection (logout)
  • Persistent cookies:
    • Remain on the client computer indefinitely
  • Security threats:
    • In a shared environment, like a cyber café, assume a scenario where User X checks the “Remember me” box (which creates a persistent cookie storing his username and password for future sessions) and closes the browser without logging out. If User Y uses the same system and has the same email provider, he will be able to see the contents of User X’s Inbox.
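As an added example (not part of the slides), the following Python code shows how a site's Set-Cookie header decides whether a cookie is a session or a persistent cookie, which cookies survive closing the browser in the shared-computer scenario above, and the header a site must send on logout to remove a persistent cookie. The header values and cookie names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (not from the slides): the first is what a plain
# login would issue, the second what a "Remember me" box typically issues.
LOGIN_COOKIE = "sid=abc123; Path=/; HttpOnly; Secure"
REMEMBER_ME_COOKIE = "auth=tok987; Path=/; Max-Age=2592000; HttpOnly; Secure"


def cookie_kinds(set_cookie_header: str) -> dict:
    """Classify each cookie in a Set-Cookie header.

    A cookie carrying an Expires or Max-Age attribute is persistent (it survives
    closing the browser); one without either is a session cookie (discarded on exit).
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    kinds = {}
    for name, morsel in jar.items():
        persistent = bool(morsel["expires"]) or bool(morsel["max-age"])
        kinds[name] = "persistent" if persistent else "session"
    return kinds


def survives_browser_close(set_cookie_header: str) -> list:
    """Names of cookies still on the shared computer after User X closes the browser
    without logging out: only the persistent ones."""
    return [name for name, kind in cookie_kinds(set_cookie_header).items()
            if kind == "persistent"]


def logout_header(cookie_name: str) -> str:
    """Set-Cookie value a site must send on logout so the persistent cookie is
    removed from the client: same name and path, empty value, Max-Age=0."""
    jar = SimpleCookie()
    jar[cookie_name] = ""
    jar[cookie_name]["max-age"] = 0
    jar[cookie_name]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(cookie_kinds(LOGIN_COOKIE))          # {'sid': 'session'}
    print(cookie_kinds(REMEMBER_ME_COOKIE))    # {'auth': 'persistent'}
    print(survives_browser_close(REMEMBER_ME_COOKIE))  # ['auth']
    print(logout_header("auth"))
```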

  7. Threats
  • Active content:
    • Programs that are embedded transparently in Web pages and that cause actions to occur.
    • Examples: JavaScript, ActiveX controls
    • Active content is launched in a Web browser automatically when that browser loads a Web page containing it
    • Hackers can embed malicious active content in seemingly innocuous Web pages
  • Trojan horse: a program hidden inside another program or Web page that masks its true purpose
    • Could snoop around a client computer and send private information back to a cooperating Web server – Confidentiality violation
    • Could alter or erase information on a client computer – Integrity violation
    • Could take over the computer for the purpose of launching attacks on other computers. After taking over a large number of computers (“zombies”), a hacker uses these zombies to flood the target server with request messages in order to saturate it so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable – Denial of Service (DoS) attack

  8. Denial of Service (DoS) attack

  9. Threats
  • Virus:
    • Program that attaches itself to another program (object) and can cause damage when the host program (object) is activated (opened)
    • Example: Web browsers and email programs display attachments by automatically executing an associated program (MS Word opens and displays a Word document). Word macro viruses inside the loaded files can damage a client computer and reveal confidential information when those files are opened.
  • Macro virus:
    • A type of virus that is coded as a small program and is embedded in a file (MS Word file, MS Excel file)
  • Worm:
    • A self-replicating malware (malicious software) program that uses a computer network to send copies of itself to other nodes (computers on the network), and may do so without any user intervention.
    • This is possible because of security shortcomings on the target computer (security holes in the operating system).
    • Unlike a computer virus, it does not need to attach itself to an existing program.

  10. Threats
  • Backdoor:
    • Hidden access method that gives developers or support personnel easy access to a system without having to struggle with security controls
    • Example: default usernames and passwords. Failure to change the default usernames and passwords when new equipment is deployed allows unauthorized access to the equipment
    • Hackers can install their own backdoor program on a system

  11. Threats
  • Sniffer programs:
    • Programs that can read email messages and other unencrypted messages (user logins, passwords, credit card numbers)
    • Programs that allow eavesdropping on traffic between networked computers
  • Physical threats:
    • Physically stealing information from a fiber optic cable (see the “Hacking fiber optic” video on YouTube)
  • Wardrivers:
    • Attackers drive around in cars using their wireless-equipped laptop computers to search for accessible networks (wireless networks that have not turned on an encryption procedure such as WEP or WPA)
    • A wireless-equipped laptop computer can be used to launch a sniffer to intercept data sent on the network (read the Best Buy case on page 464)

  12. Threats
  • Masquerading or spoofing:
    • A hacker could create a fictitious Web site masquerading as www.amazon.com by exploiting a DNS security hole that substitutes her fake IP address for www.amazon.com’s real IP address.
    • All subsequent visits to www.amazon.com would be redirected to the fictitious site
    • The hacker could alter any orders to change the order and redirect shipment to another address

  13. Threats
  • Buffer overrun/buffer overflow:
    • A problem in which a computer program writes more data to a buffer than has been allocated for that buffer. As a result, data is written to an adjacent portion of memory, potentially overwriting other data.
    • A worm can cause an overflow condition that eventually consumes all resources until the affected computer can no longer function – Availability (necessity) violation
  • Mail bomb:
    • Targets email servers
    • Similar to a DDoS attack
    • Hackers use zombies to send hundreds of thousands of email messages to a particular address to exceed the allowed email size limit and hence cause email systems to malfunction – Availability (necessity) violation

  14. Threats
  • Denial of Service (DoS)/Distributed Denial of Service (DDoS) attack:
    • Sending a flood of data packets to a site’s servers (www.amazon.com, www.yahoo.com) to overwhelm them and choke off legitimate customers’ access

  15. Countermeasures
  • Antivirus software:
    • Software that detects viruses and worms and either deletes them or isolates them on the client computer so that they cannot run
    • Only effective if the antivirus data files are kept current so that the newest viruses are recognized and eliminated
    • Some Web sites (Yahoo! Mail) run antivirus software themselves
  • Digital certificates:
    • An attachment to an email message or a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be
    • It also contains a means to send an encrypted message to the entity that sent the original Web page or email message
    • Issued by a certification authority (CA) (VeriSign, Thawte):
      • A third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate
      • Confirms the legal existence of the organization (owner of the certificate)

  16. Countermeasures
  • Authentication:
    • Controlling who and what has access to the client
    • Verification of the identity of the entity requesting access to the computer
    • Using usernames and passwords
  • Access control list (ACL) of a resource:
    • A list of the usernames of people who can access the resource (file), as well as what operations are allowed on the given resource (read only, read & write).
    • Each resource has its own access control list

  17. Countermeasures
  • Firewall:
    • Software or a hardware-software combination that is installed in a network or a computer to control the packet traffic moving through it
    • Only authorized traffic as defined by the local security policy (the firewall security policy) is allowed to pass through it

  18. Countermeasures
  • Biometric security devices:
    • Devices that use an element of a person’s biological makeup to perform the identification
    • Fingerprint, face, iris, voice, and signature recognition devices for authentication

  19. Countermeasures
  • Encryption:
    • The coding of information to produce a string of characters that is unintelligible
    • An encryption program transforms normal text (plain text) into cipher text (the unintelligible string of characters)
    • An encryption program uses a certain encryption algorithm (a mathematical procedure for performing encryption on data)

  20. Countermeasures
  • Hash function:
    • A hash algorithm is applied to the message to convert the message into a message digest (a small integer number that summarizes the encrypted information), which is appended to the message
    • When the recipient receives the message and the attached message digest, the recipient calculates a message digest for the message by using the same hash algorithm
    • If the message digest that the recipient calculates matches the message digest attached to the message, the recipient knows the message is unaltered

  21. Countermeasures
  • Hash function (diagram): Bob applies the hash function to the message “Hi Alice ...” to obtain the message digest 2r4tyu67 and sends the message together with the digest. Alice applies the same hash function to the received message, obtains 2r4tyu67, and compares it with the attached digest. The same? Yes: the message sent = the message received.
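An added example (not from the slides) that carries out the Bob/Alice exchange of slides 20 and 21 in Python: Bob appends a SHA-256 digest, Alice recomputes it with the same algorithm and compares. It goes one step beyond the slides by showing why an unkeyed digest only catches accidental alteration, and how a keyed digest (HMAC, with a shared secret) is needed when the party altering the message can also recompute the digest. The message, the altered message and the key are constructed values; the digest 2r4tyu67 on the slide is illustrative, so a real SHA-256 digest is used here.

```python
import hashlib
import hmac

MESSAGE = b"Hi Alice ..."  # message from the slide


def make_digest(message: bytes) -> str:
    """Apply the hash algorithm (SHA-256) to the message and return the message digest."""
    return hashlib.sha256(message).hexdigest()


def bob_send(message: bytes) -> tuple:
    """Bob's side: the message digest is appended to (sent along with) the message."""
    return message, make_digest(message)


def alice_verify(message: bytes, digest: str) -> bool:
    """Alice's side: recompute the digest with the same algorithm and compare it with
    the attached one. A match means the message is unaltered."""
    return hmac.compare_digest(make_digest(message), digest)


# Beyond the slide: a keyed digest. Only someone holding the shared secret key can
# produce a digest that verifies, so recomputing it for an altered message fails.
def make_mac(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, mac: str) -> bool:
    return hmac.compare_digest(make_mac(key, message), mac)


def demo() -> dict:
    """Run the exchange from the slide plus two alteration cases; return the outcomes."""
    msg, digest = bob_send(MESSAGE)
    altered = b"Hi Alice !!!"               # constructed: message changed in transit
    key = b"constructed-shared-secret-key"  # constructed: known only to Bob and Alice
    return {
        "intact_accepted": alice_verify(msg, digest),
        "altered_detected": not alice_verify(altered, digest),
        # plain digest recomputed for the altered text: the unkeyed check passes
        "altered_with_recomputed_digest_accepted": alice_verify(altered, make_digest(altered)),
        # keyed digest: Bob's MAC over the original does not verify the altered text
        "altered_with_mac_detected": not verify_mac(key, altered, make_mac(key, msg)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```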
