
Electronic Commerce Security


cheryl


Presentation Transcript


  1. Electronic Commerce Security Chapter 10

  2. Computer security
  • The protection of computer assets (hardware, software, data) from unauthorized access, use, alteration, or destruction.
  • Two types of security:
    • Physical security: tangible/physical protection devices (alarms, guards, fireproof doors, safes or vaults)
    • Logical security: nonphysical means (software safeguards) of protecting the assets (user accounts, firewalls, antivirus software, data encryption)
  • Threat:
    • Any act or object that poses a danger to computer assets
  • Countermeasure:
    • A procedure, either physical or logical, that recognizes, reduces, or eliminates a threat

  3. Computer security
  • Crackers or hackers:
    • People who write programs or manipulate technologies to obtain unauthorized access to computers and networks
  • Elements of computer security:
    • CIA triad: Confidentiality (secrecy), Integrity, Availability (necessity)
    • Confidentiality (secrecy): protecting against unauthorized data disclosure
    • Integrity: preventing unauthorized data modification
    • Availability (necessity): preventing data (access) delay or denial

  4. Computer security
  • Security policy:
    • Written statement describing how a company plans to protect its computer assets (hardware, software, data) from unauthorized access, use, alteration, or destruction.

  5. Security for client
  • Client:
    • Computer that can request and receive information from a server
    • Must be protected from malicious software (malware) or data downloaded from the Internet
    • Must be protected from revealing information to a malevolent server masquerading as a legitimate Web site

  6. Security for client
  • Threats:
    • Cookies:
      • Information stored on your computer by a Web site you visit.
      • When you return to the site, your browser sends back the cookies that belong to the site.
      • By default, the activities of storing and sending cookies are invisible to you.
    • Session cookies:
      • Exist until the Web client ends the connection (logout)
    • Persistent cookies:
      • Remain on the client computer indefinitely
    • Security threats:
      • In a shared environment, like a cyber café, assume a scenario where User X checks the “Remember me” box (which creates a persistent cookie storing his username and password for future sessions) and closes the browser without logging out. If User Y uses the same system and has the same email provider, he will be able to see the contents of User X’s Inbox.
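As an added Python example (not part of the original slides), a small check for the shared-computer scenario above: it classifies Set-Cookie headers as session or persistent, which is exactly what decides whether a login outlives a closed browser, and flags persistent cookies that also lack the Secure or HttpOnly protection. The header lines and cookie names are constructed, not taken from any real site.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers standing in for what a webmail site might
# send after a login with and without "Remember me"; not from any real site.
SAMPLE_HEADERS = [
    "SID=7f3a9c; Path=/; Secure; HttpOnly",
    "remember_me=userx-token; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "prefs=theme-dark; Max-Age=31536000; Path=/; Secure; HttpOnly",
]


def classify_cookie(set_cookie_header: str) -> dict:
    """Describe one Set-Cookie header: name, lifetime class, protection flags.

    A cookie with neither Expires nor Max-Age is a session cookie and is
    discarded when the browser exits. Either attribute makes it persistent,
    so it is still on disk for the next user of a shared machine.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    (name, morsel), = jar.items()  # one Set-Cookie header carries one cookie
    return {
        "name": name,
        "persistent": bool(morsel["expires"] or morsel["max-age"]),
        "secure": bool(morsel["secure"]),      # only sent over HTTPS
        "httponly": bool(morsel["httponly"]),  # not readable by page scripts
    }


def persistent_cookie_names(headers: list[str]) -> list[str]:
    """Names of the cookies that would survive closing the browser."""
    return [c["name"] for c in map(classify_cookie, headers) if c["persistent"]]


def unprotected_persistent(headers: list[str]) -> list[str]:
    """Persistent cookies that also lack Secure or HttpOnly: the worst case,
    since they outlive the session and can leak over plain HTTP or to scripts."""
    return [c["name"] for c in map(classify_cookie, headers)
            if c["persistent"] and not (c["secure"] and c["httponly"])]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_cookie(h))
    print("persistent:", persistent_cookie_names(SAMPLE_HEADERS))
    print("persistent and unprotected:", unprotected_persistent(SAMPLE_HEADERS))
```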

  7. Security for client
  • Threats:
    • Active content:
      • Programs that are embedded transparently in Web pages and that cause actions to occur.
      • Examples: JavaScript, ActiveX controls
      • Active content is launched in a Web browser automatically when that browser loads a Web page containing active content
      • Hackers can embed malicious active content in seemingly innocuous Web pages
    • Trojan horse: a program hidden inside another program or Web page that masks its true purpose
      • Could snoop around a client computer and send back private information to a cooperating Web server – Confidentiality violation
      • Could alter or erase information on a client computer – Integrity violation
      • Could take over the computer for the purpose of launching attacks on other computers – Denial of Service (DoS) attack: after taking over a large number of computers (“zombies”), a hacker uses these zombies to flood the target server with request messages, saturating it so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable

  8. Denial of Service (DoS) attack

  9. Security for client
  • Threats:
    • Virus:
      • A program that attaches itself to another program (object) and can cause damage when the host program (object) is activated (opened)
      • Example: Web browser email programs display attachments by automatically executing an associated program (MS Word opens and displays a Word document). Word macro viruses inside the loaded files can damage a client computer and reveal confidential information when those files are opened.
    • Macro virus:
      • A type of virus that is coded as a small program and is embedded in a file (MS Word file, MS Excel file)
    • Worm:
      • Self-replicating malware (malicious software) that uses a computer network to send copies of itself to other nodes (computers on the network), and may do so without any user intervention.
      • This is possible because of security shortcomings on the target computer (security holes in the operating system).
      • Unlike a computer virus, it does not need to attach itself to an existing program.

  10. Security for client
  • Threats:
    • Backdoor:
      • Hidden access method that gives developers or support personnel easy access to a system without having to struggle with security controls
      • Example: default username and password
      • Hackers can install their own backdoor program on a system
      • Example: failure to change the default usernames and passwords when new equipment is deployed

  11. Security for client
  • Logical security for client:
    • Antivirus software:
      • Software that detects viruses and worms and either deletes them or isolates them on the client computer so that they cannot run
      • Only effective if the antivirus data files are kept current so that the newest viruses are recognized and eliminated
      • Some Web sites (Yahoo! Mail) run antivirus software themselves
    • Digital certificates:
      • An attachment to an email message or a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be
      • Also contains a means to send an encrypted message to the entity that sent the original Web page or email message
      • Issued by a certification authority (CA) (VeriSign, Thawte)
        • A third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate
        • Confirms the legal existence of the organization (owner of the certificate)

  12. Security for client
  • Logical security for client:
    • Authentication:
      • Controlling who and what has access to the client
      • Verification of the identity of the entity requesting access to the computer
      • Using usernames and passwords
    • Access control list (ACL) of a resource:
      • A list of the usernames of people who can access the resource (file), as well as the operations allowed on that resource (read only, read and write).
      • Each resource has its own access control list

  13. Security for client
  • Logical security for client:
    • Firewall:
      • Software or hardware-software combination that is installed in a network or on a computer to control the packet traffic moving through it
      • Only authorized traffic, as defined by the local security policy (the firewall security policy), is allowed to pass through it

  14. Security for client
  • Physical security for client:
    • Biometric security devices:
      • Devices that use an element of a person’s biological makeup to perform the identification
      • Fingerprint, face, iris, voice, and signature recognition devices for authentication

  15. Security for communication channel
  • Ensuring security while the message is traveling on the communication channel (Internet)
  • The Internet was not designed to be secure
  • A message traveling on the Internet is subject to:
    • Confidentiality (Secrecy) threat
    • Integrity threat
    • Availability (Necessity) threat

  16. Security for communication channel
  • Confidentiality (Secrecy) threat
    • Unauthorized information disclosure
    • Examples:
      • Sniffer programs:
        • Programs that can read email messages and other unencrypted messages (user logins, passwords, credit card numbers)
        • Programs that allow eavesdropping on traffic between networked computers
      • Physical threats:
        • Stealing information from fiber optic cable (see the “Hacking fiber optic” video on YouTube)
      • Wardrivers:
        • Attackers drive around in cars using their wireless-equipped laptop computers to search for accessible networks (wireless networks that have not turned on an encryption procedure such as WEP or WPA)
        • A wireless-equipped laptop computer can be used to launch a sniffer to intercept data sent on the network (read the Best Buy case on page 464)

  17. Security for communication channel
  • Confidentiality (Secrecy) threat
    • Countermeasure:
      • Encryption:
        • The coding of information to produce a string of characters that is unintelligible
        • An encryption program transforms normal text (plain text) into cipher text (the unintelligible string of characters)
        • An encryption program uses a certain encryption algorithm (a mathematical procedure for performing encryption on data)

  18. Security for communication channel
  • Integrity threat
    • Unauthorized information alteration
    • Includes the confidentiality threat (the viewer simply sees information she should not)
    • Example:
      • Masquerading or spoofing:
        • A hacker could create a fictitious Web site masquerading as www.amazon.com by exploiting a DNS security hole that substitutes her fake IP address for www.amazon.com’s real IP address.
        • All subsequent visits to www.amazon.com would be redirected to the fictitious site
        • The hacker could alter any orders placed there and redirect shipment to another address

  19. Security for communication channel
  • Integrity threat
    • Countermeasure:
      • Hash function:
        • A hash algorithm is applied to the message to convert it into a message digest (a small integer number that summarizes the encrypted information), which is appended to the message
        • When the recipient receives the message and the attached message digest, it calculates a message digest for the message by using the same hash algorithm
        • If the message digest that the recipient calculates matches the message digest attached to the message, the recipient knows the message is unaltered
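The digest-and-compare procedure above, as an added Python example that is not from the original slides. It also carries the caveat a practitioner would want: a plain hash only catches accidental or careless changes, because whoever can rewrite the message can recompute the digest too, so the keyed variant (an HMAC over a secret shared by sender and recipient, my addition to the slide's scheme) is what detects deliberate alteration. The order text and key are constructed.

```python
import hashlib
import hmac

# Slide 19's scheme: hash the message, append the digest, and let the
# recipient recompute and compare. Function and variable names are my own.
ALGORITHM = "sha256"
DIGEST_LEN = hashlib.new(ALGORITHM).digest_size  # 32 bytes for SHA-256


def attach_digest(message: bytes) -> bytes:
    """Sender: append the unkeyed message digest to the message."""
    return message + hashlib.new(ALGORITHM, message).digest()


def verify_digest(packet: bytes) -> tuple[bytes, bool]:
    """Recipient: split off the digest, recompute it, compare."""
    message, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hashlib.new(ALGORITHM, message).digest()
    return message, hmac.compare_digest(received, expected)


def attach_mac(message: bytes, key: bytes) -> bytes:
    """Keyed variant: the digest also depends on a secret shared by both ends."""
    return message + hmac.new(key, message, ALGORITHM).digest()


def verify_mac(packet: bytes, key: bytes) -> tuple[bytes, bool]:
    """Recipient of the keyed variant: recompute the HMAC with the shared key."""
    message, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hmac.new(key, message, ALGORITHM).digest()
    return message, hmac.compare_digest(received, expected)


def corrupt_in_transit(packet: bytes, old: bytes, new: bytes) -> bytes:
    """Simulated alteration that leaves the appended digest untouched
    (what a transmission error or a careless change looks like)."""
    return packet[:-DIGEST_LEN].replace(old, new) + packet[-DIGEST_LEN:]


def alter_and_rehash(packet: bytes, old: bytes, new: bytes) -> bytes:
    """Simulated deliberate alteration that recomputes the unkeyed digest;
    verify_digest cannot tell this apart from a genuine message."""
    return attach_digest(packet[:-DIGEST_LEN].replace(old, new))


if __name__ == "__main__":
    order = b"order 17: ship 1 laptop to 10 Main St"  # constructed message
    key = b"constructed-shared-secret"
    print(verify_digest(corrupt_in_transit(attach_digest(order), b"10 Main St", b"99 Elm Rd")))
    print(verify_digest(alter_and_rehash(attach_digest(order), b"10 Main St", b"99 Elm Rd")))
    print(verify_mac(alter_and_rehash(attach_mac(order, key), b"10 Main St", b"99 Elm Rd"), key))
```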

  20. Security for communication channel
  • Availability (Necessity) threat
    • To disrupt normal computer processing, or deny processing entirely
    • Example:
      • Denial of Service (DoS) / Distributed Denial of Service (DDoS) attack
        • Sending a flood of data packets to sites (www.amazon.com, www.yahoo.com) to overwhelm the sites’ servers and choke off legitimate customers’ access

  21. Security for server
  • Web server
    • Computer that stores and delivers Web pages (and other information, e.g., audio, video) to Web clients
  • Web server threats
    • Cyber vandalism:
      • The electronic defacing of an existing Web site’s page (replacing a Web site’s regular content with his or her own content) – Integrity violation

  22. Security for server
  • Web server threats
    • Buffer overrun/buffer overflow:
      • A problem in which a computer program writes more data to a buffer than has been allocated for that buffer. As a result, data is written to an adjacent portion of memory, potentially overwriting other data.
      • A worm can cause an overflow condition that eventually consumes all resources until the affected computer can no longer function – Availability (Necessity) violation
    • Mail bomb:
      • Targets an email server
      • Similar to a DDoS attack
      • Hackers use zombies to send hundreds of thousands of email messages to a particular address to exceed the allowed email size limit, which causes email systems to malfunction – Availability (Necessity) violation

  23. Security for server
  • Server security = client security
