Upload: gertrude-smith

Post on 24-Dec-2015


E-COMMERCE SECURITY THREATS

And what you can do about it

Here are some numbers

• In America
  • 8 out of 10 US consumers use the internet to shop.
  • In 2012, $42.3 billion were spent online during Nov-Dec alone
  • $20.4 billion was lost to cyber crime in 2012

The Internet is a Dangerous Place

• 604,826 Million identities exposed per breach

• Targeted attacks (42% + from 2011)
  • 50% Small-Medium business
  • 18% small business
  • 50% big business

• Bot Nets
  • 2011: 3.1 million
  • 2012: 3.4 million

Examples of Recent Security Breaches

• Evernote: 10 million users’ data stolen. Passwords hashed + salted. (Phishing)

• StratFor: 75,000 credit card numbers. 2.5 million emails. (Unsecure CMS plugin)

• Sony: 77 million users’ data. Usernames, passwords, and credit card numbers (security through obscurity)

• LivingSocial: 50 million users'. Name, email, DOB. Passwords hashed + salted.

• 100 major universities (Harvard, Stanford..): 120,000+ emails, username, passwords. SQL Injection

Means of Attack

Out of your control

• Physical server security

• Trustworthy employees

• Server updates

• Usage of a firewall and intrusion detection system.

Things you can control

• Enforcing robust password practices

• Avoiding security through obscurity

• Implementing encryption for data transfers

• Properly coded SQL

• Cross Site Scripting

• Social engineering

DDoS Attacks

Becoming more and more popular amongst internet activists, a distributed denial-of-service attack is an attempt to make resources unavailable to legitimate users.

Too much of a good thing?

A website can be DDoSed both legitimately and illegitimately (the Slashdot effect, or /b/).

• It is done by using a large network of “zombie” PCs to request your website at the same time, using up your bandwidth and processor power

• They can also flood the server with TCP requests.

But how do I prevent it?

• Don’t be hated on the internet

• Implement caching, limit amount of requests per IP, and purchase hardware
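The "limit the amount of requests per IP" bullet above, as an added example that is not part of the original slides: a sliding-window rate limiter replayed over a constructed request log in which one "zombie" host fires twenty requests in two seconds while an ordinary visitor makes three. The IP addresses, the limits and the log are all assumptions made for the demo.

```python
from collections import defaultdict, deque

# Constructed request log for the demo: (seconds since start, client IP).
# One "zombie" host fires 20 requests in two seconds; one ordinary visitor
# makes three requests spread over ten seconds. Not data from the slides.
ZOMBIE_IP = "10.0.0.1"
VISITOR_IP = "192.0.2.7"
SAMPLE_REQUESTS = sorted(
    [(i / 10, ZOMBIE_IP) for i in range(20)]
    + [(0.3, VISITOR_IP), (4.0, VISITOR_IP), (9.0, VISITOR_IP)]
)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client IP in any `window`-second span."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        # ip -> timestamps of requests served inside the current window
        self._hits = defaultdict(deque)

    def allow(self, ip, now):
        recent = self._hits[ip]
        # Forget requests that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False  # over budget: answer 429 or drop at the edge
        recent.append(now)
        return True


def replay(requests, limit=5, window=10.0):
    """Replay a request log through the limiter; return per-IP served/rejected counts."""
    limiter = SlidingWindowLimiter(limit, window)
    served = defaultdict(int)
    rejected = defaultdict(int)
    for ts, ip in requests:
        if limiter.allow(ip, ts):
            served[ip] += 1
        else:
            rejected[ip] += 1
    return dict(served), dict(rejected)


if __name__ == "__main__":
    print(replay(SAMPLE_REQUESTS))
```

With a budget of five requests per ten seconds, the zombie gets five requests through and fifteen rejected, while the visitor is never throttled. A per-IP limit only helps against a single noisy source; a botnet spreads its load over many addresses, which is why the slide also lists caching and extra capacity.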

Password Policy

• How long to guess your password?

• Require a complex password for your users

• Change default passwords (WordPress admin, Linksys..)

• Limiting login attempts is also advisable

• Passwords tend to be reused by users across many sites

Popularity   Password
1            Password
2            123456
3            12345678
4            abc123
5            qwerty
6            monkey
7            letmein
8            dragon
9            111111
10           baseball
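The password-policy slide and the top-ten list above, as an added example that is not from the original slides: a policy check that rejects short passwords and anything on the common list, a crude "how long to guess" estimate, and a login throttle that locks an account after repeated failures. The minimum length, the assumed guessing rate of 10 billion per second and the lockout period are illustrative choices, not figures from the slides.

```python
# Top-ten list copied from the slide (compared case-insensitively).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty",
    "monkey", "letmein", "dragon", "111111", "baseball",
}


def estimate_guess_seconds(password, guesses_per_second=1e10):
    """Crude answer to 'how long to guess your password?': charset^length / rate.
    The rate is an assumed offline cracking speed, not a measured one."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable punctuation and space
    return charset ** len(password) / guesses_per_second


def check_password_policy(password, min_length=12):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is one of the most common passwords")
    return problems


class LoginThrottle:
    """Lock a user out for `lockout_seconds` after `max_failures` failed logins."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}  # user -> (failure count, time of last failure)

    def is_locked(self, user, now):
        entry = self._failures.get(user)
        if entry is None:
            return False
        count, last = entry
        if count < self.max_failures:
            return False
        if now - last >= self.lockout_seconds:
            del self._failures[user]  # lockout has expired
            return False
        return True

    def record_failure(self, user, now):
        count, _ = self._failures.get(user, (0, now))
        self._failures[user] = (count + 1, now)

    def record_success(self, user):
        self._failures.pop(user, None)


if __name__ == "__main__":
    for pw in ("letmein", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, check_password_policy(pw), f"{estimate_guess_seconds(pw):.3g} s")
```

The long lowercase passphrase scores far higher on the guess estimate than the short "complex" password, which is the point of the xkcd strip linked on the next slide. The throttle works on failures per account; combine it with the per-IP limiting from the DDoS slide so that a single source cannot lock out every account by spraying bad passwords.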

Cool trick

This can help you make easy-to-remember passwords so you don’t have to keep on using the same one on every site.

http://xkcd.com/936/

Password Storage

• Those passwords your users use, you can just save them in your database, or can you?

Saving them in ‘clear text’ lets you and your employees see a person’s password which has numerous security and privacy implications. So what can you do?

• Hash them!

But this still leaves them vulnerable to brute-force and rainbow-table attacks.

• Salt them!

Adding random characters to the end of the user’s password before hashing it, and keeping that salt saved in a separate database, adds another step for an intruder to overcome.
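The hash-then-salt progression above, as an added example that is not from the original slides. It shows why a bare hash is weak (a precomputed table of the top-ten passwords recovers it instantly) and how a random per-user salt defeats that table. The example uses PBKDF2 so that each guess is also deliberately slow; the iteration count is an illustrative choice, and the salt is stored in the same record as the hash, which is the usual practice (the slide's separate store works equally well).

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative work factor; raise it as hardware gets faster

# Top-ten list from the slide, used here to build the attacker's lookup table.
TOP_PASSWORDS = [
    "password", "123456", "12345678", "abc123", "qwerty",
    "monkey", "letmein", "dragon", "111111", "baseball",
]


def unsalted_hash(password):
    """What 'Hash them!' alone gives you: same password, same digest, every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precomputed digest -> password table (a tiny rainbow-table stand-in)."""
    return {unsalted_hash(p): p for p in candidates}


def hash_password(password, salt=None):
    """Salted, iterated hash. Returns a self-describing record:
    algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    table = build_lookup_table(TOP_PASSWORDS)
    print("unsalted monkey ->", table.get(unsalted_hash("monkey")))
    record = hash_password("monkey")
    print("salted record   ->", table.get(record), record)
```

Two users who both choose "monkey" end up with different records, so one cracked record says nothing about the other, and the attacker has to repeat the full slow computation per user and per guess.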

Security Through Obscurity

• Security problems are usually a matter of when they happen, not if they do

• Hiding your password list in a secret remote text file on your server might be well hidden, but anyone can find it.

• You might be the only one who knows how that super awesome custom hashing algorithm you coded works, but that doesn’t mean someone can’t reverse engineer it and discover problems later.

• That IPX network protocol on your 110 baud modem? Just because it is old doesn’t mean no one else knows how to get in.

SSL Encryption

Why would you want to encrypt data?

When users log on, they have to submit their username and password over the internet, and anyone along the way can read it.

Would you want your credit card number out in the open?

Asymmetric Encryption

• Authentication and Encryption

• They rely on the PKI (Public Key Infrastructure)
  • Vulnerable to MITM (man-in-the-middle) attacks.

• Costly
  • Buying a certificate
  • Processing requests

A Diffie–Hellman key exchange

You are not safe at Starbucks…

• So called “Man-in-the-Middle” attacks are carried out by eavesdropping on your connection

• Using packet sniffers, they can intercept the data you send out and receive

• For more sophisticated attacks they can also spoof an IP with the Address Resolution Protocol

• SSL/TLS prevents this
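The Diffie–Hellman exchange and the man-in-the-middle slides above, as an added example that is not from the original slides. It runs an unauthenticated key exchange twice: once with only an eavesdropper, who learns nothing from the public values, and once with an active attacker who swaps in her own public value and ends up holding a separate key with each side. The out-of-band fingerprint comparison at the end is the manual form of what a certificate from a CA (the PKI on the previous slide) automates. The toy group, the party names and the function names are assumptions made for the demo.

```python
import hashlib
import secrets

# Toy group constructed for the demo: the Mersenne prime 2^127 - 1 and generator 5.
# Real deployments use a standardised 2048-bit-or-larger group or an elliptic curve.
P = 2**127 - 1
G = 5
NBYTES = (P.bit_length() + 7) // 8


def keypair():
    """Private exponent and the public value g^x mod p that goes over the wire."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a session key from the shared secret peer_pub^priv mod p."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(NBYTES, "big")).hexdigest()


def fingerprint(pub):
    """Short digest of a public value, suitable for comparing out of band."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()[:16]


def run_exchange(active_attacker):
    """Simulate Alice and Bob exchanging public values over the coffee-shop Wi-Fi.
    With active_attacker=True, 'Mallory' replaces both public values with her own."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if active_attacker:
        m_priv, m_pub = keypair()
        pub_seen_by_bob, pub_seen_by_alice = m_pub, m_pub
        # Mallory can now derive a key with each side and relay traffic between them.
        mallory_key_with_alice = shared_key(m_priv, a_pub)
    else:
        pub_seen_by_bob, pub_seen_by_alice = a_pub, b_pub  # passive sniffer only
        mallory_key_with_alice = None
    alice_key = shared_key(a_priv, pub_seen_by_alice)
    bob_key = shared_key(b_priv, pub_seen_by_bob)
    # Out-of-band check: does the value Alice received really belong to Bob?
    peer_verified = fingerprint(pub_seen_by_alice) == fingerprint(b_pub)
    return {
        "keys_agree": alice_key == bob_key,
        "peer_verified": peer_verified,
        "attacker_shares_alice_key": mallory_key_with_alice == alice_key,
    }


if __name__ == "__main__":
    print("passive:", run_exchange(False))
    print("active: ", run_exchange(True))
```

In the passive case the two keys agree and the public values on the wire are useless to the sniffer. In the active case Alice and Bob each agree a key with Mallory instead of with each other, and only the fingerprint check (or a signed certificate) reveals the substitution; that is the gap SSL/TLS closes by authenticating the server's key.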

Cross Site Attacks

• Cross Site Scripting
  • Client side scripts executed on webpages

• Cross Site Request Forgery
  • Unencrypted form links

• Prevention?
  • Whitelist and escape user input
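The "whitelist and escape user input" bullet above, as an added example that is not from the original slides: the raw interpolation that lets a stored comment run as script, beside the escaped rendering that shows it as text; an allowlist check for a username field; and an HMAC-based token that ties a form submission to the user's session, which is the usual defence against cross-site request forgery. The session identifiers, the regular expression and the sample comment are assumptions made for the demo.

```python
import hashlib
import hmac
import html
import re
import secrets

# Server-side secret for signing CSRF tokens (constructed fresh for the demo;
# a real deployment keeps one stable secret in configuration).
SECRET_KEY = secrets.token_bytes(32)

# Allowlist: usernames are 3-32 characters from a fixed safe alphabet.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

# Constructed sample input: a comment containing a script tag.
SAMPLE_COMMENT = "<script>alert('xss')</script>"


def render_comment_unsafe(author, text):
    """Raw interpolation: whatever the user typed becomes part of the page's HTML."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment(author, text):
    """Escaped interpolation: <, >, &, quotes become entities and cannot start a tag."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def validate_username(name):
    """Allowlist check: reject anything outside the permitted alphabet and length."""
    return USERNAME_RE.fullmatch(name) is not None


def issue_csrf_token(session_id):
    """Token = nonce.HMAC(secret, session_id:nonce); embed it in every form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """A forged cross-site form cannot know the session's token, so it fails here."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    print(render_comment_unsafe("eve", SAMPLE_COMMENT))
    print(render_comment("eve", SAMPLE_COMMENT))
    token = issue_csrf_token("session-123")
    print(token, verify_csrf_token("session-123", token))
```

Escaping belongs at the point of output, not at input time, because the same string may later be placed into HTML, JavaScript or SQL, each with its own escaping rules; the allowlist, by contrast, is an input-time check that rejects anything outside the expected shape before it is stored.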

SQL Injections

• Number one threat since 2010, according to the Open Web Application Security Project (OWASP)

• Easy to execute

• Severe organization impact

SQL Injections, how do they work?

• An innocent SQL statement:
  "SELECT * FROM users WHERE name = '" + userName + "';"

• Replace the userName variable with:
  a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

• The new command becomes:
  SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

• And that is how someone just deleted your user table!

SQL Injection Prevention

• Use parameters to restrict user input
  new SqlCommand("SELECT * FROM users WHERE name = @userName", connection);
  command.Parameters.AddWithValue("@userName", userName);
  • Now searches for the literal username “a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't” instead of executing it

• Grant necessary permission only
  • Authorize read on selected information
  • Example: DENY SELECT ON sys.tables TO webdatabaselogon;

• Deny or limit xp_cmdshell
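The injection walk-through and the two prevention bullets above, as an added example that is not from the original slides. It builds the slide's concatenated statement with the slide's own payload and runs it against a throwaway in-memory SQLite database, then shows the parameterised query treating the same payload as a plain string, and finally shows least privilege catching the DROP even when the vulnerable concatenation is left in place. SQLite has no GRANT/DENY, so its authorizer hook stands in for the slide's DENY statement; the schema, table contents and function names are assumptions made for the demo.

```python
import sqlite3

# The slide's payload, reproduced so the example matches the transcript.
PAYLOAD = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"


def fresh_db():
    """Constructed in-memory schema standing in for the shop's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(name TEXT);"
        "INSERT INTO users VALUES ('alice'), ('a');"
        "CREATE TABLE userinfo(detail TEXT);"
    )
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def vulnerable_query(user_name):
    """String concatenation exactly as on the slide: user input becomes SQL text."""
    return "SELECT * FROM users WHERE name = '" + user_name + "';"


def safe_lookup(conn, user_name):
    """Parameterised query: the value travels separately from the SQL text, so the
    database only ever compares it as data and never parses it as a statement."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (user_name,)).fetchall()


def restrict_web_login(conn):
    """Least privilege for the web connection (the slide's DENY / xp_cmdshell advice).
    Reads are allowed; dropping tables and writing rows are refused no matter what
    SQL text arrives on this connection."""
    def authorizer(action, _arg1, _arg2, _db_name, _trigger):
        if action in (sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_DELETE,
                      sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def simulate(user_name, least_privilege=False):
    """Run the concatenated statement the way a driver without multi-statement
    protection would (executescript) and report what happened to the users table."""
    conn = fresh_db()
    if least_privilege:
        restrict_web_login(conn)
    sql = vulnerable_query(user_name)
    error = None
    try:
        conn.executescript(sql)
    except sqlite3.DatabaseError as exc:  # "not authorized" when the DROP is denied
        error = str(exc)
    return {
        "sql": sql,
        "users_table_survived": table_exists(conn, "users"),
        "error": error,
    }


if __name__ == "__main__":
    print(simulate(PAYLOAD))
    print(simulate(PAYLOAD, least_privilege=True))
    print(safe_lookup(fresh_db(), PAYLOAD), safe_lookup(fresh_db(), "a"))
```

Note that Python's ordinary `execute()` already refuses to run more than one statement at a time, which is why the vulnerable path uses `executescript()` to reproduce the slide; that guard is driver-specific and not something to rely on. The parameterised query is the real fix, and the restricted login is the safety net that limits the damage when a concatenation slips through review.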

Dear Friend, I have an exciting business opportunity for you!

How do they do it?

• Scammers may also attempt to trick you or your employees into handing out private information

• They may spoof their emails or phone calls to phish for specific data

• Fake letters to renew your domain name by an unknown host

Is there a way to avoid it?

• Not really, but being skeptical and educated about new threats will let you avoid falling for these types of scams

• Spam filters are nice too

Pro Tips

Things to avoid

• Reusing the same password

• Falling for email scams

• Using insecure connection methods

• Giving too much information in error messages

• Letting users upload files

Things to do

• Change your default passwords

• Encrypt personal data

• Enforce user policies

• Examine security/event logs

• Validate your forms for malicious code

THE END

Any questions?