E-Commerce Security ISM 4480 University of South Florida

Upload: sandra4211

Post on 06-May-2015


TRANSCRIPT

Page 1: Lecture Slides

E-Commerce Security

ISM 4480, University of South Florida

Page 2: Lecture Slides

Online Security Issues

• Computer security:
  – The protection of assets from unauthorized access, use, alteration, or destruction.

• Types of security:
  – Physical security: Securing tangible devices such as disk drives.
  – Logical security: Securing nonphysical assets such as data.

• Security policy:
  – A written statement describing (1) which assets to protect and why, (2) who is responsible for protection, and (3) which behaviors are acceptable and which are not.
  – The first step is determining which assets to protect from which threats.

Page 3: Lecture Slides

Dimensions of Security Policy

• Access control:
  – Preventing unauthorized people (attackers) from accessing internal or sensitive data.
  – Technology: Login validation, firewalls.

• Authentication:
  – Securely identifying clients and servers logging into the network.
  – Technology: Digital certificates, digital signatures.

• Non-repudiation:
  – Providing undeniable proof of a message's origin and of its receipt.
  – Technology: Digital certificates, digital signatures.

• Data integrity:
  – Detecting unauthorized modification of a message during transit.
  – Technology: Hash functions combined with digital signatures (or a MAC keyed by a shared secret). Encryption alone does not provide integrity: an attacker can flip bits in ciphertext without knowing the key, so a signed or keyed hash must travel with the message. A digital envelope (a session key wrapped with the recipient's public key) provides secrecy, not integrity.

Page 4: Lecture Slides

Dimensions of Security Policy (cont.)

• Eavesdropping (secrecy):
  – Preventing unauthorized people or devices from reading or copying messages during transit.
  – Technology: Virtual private networks, encryption (TLS for web traffic).

• Viruses/Worms:
  – Preventing unauthorized programs from infiltrating and damaging internal data or the network.
  – Technology: Virus-checking (antivirus) software, kept up to date; it detects known malware only.

Page 5: Lecture Slides

Managing Security Risks

• Countermeasures are procedures to recognize, reduce, or eliminate security threats.
• Not all threats are worth active prevention; low-impact risks (e.g., spam) are better ignored or contained.

Risk matrix (reconstructed from the slide's figure):

                               Impact (cost)
                               Low                      High
  Probability    High          Contain and control      Prevent
                 Low           Ignore                   Insurance or backup

Page 6: Lecture Slides

Three Areas of Security

The slide's figure groups the threats by where they strike (reconstructed here as lists):

• Client: Java applets, client scripts (JavaScript, VBScript), ActiveX objects, viruses/worms/zombies, cookies, Trojan horses.
• Communication channel: privacy, denial of service, data integrity, authentication, non-repudiation, wireless networks, eavesdropping.
• Server: access control, dictionary attacks, buffer overflows.

Solutions: Login validation, virus checkers, encryption, SSL, S-HTTP, digital certificates, digital signatures, browser settings, firewalls.

Page 7: Lecture Slides

Java Applets

• Java: A high-level programming language developed by Sun Microsystems.
• Applets: Java programs that are downloaded with web pages and executed automatically in the browser whenever that page is loaded.
• Solution:
  – Java Sandbox: Confines applet actions to a set of rules defined by a security model (no file-system or arbitrary network access unless the applet is signed and the user grants it more).
  – Caveat: current browsers no longer run applets at all, and while they were supported, signed applets that asked their way out of the sandbox were a common malware vector.

Page 8: Lecture Slides

JavaScript

• Scripting language developed by Netscape to help Web designers build active content on client platforms.
• Useful for:
  – Client-side data validation (a convenience for the user, never a substitute for validating again on the server, since the client can bypass it).
  – Building personalized interfaces.
• Can also be used for attacks. Scripts run inside the browser's sandbox, so the attacks below need either a browser bug or a script injected into a page the user already trusts (cross-site scripting):
  – Executing code that destroys the client's hard disk (requires a browser vulnerability).
  – Disclosing e-mail stored in client mailboxes.
  – Sending sensitive information (cookies, form contents) to the attacker's server.
• Solution:
  – Browser permissions can be set to prevent client scripts from executing.
  – On the server side, mark session cookies HttpOnly so scripts cannot read them, and escape user-supplied input so injected script never runs.

Page 9: Lecture Slides

ActiveX Controls

• Objects containing programs and properties that Web developers place on Web pages to connect to databases and perform similar functions.
• Commonly programmed using C++ and Visual Basic.
• Run as native code with the full privileges of the logged-in Windows user; there is no sandbox.
  – Can be programmed to delete files, reformat the hard disk, send e-mails to people in the user's address book, shut down the computer, etc.
• Actions cannot be halted once they begin execution; the only control point is the decision to accept the control (or the browser setting that blocks it) before it runs. Only Internet Explorer ever supported ActiveX, and it has been retired with that browser.

Page 10: Lecture Slides

Computer Viruses

• Virus:
  – Malicious software that spreads by attaching itself to a valid program or document (often delivered as an e-mail attachment) and causes damage when the host is activated (e.g., reformats the hard disk, shuts down the computer, sends spam).

• ILOVEYOU virus (2000):
  – Created by a 23-year-old Filipino student.
  – Spread to 40M computers in 20 countries via e-mail sent to addresses stored in the Microsoft Outlook address book.
  – Destroyed digital music and photo files.
  – Searched for and forwarded user passwords to the attacker.
  – $9B in damages, mostly in lost worker productivity.

• Antivirus software is used to detect viruses and worms, but detection is never complete: it recognizes known malware, so new or modified samples are missed until signatures are updated.

Page 11: Lecture Slides

Other Threats

• Trojan horse:
  – Program hidden inside another program or Web page that masks its true purpose.

• Zombie:
  – Program that secretly takes over another computer to launch attacks on other computers (a botnet is a collection of such zombies under one controller), making it difficult to trace the source of the problem.

• Steganography:
  – Hiding information (e.g., a command) within a piece of valid information such as a graphic file.
  – Hard to detect, especially if the hidden file is encrypted.
  – Reportedly used by Al Qaeda and other terrorist organizations (unconfirmed).

Page 12: Lecture Slides

Cookies

• Cookies:
  – Small text records the browser stores on the client's disk with information specified by the server.
  – Can be written by a third-party site, by placing a tiny graphic on the primary server's pages (web bug): the browser fetches the image from the third party, which sets its own cookie in the response.

• Two types:
  – Session cookies: Carry no expiry date and are discarded when the browser session ends.
  – Persistent cookies: Carry an expiry date (Expires or Max-Age) and remain on the client computer until then, which can be years.

• Can be used to store state information (e.g., a login session identifier).
• Can be misused to track a client's clickstream without their knowledge and report it to the server.

• Solutions:
  – Browsers provide settings to turn off or review cookies prior to use.
  – Third-party programs to block cookies selectively (e.g., Webwasher).
  – Cookie Pal displays all cookies for users to view, delete and manage.
  – On the server side, cookies that carry session identifiers should be set with the Secure (https only), HttpOnly (not readable by scripts) and SameSite attributes, so an injected script cannot read them and they are not sent along with cross-site requests.
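The two cookie types and the protective attributes above, as an added example (not code from the slides). It builds a session cookie and a persistent cookie with Python's standard http.cookies module, then parses Set-Cookie lines back and reports whether each is persistent and which protections it lacks; the cookie names and values are made up for the demonstration.

```python
"""Session vs. persistent cookies and the attributes that limit their misuse.

Added example, not from the lecture slides. Cookie names and values below
are constructed for illustration.
"""
from http.cookies import SimpleCookie


def build_set_cookie_headers() -> list:
    """Return Set-Cookie header lines for a session cookie and a persistent
    cookie, set the way a practitioner would set them."""
    jar = SimpleCookie()

    # Session cookie: no Expires/Max-Age, so the browser discards it when the
    # session ends. HttpOnly keeps client scripts from reading it, Secure
    # limits it to https://, SameSite=Strict stops cross-site sending.
    jar["sessionid"] = "a1b2c3d4"            # constructed value
    jar["sessionid"]["httponly"] = True
    jar["sessionid"]["secure"] = True
    jar["sessionid"]["samesite"] = "Strict"
    jar["sessionid"]["path"] = "/"

    # Persistent cookie: Max-Age keeps it on disk for 30 days. This is the kind
    # of cookie used for preferences or clickstream tracking; it holds nothing
    # secret, so HttpOnly is deliberately omitted and scripts may read it.
    jar["prefs"] = "en"
    jar["prefs"]["max-age"] = 30 * 24 * 3600
    jar["prefs"]["secure"] = True
    jar["prefs"]["samesite"] = "Lax"
    jar["prefs"]["path"] = "/"

    return [morsel.OutputString() for morsel in jar.values()]


def classify(set_cookie_line: str) -> dict:
    """Parse one Set-Cookie line; report whether the cookie is persistent and
    which of Secure / HttpOnly / SameSite it is missing."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_line)
    (name, morsel), = parsed.items()
    # A cookie is persistent exactly when it carries an expiry.
    persistent = bool(morsel["expires"] or morsel["max-age"])
    missing = [attr for attr in ("secure", "httponly") if not morsel[attr]]
    if not morsel["samesite"]:
        missing.append("samesite")
    return {"name": name, "persistent": persistent, "missing": missing}


if __name__ == "__main__":
    for line in build_set_cookie_headers():
        print(line)
        print("   ", classify(line))
    # A tracking cookie set with no protection at all:
    print(classify("track=xyz; Max-Age=31536000; Path=/"))
```

Running the block prints each header line followed by its classification; the unprotected tracking cookie at the end is reported as persistent and missing all three attributes, which is what a reviewer should flag in a server's responses.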

Page 13: Lecture Slides

Communication Channel Security

• Privacy Threat:
  – Unauthorized disclosure of private information.
  – Sniffer programs record information passing through a computer or router that is handling Internet traffic.
  – A compromised host on the path (e.g., a server with a backdoor or unnecessary open ports) can be used to sniff incoming and outgoing IP traffic.
  – Solution: Encrypt the traffic (TLS, VPN) so a sniffer sees only ciphertext. An anonymizer (a proxy that makes web surfing anonymous) hides who is browsing from the destination site, but it does not protect the content from a sniffer sitting between the client and the proxy.

• Denial of Service (DoS) Threats:
  – Goal is to disrupt, deny, or choke normal computer processing.
  – DoS attacks flood servers with worthless messages so that legitimate data processing is slowed or times out.

Page 14: Lecture Slides

Comm. Channel Threats (cont.)

• Data Integrity Threats:
  – Active wiretapping: A message stream altered by an unauthorized party.
  – Cybervandalism: Electronic defacing of an existing Web site's page.
  – Masquerading/spoofing: Pretending to be someone you are not, e.g., by forging the source IP address on data packets.

• Threats to Wireless Networks:
  – If left unprotected, anyone in the vicinity of a wireless network can log in, access network resources, and cause harm.
  – Wardrivers are attackers driving around with wireless-equipped laptops and sniffer utilities to search for accessible networks.
  – The slide recommends Wired Equivalent Privacy (WEP; the name is often misexpanded as "Wireless Encryption Protocol"). WEP has been broken since 2001 and its keys can be recovered in minutes from captured traffic, so use WPA2 or WPA3 with a strong passphrase instead. The other failure the slide notes still holds: many home users never change the access point's factory login and password.

Page 15: Lecture Slides

Solution: Encryption

• Encryption:
  – Coding messages into unintelligible ciphertext using a mathematical algorithm and a secret key for Internet transmission.

• Symmetric/Secret Key:
  – Same key used for both encryption and decryption, so the two parties must first share it securely.
  – Examples: Data Encryption Standard (DES, the former US government standard; its 56-bit key is brute-forceable today), Triple DES (deprecated), Advanced Encryption Standard (AES, the current NIST standard).

• Asymmetric/Public Key:
  – Involves two mathematically related keys:
    • Public key (freely available to the public at large).
    • Private key (known only to, and kept secret by, the key owner).
  – Different keys used for encrypting (receiver's public key) and decrypting (receiver's private key) messages.
  – Examples: RSA (the algorithm); Pretty Good Privacy (PGP) is a program that combines public-key encryption with a symmetric cipher.
  – Not inherently "more secure" than symmetric encryption at comparable strength, but it solves key distribution. It is significantly slower, so in practice public keys only transport a session key or sign a hash, and the symmetric cipher does the bulk encryption (the hybrid scheme SSL and PGP use).

Page 16: Lecture Slides

Secure Sockets Layer (SSL)

• Netscape's solution combining public and private key encryption to encrypt entire client/server sessions. Its successor, Transport Layer Security (TLS), is what browsers use today; SSL 2.0 and 3.0 themselves are deprecated as insecure.
• SSL sessions are indicated by a URL starting with https://
• Client and server messages are encrypted using a symmetric session key, while the initial "handshake" (authentication, key exchange) uses public-key cryptography.
• Sits between the application and TCP: Can secure FTP, HTTP form data, telnet, etc.
• Session keys were 40, 56, 128, or 168 bits long; the 40- and 56-bit "export" sizes are breakable, and modern TLS uses 128- or 256-bit AES keys.
• How it works (the classic RSA key-transport handshake):
  – Browser requests the server's digital certificate (proof of identity).
  – Browser validates the certificate: it checks the certification authority's signature on it using the CA's public key from the browser's trust store, checks the validity dates, checks that the certificate's name matches the host in the URL, and, where possible, checks that it has not been revoked. The fingerprint and serial number identify the certificate but do not by themselves prove anything.
  – Browser generates a session key, which is sent to the server encrypted with the server's public key.
  – The session key is used for all communication between browser and server, and dropped at the end of the session.
  – Caveat: TLS 1.3 no longer sends the session key encrypted under the server's RSA key; both sides derive it with an ephemeral Diffie-Hellman exchange, so a later theft of the server's private key cannot decrypt recorded sessions (forward secrecy).

Page 17: Lecture Slides

17

SSL: How It Works

Page 18: Lecture Slides

Solution: Digital Certificates

• Digital certificate:
  – A signed data record (not a program) presented by a Web site or attached to an e-mail that binds a public key to a name, so the browser can verify that the sender or Web site is who it claims to be (authentication).
  – Uses public-key cryptography: the certification authority signs the certificate, and anyone holding the CA's public key can check that signature.

• Key elements:
  – Certificate owner's name and public key.
  – Dates between which the certificate is valid.
  – Serial number of the certificate.
  – Certification authority (issuer of the certificate).
  – Digital signature of the certification authority.

• Certificate authority (e.g., Verisign):
  – Trusted third party who vouches for a client's or server's identity.
  – Uses varying levels of identification (driver's license, notarized signature, proof of control over a domain) to offer different classes of certificates; the classes differ in how thoroughly the identity was checked, not in key length.
  – Certificates expire after a fixed validity period (traditionally one year; public web certificates are now limited to roughly 13 months) or can be revoked by the CA before then.

Page 19: Lecture Slides

19

Amazon.com’s Digital Certificate

Page 20: Lecture Slides

Secure HTTP (S-HTTP)

• CommerceNet's proposed HTTP extension to enhance Internet security.
• Encrypts individual messages (rather than entire sessions as in SSL).
• During the handshake, S-HTTP sets up special packet headers with multiple security features (server authentication, client authentication, message integrity, etc.) which may be designated as required, optional, or refused.
• Authentication is done using digital certificates issued by a trusted certification authority.
• All client or server messages are wrapped in a "secure envelope" with the necessary security fields.
• Application-layer standard: Works only with HTTP (not with FTP, telnet).
• Less used than SSL for e-commerce transactions; it never saw significant deployment and is effectively dead today.

Page 21: Lecture Slides

Hash Coding

• Hash coding:
  – Helps detect data integrity problems.
  – A hash algorithm is used to calculate a fixed-size hash value (message digest) from a message; it should be infeasible to find two messages with the same hash value (collision resistance).
  – One-way function: the original message cannot be recovered from its hash value.
  – Sender sends both the message and its hash value; receiver recomputes the hash value and compares it with the received one to determine whether the message was altered in transit.
  – Caveat: a bare hash only catches accidental corruption. An attacker who can change the message can recompute the hash too, so the hash must be signed (digital signature) or keyed (MAC) to detect deliberate tampering.
  – Examples: MD5 (collisions are now cheap to construct, so it must not be used for integrity checks or signatures), SHA-256.

• Digital signature:
  – The sender hashes the message and encrypts the hash with their private key, which gives authentication, integrity and non-repudiation. The slide's diagram adds symmetric encryption of the message and a digital envelope (session key encrypted with the receiver's public key) for confidentiality.
  – A signature is not itself an encryption technology: it proves who sent the message and that it was not altered, but it hides nothing.

Page 22: Lecture Slides

Digital Signatures

The slide's figure, reconstructed as the steps the sender S and receiver R perform (the short strings are the figure's illustrative values):

Sender S:
  1. Plaintext M: "Buy 100 shares of company X"
  2. Hash value of M: 85TR&%$8F
  3. Hash value encrypted using S's private key (the signature): XY%@4?2>
  4. Session key: WV6%$#21
  5. Original message encrypted using the session key: 56FG@%4D
  6. Session key encrypted using R's public key (the digital envelope): GHJ&*96w()
  7. Encrypted message, encrypted hash value and encrypted session key are sent to R.

Receiver R:
  1. Session key decrypted using R's private key: WV6%$#21
  2. Decrypted session key used to decrypt the message: "Buy 100 shares of company X"
  3. Hash value decrypted using S's public key: 85TR&%$8F
  4. Hash value recomputed from the decrypted message: 85TR&%$8F
  5. Recomputed hash value compared with the received hash value: equal? (if not, the message was altered in transit or was not signed by S)
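The sender and receiver steps above, run end to end, as an added example (not code from the slides; it also covers the public-key, session-key and hash-coding points of the preceding slides, and the session-key transport step described under SSL). It uses textbook RSA built from fixed, publicly known Mersenne primes and a SHA-256 keystream as the session-key cipher. Both are teaching stand-ins chosen so the block runs with the standard library alone: there is no padding and no real key generation, so nothing here is usable as real cryptography.

```python
"""Digital signature plus digital envelope, end to end, as in the slide.

Added example, not code from the lecture slides. Toy RSA from fixed primes
and a SHA-256 keystream stand in for real RSA-with-padding and AES.
"""
import hashlib
import secrets


# ---- Toy RSA ---------------------------------------------------------------
def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as (n, exponent) pairs for fixed primes p, q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))        # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_apply(key, block: int) -> int:
    """Raw RSA: block ** exponent mod n. Same operation signs and wraps."""
    n, exponent = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, exponent, n)


# Fixed, public Mersenne primes (2^521-1, 2^607-1, 2^1279-1, 2^2203-1): fine
# for a demo, worthless as real keys because anyone can factor n.
S_PUBLIC, S_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)      # sender S
R_PUBLIC, R_PRIVATE = make_keypair(2**1279 - 1, 2**2203 - 1)    # receiver R


# ---- Toy symmetric cipher --------------------------------------------------
def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || block counter) blocks, counter-mode style.
    The same call encrypts and decrypts. Stand-in for AES, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# ---- Sender S ---------------------------------------------------------------
def sender_package(message: bytes, s_private, r_public) -> dict:
    digest = hashlib.sha256(message).digest()                        # hash value
    signature = rsa_apply(s_private, int.from_bytes(digest, "big"))  # hash "encrypted" with S's private key
    session_key = secrets.token_bytes(16)                            # fresh per message
    ciphertext = keystream_xor(session_key, message)                 # message encrypted with session key
    envelope = rsa_apply(r_public, int.from_bytes(session_key, "big"))  # session key wrapped with R's public key
    return {"ciphertext": ciphertext, "signature": signature, "envelope": envelope}


# ---- Receiver R -------------------------------------------------------------
def receiver_open(package: dict, r_private, s_public):
    """Return (message, signature_ok). signature_ok is False if the message or
    signature was altered in transit or the signer's key is not S's."""
    session_key = rsa_apply(r_private, package["envelope"]).to_bytes(16, "big")
    message = keystream_xor(session_key, package["ciphertext"])
    try:
        received_digest = rsa_apply(s_public, package["signature"]).to_bytes(32, "big")
    except (ValueError, OverflowError):
        # A signature made under some other key "decrypts" to a value that
        # does not even fit a 256-bit digest.
        return message, False
    recomputed = hashlib.sha256(message).digest()
    return message, secrets.compare_digest(received_digest, recomputed)


def tamper(package: dict) -> dict:
    """Active wiretapping: flip one bit of the ciphertext on the wire."""
    ct = bytearray(package["ciphertext"])
    ct[0] ^= 0x01
    return {**package, "ciphertext": bytes(ct)}


if __name__ == "__main__":
    m = b"Buy 100 shares of company X"
    pkg = sender_package(m, S_PRIVATE, R_PUBLIC)
    print(receiver_open(pkg, R_PRIVATE, S_PUBLIC))            # original message, True
    print(receiver_open(tamper(pkg), R_PRIVATE, S_PUBLIC))    # first byte corrupted, False
```

The tampered run shows why the hash must be signed rather than merely appended: the flipped bit decrypts to a changed message, the receiver's recomputed digest no longer matches the one unlocked with S's public key, and the package is rejected even though it decrypted without error.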

Page 23: Lecture Slides

Security for Server Computers

• Server access:
  – Directory listing: a misconfigured server displays the contents of a folder (and lets users view every file in it) when the folder has no index.htm file.
  – Dictionary attack programs: Cycle through an electronic dictionary, trying every word as the password to break in. Defenses: rate limiting and account lockout at login, and never storing passwords in a form that lets an attacker who obtains the database test guesses offline at full speed.

• Database threats:
  – Storing usernames/passwords (or other sensitive information) in unencrypted tables, which may be exposed to an attacker who reaches the database. Passwords in particular should not be stored at all, only a salted, deliberately slow hash of them.
  – A Trojan Horse program which may change database access rights.

• Buffer overflow:
  – A program copies more data into a fixed-size memory buffer than it can hold, so the excess overwrites adjacent memory; in the simplest case the server crashes.
  – An attacker who controls the overflowing data can overwrite control data such as the saved return address and redirect execution to code of their choosing, taking control of the server immediately (not after a reboot); the crash is the benign outcome.
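The dictionary attack and the password-storage point above, as an added example (not code from the slides). It runs the same small, constructed wordlist against two kinds of stored credential: an unsalted MD5 digest, which the slide's "unencrypted tables" warning really amounts to, and a salted PBKDF2 record. The wordlist, usernames and passwords are made up for the demonstration.

```python
"""Dictionary attack against two password-storage schemes.

Added example, not from the lecture slides. Wordlist and passwords are
constructed for the demonstration.
"""
import hashlib
import hmac
import os

# Constructed wordlist; real attacks use millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2015", "dragon"]


# --- Weak storage: unsalted, fast hash of the password -----------------------
def store_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_attack_md5(stored: str, wordlist=WORDLIST):
    """One MD5 per guess. With no salt, one table of digests cracks every
    user at once, and MD5 is fast enough for billions of guesses per second."""
    for guess in wordlist:
        if hmac.compare_digest(store_md5(guess), stored):
            return guess
    return None


# --- Stronger storage: per-user random salt + slow key derivation ---------------
ITERATIONS = 100_000      # tune so one verification costs ~0.1 s on your server


def store_pbkdf2(password: str, salt: bytes = None) -> str:
    """Record format: pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def dictionary_attack_pbkdf2(record: str, wordlist=WORDLIST):
    """Still succeeds if the password is in the wordlist, but every guess costs
    ITERATIONS hash rounds and, because of the salt, must be redone per user."""
    for guess in wordlist:
        if verify_pbkdf2(guess, record):
            return guess
    return None


if __name__ == "__main__":
    print(dictionary_attack_md5(store_md5("letmein")))        # letmein
    print(dictionary_attack_md5(store_md5("C0rrect-Horse")))  # None
    rec = store_pbkdf2("qwerty")
    print(rec)
    print(dictionary_attack_pbkdf2(rec))                      # qwerty, but slowly
```

The slow scheme does not rescue a weak password; its value is that each guess against each user costs the attacker as much as a legitimate login costs the server, which turns a wordlist of a few million entries from seconds into years. Online guessing is a separate problem and is answered by rate limiting and lockout at the login endpoint.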

Page 24: Lecture Slides

Firewalls

• A hardware/software combination installed at the entry point of a secured network (intranet).
• Only authorized traffic is allowed to pass through the firewall.
• Packet-filter firewall:
  – Filters inbound/outbound IP packets based on source and destination addresses/ports in packet headers and preconfigured filtering rules.
  – Can be fooled by spoofing: a packet arriving from outside with a forged internal source address matches a "trust internal hosts" rule unless the filter also checks which interface the packet came in on (anti-spoofing rule) or tracks connection state.
• Gateway servers:
  – Firewalls that filter traffic based on the application requested (application-level gateways).
• Proxy-server firewalls:
  – An application that hides the IP addresses/ports of internal servers from external hosts, and redirects or rejects access requests as programmed.
  – More secure: Internal addresses are always hidden from the attacker's view.
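The packet-filter rules and the spoofing weakness, as an added example (not code from the slides). A tiny first-match filter is run over constructed packets: a naive rule set that trusts any packet with an internal source address lets a spoofed packet through, while a rule set with an interface-aware anti-spoofing rule drops it. Addresses, ports, interface names and the assumed internal network 10.0.0.0/8 are all made up for the demonstration.

```python
"""First-match packet filter with and without an anti-spoofing rule.

Added example, not from the lecture slides. Addresses, ports and the
10.0.0.0/8 internal network are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str = "outside"     # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int = None          # None = any port
    iface: str = None          # None = any interface

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface))


def filter_packet(rules, p: Packet) -> str:
    """First matching rule decides; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Naive rule set: trusts an internal source address wherever it shows up.
NAIVE_RULES = [
    Rule("allow", src="10.0.0.0/8"),                  # "it's one of ours"
    Rule("allow", dst="10.0.1.10/32", dport=443),     # public web server
]

# Hardened rule set: an internal source address arriving on the outside
# interface can only be forged, so it is dropped before the trust rule fires.
HARDENED_RULES = [
    Rule("deny", src="10.0.0.0/8", iface="outside"),  # anti-spoofing
    Rule("allow", src="10.0.0.0/8", iface="inside"),
    Rule("allow", dst="10.0.1.10/32", dport=443, iface="outside"),
]

# Attacker on the Internet forges an internal source to reach SSH on a host.
SPOOFED = Packet(src="10.0.0.5", dst="10.0.1.20", dport=22, iface="outside")

if __name__ == "__main__":
    print("naive   :", filter_packet(NAIVE_RULES, SPOOFED))     # allow
    print("hardened:", filter_packet(HARDENED_RULES, SPOOFED))  # deny
```

The anti-spoofing rule has to precede the trust rule because the filter stops at the first match; the same ordering mistake on a real firewall silently re-opens the hole.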