6 Security
LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Describe the key dimensions of e-commerce security;
2. Identify the key security threats in the e-commerce environment;
3. Examine how various forms of encryption technology help protect the
security of messages sent over the Internet;
4. Discuss the tools used to establish secure Internet communications
channels; and
5. Assess the tools used to protect networks, servers and clients.
INTRODUCTION
Doing business on the web is riskier than doing business with local customers.
Stolen credit cards, disputed charges, off-shore shipping destinations, the power
of credit card companies to force merchants to pay for fraud, and the lack of
international laws governing global e-commerce problems are just some of the
security problems that e-commerce merchants must take into consideration.
In this topic, we will examine e-commerce security issues, identify the major
risks, and describe the variety of solutions currently available.
It is also less risky to steal online. The potential for anonymity on the Internet
cloaks many criminals in legitimate-looking identities, allowing them to place
fraudulent orders with online merchants, steal information by intercepting e-mail,
or simply to shut down e-commerce sites by using software viruses. In the end,
however, the actions of such cyber criminals are costly for businesses and
consumers, who are then subjected to higher prices and additional security
measures.
For instance, a recent survey conducted by the Computer Crime and Security Survey
in 2007, based on the responses of 500 security practitioners in U.S. corporations,
government agencies, financial institutions, medical institutions and universities,
reported that 46% of the responding organisations experienced a computer
security incident within the last 12 months and incurred a total loss of $67
million. Insider abuse and viruses are the most common attacks against computer
systems.
Not every cyber criminal is after money. In some cases, such criminals aim to just
deface, vandalise and/or disrupt a website, rather than actually steal goods or
services. The cost of such an attack includes not only the time and effort to make
repairs to the site but also damage done to the site's reputation and image as well
as revenues lost as a result of the attack.
To achieve the highest degree of security possible, new technologies are available
and should be used. But these technologies by themselves do not solve the
problem. Organisational policies and procedures are required to ensure the
technologies are not subverted. Finally, industry standards and government laws
are required to enforce payment mechanisms, as well as to investigate and
prosecute violators of laws designed to protect the transfer of property in
commercial transactions.
Table 6.1 gives the definitions for each dimension of e-commerce security. It also
summarises the perspectives of customer and merchant on the different
dimensions of e-commerce security.
Source: Adapted from Laudon, K. C., & Traver, C. G. (2009). E-commerce Business,
Technology, Society (5th ed.). Boston: Addison Wesley.
(a) Integrity
For example, if an unauthorised person intercepts and changes the contents of
an online communication, such as by redirecting a bank wire transfer into a
different account, the integrity of the message has been compromised because
the communication no longer represents what the original sender intended.
(b) Nonrepudiation
For instance, the availability of free e-mail accounts makes it easy for a
person to post comments or to send a message and perhaps later deny
doing so. Even when a customer uses a real name and an e-mail address, it
is easy for the customer to order merchandise online and then later deny
doing so. In most cases, because merchants typically do not obtain a
physical copy of a signature, the credit card issuer will side with the customer
because the merchant has no legal, valid proof that the customer had
ordered the merchandise.
(c) Authenticity
How does the customer know that the Web site operator is who he/she
claims to be? How can the merchant be assured that the customer is really
who he/she says he/she is? Someone who claims to be someone they are
not is spoofing or misrepresenting themselves.
(d) Confidentiality
Confidentiality is sometimes confused with privacy as both are inter-related
(look at the definition provided for privacy).
(e) Privacy
E-commerce merchants have two concerns related to privacy:
(i) They must establish internal policies that govern their own use of
customer information; and
(ii) They must protect the information from illegitimate or unauthorised
use.
For example, if hackers break into an e-commerce site and gain access to
credit card or other information, this not only violates the confidentiality of
the data, but also the privacy of the individuals who supplied the
information.
(f) Availability
Customers may be wondering about the accessibility of the site while the
operator dwells over the operational aspect of the website.
Let us examine each form of security threat in detail in the following points.
Does the malware known as a Trojan horse have a similar shape to the horse of the
famous Greek myth? The name given to the malware does not correspond
to the physical shape of the malware, but it corresponds to the function
of the malware (see Figure 6.4).
(i) Virus
A virus is a computer programme that has the ability to replicate or
make copies of itself and spread to other files. In addition to the
ability to replicate, most computer viruses deliver a payload.
What is a payload? If you do not know the meaning of the term, refer
below to find out its meaning.
(ii) Worm
Macro, file-infecting, and script viruses are often combined with
a worm. Instead of just spreading from file to file, a worm is designed
to spread from computer to computer. A worm does not necessarily
need to be activated by a user or a programme in order for it to
replicate itself.
(iv) Bots
What is a bot? Do you know the meaning of it? If you do not, refer
below.
Much more frequent malicious code attacks occur at the client level,
but the amount of damage is limited to a single machine.
(i) Adware
Adware is used to call for pop-up ads to display when a user visits
certain sites. Examples of adware include ZongoSearch and PurityScan.
(iii) Spyware
Spyware is used to obtain information about users, such as the user's
keystrokes, copies of email and instant messages, and screenshots.
For example, SpySherif disguises itself as a spyware removal
programme but is actually malicious spyware.
Identity theft can also provide a thief with false credentials for immigration
or other applications. One of the biggest problems with identity theft is that
the crimes committed by the identity theft expert are very often
attributed to the victim.
(Source: http://www.identitytheftcreditfraud.com/)
Now, let us shift our attention to the definition provided below for
phishing.
The most popular phishing attempt is the spear phishing email scam as
described below.
If you respond with a user name or password, or if you click links or open
attachments in a spear phishing e-mail, pop-up window, or website, you
might become a victim of identity theft and you might put your employer
or group at risk.
Source:
http://www.microsoft.com/hk/protect/yourself/phishing/spear.mspx
For instance, someone from a rich country sends an email to you asking for
your bank account number. The stated purpose is to stash millions
of dollars for a short period of time, and in return you will receive a certain
amount of money.
Let us look at another three terms which are inter-related to the term
hacker.
A cyber criminal deals in any criminal act related to the Internet, computers
and networks.
Source: http://www.crime-research.org/library/Cyber-terrorism.htm
The hacker phenomenon has diversified over time. Hackers' activities have
also broadened beyond mere system intrusion to include theft of goods and
information, as well as vandalism and system damage. Groups of hackers
called tiger teams (will be explained later) are used by corporate security
departments to test their own security measures. By hiring hackers to break
into the system from the outside, the company can identify weaknesses in
the computer system's armour.
Hackers       Descriptions
White hats    White hat hackers are known as good hackers because of their
              role in helping organisations to locate and fix security flaws. White
              hats do their work under contract, with agreement from clients that
              they will not be prosecuted for their efforts to break in.
Grey hats     Grey hat hackers are those who believe they are pursuing some
              greater good by breaking in and revealing system flaws. Grey
              hats discover weaknesses in a system's security and then publish
              the weakness without disrupting the site or attempting to profit
              from their finds.
(ii) E-commerce
The fraud in e-commerce is slightly different compared to the
traditional credit card fraud. In e-commerce, the greatest threat to
consumers is that the merchant's server with which the consumer is
Spoofing refers to the act of hackers who attempt to hide their true
identities by misrepresenting themselves through fake e-mail addresses or
masquerading as someone else.
Links that are designed to lead to one site can be reset to send users to a
totally unrelated site, one that benefits the hacker. Although spoofing does
not directly damage files or network servers, it threatens the integrity of a
site.
Customers become dissatisfied with the improper order shipment and the
company may have huge inventory fluctuations that impact its operations.
In addition to threatening integrity, spoofing also threatens authenticity by
A spam website (also known as a junk website) appears in search results,
cloaks its identity by using a domain name similar to a legitimate firm's name,
and redirects traffic to known spammer redirection domains.
(g) Denial of Service (DOS) and Distributed Denial of Service (DDOS) Attacks
Let us look at the definitions of both terms in order to be able to
differentiate them clearly.
DOS attacks may cause a network to shut down, making it impossible for
users to access the site. For busy e-commerce sites such as e-Bay.com and
Buy.com, these attacks are costly because, while the site is shut down, the site's
reputation is damaged profoundly.
Now, let us focus on smurf. Smurf, which is a type of DOS attack, brings a
network down by sending out a request to many broadcast addresses, each
of which can communicate with up to 255 host computers, to verify
that the address is working. The hacker spoofs the reply address of the
verification request, listing a particular company's server as the
supposed reply address. When the 255 hosts on each broadcast address
reply to the verification request, the victim company's server is quickly
overwhelmed with thousands of PING responses (refer below) that tie it
up.
DOS and DDOS attacks are threats to a system's operation because they can
shut it down indefinitely. Major websites such as Yahoo! and even
Microsoft have recently experienced such attacks, making the companies
aware of their vulnerability and the need to introduce new measures to
prevent any future attacks.
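An added example (not from the original module) of how a defender can recognise the Smurf pattern described above in traffic records: many PING replies arriving at one server that never sent the matching requests. The log format, the addresses and the threshold are constructed for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed traffic records: '<seconds> <source> <destination> <icmp type>'."""
    lines = [
        # A normal exchange: the server pings a host and gets one reply back.
        "100.000 203.0.113.10 198.51.100.7 echo-request",
        "100.020 198.51.100.7 203.0.113.10 echo-reply",
    ]
    # Smurf pattern: 254 hosts of one network all reply to the server,
    # although the server never sent them a request.
    for host in range(1, 255):
        lines.append(f"101.{host:03d} 192.0.2.{host} 203.0.113.10 echo-reply")
    return lines

def find_reply_floods(lines, window=1.0, min_sources=50):
    """Return {victim: peak number of distinct unsolicited repliers in one window}."""
    asked = set()                # (requester, target) pairs seen as echo-request
    repliers = defaultdict(set)  # (victim, window index) -> unsolicited reply sources
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue             # skip malformed records
        ts, src, dst, kind = parts
        if kind == "echo-request":
            asked.add((src, dst))
        elif kind == "echo-reply":
            if (dst, src) in asked:
                continue         # reply to a request the destination really sent
            repliers[(dst, int(float(ts) // window))].add(src)
    floods = {}
    for (victim, _), sources in repliers.items():
        if len(sources) >= min_sources:
            floods[victim] = max(floods.get(victim, 0), len(sources))
    return floods

if __name__ == "__main__":
    for victim, peak in find_reply_floods(build_sample_log()).items():
        print(f"{victim}: replies from {peak} hosts it never pinged, within one second")
```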
(h) Sniffing
What is a sniffer? Refer below to know more on it.
Email wiretaps (refer below) are a new variation on the sniffing threat.
The same is true for e-commerce sites: Some of the largest disruptions to
service, destruction to sites, and diversion of customer credit data and
personal information have come from insiders who were once-trusted
employees. Employees have access to privileged information, and in the
presence of sloppy internal security procedures, they are often able to roam
throughout an organisation's system without leaving a trace.
SELF-CHECK 6.1
List all the common and damaging forms of security threats to e-commerce
sites.
ACTIVITY 6.1
EXERCISE 6.1
6.2.1 Encryption
What is encryption? Read below for the definition of the term.
Encryption is the process of transforming plain text or data into cipher text
that cannot be read by anyone outside of the sender and the receiver.
This transformation of plain text to cipher text is accomplished by using the key
or cipher (algorithm) method as illustrated in Figure 6.6.
Encryption has been practiced since the earliest forms of writing and commercial
transaction. Ancient Egyptian and Phoenician commercial records were
encrypted using the following ciphers:
For instance, if we used the cipher "letter plus two", meaning replace every
letter in a word with a new letter two places forward, then the word
HELLO in plain text would be transformed into the following cipher text:
JGNNQ.
A more complicated cipher would be to break all words into two words
and spell the first word with every other letter beginning with the first
letter, and then spell the second word with all the remaining letters. In this
cipher, HELLO would be written as HLO EL.
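The two ciphers above, written out as an added example (not part of the original module). The function names are chosen here for illustration, and the last function goes one step beyond the text by trying every possible shift, which shows why a cipher with only 25 usable keys gives no real protection.

```python
import string

ALPHABET = string.ascii_uppercase

def shift_encrypt(plain, key=2):
    """'Letter plus key' substitution: move each letter `key` places forward."""
    out = []
    for ch in plain.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation are left unchanged
    return "".join(out)

def shift_decrypt(cipher, key=2):
    """Undo the substitution by moving each letter `key` places back."""
    return shift_encrypt(cipher, -key)

def split_encrypt(word):
    """Transposition from the text: every other letter first, then the rest."""
    return word[0::2] + " " + word[1::2]

def split_decrypt(cipher):
    """Interleave the two halves again to recover the original word."""
    first, _, second = cipher.partition(" ")
    out = []
    for i, ch in enumerate(first):
        out.append(ch)
        if i < len(second):
            out.append(second[i])
    return "".join(out)

def brute_force_shift(cipher, known_words):
    """Try all 25 shifts; keep the ones whose output contains a known word."""
    hits = []
    for key in range(1, 26):
        guess = shift_decrypt(cipher, key)
        if any(word in guess.split() for word in known_words):
            hits.append((key, guess))
    return hits

if __name__ == "__main__":
    print(shift_encrypt("HELLO"))
    print(split_encrypt("HELLO"))
    print(brute_force_shift("JGNNQ", {"HELLO"}))
```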
In order to decipher the above messages, there are a number of deciphering tools
and they are:
• Symmetric Key Encryption;
• Public Key Cryptography;
• Public Key Encryption Using Hash Function and Digital Signature;
• Digital Envelope; and
• Digital Certificate and Public Key Infrastructure (PKI).
In symmetric key encryption, both the sender and the receiver use the same
key to encrypt and decrypt the message as can be seen in Figure 6.7. You
may wonder how the sender and the receiver have the same key. They
have to send it over some communication media or exchange the key in
person.
How did the Enigma machine operate? The Enigma machine would
generate, on a daily basis, a new secret cipher that used both
substitution and transposition ciphers based on the settings made by a
mechanical device. As long as all Enigma machines around the world were
set to the same settings, they could communicate securely, and every day
the codes would change, hindering code-breakers from breaking the codes
in a timely fashion.
The brute force algorithm consists in checking, at all positions in the text
between 0 and n-m, whether an occurrence of the pattern starts there or not.
Then, after each attempt, it shifts the pattern by exactly one position to the
right.
For this reason, modern digital encryption systems use keys with 56, 128,
256, or 512 binary digits. With encryption keys of 512 digits, there are 2^512
possibilities to check out. It is estimated that all the computers in the world
would need to work for ten years before stumbling upon the answer.
The most widely used symmetric key encryption on the Internet today is
the Data Encryption Standard (DES), which uses a 56-bit encryption key,
developed by the National Security Agency (NSA) and IBM in the 1950s.
To cope with much faster computers, it has been improved recently to
Triple DES, which essentially encrypts the message three times, each with a
separate key. There are many other symmetric key systems with keys up to
2048 bits. Like all symmetric key systems, DES requires the sender and the
receiver to exchange and share the same key, and requires a different set of
keys for each set of transactions.
(c) Public Key Encryption Using Hash Function and Digital Signature
In public key encryption as shown in Figure 6.10, some elements of security
are missing. Although we can be quite sure the message was not
understood or read by a third party (message confidentiality), there is no
guarantee the sender really is the sender; that is, there is no authentication
of the sender. This means the sender could deny ever sending the message
(repudiation). And there is no assurance the message was not altered
somehow in transit.
For example, the message "Buy Sisco @ $25" could have been accidentally
or intentionally altered to read "Sell Sisco @ &25". This suggests a potential
lack of integrity in the system.
The results of applying the hash function are sent by the sender to
the recipient. Upon receipt, the recipient applies the hash function to
the received message and checks to verify the same result is
produced. If so, the message has not been altered. The sender then
encrypts both the hash result and the original message using the recipient's
public key, producing a single block of cipher text.
Figure 6.10: Public key encryption using hash function and digital signature
Source: http://www.microsoft.com/mspress/books/sampchap/6429.aspx
The recipient of this signed cipher text first uses the sender's public key to
authenticate the message. Once authenticated, the recipient uses his or her
private key to obtain the hash result and original message. As a final step,
the recipient applies the same hash function to the original text and
compares the result with the result sent by the sender. If the results are the
same, the recipient now knows the message has not been changed during
transmission. The message has integrity.
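The hash-and-sign check described above, as an added example that is not part of the original module. It uses textbook RSA with small fixed primes only to keep the arithmetic visible (an assumption of this example, not something the text specifies; real systems use vetted libraries, padding and far larger keys), and it leaves out the outer encryption with the recipient's public key.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Build a toy RSA key (modulus, private exponent) from two primes."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys from well-known Mersenne primes; far too small for real use.
SENDER_N, SENDER_D = make_key(2**89 - 1, 2**107 - 1)
OTHER_N, OTHER_D = make_key(2**61 - 1, 2**127 - 1)  # someone who is not the sender

def hash_result(message, n):
    """Hash the message with SHA-256 and reduce it to fit the toy modulus."""
    digest = hashlib.sha256(message.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % n

def sign(message, n, d):
    """Sender side: transform the hash result with the private key."""
    return pow(hash_result(message, n), d, n)

def check(message, signature, sender_n):
    """Recipient side: undo the signature with the sender's public key,
    re-hash the received text and compare the two hash results."""
    return pow(signature, E, sender_n) == hash_result(message, sender_n)

def demo():
    """Run the three cases: intact, altered in transit, signed by another key."""
    original = "Buy Sisco @ $25"
    signature = sign(original, SENDER_N, SENDER_D)
    forged = sign(original, OTHER_N, OTHER_D)
    return {
        "intact message": check(original, signature, SENDER_N),
        "altered message": check("Sell Sisco @ &25", signature, SENDER_N),
        "signed by someone else": check(original, forged, SENDER_N),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```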
In the physical world, if someone asks who you are and you show a social
security number, they may well ask to see your identification card's picture
or a second form of certifiable or acceptable identification. If they really
doubt who you are, they may ask references to other authorities and
actually interview those authorities. Similarly in the digital world, we need
a way to know who people and institutions really are.
There are two methods to solve this problem of digital identity and they
are:
certificate itself (just like a hash digest) and signs it with the CA's
private key. This signed digest is called the signed certificate. We end
up with a totally unique cipher text document: there can be only
one signed certificate like this in the world.
There are several ways the certificates are used in commerce. Before
initiating a transaction, the customer can request the signed digital
certificate of the merchant and decrypt it using the merchant's public
key to obtain both the message digest and the certificate as issued. If
the message digest matches the certificate, then the merchant and the
public key are authenticated. The merchant may in return request
certification of the user, in which case the user would send the
merchant his or her individual certificate. There are many types of
certificates: personal, institutional, web server, software publisher,
and CAs themselves.
You can easily obtain a public and private key at the Pretty Good
Privacy (PGP) site (www.pgpi.org). PGP was invented in 1991, and
has become one of the most widely used e-mail public key encryption
software tools in the world. Using PGP software installed on your
computer, you can compress and encrypt your messages as well as
authenticate both yourself and the recipient.
Therefore, there are three limitations in using encryption, and they are:
For instance, your credit card number that you entered into a form would be
encrypted. Through a series of handshakes and communications, the browser
and the server establish one another's identity by exchanging digital
certificates, decide on the strongest shared form of encryption and then
proceed to communicate using an agreed-upon session key (refer below).
A session key is a unique symmetric encryption key chosen just for this
single secure session. The key can be used only once.
browser will request the merchant certificate once a secure session is called
for by the server.
While the SSL protocol provides secure transactions between merchant and
consumer, it only guarantees server-side authentication, as client
authentication is optional. In addition, SSL cannot provide irrefutability:
consumers can order goods or download information products, and
then claim that the transaction never occurred. Other protocols for
protecting financial transactions, such as the Secure Electronic Transaction
Protocol (SET), have emerged that require all parties of a transaction to use
digital certificates.
However, you need to bear in mind that not all browsers and not all
websites support S-HTTP. You know you are dealing with a supporting
site when the URL starts with SHTTP. The use of this as part of an anchor
tag indicates that the target server is S-HTTP capable. A message which
uses S-HTTP may be:
(i) Signed;
(ii) Authenticated;
(iii) Encrypted; and
(iv) In any combination of the mentioned ways.
As shown in Figure 6.12, a remote user can dial into a local Internet Service
Provider (ISP), and PPTP makes the connection from the ISP to the
corporate network as if the user had dialled into the corporate network
directly. The process of connecting one protocol (PPTP) through another,
the Internet Protocol (IP), is called tunneling because PPTP creates a private
connection by adding an invisible wrapper around a message to hide its
content. As the message travels through the Internet between the ISP and
the corporate network, it is shielded from prying eyes by PPTP's encrypted
wrapper.
Firewalls and proxy servers are intended to build a wall around your network,
and the attached servers and clients, just like physical world firewalls which
protect you from fires for a limited period of time. Firewalls and proxy servers
share some similar functions, but they are quite different as explained below:
(a) Firewalls
Firewalls are software applications that act as filters between a company's
private network and the Internet as illustrated in Figure 6.13.
How does a dual home system of proxy servers work? Let us look at
Figure 6.14 which shows the processes involved in the system.
access (or more commonly denies access by clients) to various areas of the
network.
It is not enough, however, to simply install the software once. Since new
viruses are being developed daily, routine updates are needed in order to
prevent new threats from being loaded.
SELF-CHECK 6.2
EXERCISE 6.2
1. What is encryption?
2. Give four different forms of encryption technology currently
in use.
3. Explain these two tools which are used to establish secure
Internet communication channels:
(a) SSL (Secure Sockets Layer)
(b) S-HTTP (Secure Hypertext Transfer Protocol)
You can visit the following websites to get more information on technology
solutions for e-commerce security:
(a) Encryption:
• http://tools.devshed.com/c/a/How-To/What-Is-Encryption-Technology/
(b) Guide to intrusion detection and prevention systems:
• http://csrc.ncsl.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
(c) Articles on security topics:
• www.windowsecurity.com/
You will obviously want to start with the information assets that you
determined to be the highest priority in your risk assessment.
Below are the questions that might guide you in developing the security policy:
(i) Who generates and controls this information in the firm?
(ii) What existing security policies are in place to protect the information?
(iii) What enhancements can you recommend to improve security of these
most valuable assets?
(iv) What level of risk are you willing to accept for each of these assets?
(v) Are you willing, for instance, to lose customer credit data once every
ten years?
(vi) Or will you pursue a hundred-year hurricane strategy by building a
security edifice for credit card data that can withstand the once in a
hundred-year disaster?
You will need to estimate how much it will cost to achieve this level of
acceptable risk. Remember, total and complete security may require
extraordinary financial resources.
To implement your plan, you will need a security organisational unit and a
security officer.
Tiger teams are often used by large corporate sites to evaluate the strength
of existing security procedures.
Before we move further, what is a tiger team? Does the team have any
similar characteristic to the real black striped orange-reddish coloured
animal?
A tiger team is a group whose sole job activity is attempting to break into a
site and stopping just short of actually making any unauthorised changes
to the site. Many small firms have sprung up in the last five years to
provide these services to large corporate sites.
ACTIVITY 6.2
Imagine you are the owner of an e-commerce website. What are some
of the signs that your site has been hacked?
EXERCISE 6.3
Visit the following websites for more information on organisations that promote
computer security:
The technology itself is not the key issue in managing the risk of e-commerce;
public laws and active enforcement of cyber crime statutes are also required to
both raise the costs of illegal behaviour on the Internet and guard against
corporate abuse of information.