
Security of E-Commerce

Security of E-Commerce. Jarek Francik Kingston University November 2012 (updated version). Outline…. Introduction : Can you feel safe in the e-world? e-risk : Where are we really exposed? Remedies : Some technical solutions (firewalls, SSL) Electronic Payment : How secure it may be?



  1. Security of E-Commerce

    Jarek Francik, Kingston University, November 2012 (updated version)
  2. Outline…
     Introduction: Can you feel safe in the e-world?
     e-risk: Where are we really exposed?
     Remedies: Some technical solutions (firewalls, SSL)
     Electronic Payment: How secure may it be?
     Conclusion: Can we feel safe in the e-world (revisited)?
  3. In 2010:
     - 94% of organisations expect to implement security improvements to their computer systems
     - 42% claim cyber security as their top risk
     poll data provided by Symantec
  4. "Computer security is difficult (maybe even impossible), but imagine for a moment that we've achieved it… Unfortunately, this still isn't enough. For this miraculous computer system to do anything useful, it is going to have to interact with users in some way, at some time, for some reason. And this interaction is the biggest security risk of them all. People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems" (Schneier, 2000)
  5. INTRODUCTION: Can you feel safe in the e-world?

  6. Can you feel safe in the e-world? (diagram: Alice's desk, ISP, on-line store, warehouse, customer's bank, shop's bank)
  7. Can you feel safe in the e-world? (diagram of attack points on the same path: line tapping, eavesdropping at the ISP, sniffer on the Internet backbone, breaking into the store database)
  8. Can you feel safe in the e-world? Alice's risks:
     - The merchant may cheat: she will be billed for the order but will never get a CD. In fact the merchant cannot charge Alice's card until they go through an extensive application and verification procedure done by the credit card company.
     - Alice's credit card number may be stolen: she will be billed for orders she never made. In fact Alice is not liable, or her liability is strongly limited, in case of fraudulent card transactions.
     - Information provided by Alice may be used against her (spam!)
     - The merchant may take over Alice's web browser and use it to get information about her tastes and desires (spyware)
  9. Can you feel safe in the e-world? Merchant's risks:
     - Alice may in fact be the merchant's competitor (or a robot) sniffing the store's inventory and price list
     - Alice may in fact be Jason, a hacker who has stolen Alice's credit card number and buys CDs illegally
     - Jason may break into the merchant's computer and steal all credit card information; this opens the merchant to liability
     - Jason may change the orders so as to obtain hundreds of CDs (for the price of one)
     - Jason may insert reverse charge orders and get money onto his card
     - Jason may sabotage the on-line shop by changing or destroying other customers' orders
     - Jason may sabotage the on-line shop by lowering prices on the store site
  10. "A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business. The company is still totally vulnerable... the human factor is truly security's weakest link" (Mitnick and Simon, 2002).
  11. Can you feel safe in the e-world? (book cover: Kevin Mitnick, The Art of Deception)
  12. Can you feel safe in the e-world?
     - You can use encrypted transmission (SSL) to stop eavesdropping
     - You can buy firewalls to protect your databases
     - But how to defend against a 'social engineering attack'?
     view Kevin Mitnick at http://www.youtube.com/watch?feature=player_embedded&v=8L76gTaReeg (Kevin Mitnick / Declan McCullagh / CNET)
  13. E-RISK: Where are we really exposed?

    source: http://tnaron.wordpress.com
  14. Where are we really exposed?
     Physical Security
     - Reliability of equipment and network connection
     - Direct access
     - Accidental loss (e.g. memory sticks, laptops)
     - Robbery (physical)
     Human Factor
     - passwords
     - lack of awareness of what information is sensitive
     - accidental leakage of information (unintended e-mails)
     - disloyalty (dishonest or dissatisfied personnel)
  15. Where are we really exposed?
     Malware
     - viruses, worms, Trojan horses and spyware
     Hacker Attacks
     - Denial-of-service (DoS) attacks
     - Access to sensitive data
     - Altering the website
     - Access to customer or partner information
     - Corruption of business data
  16. Where are we really exposed? Methods of hacker attacks:
     - Exploits, i.e. using system bugs or glitches, e.g.:
       - Buffer overflows
       - Input validation errors (SQL and code injections, directory traversal)
       - Cross-site scripting
       - HTTP header injections
     - Eavesdropping, wi-fi eavesdropping
     - Indirect attacks
     - Backdoors
     - Denial-of-service (DoS) attacks
     - Social attack (social engineering)
     - Direct access attacks (physical)
  17. Where are we really exposed? Impact of hacker attacks:
     - Direct financial loss (fraud or litigation)
     - Subsequent loss (result of unwelcome publicity)
     - Loss of market share (if customer confidence is affected)
     - Legal liability and criminal charges
  18. Where are we really exposed? CIA Security Goals:
     - Confidentiality (secrecy, privacy): access control and user authorisation
     - Integrity:
       - Data integrity (authorisation and control for data modification)
       - Origin integrity: proving your identity; non-repudiation (you cannot deny you sent it...)
     - Availability: accessibility of assets at the appropriate time
  19. Where are we really exposed? Methodology:
     - Review existing controls
     - Identify areas where more work is needed
     - Monitor technological progress
     - Anticipate potential new threats
     - Read the headlines!
  20. Customer reassurance

  21. Customer reassurance
     - Provide information about the company (address, telephone, "about us", "contact us")
     - Provide an order, delivery & returns guarantee
     - Present symbols of trust: quality labels, guarantees, secured payment
     - Show off recommendations and awards
     - Privacy protection
  22. Customer reassurance
     Legal Acts: Data Protection Act, Computer Misuse Act
     Standards: ISO/IEC 27001
  23. REMEDIES: Some technical solutions (and not only technical)

  24. Some technical solutions (and not only technical)
     - Malware: proper maintenance (antivirus software, good practice)
     - Human Factor: 1. make them aware, 2. make them aware, 3. make them aware
     - Physical Failures: proper maintenance, procedures
     - Hacker Attacks: …
  25. Some technical solutions (and not only technical): The Web Security Problem
     Securing the server and the data that are on it:
     - restricted access
     - minimised number of services available
     - proper maintenance: frequent upgrades
     - using a firewall
     Securing the information in transit:
     - encryption: SSL – Secure Socket Layer
  27. Firewall. A firewall is:
     - a controlled point of access for all traffic that enters the internal network
     - a controlled point of access for all traffic that leaves the internal network
  28. Firewall (diagram: Internet – Firewall – Internal Network)
  29. Where to place a firewall? (diagram: Internet, web server, two firewalls)
  30. Where to place a firewall? (diagram: Internet – External Firewall – Perimeter Network – Internal Firewall)
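The perimeter layout of slides 27-30, modelled as an added example that is not part of the presentation: a first-match packet filter with constructed addresses, ports and rules, evaluated for a few flows to show that Internet traffic reaches only the web server in the perimeter network, and that even the web server reaches only the database port on the internal network.

```python
import ipaddress

# Added example (not from the slides): a minimal first-match packet filter that
# models the two-firewall layout of slide 30. Address ranges, ports and rules
# are constructed for illustration; a real ruleset is written in the
# firewall's own language (nftables, a vendor config, ...).

PERIMETER = ipaddress.ip_network("192.0.2.0/24")   # DMZ holding the web server
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # internal network
WEB_SERVER = ipaddress.ip_address("192.0.2.10")
DB_SERVER = ipaddress.ip_address("10.0.5.20")

def rule(action, src=None, dst=None, dport=None):
    """A rule field left as None matches any value."""
    return {"action": action, "src": src, "dst": dst, "dport": dport}

# External firewall: the only way in from the Internet is HTTP(S) to the DMZ.
EXTERNAL_RULES = [
    rule("allow", dst=WEB_SERVER, dport=443),
    rule("allow", dst=WEB_SERVER, dport=80),
    rule("deny"),                          # explicit default deny
]
# Internal firewall: from the DMZ only the web server may reach the DB port.
INTERNAL_RULES = [
    rule("allow", src=WEB_SERVER, dst=DB_SERVER, dport=5432),
    rule("deny"),
]

def matches(r, src, dst, dport):
    return all(want is None or want == got
               for want, got in ((r["src"], src), (r["dst"], dst), (r["dport"], dport)))

def filter_packet(rules, src, dst, dport):
    """First matching rule decides (every list ends with a default deny)."""
    for r in rules:
        if matches(r, src, dst, dport):
            return r["action"]
    return "deny"

def route(src, dst, dport):
    """Evaluate every firewall a packet crosses on its way from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in PERIMETER and src not in INTERNAL:     # arriving from the Internet
        if filter_packet(EXTERNAL_RULES, src, dst, dport) == "deny":
            return "deny"
    if dst in INTERNAL and src not in INTERNAL:          # crossing into the internal net
        return filter_packet(INTERNAL_RULES, src, dst, dport)
    return "allow"

if __name__ == "__main__":
    for flow in (("198.51.100.7", "192.0.2.10", 443), ("198.51.100.7", "10.0.5.20", 5432),
                 ("192.0.2.10", "10.0.5.20", 5432), ("192.0.2.10", "10.0.5.20", 22)):
        print(flow, "->", route(*flow))
```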
  31. SSL Cryptography (diagram: plaintext "cryptography" → encryption → ciphertext "fubswrjudskb" → decryption → plaintext)
  32. SSL Cryptography: Symmetrical Cryptography. INTELLIGENCE PROBLEM (WWII): Alice wants to send an encrypted message to Bob. They need to share the same key. Alice created a key, but how to let Bob know it?
  33. SSL Cryptography: THE KEY MAY BE INTERCEPTED!!!
  34. SSL Cryptography: Asymmetrical Cryptography (diagram: plaintext "cryptography" → encryption with the public key → ciphertext "fubswrjudskb" → decryption with the private key → plaintext)
  35. SSL Cryptography: Asymmetrical Cryptography makes it possible to use separate keys for encryption and decryption. To exchange messages:
     - use the public key to encrypt
     - use the private key to decrypt
  36. SSL Cryptography (diagram: encryption key, decryption key)
     1. Bob creates a pair of different keys
     2. Bob sends one of the keys to Alice
     3. Everyone can get Bob's public key and use it to encrypt a message
     4. But only Bob has the decryption key!
  37. SSL Cryptography: Electronic Signature (diagram: plaintext "cryptography", encryption, decryption, private key, public key, ciphertext "fubswrjudskb")
  38. SSL Cryptography: Asymmetrical Cryptography makes it possible to use separate keys for encryption and decryption. To exchange messages:
     - use the public key to encrypt
     - use the private key to decrypt
     To use an electronic signature:
     - use the private key to encrypt
     - use the public key to decrypt
  39. SSL Server Certification (parties: the Certification Authority (CA), the web server, and us)
     A. The server sends a visit card to the CA
     B. The CA signs it with its private key
     1. The signed visit card is sent to us
     2. We know the CA public key
     3. We cannot decrypt the visit card unless it is signed by the CA
  40. SSL: How It Works
     1. The signed VISIT CARD is sent to us
     2. We verify the VISIT CARD
     3. We extract the server PUBLIC KEY from the VISIT CARD
     4. We generate a SESSION KEY
     5. We encrypt the SESSION KEY with the server's PUBLIC KEY
     6. We send the encrypted SESSION KEY to the server
     7. The server decrypts the SESSION KEY with its PRIVATE KEY
     8. Now two-way encrypted communication is possible
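Added example, not part of the presentation: slides 35-40 carried through in Python with textbook RSA on tiny primes. The primes, the unpadded SHA-256 digest, the "name;e;n" visit-card format and the server name shop.example are all assumptions made for the demonstration, so this is a model of the ideas, not usable SSL/TLS.

```python
import hashlib
import secrets

# Added example (not the slides' code): a toy model of slides 35-40 built on
# textbook RSA with tiny primes. It shows both uses of one key pair (public
# encrypts / private decrypts; private signs / public verifies), the CA signing
# the server's "visit card", and the client wrapping a session key for the server.

def make_keypair(p, q, e=17):
    """Return (public, private) as ((e, n), (d, n)); e must be coprime to phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)     # pow(e, -1, m) needs Python 3.8+

def rsa_apply(m, key):                      # m ^ exponent mod n, for either key
    exp, n = key
    return pow(m, exp, n)

def digest(data, n):                        # hash reduced below n (no padding)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):                    # slide 38: private key "encrypts"
    return rsa_apply(digest(data, private[1]), private)
def verify(data, sig, public):              # slide 38: public key "decrypts"
    return rsa_apply(sig, public) == digest(data, public[1])

def make_visit_card(name, server_pub, ca_priv):
    """Slide 39, steps A/B: the CA signs the server's name and public key."""
    card = f"{name};{server_pub[0]};{server_pub[1]}".encode()
    return card, sign(card, ca_priv)

def client_handshake(card, card_sig, ca_pub):
    """Slide 40, steps 2-6: verify the card, extract the key, wrap a session key."""
    if not verify(card, card_sig, ca_pub):
        raise ValueError("visit card is not signed by the trusted CA")
    _name, e, n = card.decode().split(";")
    server_pub = (int(e), int(n))
    session_key = secrets.randbelow(server_pub[1] - 2) + 2   # 2 <= key < n
    return session_key, rsa_apply(session_key, server_pub)

def server_unwrap(wrapped, server_priv):
    """Slide 40, step 7: only the server's private key recovers the key."""
    return rsa_apply(wrapped, server_priv)

if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(89, 97)
    srv_pub, srv_priv = make_keypair(61, 53)       # n = 3233, d = 2753
    card, sig = make_visit_card("shop.example", srv_pub, ca_priv)
    key, wrapped = client_handshake(card, sig, ca_pub)
    print("both sides hold the same session key:", key == server_unwrap(wrapped, srv_priv))
```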
  41. Electronic Payment Revisited (diagram: card payment system with numbered message flow between customer, shop, customer's bank and shop's bank)
  42. and now…

  43. and now… Can you feel safe in the e-world?

  44. Can you feel safe in the e-world?
     - Web security is not "all or nothing" – it is a matter of degree
     - More security means less risk
     - Reduce risk as much as practical (affordable)
     - Take additional measures for quick recovery in case of a security incident
     - Computer security is not just a product you can purchase; it must be an integrated part of the organisation and its operation
  45. Books (images from Amazon)
  46. Appendix: Algorithm of Diffie & Hellman
     Bob and Alice want to agree a secret key; however, they have only a public channel to communicate.
     PROBLEM: How to keep the agreed number secret if all the communication between them may be intercepted?
  47. Appendix: Algorithm of Diffie & Hellman
     Choose n and g: n = 11 (such that (n-1)/2 is a prime number), g = 9, so that n > g > 1
     Alice chooses x = 6 and calculates: X = 9^6 mod 11 = 9
     Bob chooses y = 8 and calculates: Y = 9^8 mod 11 = 3
     Alice calculates: k = Y^x = 3^6 mod 11 = 3
     Bob calculates: k = X^y = 9^8 mod 11 = 3
     Both obtain k = 9^(6*8) mod 11 = 3
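The appendix computation as an added example (not part of the presentation), in Python; the function names are mine. It reproduces X = 9, Y = 3 and k = 3, which answers the slide 32 question of how Alice and Bob can agree a key without ever sending it, and it also counts how many distinct keys g = 9 can yield modulo 11.

```python
# Added example (not from the slides): Diffie-Hellman key agreement with the
# appendix's parameters n = 11, g = 9, Alice's x = 6, Bob's y = 8, using
# Python's built-in modular exponentiation pow(base, exp, mod). It also counts
# how many distinct keys these classroom parameters can produce.

def dh_public(g, secret, n):
    """Value sent over the open channel: g^secret mod n (X for Alice, Y for Bob)."""
    return pow(g, secret, n)

def dh_shared(peer_public, secret, n):
    """Key derived from the peer's public value: peer_public^secret mod n."""
    return pow(peer_public, secret, n)

def subgroup_order(g, n):
    """Smallest t > 0 with g^t = 1 mod n: the number of distinct values
    g^secret (and therefore the shared key) can take."""
    if g % n == 0:
        raise ValueError("g must be coprime to n")
    t, acc = 1, g % n
    while acc != 1:
        acc = (acc * g) % n
        t += 1
    return t

def run_exchange(n, g, x, y):
    """Return (X, Y, k): the two public values and the agreed key."""
    X = dh_public(g, x, n)                 # Alice -> Bob
    Y = dh_public(g, y, n)                 # Bob -> Alice
    k_alice = dh_shared(Y, x, n)           # 3^6 mod 11
    k_bob = dh_shared(X, y, n)             # 9^8 mod 11
    assert k_alice == k_bob == pow(g, x * y, n)   # both equal g^(x*y) mod n
    return X, Y, k_alice

if __name__ == "__main__":
    X, Y, k = run_exchange(11, 9, 6, 8)
    print(f"X = {X}, Y = {Y}, shared key k = {k}")    # X = 9, Y = 3, k = 3
    # An eavesdropper sees n, g, X and Y but not x or y. With g = 9 mod 11 the
    # public values can take only subgroup_order(9, 11) = 5 distinct values, so
    # these classroom numbers offer no secrecy; real use needs n of 2048+ bits.
    print("distinct keys possible:", subgroup_order(9, 11))
```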