Security of E-Commerce Jarek Francik Kingston University November 2012 (updated version)
Security of E-Commerce
Jarek Francik, Kingston University
November 2012 (updated version)
Outline…
Introduction: Can you feel safe in the e-world?
e-risk: Where are we really exposed?
Remedies: Some technical solutions (firewalls, SSL)
Electronic Payment: How secure can it be?
Conclusion: Can we feel safe in the e-world (revisited)?
In 2010:
94% of organisations expect to implement security improvements to their computer systems
42% claim cyber security as their top risk
poll data provided by Symantec
"Computer security is difficult (maybe even impossible), but imagine for a moment that we've achieved it… Unfortunately, this still isn't enough. For this miraculous computer system to do anything useful, it is going to have to interact with users in some way, at some time, for some reason. And this interaction is the biggest security risk of them all. People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems“ (Schneier, 2000)
INTRODUCTION: Can you feel safe in the e-world?
Can you feel safe in the e-world?
(Diagram of the parties involved: Alice's desk, ISP, on-line store, warehouse, customer's bank, shop's bank.)
Can you feel safe in the e-world?
Line Tapping
Eavesdropping at ISP
Sniffer on Internet backbone
Breaking into store database
Can you feel safe in the e-world? Alice's risks:
The merchant may cheat: she will be billed for the order but will never get the CD. In fact, a merchant cannot charge Alice's card until it has gone through an extensive application and verification procedure with the credit card company.
Alice's credit card number may be stolen: she will be billed for orders she never made. In fact, Alice is not liable, or her liability is strongly limited, for fraudulent card transactions.
Information provided by Alice may be used against her (spam!).
The merchant may take over Alice's web browser and use it to get information about her tastes and desires (spyware).
Can you feel safe in the e-world? Merchant's risks:
Alice may in fact be the merchant's competitor (or a robot) sniffing the store's inventory and price list.
Alice may in fact be Jason, a hacker who has stolen Alice's credit card number and buys CDs illegally.
Jason may break into the merchant's computer and steal all the credit card information; this exposes the merchant to liability.
Jason may alter the orders so as to obtain hundreds of CDs for the price of one.
Jason may insert reverse-charge (refund) orders and have money paid to his own card.
Jason may sabotage the on-line shop by changing or destroying other customers' orders.
Jason may sabotage the on-line shop by lowering the prices on the store site.
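Two of the merchant's risks above, "hundreds of CDs for the price of one" and the reverse-charge order, are server-side logic bugs rather than network attacks. The following is an added example (not code from the lecture) showing each as the vulnerable server logic beside the hardened logic. The catalogue, the order lines, the payment record and the card tokens are constructed sample data; the rule they illustrate is that price, quantity bounds and refund limits must come from the server's own records, never from fields the browser posts.

```python
"""Order tampering and refund abuse: vulnerable server logic beside the
hardened form. Added example, not the lecture's code; the catalogue, the
orders and the payment record below are constructed."""

from dataclasses import dataclass
from typing import Optional

# Constructed catalogue: the only source of prices the server may trust (pence).
CATALOGUE = {"CD-001": 999, "CD-002": 1299}
MAX_QTY_PER_LINE = 10


@dataclass
class OrderLine:
    sku: str
    qty: int
    unit_price: Optional[int] = None   # price as posted by the browser


def total_trusting_client(lines):
    """Vulnerable: bills the price and quantity the browser posted. Jason edits
    the hidden price field to 1p and the quantity to 200 before submitting."""
    return sum(line.unit_price * line.qty for line in lines)


def total_server_priced(lines):
    """Hardened: price comes from the catalogue, quantity is bounded, and a
    client-supplied price that disagrees is treated as tampering."""
    total = 0
    for line in lines:
        if line.sku not in CATALOGUE:
            raise ValueError(f"unknown SKU {line.sku!r}")
        if not 1 <= line.qty <= MAX_QTY_PER_LINE:
            raise ValueError(f"quantity {line.qty} out of range for {line.sku}")
        if line.unit_price is not None and line.unit_price != CATALOGUE[line.sku]:
            raise ValueError(f"price mismatch for {line.sku}: client sent {line.unit_price}")
        total += CATALOGUE[line.sku] * line.qty
    return total


@dataclass
class Payment:
    card_token: str     # token from the payment provider, never the card number
    captured: int       # amount actually charged (pence)
    refunded: int = 0


def refund_vulnerable(payment, amount, to_card_token):
    """Any amount, to any card: Jason 'refunds' himself money nobody paid."""
    payment.refunded += amount
    return to_card_token, amount


def refund_safe(payment, amount, to_card_token):
    """A refund is bounded by what was captured and goes back to the paying card."""
    if to_card_token != payment.card_token:
        raise ValueError("refund must go to the card that paid")
    if amount <= 0 or payment.refunded + amount > payment.captured:
        raise ValueError("refund exceeds the captured amount")
    payment.refunded += amount
    return payment.captured - payment.refunded   # amount still refundable
```

The hardened version rejects a mismatching client price instead of silently overriding it: a mismatch is evidence of tampering and worth logging, not just correcting.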
"A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business. The company is still totally vulnerable... the human factor is truly security's weakest link"
Mitnick and Simon (2002).
Can you feel safe in the e-world?
Kevin Mitnick, The Art of Deception
Can you feel safe in the e-world?
You can use encrypted transmission (SSL) to stop eavesdropping.
You can buy firewalls to protect your databases.
But how do you defend against a 'social engineering attack'?
view Kevin Mitnick at http://www.youtube.com/watch?feature=player_embedded&v=8L76gTaReeg
Kevin Mitnick / Declan McCullagh/CNET
E-RISK: Where are we really exposed?
source: http://tnaron.wordpress.com
Where are we really exposed?
Physical Security
reliability of equipment and network connection
direct access
accidental loss (e.g. memory sticks, laptops)
robbery (physical)
Human Factor
passwords
lack of awareness of what information is sensitive
accidental leakage of information (e.g. unintended e-mails)
disloyalty (dishonest or dissatisfied personnel)
Where are we really exposed?
Malware
viruses, worms, Trojan horses and spyware
Hacker Attacks
denial-of-service (DoS) attacks
access to sensitive data
altering the website
access to customer or partner information
corruption of business data
Where are we really exposed? Methods of hacker attacks:
Exploits - using system bugs or glitches, e.g.:
buffer overflows
input validation errors (SQL and code injection, directory traversal)
cross-site scripting
HTTP header injection
Eavesdropping, including Wi-Fi eavesdropping
Indirect attacks
Backdoors
Denial-of-service (DoS) attacks
Social attacks (social engineering)
Direct access attacks (physical)
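The input-validation errors in the list above are all the same mistake: untrusted input crosses into a different language (SQL, a filesystem path, HTML, an HTTP header) without being treated as data. The following added example (not the lecture's code) shows each of the four in its vulnerable form next to the hardened form. The users table, the document root, the review text and the attacker inputs are constructed; passwords are stored in clear only to keep the example short, a real store stores a salted hash.

```python
"""SQL injection, directory traversal, cross-site scripting and HTTP header
injection: vulnerable form beside the hardened form. Added example, not the
lecture's code; the users table, document root and inputs are constructed."""

import html
import posixpath
import sqlite3

# Constructed store database with one customer account (clear-text password
# only for brevity; store a salted hash in practice).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (username TEXT, password TEXT)")
CONN.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
CONN.commit()


def login_vulnerable(username, password):
    """Input is spliced into the SQL text, so a password of  ' OR '1'='1
    turns the WHERE clause into something that is always true."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return CONN.execute(sql).fetchone()[0] > 0


def login_parameterised(username, password):
    """Bound parameters: the driver passes input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return CONN.execute(sql, (username, password)).fetchone()[0] > 0


DOCROOT = "/var/www/store/downloads"   # constructed document root


def resolve_vulnerable(docroot, requested):
    """'../' sequences, or an absolute path, walk out of the document root."""
    return posixpath.normpath(posixpath.join(docroot, requested))


def resolve_safe(docroot, requested):
    """Normalise first, then insist the result is still inside the root."""
    root = posixpath.normpath(docroot)
    target = posixpath.normpath(posixpath.join(root, requested))
    if posixpath.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return target


def render_review_vulnerable(text):
    """Customer text echoed straight into the page: a <script> tag runs in
    every other shopper's browser (stored cross-site scripting)."""
    return f"<p class=review>{text}</p>"


def render_review_safe(text):
    """Output encoding: the same text, shown by the browser as text."""
    return f"<p class=review>{html.escape(text, quote=True)}</p>"


def header_value(value):
    """A CR or LF copied into a response header (Location, Set-Cookie, ...)
    lets the attacker append headers or a whole fake body. Reject, don't strip."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a header value")
    return value
```

Note that `resolve_safe` checks the normalised result rather than scanning the input for `..`: encoded or doubled sequences that a pattern check would miss still end up outside the root after normalisation, and that is what the check sees.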
Where are we really exposed? Impact of hacker attacks:
direct financial loss (fraud or litigation)
subsequent loss (the result of unwelcome publicity)
loss of market share (if customer confidence is affected)
legal liability and criminal charges
Where are we really exposed?
CIA Security Goals:
Confidentiality (secrecy, privacy): access control and user authorisation
Integrity: data integrity (authorisation and control of data modification); origin integrity (proving your identity); non-repudiation (you cannot deny you sent it...)
Availability: accessibility of assets at the appropriate time
Where are we really exposed? Methodology:
Review existing controls
Identify areas where more work is needed
Monitor technological progress
Anticipate potential new threats
Read the headlines!
Customer reassurance
Provide information about the company (address, telephone, "about us", "contact us")
Provide order, delivery & returns guarantees
Present symbols of trust: quality labels, guarantees, secured payment
Show off recommendations and awards
Privacy protection
Customer reassurance
Legal Acts: Data Protection Act Computer Misuse Act
Standards: ISO/IEC 27001
REMEDIES: Some technical solutions (and not only technical)
Some technical solutions (and not only technical)
Malware: proper maintenance (antivirus software, good practice)
Human Factor: 1. make them aware, 2. make them aware, 3. make them aware
Physical Failures: proper maintenance, procedures
Hacker Attacks: …
Some technical solutions (and not only technical)
The Web Security Problem
Securing the server and the data on it: restricted access; a minimised number of services available; proper maintenance (frequent upgrades); using a firewall
Securing the information in transit: encryption, SSL (Secure Sockets Layer)
Firewall
A firewall is:
a controlled point of access for all traffic that enters the internal network
a controlled point of access for all traffic that leaves the internal network
Firewall
(Diagram: Internet, firewall, internal network.)
Where to place a firewall?
(Diagram: Internet, firewall, web server, firewall.)
Where to place a firewall?
(Diagram: Internet, external firewall, perimeter network, internal firewall.)
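The two-firewall layout on the last diagram (the web server on a perimeter network, the database behind a second firewall) is easiest to reason about as two first-match rule tables with default deny. The following added example (not from the lecture) models exactly that so the placement question can be checked packet by packet: addresses come from the documentation ranges, the web and database hosts and both rule sets are constructed, and a real deployment would state the same policy in the firewall's own language (nftables, a cloud security group). It is deliberately stateless: reply traffic is not modelled.

```python
"""Perimeter-network (screened subnet) policy as two first-match rule tables
with default deny. Added example, not the lecture's code; hosts, address
ranges and rules are constructed."""

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
PERIMETER = ip_network("192.0.2.0/24")   # public-facing web server lives here
INTERNAL = ip_network("10.0.0.0/8")      # database and office machines
WEB = ip_network("192.0.2.10/32")        # constructed web server address
DB = ip_network("10.0.5.20/32")          # constructed database address


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # None matches any destination port
    action: str              # "ACCEPT" or "DROP"


def decide(rules, src, dst, dport):
    """First matching rule wins; if nothing matches, the packet is dropped."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "DROP"


# External firewall: between the Internet and the perimeter network.
EXTERNAL_FW = [
    Rule(ANY, WEB, 443, "ACCEPT"),     # shoppers reach the store over HTTPS
    Rule(ANY, WEB, 80, "ACCEPT"),      # plain HTTP only to redirect to HTTPS
]

# Internal firewall: between the perimeter network and the internal network.
# Only the web server may talk to the database, and only on the DB port.
INTERNAL_FW = [
    Rule(WEB, DB, 3306, "ACCEPT"),
    Rule(INTERNAL, WEB, 443, "ACCEPT"),   # staff can use the store from inside
]


def firewalls_on_path(src, dst):
    """Which firewalls a packet crosses, given where its endpoints sit."""
    def zone(addr):
        a = ip_address(addr)
        if a in INTERNAL:
            return "internal"
        return "perimeter" if a in PERIMETER else "internet"
    zs, zd = zone(src), zone(dst)
    crossed = []
    if zs != zd and "internet" in (zs, zd):
        crossed.append(EXTERNAL_FW)
    if zs != zd and "internal" in (zs, zd):
        crossed.append(INTERNAL_FW)
    return crossed


def allowed(src, dst, dport):
    """A packet gets through only if every firewall on its path accepts it."""
    return all(decide(fw, src, dst, dport) == "ACCEPT"
               for fw in firewalls_on_path(src, dst))
```

The point of the second firewall shows up in the Internet-to-database case: even if the external firewall were misconfigured, the internal one has no rule admitting anything from outside the perimeter network, so a compromised web server is the only host that can reach the database at all, and only on one port.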
SSL Cryptography
(Diagram: the plaintext "cryptography" is encrypted to the ciphertext "fubswrjudskb" and decrypted back; a Caesar cipher with a shift of three.)
SSL Cryptography
Symmetrical Cryptography
INTELLIGENCE PROBLEM (WWII):
Alice wants to send an encrypted message to Bob.
They need to share the same key.
Alice created a key, but how does she let Bob know it?
SSL Cryptography
KEY MAY BE INTERCEPTED!!!
SSL Cryptography
Asymmetrical Cryptography
(Diagram: a public key and a private key; one encrypts, the other decrypts.)
SSL Cryptography
Asymmetrical cryptography makes it possible to use separate keys for encryption and decryption.
To exchange messages:
- use the public key to encrypt
- use the private key to decrypt
SSL Cryptography
1. Bob creates a pair of different keys (an ENCRYPTION KEY and a DECRYPTION KEY)
2. Bob sends one of the keys (the encryption key, his public key) to Alice
3. Everyone can get Bob's public key and use it to encrypt a message
4. But only Bob has the decryption key!
SSL Cryptography
Electronic Signature
(Diagram: the private key produces the signature, the public key checks it.)
SSL Cryptography
Asymmetrical cryptography makes it possible to use separate keys for encryption and decryption.
To exchange messages:
- use the public key to encrypt
- use the private key to decrypt
To use an electronic signature, the roles are reversed:
- use the private key to sign (in textbook RSA: "encrypt" a hash of the message with the private key)
- use the public key to verify ("decrypt" the signature with the public key and compare the result with the hash)
SSL Server Certification
(Diagram: WEB SERVER, WE, CERTIFICATION AUTHORITY (CA).)
A. The server sends its visit card (certificate) to the CA
B. The CA signs it with its private key
1. The signed visit card is sent to us
2. We know the CA's public key
3. We check the CA's signature on the visit card with the CA's public key; it verifies only if the card was really signed by the CA
SSL: How It Works
1. The signed VISIT CARD is sent to us
2. We verify the VISIT CARD
3. We extract the server's PUBLIC KEY from the VISIT CARD
4. We generate a SESSION KEY
5. We encrypt the SESSION KEY with the server's PUBLIC KEY
6. We send the encrypted SESSION KEY to the server
7. The server decrypts the SESSION KEY with its PRIVATE KEY
8. Now two-way encrypted communication is possible
Electronic Payment Revisited
(Diagram: a numbered message flow between the CUSTOMER, the SHOP, the CUSTOMER'S BANK, the SHOP'S BANK and the CARD PAYMENT SYSTEM; the sample card number shown is 1234 0000 0001 9876.)
and now… Can you feel safe in the e-world?
Can you feel safe in the e-world?
Web security is not "all or nothing"; it is a matter of degree.
More security means less risk.
Reduce risk as much as is practical (affordable).
Take additional measures for quick recovery in case of a security incident.
Computer security is not just a product you can purchase; it must be an integrated part of the organisation and its operation.
Books (images from Amazon)
Appendix: The Diffie-Hellman algorithm
Bob and Alice want to agree a secret key;
however,
they have only a public channel to communicate over.
PROBLEM: How do they keep the agreed number secret if all the communication between them may be intercepted?
Appendix: The Diffie-Hellman algorithm
1. Choose n and g: n = 11 (such that (n-1)/2 is a prime number), g = 9, so that n > g > 1
2. Alice chooses x = 6 and calculates: X = 9^6 mod 11 = 9
2. Bob chooses y = 8 and calculates: Y = 9^8 mod 11 = 3
3. Alice calculates: k = Y^x mod 11 = 3^6 mod 11 = 3
3. Bob calculates: k = X^y mod 11 = 9^8 mod 11 = 3
Both arrive at the same key, k = 9^(6·8) mod 11 = 3.
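The appendix's numbers, carried through in code as an added example (not the lecture's own), generalised to any modulus and generator, plus two things the worked example does not show: why an eavesdropper with an 11-element group recovers the secret by trial, and why an active attacker defeats unauthenticated Diffie-Hellman outright. Mallory, her two secret exponents and the brute-force function are illustrative additions.

```python
"""Diffie-Hellman over the appendix's parameters (n = 11, g = 9, x = 6, y = 8),
with a brute-force discrete log and a man-in-the-middle run. Added example,
not the lecture's code; Mallory and her exponents are constructed."""


def dh_public(g, n, secret):
    """X = g^x mod n (Alice) or Y = g^y mod n (Bob)."""
    return pow(g, secret, n)


def dh_shared(peer_public, secret, n):
    """k = Y^x mod n on Alice's side, X^y mod n on Bob's; both equal g^(xy)."""
    return pow(peer_public, secret, n)


def appendix_example():
    """The slide's numbers: returns (X, Y, Alice's k, Bob's k) = (9, 3, 3, 3)."""
    n, g, x, y = 11, 9, 6, 8
    X, Y = dh_public(g, n, x), dh_public(g, n, y)
    return X, Y, dh_shared(Y, x, n), dh_shared(X, y, n)


def brute_force_dlog(g, n, public):
    """Eve recovers an exponent s with g^s = public by trying every value.
    Trivial for n = 11; with the 2048-bit primes used in practice it is not.
    Note g = 9 has order 5 modulo 11 (9^5 = 1), so s = 1 works as well as
    the slide's x = 6: any exponent in the same class yields the same key."""
    for s in range(1, n):
        if pow(g, s, n) == public:
            return s
    return None


def mitm(g, n, x, y, m1, m2):
    """Mallory intercepts X and Y and replaces them with her own M1 and M2.
    Returns (Alice shares a key with Mallory, Bob shares a key with Mallory,
    Alice and Bob share a key with each other). Nothing in the exchange lets
    Alice or Bob notice: the public values must be authenticated, e.g. signed
    by a key carried in a certificate, which is what SSL adds on top."""
    X, Y = dh_public(g, n, x), dh_public(g, n, y)
    M1, M2 = dh_public(g, n, m1), dh_public(g, n, m2)
    k_alice = dh_shared(M1, x, n)          # Alice believes M1 came from Bob
    k_bob = dh_shared(M2, y, n)            # Bob believes M2 came from Alice
    k_mallory_with_alice = dh_shared(X, m1, n)
    k_mallory_with_bob = dh_shared(Y, m2, n)
    return (k_alice == k_mallory_with_alice,
            k_bob == k_mallory_with_bob,
            k_alice == k_bob)
```

With these parameters Mallory ends up holding one key with Alice and a different one with Bob, and can decrypt, read and re-encrypt everything between them. The slide's choice of n = 11 with (n-1)/2 prime is the "safe prime" shape still used today, just at 2048 bits or more (or an elliptic-curve group instead), and g should generate a large subgroup: 9 generates only five of the ten elements of the group modulo 11.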