11/20/2015. ACS 3907 E-Commerce. Security Problems. What could go wrong? Instructor: Kerry Augustine December 1 st Consumers

Transcription

1 ACS 3907 E-Commerce Instructor: Kerry Augustine December 1 st 2015 Security Problems 2 What could go wrong? Consumers Can t access website Lose money Frustrated with sellers Lose personal/credit info Stolen personal identity Merchants Sold product/service not paid for Certain functions stop working Shut down website Lose business/trust Lose client data! Develop bad reputation Lose clients and sponsors The Internet was not designed as a global marketplace with a billion users! 3 1

2 Examples of Cyber Crime Hacking Some hackers do it out of pride/joy Recently becoming more of organized crime Stolen data/information (proprietary, copyrights, intellectual property) Less risky to steal online Financial theft and identity theft Can rob remotely and almost anonymously (if don t get caught) Credit card fraud accumulated to ~$11 B in 2014 in U.S. Cyber stalking/harassment/spying Cyber warfare Attack on government and financial institutions 4 Examples of Cyber Crime While it Isn t Always About The MONEY It often is!!! Organized crime generates significant revenue from cybercrime! Estimated to exceed the drug trade! 5 Value of Stolen Information Sell stolen info to underground economy servers Goal is not always money; could be vandalism, disruption to website, damage organization s reputation 6 2

3 EC Security Environment Concept of theft is same in digital market However, ways to reduce risk is more complicated Layers of security: Data Technological solution Organizational policies/procedures Laws/industry standards Information has a time value protecting info for a day or year is sometimes enough Cost of security is high Security is a chain easiest target is the weakest link 7 Dimensions of EC Security Integrity = ability to ensure info has not been altered by an unauthorized party 8 Dimensions of EC Security Non-repudiation = ability to ensure EC participants don t deny their online actions 9 3

4 Dimensions of EC Security Authenticity = ability to identify the identity of party of transaction 10 Dimensions of EC Security Confidentiality = ability to ensure data are available only to those who are authorized to access them Right to have private info remain confidential If one s data is revealed (e.g. no longer confidential), it doesn t necessarily mean that person s privacy has been compromised 11 Dimensions of EC Security Privacy = ability to be in control of others access to info about ourselves Right to privacy 12 4

5 Dimensions of EC Security Privacy = ability to be in control of others access to info about ourselves Right to privacy 13 Dimensions of EC Security Availability = ability to ensure EC site continues to function as intended 14 Implementation Tradeoffs Security costs Development time (technical solution, policy enforcement) Ongoing computational overhead (data storage, technical support) Ongoing policy/procedural overhead Creates more opportunities for hackers Poorly designed software can (easily) result in increase in software complexity and size Demand of real time response needs Together contribute to flaws and vulnerabilities exploited by hackers Harder to use deter customers Implementation should be weighed against potential loss of what it is protecting 15 5

6 Cost of Cyber Security 16 A Typical E-commerce Transaction Figure 5.2, Page 269 Copyright 2013 Pearson Education, Inc. Slide 5-17 Vulnerable Points in an E-commerce Transaction Figure 5.3, Page 257 Copyright 2013 Pearson Education, Inc. Slide

7 Electronic Commerce Threats Advanced persistent threat (APT) usually refers to a group, such as a foreign government or organized crime, with both the capability and the intent to persistently and effectively target a specific entity. 19 Electronic Commerce Threats Client Threats Active Content Java applets, Active X controls, JavaScript, and VBScript Programs that interpret or execute instructions embedded in downloaded objects Malicious active content can be embedded into seemingly innocuous Web pages -- launched when you use your browser to view the page 20 Electronic Commerce Threats Client Threats -- Cookies remember user names, passwords, and other commonly referenced information Exercise Go to cookie FAQs on text links page or: Are cookies dangerous? How did they get to be called cookies? What are the benefits of cookies? 21 7

8 Graphics, Plug-ins, and Attachments Code can be embedded into graphic images causing harm to your computer Plug-ins are used to play audiovisual clips, animated graphics Could contain ill-intentioned commands hidden within the object attachments can contain destructive macros within the document 22 Communication Channel Threats Secrecy Threats Secrecy is the prevention of unauthorized information disclosure - technical issue Privacy is the protection of individual rights to nondisclosure - legal issue regarding rights Theft of sensitive or personal information is a significant danger Your IP address and browser you use are continually revealed while on the web 23 Communication Channel Threats An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It is a proxy server computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. 1. Network Anonymizer: transfers your communications through a network of Internet computers between you and the destination. For example, a request to visit a web page might first go through computers A, B, and C before going to the website, with the resulting page transferred back though C, B, and A then to you. E.g., The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor's users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. 2. Single-point Anonymizer: This type of anonymizer passes your surfing through a single website to protect your identify, and often offers an encrypted communications channel for passage of results back to the user. E.g., Anonymouse 24 8

9 Spamhaus suffers largest DDoS attack in history entire internet affected (27-Mar-2013) Spamhaus, an IP blacklisting service, has been under a distributed denial-of-service (DDoS) attack for a week. Attack traffic has been rated at up to 300Gbps three times higher than the previous record, and six times greater than the typical attack recently targeting US banks. Attack traffic was rated at up to 300Gbps three times higher than the previous record, and six times greater than the typical attack recently targeting US banks. The result was a slow down in Internet traffic that was felt globally. 25 Communication Channel Threats Integrity Threats Also known as active wiretapping Unauthorized party can alter data Change the amount of a deposit or withdrawal Necessity Threats Also known as delay or denial threats Disrupt normal computer processing Deny processing entirely Slow processing to intolerably slow speeds Remove file entirely, or delete information from a transmission or file Divert money from one bank account to another 26 Server Threats The more complex software becomes, the higher the probability that errors (bugs) exist in the code Servers run at various privilege levels Highest levels provide greatest access and flexibility Lowest levels provide a logical fence around a running program Contents of a server s folder names are revealed to a browser Cookies should never be transmitted unprotected Sensitive files such as username and password pairs or credit card numbers Hacking and Cracking -- the Web server administrator is responsible for ensuring that all sensitive files, are secure. 27 9

10 Database Threats Once a user is authenticated to a database, selected database information is visible to the user. Security is often enforced through the use of privileges Some databases are inherently insecure and rely on the Web server to enforce security measures 28 Other Threats Common Gateway Interface (CGI) Threats CGIs are programs that present a security threat if misused CGI programs can reside almost anywhere on a Web server and therefore are often difficult to track down CGI scripts do not run inside a sandbox, unlike JavaScript 29 Other Threats Other programming threats include Programs executed by the server Buffer overruns can cause errors Runaway code segments The Internet Worm attack was a runaway code segment Buffer overflow attacks occur when control is released by an authorized program, but the intruder code instructs control to be turned over to it 30 10

11 Other Threats Employees are the most-cited culprits of incidents Percentage of respondents that point the finger at current employees jumped over 10% in one year ( ) PricewaterhouseCoopers (PwC) The Global State of Information Security Survey Example: Data Storage Problem How to handle extremely sensitive data? National project, health data, personal information Where to store data? Option 1: single, secured repository in project headquarters Option 2: multiple, smaller, secure repositories in individual provinces Pros/Cons? Points of failure? Risks? 32 Common Security Problems Malicious code/malware Unwanted programs Phishing and identity theft Hacking and cyber vandalism Credit card fraud/theft Spoofing Denial of service (DoS) and distributed DoS (DDoS) attacks Sniffing Insider attacks 33 11

12 Malware Includes a variety of threats e.g., viruses, bots Originally, hackers want to cause computers to malfunction Evolved intent became organized crime to steal: s Credentials Personal data Financial information Can be imbedded in ad chains and attachments Click on link Download and execute attachment Click on malicious site Usually attack client computers 34 Malware (cont.) Virus = program that replicates itself and spread to other files Can display message/image, delete files, reformat drive Macro virus affects specific applications File-infecting virus affects executables usually Script virus written by scripting language (e.g. VBscript) Usually combined with worms Worm = malware that spreads from computer to computer Doesn t necessarily need to be activated to replicate itself Trojan horse = program masking real intention E.g., game that masks intent to steal passwords Bots = malware that makes client computer act as slave Responds to attacker s commands E.g., send spam to others Botnet = network of captured computers 35 Unwanted programs Trojan = Programs installed without user consent, but fooled into installing it Usually difficult to uninstall Adware = typically pop-up ads displayed on certain sites Annoying Not usually criminal activity Browser parasite = monitor and change browser settings Often comes with adware E.g., homepages, sites visited Spyware = program that obtains user info via keystrokes, copies of s/chats, screenshots Often used for identity theft Can come from untrusted HTTP cookies 36 12

13 Phishing Like fishing for information Deceptive online attempt by third party to get confidential information for financial gain No malware involved Uses straightforward misrepresentation and fraud Analogous to a con artist, who tricks people into voluntarily giving what is requested E.g., scams, account verifications, quota exceeded Offers to give you something as long as you respond with certain information Hacking and Cyber Vandalism Hacker = individual who intends to gain unauthorized access to a computer Cracker = hacker with criminal intent Typically excited by thrill of breaking into corporate/govt sites Cyber vandalism = methods used to intentionally disrupt, deface, or destroy a site White hats = good hackers hired to help locate/fix security flaws by hacking into site externally Black hats = hackers who act with intention of causing harm E.g., reveal confidential or proprietary information due to belief that the info should be free Grey hats = hackers who believe they are pursuing greater cause by breaking in and revealing system flaws Reward: prestige of discovery of security flaws; recognition i.e. Anonymous 39 13

14 This is NOT Ethical Hacking! Individuals appearing in public as Anonymous, wearing Guy Fawkes masks. A member holding an Anonymous flier at Occupy Wall Street, a protest that the group actively supported, September 17, Credit Card Fraud Biggest fear for online shopping Few occurrences in actuality ~1.4% of all online card transactions Most common form today is to hack into corporate server where millions of credit card purchases are stored Hard to verify customer s identity in online environment 41 Spoofing Misrepresent oneself via fake s or use of fake name Pharming = spoofing a website E.g., link to a fake site Can harm businesses (e.g., steal customers, create bad reputation) Can harm customers (e.g., lose money) Spam/junk websites = sites that promise some product or service but are simply collection of ads Often contains malware Splogs = spam blogs Created to raise search engine rankings of affiliated sites 42 14

15 (D)DoS Denial of service attack = flood website with useless page requests to overwhelm servers Cause site to shut down Can cause site to lose money and customers Blackmail owners to pay for removal of attack Distributed denial of service attack = uses numerous computers as launch points for the attack Often involve botnets 43 Sniffing Eavesdropping program that monitors information traveling on a network Positive use: help identify trouble spot on network Negative (criminal) use: steal proprietary information (e.g., s, confidential files) wiretap = hidden code in s that allows someone to monitor all subsequent messages forwarded with original U.S. law allows ISPs to install wiretaps to access customer s Bill C-30 Canada 44 The Next Wave! CONSUMERIZATION of IT Consumerization will force more IT changes over the next 10 years than any other trend. - Gartner MOBILITY 45 15

16 Security in the Cloud Bypasses traditional IT You put your data where!!! On demand services (OPX Vs CAPX) Location of data Impacts on data privacy legislation Foreign government search Lack of control Moves IT from service provider to contract manager (SLA S, Security, IMA) Ability to audit Exit Strategy (How do you get your data out) 46 Bill C-51 Bill C-51, also known as the Anti-terrorism Act, 2015, was designed to, encourage and facilitate information sharing between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada. The Conservative Party introduced the act in January 2015 after the Parliament Hill shooting October The government wants to allocate more power to police services and security institutions like the Canadian Security Intelligence Service (CSIS) to keep a closer eye on potentially dangerous terrorism situations and prevent future attacks. According to the act s official summary, Bill C-51 would ensure safer transportation services for Canadians, allow law enforcement to step in and arrest, without question, a person they suspect is about to carry out a terrorist attack, and it would increase the protection of witnesses who come forward with information on a potential terrorist attack. Essentially, the government would increase its role in national security to keep a constant watchful eye on potentially harmful situations and end them before anyone is hurt or killed. Civil liberty groups and other critics have claimed the bill stretches the definition of security to potentially include peaceful protests, further restricts freedom of expression, and raises privacy concerns, since the act would allow federal institutions such as Health Canada and Revenue Canada to share private information with the RCMP. Critics have also expressed grave concerns that it fails to define terrorism clearly, and in attempting to remove all terrorist propaganda from the Internet will effectively try to censor freedom of expression on the Internet. Amendments are currently being considered as government responds to protest