ELC 200 Day 10. Agenda Questions? Assignment 3 Posted Due October 8 (next class) assignment3.pdf assignment3.pdf Assignment 4 will be posted soon

ELC 200ELC 200Day 10Day 10

Agenda Questions? Assignment 3 Posted

Due October 8 (next class) assignment3.pdf

Assignment 4 will be posted soon Quiz 2 Oct 15

Test will be administered from Blackboard, You need not be present to take the quiz. Will be available from 12 Noon to 7 PM

Begin Discussion on eCommerce Security and Payment Systems

Chapter 5Chapter 5E-commerce Security and E-commerce Security and

Payment SystemsPayment Systems

Copyright © 2014 Pearson Education, Inc.

Learning Objectives Understand the scope of e-commerce crime and security problems. Describe the key dimensions of e-commerce security. Identify the key security threats in the e-commerce environment. Describe how technology helps protect the security of messages

sent over the Internet. Identify the tools used to establish secure Internet communications

channels, and protect networks, servers, and clients. Identify the major e-commerce payment systems in use today. Describe the features and functionality of electronic billing

presentment and payment systems.

Class Discussion

Cyberwar: MAD 2.0 What is the difference between hacking and

cyberwar? Why has cyberwar become more potentially

devastating in the past decade? Why has Google been the target of so many

cyberattacks? Is it possible to find a political solution to

MAD 2.0?

Copyright © 2014 Pearson Education, Inc. Slide 5-5

12-6© 2007 Prentice-Hall, Inc

CYBER Warfare China-US Cyber War Russia – Estonia Cyber war Twitter DDoS Korean DDoS Stuxnet Worm Taught at US Military academies

bh-fed-03-dodge.pdf iwar_wise.pdf http://www.westpoint.edu/crc/SitePages/Home.aspx

http://bostonherald.com/news_opinion/opinion/op_ed/2013/02/china_s_cyberwar_targets_us_biz

http://www.usnews.com/opinion/blogs/world-report/2013/01/14/estonia-shows-how-to-build-a-defense-against-cyberwarfare

http://www.wired.com/epicenter/2009/08/twitter-apparently-down/

http://www.scmagazineuk.com/north-korea-blamed-for-ddos-attacks-on-united-states-and-south-korea/article/139764/

http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet

http://www.wired.com/politics/security/news/2008/05/nsa_cyberwargames?currentPage=all

The E-commerce Security Environment

Overall size and losses of cybercrime unclearReporting issues

2014 CSI survey: 77% of respondent firms detected breach in last year

Underground economy marketplaceStolen information stored on underground

economy servers



Current Underground Economy Data



US cybercrime: Rising Risks, reduced readinessKey findings from the 2104 US State of Cybercrime Survey

What is Good E-commerce Security? To achieve highest degree of security

New technologies (changes daily)Organizational policies and proceduresIndustry standards and government laws


The E-commerce Security Environment

Figure 5.1, Page 168



The Tension Between Security andOther Values

Ease of use:The more security measures added, the more

difficult a site is to use, and the slower it becomes

Public safety and criminal uses of the InternetUse of technology by criminals to plan crimes or

threaten nation-state


Security Threats in theE-commerce Environment

Three key points of vulnerability in e-commerce environment:1. Client

2. Server

3. Communications pipeline (Internet communications channels)


A Typical E-commerce Transaction


Vulnerable Points in an E-commerce Transaction




Snoop and Sniff

Most Common Security Threats in the

E-commerce Environment Malicious codeVirusesWormsTrojan horsesDrive-by downloadsBackdoorsBots, botnetsThreats at both client and server levels



DDOS

https://zeustracker.abuse.ch/https://feodotracker.abuse.ch/

Most Common Security Threats (cont.)

Potentially unwanted programs (PUPs) Browser parasitesAdwareSpyware

Phishing E-mail scamsSocial engineeringIdentity theft



Spyware infestation. Taken by Brandon Waddell.


http://malwaretips.com/blogs/pup-optional-opencandy-virus/


HackingHackers vs. crackersTypes of hackers: White, black, grey hatsHacktivism (Anonymous)

CybervandalismDisrupting, defacing, destroying Web site

Data breachLosing control over corporate information to

outsiders



Credit card fraud/theft Hackers target merchant servers; use data to establish credit under

false identity Hannaford hack

Spoofing (Pharming) Spam (junk) Web sites

http://www.buycheapr.com/us/result.jsp?ga=us5&q=chevelle+bumper

Denial of service (DoS) attack Hackers flood site with useless traffic to overwhelm network

Distributed denial of service (DDoS) attack



Sniffing Eavesdropping program that monitors information

traveling over a network

Insider attacks very common Poorly designed server and client software Social network security issues Mobile platform security issues

Same risks as any Internet device

Cloud security issues




The Players: Hackers, Crackers, and Other Attackers

Hackers Original hackers created the Unix operating system and

helped build the Internet, Usenet, and World Wide Web; and, used their skills to test the strength and integrity of computer systems

Over time, the term hacker came to be applied to rogue programmers who illegally break into computers and networks

Hacker underground http://www.defcon.org/ http://www.blackhat.com/ http://www.2600.com/


The Players: Hackers, Crackers, and Other Attackers (cont.)

Uber Haxor Wizard Internet Hackers Highly capable attackers Responsible for writing most of the attacker tools

CrackersPeople who engage in unlawful or damaging hacking short for “criminal hackers”

Other attackers “Script kiddies” are ego-driven, unskilled crackers who use

information and software (scripts) that they download from the Internet to inflict damage on targeted sites

Scorned by both the Law enforcement and Hackers communities


How Hackers Hack Many Techniques

Social Engineering Get someone to give you their password

Cracking Guessing passwords A six letter password (no caps)

> 300 million possibilities Merriam-Webster's citation files, which were begun in the 1880s, now contain 15.7 million

examples of words used in context and cover all aspects of the English vocabulary. http://www.m-w.com/help/faq/words_in.htm

Buffer Overflows Getting code to run on other PCs

Load a Trojan or BackDoor Snoop and Sniff

Steal data Denial of Service (DOS)

Crash or cripple a Computer from another computer Distributed Denial of Service (DDOS)

Crash or cripple a Computer from multiple distributed computers

Insight on Technology: Class Discussion

Think Your Smartphone Is Secure? What types of threats do smartphones face? Are there any particular vulnerabilities to this

type of device? Are apps more or less likely to be subject to

threats than traditional PC software programs? http://www.spyphone.com/ http://www.mobile-spy.com/ http://www.foxnews.com/tech/2011/12/01/is-your-smartphone-secretly-

spying-on/



Maine’s Anti-Hacker laws§432. Criminal invasion of computer privacy

1. A person is guilty of criminal invasion of computer privacy if the person intentionally accesses any computer resource knowing that the person is not authorized to do so. [1989, c. 620 (new).] 2. Criminal invasion of computer privacy is a Class D crime. [1989, c. 620 (new).]

§433. Aggravated criminal invasion of computer privacy 1. A person is guilty of aggravated criminal invasion of computer privacy if the person:

A. Intentionally makes an unauthorized copy of any computer program, computer software or computer information, knowing that the person is not authorized to do so; [1989, c. 620 (new).] B. Intentionally or knowingly damages any computer resource of another person, having no reasonable ground to believe that the person has the right to do so; or [1989, c. 620 (new).] C. Intentionally or knowingly introduces or allows the introduction of a computer virus into any computer resource, having no reasonable ground to believe that the person has the right to do so. [1989, c. 620 (new).][1989, c. 620 (new).]

2. Aggravated criminal invasion of computer privacy is a Class C crime. [1989, c. 620 (new).]

Technology Solutions Protecting Internet communications

Encryption

Securing channels of communicationSSL, VPNs

Protecting networksFirewalls

Protecting servers and clients


Tools Available to Achieve Site Security



Encryption Encryption

Transforms data into cipher text readable only by sender and receiver

Secures stored information and information transmission

Provides 4 of 6 key dimensions of e-commerce security Message integrity Nonrepudiation Authentication Confidentiality


Symmetric Key Encryption Sender and receiver use same digital key to encrypt

and decrypt message Requires different set of keys for each transaction Strength of encryption

Length of binary key used to encrypt data

Advanced Encryption Standard (AES) Most widely used symmetric key encryption Uses 128-, 192-, and 256-bit encryption keys

Other standards use keys with up to 2,048 bits


Public Key Encryption Uses two mathematically related digital keys

Public key (widely disseminated) Private key (kept secret by owner)

Both keys used to encrypt and decrypt message Once key used to encrypt message, same key

cannot be used to decrypt message Sender uses recipient’s public key to encrypt

message; recipient uses private key to decrypt it



What Is Encryption? A way to transform a message so that only the sender and recipient can

read, see, or understand it

Plaintext (cleartext): the message that is being protected

Encrypt (encipher): transform a plaintext into ciphertext

Encryption: a mathematical procedure that scrambles data so that it is extremely difficult for anyone other than authorized recipients to recover the original message

Key: a series of electronic signals stored on a PC’s hard disk or transmitted as blips of data over transmission lines

Plaintext + key = Ciphertext

Ciphertext – key = Plaintext

Public Key Cryptography: A Simple Case




Symmetric Key Encryption

Message“Hello”

EncryptionMethod &

Key

SymmetricKey

Party A

Party B

InterceptorNetwork

Encrypted Message

Encryption uses anon-secret encryption method and

a secret key


Simple example (encrypt) Every letter is converted to a two digit number

A=1, Z = 26 ANTHONY 01 14 20 08 15 14 25 Produce any 4 digit key 3654 (10N-1 choices =

9,999) Add together in blocks of 4 digits 0114 + 3654 = 3768 2008 + 3654 = 5662 1514 + 3654 = 5168 2500 + 3654 = 6154 (pad with 00 to make even)

Send 3768566251686154 to fellow Spy


Simple example (Decrypt) Received 3768566251686154 from fellow Spy

Break down in 4 digits groupings 3768 5662 5168 6154

Get right Key 3654 Subtract key from blocks of 4 digits 3768 - 3654 = 114 5662 - 3654 = 2008 5168 - 3654 = 1514 6154 - 3654 = 2500 If result is negative add 10000

Break down to 2 digits and decode 01 = A, 14 =N, 20 = T, 08 = H

Public Key Encryption Using Digital Signatures and Hash Digests

Hash function: Mathematical algorithm that produces fixed-length number called

message or hash digest

Hash digest of message sent to recipient along with message to verify integrity

Hash digest and message encrypted with recipient’s public key

Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation


Public Key Cryptography with Digital Signatures



Digital Certificates and Public Key Infrastructure (PKI)

Digital certificate includes: Name of subject/company Subject’s public key Digital certificate serial number Expiration date, issuance date Digital signature of CA

Public Key Infrastructure (PKI): CAs and digital certificate procedures PGP


Digital Certificates and Certification Authorities



Limits to Encryption Solutions Doesn’t protect storage of private key

PKI not effective against insiders, employeesProtection of private keys by individuals may be

haphazard

No guarantee that verifying computer of merchant is secure


Insight on Society: Class Discussion

Web Dogs and Anonymity: Identity 2.0 What are some of the benefits of continuing

the anonymity of the Internet? Who are the groups involved in creating an

identity system for the Internet? Who should control a central identity

system?


Securing Channels of Communication Secure Sockets Layer (SSL) and Transport

Layer Security (TLS) Establishes a secure, negotiated client-server

session in which URL of requested document, along with contents, is encrypted

Virtual Private Network (VPN) Allows remote users to securely access internal

network via the Internet


Secure Negotiated Sessions Using SSL/TLS



Protecting Networks Firewall

Hardware or softwareUses security policy to filter packets

Proxy servers (proxies)Software servers that handle all

communications originating from or being sent to the Internet


Protecting Servers and Clients Operating system security

enhancementsUpgrades, patches

Anti-virus softwareEasiest and least expensive way to prevent

threats to system integrityRequires daily updates


E-commerce Payment Systems Credit cards

Still the dominant online payment method in United States

Limitations of online credit card payment systemsSecurity, merchant riskCostSocial equity


How an Online Credit Transaction Works



Alternative Online Payment Systems Online stored value systems

Based on value stored in a consumer’s bank, checking, or credit card account

e.g.: PayPal

Other alternatives Amazon PaymentsGoogle Checkout


Mobile Payment Systems Use of mobile phones as payment devices

established in Europe, Japan, South Korea Near field communication (NFC)

Short-range (2”) wireless for sharing data between devices

Expanding in United States Google Wallet

Mobile app designed to work with NFC chips

PayPal Square


Digital Cash and Virtual Currencies Digital cash

Based on algorithm that generates unique tokens that can be used in “real” world

e.g.: Bitcoin

Virtual currenciesCirculate within internal virtual worlde.g.: Linden Dollars in Second Life, Facebook

Credits


Electronic Billing Presentment and Payment (EBPP)

Online payment systems for monthly bills 50% of all bill payments Two competing EBPP business models:

Biller-direct (dominant model) Consolidator

Both models are supported by EBPP infrastructure providers


Documents

ELC 200 Day 10. Agenda Questions? Assignment 3 Posted Due October 8 (next class) assignment3.pdf assignment3.pdf Assignment 4 will be posted soon