Chapter 10:
Electronic Commerce Security
Online Security Issues Overview
 Computer security
 The protection of assets from unauthorized access, use,
alteration, or destruction
 Physical security
 Includes tangible protection devices
 Logical security
 Protection of assets using nonphysical means
 Threat
 Any act or object that poses a danger to computer assets
Terms - Countermeasure
Managing Risk
 General name for a procedure that recognizes, reduces, or
eliminates a threat
 Eavesdropper
 Person or device that can listen in on and copy Internet
 Crackers or hackers
 Write programs or manipulate technologies to obtain
unauthorized access to computers and networks
Computer Security Classification
 Secrecy/Confidentiality
 Protecting against unauthorized
data disclosure
 Technical issues
 Privacy
 The ability to ensure the use of
information about oneself
 Legal Issues
 Integrity
 Preventing unauthorized data
modification by an unauthorized
 Necessity
 Preventing data delays or denials
 Nonrepudiation
 Ensure that e-commerce
participants do not deny (i.e.,
repudiate) their online actions
 Authenticity
 The ability to identify the identity
of a person or entity with whom you
are dealing on the Internet
Some solutions --
 Visit the Copyright Web site:
 Check out examples of copyright infringement:
 Audio arts
 Visual arts
 Digital arts
 Read comments Under “Info”
Security Threats in the
E-commerce Environment
Three key points of vulnerability
 the client
 communications pipeline
 the server
Active Content
 Active content refers to
programs embedded
transparently in Web pages
that cause an action to occur
 Scripting languages
 Provide scripts, or commands,
that are executed
 Applet
 Small application program
 Java
 Active X
 Trojan horse
 Program hidden inside another
program or Web page that
masks its true purpose
 Zombie
 Program that secretly takes
over another computer to
launch attacks on other
 Attacks can be very difficult
to trace to their creators
Viruses, Worms, and Antivirus Software
 Virus
 Software that attaches itself to another program
 Can cause damage when the host program is activated
 Macro virus
 Type of virus coded as a small program (macro) and is
embedded in a file
 Antivirus software
 Detects viruses and worms
Digital Certificates
 A digital certificate is a
program embedded in a Web
page that verifies that the
sender or Web site is who or
what it claims to be
 Main elements:
 Certificate owner’s identifying
 Certificate owner’s public key
 A certificate is signed code or
messages that provide proof
that the holder is the person
identified by the certificate
 Dates between which the
certificate is valid
 Certification authority (CA)
issues digital certificates
 Name of the certificate issuer
 Serial number of the
 Digital signature of the
certificate issuer
Communication Channel Security
 Recall that - Secrecy is the prevention of unauthorized information disclosure
 Privacy is the protection of individual rights to nondisclosure
 Sniffer programs
 Provide the means to record information passing through a
computer or router that is handling Internet traffic
Demonstration of working of a Java implementation of a Packet Sniffer
Other Threats
 Integrity threats exist when an
unauthorized party can alter a
message stream of information
 Cybervandalism
 Electronic defacing of an existing
Web site’s page
 Masquerading or spoofing
 Pretending to be someone you are
 Domain name servers (DNSs)
 Computers on the Internet that
maintain directories that link
domain names to IP addresses
A Web site that provides a
measure of secrecy as long
as it’s used as the portal to
the Internet
 Purpose is to disrupt or deny
normal computer processing
 DoS attacks
 Remove information altogether
 Delete information from a
transmission or file
Wireless Network Threats
 Wardrivers
 Attackers drive around using their
wireless-equipped laptop computers
to search for accessible networks
 Warchalking
 When wardrivers find an open
network they sometimes place a
chalk mark on the building
Tools Available to Achieve Site Security
Transforms plain text or data into cipher text that cannot be
read by anyone outside of the sender and the receiver.
Cipher text
to secure stored information
to secure information transmission.
text that has been encrypted and thus cannot be read by anyone
besides the sender and the receiver
Symmetric Key Encryption
DES standard most widely used
Group Exercise
 Julius Caesar supposedly used secret codes known
today as Caesar Cyphers. The simplest replaces A
with B, B with C etc. This is called a one-rotate
code. The following is encrypted using a simple
Caesar rotation cypher. See if you can decrypt it:
 Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd
kwtr ymj xjsfyj ytifd.
Public key cryptography
uses two mathematically related digital
keys: a public key and a private key.
The private key is kept secret by the
owner, and the public key is widely
Both keys can be used to encrypt and
decrypt a message.
A key used to encrypt a message, cannot
be used to unencrypt the message
Public Key Cryptography with Digital Signatures
Public Key Cryptography: Creating a Digital Envelope
Securing Channels of Communications
Secure Sockets Layer (SSL)
is the most common form of
securing channels
Secure negotiated session
client-server session where
the requested document
URL, contents, forms, and
cookies are encrypted.
Session key is a unique
symmetric encryption key
chosen for a single secure
 Software or hardware and
software combination installed on a
network to control packet traffic
 Packet-filter firewalls
 Provides a defense between the
network to be protected and the
Internet, or other network that
could pose a threat
 Characteristics
 Gateway servers
 All traffic from inside to outside
and from outside to inside the
network must pass through the
 Only authorized traffic is allowed
to pass
 Firewall itself is immune to
 Trusted networks are inside the
 Untrusted networks are outside
the firewall
 Examine data flowing back and
forth between a trusted network
and the Internet
 Firewalls that filter traffic based
on the application requested
 Proxy server firewalls
 Firewalls that communicate with
the Internet on the private
network’s behalf
Security Policy and Integrated Security
 A security policy is a written
statement describing:
 Which assets to protect and
why they are being protected
 Who is responsible for that
 Which behaviors are
acceptable and which are not
 First step in creating a
security policy
 Elements of a security policy
 Authentication
 Access control
 Secrecy
 Data integrity
 Audits
 Determine which assets to
protect from which threats
Protection of Information Assets CISA 2006 Exam Preparation
Tension Between Security and Other Values
Ease of use
Often security slows down processors and adds significantly to
data storage demands. Too much security can harm profitability;
not enough can mean going out of business.
Public Safety & Criminal Use
claims of individuals to act anonymously vs. needs of public
officials to maintain public safety in light of criminals or
Some questions
 Can internet security measures actually create
opportunities for criminals to steal? How?
 Why are some online merchants hesitant to ship to
international addresses?
 What are some steps a company can take to thwart cybercriminals from within a business?
 Is a computer with anti-virus software protected from
viruses? Why or why not?
 What are the differences between encryption and
 Discuss the role of administration in implementing a
security policy?
Security for Server Computers
 Web server
 Can compromise secrecy if it allows automatic directory
 Can compromise security by requiring users to enter a
username and password
 Dictionary attack programs
 Cycle through an electronic dictionary, trying every word
in the book as a password
Other Programming Threats
 Buffer
 An area of memory set aside to hold data read from a file
or database
 Buffer overrun
 Occurs because the program contains an error or bug that
causes the overflow
 Mail bomb
 Occurs when hundreds or even thousands of people each
send a message to a particular address
Organizations that Promote Computer Security
 Responds to thousands of security incidents each year
 Helps Internet users and companies become more knowledgeable
about security risks
 Posts alerts to inform the Internet community about security
 SANS Institute
 A cooperative research and educational organization
 SANS Internet Storm Center
 Web site that provides current information on the location and
intensity of computer attacks
 Microsoft Security Research Group
 Privately sponsored site that offers free information about
computer security issues

Chapter 10: Electronic Commerce Security