Electronic Commerce Security
Week of July 15-July 21

Internet Security:
o Computer security is the protection of assets from unauthorized access, use, alteration, or destruction. Before the Internet and the networked computer, businesses only needed physical security. Today, they need both physical and logical security. Physical security includes tangible protection devices, such as alarms, guards, fireproof doors, security fences, safes or vaults, and bombproof buildings (p. 441). Logical security is the protection of assets using nonphysical means (p. 441).
o A countermeasure is the general name for a procedure, either physical or logical, that recognizes, reduces, or eliminates a security threat. The higher the probability or the more severe the impact of a threat, the more you should be willing to spend on countermeasures against that threat. Focus on Figure 10-1 Risk Management Model (p. 441).
o A cracker is a technologically skilled person who uses that skill to obtain unauthorized entry into a computer or network (p. 442).
o The terms cracker and hacker basically mean the same thing. A white hat hacker is someone who breaks into a computer or network so that they may alert the company to a security problem and allow the company to fix it. A black hat hacker is someone who puts their skills to ill purpose (p. 442).

Security Policy:
o A security policy is a written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviors are acceptable and which are not (p. 442). The policy covers physical security, network security, access authorization, virus protection, and disaster recovery. The security policy should change as the company and the threats change.
o Steps to establishing a security policy (p. 443):
  - Determine which assets need protection.
  - Decide who should have access to which assets.
  - Take inventory of the resources available to protect the assets.
  - Finally, the organization commits these resources and writes up a plan.

Security for Clients:
o Client computers need protection different from security for companies (p. 444).
o Cookies: The Internet works on stateless connections, in which every transmission is independent of all other transmissions. In other words, the current transmission has no knowledge of the previous transmissions. Cookies are small text files stored on the client computer so that data from one session can be passed to future sessions (p. 445). For example, you want to buy something online and enter your Zip code. Two days later, you go back to the site and the site remembers your Zip code. This means your Zip code was likely saved in a cookie. Too often, cookies are used to pass private information about you to advertisers. As a result, they should be blocked.
o A Web bug is a tiny graphic (often invisible) that a third-party Web site places on another site's Web page. When a site visitor loads the Web page, the Web bug is delivered by the third-party site, which can then place a cookie on the visitor's computer (p. 447).
o Active Content: Active content refers to programs that are embedded transparently in Web pages and that cause actions to occur (p. 448). These actions are often written to damage the computer (p. 448). A Trojan horse is a small program written into a program or Web page to mask its true purpose (p. 448). A zombie is a Trojan horse that secretly takes over another computer for the purpose of launching attacks on other computers (p. 448). Active content is written in scripting languages such as JavaScript or through ActiveX controls (p. 450).
o Plug-ins are programs that enhance the capabilities of browsers (for example, playing audio or video, or animating graphics) so they can handle Web content that a browser cannot handle on its own (p. 450).
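The Zip-code example above can be carried across sessions two ways: put the Zip code itself in the cookie, or keep it on the server and hand the browser only a random session id. The following is an added example (not code from the course or the textbook) contrasting the two with Python's standard http.cookies module; the in-memory SESSIONS store, the cookie names "zip" and "sid", and the Zip code "90210" are constructed for illustration.

```python
from http.cookies import SimpleCookie
import secrets

# Constructed in-memory session store: random session id -> data kept server-side.
# Keeping the Zip code here, not in the cookie, means the cookie carries nothing
# private and the visitor cannot edit the cookie to change the stored value.
SESSIONS = {}

def plain_zip_cookie(zip_code):
    """Naive design: the Zip code itself travels in the cookie, readable by any
    script on the page and by anything that can observe an http:// connection."""
    cookie = SimpleCookie()
    cookie["zip"] = zip_code
    return cookie["zip"].OutputString()

def issue_session_cookie(zip_code):
    """Hardened design: store the Zip code server-side and send only an
    unguessable session id, with attributes that limit where the browser sends it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"zip": zip_code}
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True   # page scripts cannot read it
    cookie["sid"]["secure"] = True     # browser sends it only over https://
    cookie["sid"]["samesite"] = "Lax"  # not attached to cross-site requests
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()

def zip_from_request(cookie_header):
    """On a later, otherwise stateless request, recover the Zip code from the
    Cookie header the browser echoes back. Missing or forged ids yield None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("sid")
    if morsel is None:
        return None
    session = SESSIONS.get(morsel.value)
    return session["zip"] if session else None

if __name__ == "__main__":
    set_cookie = issue_session_cookie("90210")
    print("Set-Cookie:", set_cookie)
    # The browser later returns only the name=value part of the header.
    print("Zip on next visit:", zip_from_request(set_cookie.split(";")[0]))
    print("Naive cookie:", plain_zip_cookie("90210"))
```

Blocking cookies wholesale, as the notes suggest, also breaks the session id design; the attributes set above (HttpOnly, Secure, SameSite) are what limit a cookie to the site that issued it rather than letting it leak to third parties.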
o A virus is software that attaches itself to another program and can cause damage when the host program is activated (p. 451).
o A worm is a type of virus that replicates itself on the computer it infects (p. 451).

Protecting the Client Computer:
o Antivirus software detects viruses and worms and either deletes them or isolates them on the client computer so they cannot run (p. 452).
o A digital certificate is a signed message or code, attached to an e-mail message or embedded in a program on a Web page, that verifies that the sender or Web site is who or what it claims to be (p. 456). A digital certificate is issued by a certification authority such as VeriSign (p. 456).
o Biometric security devices use an element of a person's biological makeup to perform identification. Examples include eye scanners and fingerprint readers (p. 459).

Miscellaneous Threats:
o Sniffer programs are software programs that record sensitive or personal information (credit card information, address, phone number, etc.) passing through a computer (p. 460).
o Backdoors are holes left, either intentionally or unintentionally, within a software program; people who are aware of the hole can use it to steal sensitive or personal information (p. 460).
o Cybervandalism is the electronic defacing of an existing Web site's page, usually by replacing the regular content with content placed there by the hacker (p. 462).
o Spoofing is pretending to be someone you are not, or representing a Web site as an original when it is a fake (p. 462).
o Phishing is the sending of mass e-mails that include a link that appears to be real (such as paypa1.com instead of paypal.com). When users click on the link, they are taken to a page where they are encouraged to provide personal information (p. 462).
o In wireless networks, wardriving involves hackers driving around with wireless laptops searching for wireless networks that are not very secure (p. 463).
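The paypa1.com example is a lookalike domain: a digit 1 standing in for the letter l. An e-mail filter or link scanner can catch this class of spoof by collapsing confusable characters before comparing a link's domain with an allowlist, and by checking that the visible link text and the real target agree. The code below is an added example, not part of the course notes or the textbook; the LEGIT_DOMAINS allowlist, the CONFUSABLES table, the "last two labels" rule for the registrable domain (a simplification; real code consults the public suffix list), and all sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation actually uses.
LEGIT_DOMAINS = {"paypal.com", "example-bank.com"}

# Character sequences that read alike in an address bar, mapped to the letter
# they imitate; "paypa1.com" becomes "paypal.com" after substitution.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o", "5": "s", "3": "e"}

def registrable_domain(url):
    """Return the host's last two labels (constructed simplification of the
    public suffix list rule) or the bare address when the host is an IP."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def skeleton(domain):
    """Collapse confusable sequences so a lookalike compares equal to its target."""
    for seq, letter in CONFUSABLES.items():
        domain = domain.replace(seq, letter)
    return domain

SKELETONS = {skeleton(d): d for d in LEGIT_DOMAINS}

def classify_link(href):
    """Classify a link target as ('legit', domain), ('lookalike', imitated
    domain) or ('unknown', domain)."""
    host = (urlsplit(href).hostname or "").lower().rstrip(".")
    domain = registrable_domain(href)
    if domain in LEGIT_DOMAINS:
        return ("legit", domain)
    # A legitimate name used as a subdomain of some other domain,
    # e.g. paypal.com.evil.example, is still a lookalike.
    for legit in LEGIT_DOMAINS:
        if "." + legit + "." in "." + host + ".":
            return ("lookalike", legit)
    imitated = SKELETONS.get(skeleton(domain))
    if imitated is not None:
        return ("lookalike", imitated)
    return ("unknown", domain)

def text_href_mismatch(link_text, href):
    """True when the visible link text names a legitimate domain but the actual
    target goes elsewhere: the classic phishing e-mail pattern."""
    shown_url = link_text if "://" in link_text else "http://" + link_text
    shown = registrable_domain(shown_url)
    return shown in LEGIT_DOMAINS and registrable_domain(href) != shown

if __name__ == "__main__":
    for url in ("https://www.paypal.com/signin", "http://paypa1.com/login",
                "http://paypal.com.evil.example/", "https://shop.example.org/"):
        print(url, "->", classify_link(url))
    print(text_href_mismatch("https://www.paypal.com", "http://203.0.113.7/login"))
```

The skeleton comparison is deliberately one-directional: it maps suspect names onto the allowlist, so it produces a verdict only for domains the defender has chosen to protect and never blocks an unrelated site by accident.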
  Read an article (http://news.bbc.co.uk/1/hi/sci/tech/1860241.stm) about a British security company that realized that the majority of wireless networks could be accessed with a laptop and a Pringles can.
o Dictionary attack programs cycle through every word in an electronic dictionary trying to guess a user's password. This is one reason that people should avoid using common words as their passwords (p. 475).

Protecting Against Sophisticated Threats:
o Encryption is the coding of information by using a mathematically based program and a secret key to produce a string of characters that is unintelligible. In order to read the message, both the sender and the receiver must have the key (p. 464).
o Secure Sockets Layer (SSL) is an encryption technology used on the World Wide Web to allow the client and the Web server to exchange data privately (p. 468). By the way, you should only submit your credit card information to a site protected by SSL. You will know the site uses SSL if the Web address begins with https:// (not http://).
o Web servers should be protected with an access control list (ACL). An ACL is a list of files and other resources and the usernames of the people who can access those files and resources. In other words, it is a list of who can access what (p. 479).
o A firewall is software (or a combination of hardware and software) installed on a network to control the data moving through it (p. 479). A good firewall prevents access to a network by unauthorized users and allows access to legitimate users (p. 480).
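Two defences follow directly from the dictionary-attack bullet: reject dictionary-based passwords at registration (including the case changes, trailing digits and letter-for-digit substitutions an attack program also tries), and store passwords as salted, deliberately slow hashes so that each guess against a stolen password file costs real computation. The following is an added example using only the Python standard library, not code from the course or the textbook; the DICTIONARY word list, the LEET substitution table and the stored-hash string format are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed word list; an attacker's dictionary runs to hundreds of
# thousands of entries and is combined with the same mangling rules used below.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "qwerty"}

# Substitutions an attack program tries automatically, so they add no real strength.
LEET = str.maketrans("@$0134!", "asoleai")

def is_dictionary_based(password):
    """True if the password is a dictionary word or a simple variant of one."""
    core = password.lower()
    core = re.sub(r"[0-9!@#$%^&*.]+$", "", core)  # drop "2024!"-style suffixes
    core = core.translate(LEET)                    # undo p@ssw0rd-style substitutions
    return core in DICTIONARY or password.lower() in DICTIONARY

def hash_password(password, iterations=600_000):
    """Store only a salted, slow PBKDF2 hash: an attacker who obtains the stored
    value must still pay `iterations` hash rounds per dictionary guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def enroll(password, iterations=600_000):
    """Reject dictionary-based choices at registration; otherwise return the
    value to keep in the user database."""
    if is_dictionary_based(password):
        raise ValueError("password is a dictionary word or a simple variant of one")
    return hash_password(password, iterations)

if __name__ == "__main__":
    for candidate in ("Summer2024!", "P@ssw0rd", "correct-horse-battery"):
        print(candidate, "dictionary-based:", is_dictionary_based(candidate))
    stored = enroll("correct-horse-battery")
    print(stored)
    print(verify_password("correct-horse-battery", stored))
```

The iteration count is a tuning knob: raise it until a single verification takes a noticeable fraction of a second on the server hardware, since that same cost is paid by every guess in an offline dictionary attack.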
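The firewall bullet describes the decision a packet filter makes for every packet: match it against an ordered rule list and drop anything no rule explicitly allows. The code below is an added example of that first-match, default-deny evaluation, not code from the course, the textbook or any firewall product; the Packet and Rule classes, the RULES policy, and the addresses (taken from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int          # destination port
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))

def filter_packet(rules, pkt):
    """First matching rule decides; traffic no rule mentions is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed policy for a public web server at 203.0.113.10 whose
# administrator connects from 198.51.100.5.
RULES = [
    Rule("deny", src="10.0.0.0/8"),  # private source address from outside: spoofed
    Rule("allow", dst="203.0.113.10/32", dport=443, proto="tcp"),  # HTTPS for everyone
    Rule("allow", dst="203.0.113.10/32", dport=80, proto="tcp"),   # HTTP, redirects to HTTPS
    Rule("allow", src="198.51.100.5/32", dst="203.0.113.10/32",
         dport=22, proto="tcp"),                                    # SSH, admin host only
]

def audit(rules, packets):
    """Decision trace for a batch of packets, the kind of log reviewed when tuning rules."""
    return [(pkt, filter_packet(rules, pkt)) for pkt in packets]

if __name__ == "__main__":
    sample = [  # constructed traffic
        Packet("192.0.2.44", "203.0.113.10", 443),
        Packet("192.0.2.44", "203.0.113.10", 22),
        Packet("198.51.100.5", "203.0.113.10", 22),
        Packet("10.1.2.3", "203.0.113.10", 443),
    ]
    for pkt, decision in audit(RULES, sample):
        print(decision, pkt)
```

Rule order matters: the spoofed-source deny sits first so that a later allow for port 443 cannot be reached by a packet claiming a private address, and the absence of a catch-all allow is what makes the policy default-deny.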