
Tuesday, June 23, 2009

Exercise 16: Authentication and Encryption systems

  1. Visit an e-commerce website and survey the mode of payment allowed. Would you trust the site with your business?
  2. A site that I have used multiple times is UMART Online. It is an online computer shop. They accept payment by Cash/EFTPos/Cheque. They do have a physical presence as well with multiple stores around Australia. Their method of payment by credit card requires filling in a paper based form, with your credit card details, faxing it to them, and if your order is over $500 sending in a photocopy of your Drivers Licence.

    This method is a little confronting, when looked at from a security perspective, with identity theft concerns. But their prices made it seem just too good.

  3. Global e-commerce presents challenges exempt from domestic e-commerce. What security concerns add to the complexity of international e-business?
  4. Access by unauthorized users is the area of risk that approaches the level of "significant" and is perceived to present the greatest overall security risk to e-Commerce (ISACA).

    According to ISACA, the security impact of e-Commerce can be placed into two categories:

    • Improper or unauthorized use of the organization's e-Commerce offering (i.e., web site)
    • Using connectivity to the Internet as the path to the organization's internal, private systems for unauthorized access

  5. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?
  6. Knowing when to trust a website depends in part on who publishes the website, what information they want, and what you want from the site. If you're not sure whether to trust a website, consider these questions:

    • Are you visiting a secure site?
    • Is the website certified by an Internet trust organization?
    • Is the website owned by a company or organization that you know well?
    • Does the website ask you for personal information?
    • On a retail website, is there a way to contact someone by phone or mail?
    • If you don't recognize the site, do you have other information to help you decide?

    According to Microsoft a website might not be trustworthy if:

    • The site is referred to you through an e‑mail message from someone you don't know.
    • The site offers objectionable content, such as pornography or illegal materials.
    • The site makes offers that seem too good to be true, indicating a possible scam or the sale of illegal or pirated products.
    • You are lured to the site by a bait and switch scheme, in which the product or service is not what you were expecting.
    • You are asked for a credit card as a verification of identity or for personal information that does not seem necessary.
    • You are asked to provide a credit card number without proof that the transaction is secure.

  7. Visit 10 e-commerce websites. How many mention security on their home page? Is privacy mentioned? How many of them belong to the TRUSTe association?
  8. Visit the Verisign web site - what solutions does it offer for e-commerce?
  9. Verisign provides SSL Certificates and other security services. Their site mentions 2 related products and services.
  10. Visit your e-mail or WWW browser provider site and search for security. What technologies does your particular product support?
  11. I took the following screen shot of the Bigpond Security information page. I guess that they are primarily Windows based. I make this statement based upon the Windows Only stipulation on the Bigpond Security trial.



  12. Visit the TRUSTe web site. Describe what services and solutions are offered.
  13. TRUSTe provides services to alleviate privacy concerns relating to company communications, by ensuring that those communications align with privacy standards.

    The TRUSTe motto of "Their Privacy Is Your Business" identifies the goal of Building Customer Trust to ensure future Revenue.

  14. Get the latest PGP software from http://web.mit.edu/network/pgp.html; install it on two machines and encrypt a message on one machine and decrypt it on the other.
  15. The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?
  16. Other methods of user validation include biometric authentication (fingerprints, palm prints, voice analysis, iris scans etc) and handheld password tokens.(Authentication Tools)

References

Authentication Tools. Retrieved 1 July 2009, from http://www.cromwell-intl.com/security/security-authentication.html
ISACA. e-Commerce Security - A Global Status Report. Retrieved 1 July 2009, from http://www.isaca.org/Template.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentID=8547
Microsoft. When to trust a website. Retrieved 1 July 2009, from http://windowshelp.microsoft.com/Windows/en-US/Help/dfe83943-3394-48fb-8a4b-406f0b479c331033.mspx
TRUSTe. Privacy Is Everyone's Business. Retrieved 1 July 2009, from http://www.truste.org/about/our_services.php
Verisign. E-Commerce Security: What Is It? Retrieved 30 June 2009, from http://www.verisign.com.au/ssl-certificates/e-commerce-security/

Exercise 15: Review questions

  1. Can a simple firewall be designed from standard computer equipment?

    (Wikipedia) A firewall is a dedicated appliance, or software running on a computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.

    It is software or hardware, normally placed between a protected network and an unprotected network, that acts like a gate to protect assets: it ensures that nothing private goes out and nothing malicious comes in.

    A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ).

    There are several types of firewall techniques:

    • Packet filter - looks at each packet entering or leaving a network and accepts or rejects it based upon user-defined rules (typically source and destination address, protocol and port).
    • Application gateway - applies security mechanisms to specific applications, such as FTP and Telnet servers. Very effective, but it can impose a performance degradation.
    • Circuit-level gateway - applies security mechanisms when a TCP or UDP connection is established; once the connection has been made, packets flow between the hosts without further checking.
    • Proxy server - intercepts all messages entering and leaving the network and effectively hides the true network addresses.
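
    As an added example (not code from the original post or from any vendor), the packet-filter model above written out as a small first-match rule evaluator. The zone addresses, the rule table and the sample traffic are hypothetical (the 10.0.0.0/8 internal zone and a DMZ on the 192.0.2.0/24 documentation range); the evaluation follows the Internet / DMZ / internal trust levels described above, with an explicit default-deny rule closing the table.

```python
"""Stateless packet filter evaluated over constructed packet records.

Added example, not from the original post.  The zone addresses, rule
table and sample packets are all assumptions; the evaluation model
(first matching rule wins, explicit default deny at the end) is the one
netfilter/pf-style filters use.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL = ip_network("10.0.0.0/8")   # assumed trusted zone
DMZ = ip_network("192.0.2.0/24")      # assumed perimeter network (DMZ)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    syn: bool = True  # True = new TCP connection request (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "drop"
    src: Optional[IPv4Network] = None  # None means "any"
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ip_address(p.src) in self.src)
                and (self.dst is None or ip_address(p.dst) in self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.syn is None or self.syn == p.syn))


# Hypothetical rule table, evaluated top to bottom; first match wins.
RULES: List[Rule] = [
    Rule("accept", dst=DMZ, proto="tcp", dport=443, comment="public HTTPS to DMZ web server"),
    Rule("accept", dst=DMZ, proto="tcp", dport=80, comment="public HTTP to DMZ web server"),
    Rule("accept", src=INTERNAL, comment="internal hosts may originate anything"),
    # Stateless approximation of "allow replies": anything that is not a new
    # connection request may come back in.  A bare ACK probe matches this
    # rule too, which is why real filters track connection state instead.
    Rule("accept", dst=INTERNAL, proto="tcp", syn=False, comment="non-SYN TCP back to internal"),
    Rule("drop", dst=INTERNAL, comment="no new connections into the internal zone"),
    Rule("drop", comment="default deny"),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, comment) of the first rule that matches p."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "drop", "implicit default deny"  # only reached if the table has no catch-all


# Constructed sample traffic; 198.51.100.0/24 stands in for the Internet.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 443),             # Internet -> DMZ web
    Packet("198.51.100.7", "192.0.2.10", "tcp", 22),              # Internet -> DMZ ssh
    Packet("198.51.100.7", "10.0.0.5", "tcp", 445),               # Internet -> internal SMB
    Packet("192.0.2.10", "10.0.0.5", "tcp", 3306),                # DMZ host -> internal DB
    Packet("10.0.0.5", "198.51.100.7", "tcp", 443),               # internal -> Internet
    Packet("198.51.100.7", "10.0.0.5", "tcp", 51000, syn=False),  # ACK probe at internal host
]


def decisions(packets: List[Packet] = SAMPLE) -> List[str]:
    """Action taken for each packet, in order."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE:
        action, why = filter_packet(p)
        print(f"{action:6} {p.src} -> {p.dst}:{p.dport}/{p.proto} syn={p.syn}  ({why})")
```

    The last sample packet is the caveat worth remembering: a stateless filter that admits "anything that is not a SYN" so that replies to internal connections get back in also admits an ACK probe aimed at an internal host. Stateful packet filters solve this by recording each outbound connection and admitting only packets that belong to one.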

  2. What hardware components would you need for a proxy server?
  3. Strictly speaking, no hardware components are required explicitly for a proxy server, because the functions of proxy, firewall and caching can be in separate server programs or combined in a single package, and different server programs can run on different computers. For example, a proxy server may be on the same machine as a firewall server, or it may be on a separate server and forward requests through the firewall. (Whatis.com)
  4. What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?
  5. As identified above a firewall acts like a gate to protect assets to ensure that nothing private goes out and nothing malicious comes in.

    • Adtran's NetVanta line provides varying levels of network firewall protection based on the enterprise client's security needs. The hardware-based solution provides corporate protection, including VPN and regulatory compliance, for on-site and remote employees.
    • Check Point's line of network firewalls includes Power-1 Appliances for large data centers, VPN product lines and UTM appliances. Its line of Integrated Appliance Solutions provides integrated software and hardware solutions for customized firewall protection.
    • Cisco's firewall offerings are designed to work with only Cisco networks and include the hardware-based ASA 5500, router and switch firewalls such as the Cisco Firewall Services Module, and the software-based Cisco IOS firewall.

  6. Accessing a firewall vendor site, find out what solutions are offered: http://www.checkpoint.com

    Solutions are provided for

    http://www.microsoft.com/catalog/display.asp?subid=22&site=10538&x=44&y=21
    This URL is broken.
  7. Does the company you work for (or the school you attend) utilise a proxy server for Internet access? Is the proxy server intended to keep hackers out of the network, or control employees’ access to the Internet?
  8. Yes, a firewall is used to keep hackers out.

    We are using content filtering with a product called SurfControl to restrict Internet content.

  9. Find out if your university or workplace has a backup policy in place. Is it followed and enforced?

    My workplace does enforce a backup policy. Full cyclic backups are done on a nightly and weekly basis. Monthly backups are kept for 12 months.
  10. Most of the antivirus software perform an active scanning of the user activity on the Internet, detecting downloads and attachments in e-mails. Hackers have readily available resources to create new viruses. How easy is it to find a virus writing kit? Search the Internet and find such a tool. For example, see what you can find at http://vx.netlux.org/dat/vct.shtml
  11. This website produced a list of 195 virus creation tools.
  12. Download a virus checker and read the documentation.
  13. I have AVG Free installed on all my computers at home. Work uses Symantec Corporate Edition.
  14. How does it operate?
  15. x
  16. What is the process of updating the virus signature file?
  17. Using the software tool provided.
  18. How does the publisher charge for the product/service?
  19. Currently there are purportedly 80 million users of AVG Free. AVG also provides a subscription model that is more fully featured.

References
AVG. Retrieved 30 June 2009, from http://free.avg.com/
SearchSecurityChannel.com. Partner Program Directory. Retrieved 20 July 2009, from http://searchsecuritychannel.techtarget.com/generic/0,295582,sid97_gci1316089,00.html
Wikipedia. Firewall. Retrieved 30 June 2009, from http://en.wikipedia.org/wiki/Firewall_(networking)
Whatis.com. proxy server. Retrieved 30 June 2009, from http://whatis.techtarget.com/definition/0,,sid9_gci212840,00.html

Exercise 14: Electronic payments and security II

  1. You can learn more about Cookies at: http://home.netscape.com/newsref/std/cookie_spec.html
  2. Unfortunately this URL is a little out of date. But the 404 message below is very nice.

  3. You can learn more about electronic payment systems with Reading 9 on Electronic Reserve on the CSU Library Service Web site at: http://www.csu.edu.au/division/library/eservices/ereserve.htm The article is by Schneider, P & Perry, JT 2001, ‘Electronic payment systems’, Chapter 7, in Electronic Commerce, Course Technology, Boston.
  4. As we have been informed before by Ken, we can ignore the readings. Consequently there is nothing to do here.

Sunday, May 17, 2009

Exercise 12: Designing for a secure framework

  1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.
  2. According to (Wikipedia) Secure Electronic Transaction (SET) was a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet. SET was not itself a payment system, but rather a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network in a secure fashion. However, it failed to gain traction.

    SET was developed by SETco, led by VISA and MasterCard (and involving other companies such as GTE, IBM, Microsoft, Netscape, RSA and VeriSign) starting in 1996. SET was based on X.509 certificates with several extensions. The first version was finalised in May 1997 and a pilot test was announced in July 1998.

    SET was intended to become the de facto standard payment method on the Internet between merchants, buyers and credit-card companies. Despite heavy publicity, it failed to win market share. Reasons for this include:

    • Network effect - the need to install client software (an e-wallet).
    • Cost and complexity for merchants to offer support and comparatively low cost and simplicity of the existing SSL based alternative.
    • Client-side certificate distribution logistics.

    According to (Wikipedia), RSA is an algorithm for public-key cryptography, and RSA keys are typically 1024-2048 bits long. It is the first algorithm known to be suitable for signing as well as encryption, and one of the first great advances in public-key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations. Note that the "128-bit" figure quoted for e-commerce sites refers to the symmetric session cipher negotiated under SSL, not to the RSA key: an RSA modulus of only 128 bits could be factored trivially, which is why RSA keys are so much longer.
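
    As an added example (not code from the original post or from the cited Wikipedia article), textbook RSA with small parameters: the same exponentiation serves for encryption and for signing, as the paragraph above states, and a modulus built from small primes gives up its private key to trial-division factoring in a fraction of a second, which is the concrete reason key length matters. The primes, exponents and message are chosen for illustration (the 61/53 pair is the classic textbook key); unpadded RSA as written here is not suitable for real data, where OAEP/PSS padding and 2048-bit or larger moduli are used.

```python
"""Textbook RSA with small parameters, and recovery of the private key by
factoring a small modulus.

Added example, not from the original post.  Unpadded ("textbook") RSA as
written here is for illustration only: real deployments pad (OAEP for
encryption, PSS for signatures) and use moduli of 2048 bits or more.
"""
import hashlib
from math import gcd, isqrt
from typing import Optional, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def keygen(p: int, q: int, e: int) -> Tuple[PublicKey, PrivateKey]:
    """Derive (n, e), (n, d) from two primes p, q and a public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub: PublicKey, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv: PrivateKey, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def digest_mod_n(message: bytes, n: int) -> int:
    """Toy message representative: SHA-256 reduced mod n (not a real encoding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: PrivateKey, message: bytes) -> int:
    """Signing is the same private-key exponentiation as decryption, applied to the digest."""
    n, d = priv
    return pow(digest_mod_n(message, n), d, n)


def verify(pub: PublicKey, message: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_mod_n(message, n)


def trial_factor(n: int) -> Optional[Tuple[int, int]]:
    """Brute-force factoring; only feasible when the smaller prime is tiny."""
    if n % 2 == 0:
        return 2, n // 2
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    return None


def recover_private_key(pub: PublicKey) -> Optional[PrivateKey]:
    """Anyone who can factor n can recompute d from the public key alone."""
    n, e = pub
    factors = trial_factor(n)
    if factors is None:
        return None
    p, q = factors
    return n, pow(e, -1, (p - 1) * (q - 1))


# Constructed keys: the classic 61/53 textbook pair, and a 47-bit modulus
# built from 65537 and the Mersenne prime 2**31 - 1 (unbalanced on purpose,
# so trial division finds the small factor almost immediately).
TINY_PUB, TINY_PRIV = keygen(61, 53, 17)
SMALL_PUB, SMALL_PRIV = keygen(65537, 2**31 - 1, 65537)


if __name__ == "__main__":
    msg = b"order 1234: pay 19.99"
    print("decrypt(encrypt(65)) =", decrypt(SMALL_PRIV, encrypt(SMALL_PUB, 65)))
    s = sign(SMALL_PRIV, msg)
    print("signature verifies:", verify(SMALL_PUB, msg, s),
          " tampered message verifies:", verify(SMALL_PUB, msg + b"!", s))
    print("private key recovered from public key alone:",
          recover_private_key(SMALL_PUB) == SMALL_PRIV)
```

    The attack in recover_private_key is exactly what key length defends against: for the 47-bit modulus it loops about thirty thousand times, whereas for a 2048-bit modulus with balanced primes no known classical method finishes.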

  3. Design a Web application form for a new credit card.
  4. x
  5. What can you find out about network and host-based intrusion detection systems?
    (Wikipedia) says that one can think of a HIDS as an agent that monitors whether anything or anyone, whether internal or external, has circumvented the system's security policy.

    According to (Wikipedia), a network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

    The NIDS does this by reading all the incoming packets and trying to find suspicious patterns. If, for example, a large number of TCP connection requests to a very large number of different ports are observed, one could assume that someone is conducting a port scan of some or all of the computers in the network. It also (mostly) tries to detect incoming shellcode in the same manner that an ordinary intrusion detection system does.

    A NIDS is not limited to inspecting incoming network traffic only. Often valuable information about an ongoing intrusion can be learned from outgoing or local traffic as well. Some attacks might even be staged from the inside of the monitored network or network segment, and are therefore not regarded as incoming traffic at all.
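
    As an added example (not code from the original post or from the cited Wikipedia articles), the two NIDS behaviours described above as detection logic run over constructed connection records: a per-source sliding-window count of distinct targets, which raises a port-scan alert whether the scanner is outside or inside the monitored segment, and a crude payload signature for an x86 NOP sled of the kind shellcode is often prefixed with. The event format, thresholds, address ranges and sample traffic are all assumptions; a real sensor (Snort, Suricata) reads packets off the wire, but the decisions have the same shape.

```python
"""Two NIDS-style detections over constructed connection records:
a sliding-window port-scan detector and a NOP-sled payload signature.

Added example, not from the original post.  Thresholds, event format and
sample traffic are assumptions chosen to exercise the logic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

PORTSCAN_DISTINCT_TARGETS = 10   # alert once a source has touched this many (dst, port) pairs...
PORTSCAN_WINDOW_SECONDS = 5.0    # ...within this sliding window
NOP_SLED_MIN = 16                # shortest run of 0x90 treated as a sled


@dataclass(frozen=True)
class Event:
    ts: float          # seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class PortScanDetector:
    """Counts distinct (dst, dport) pairs per source inside a sliding time window."""
    threshold: int = PORTSCAN_DISTINCT_TARGETS
    window: float = PORTSCAN_WINDOW_SECONDS
    _hits: Dict[str, Deque[Tuple[float, str, int]]] = field(default_factory=lambda: defaultdict(deque))
    _alerted: Set[str] = field(default_factory=set)

    def observe(self, ev: Event) -> Optional[str]:
        q = self._hits[ev.src]
        q.append((ev.ts, ev.dst, ev.dport))
        while q and ev.ts - q[0][0] > self.window:   # expire entries outside the window
            q.popleft()
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) >= self.threshold and ev.src not in self._alerted:
            self._alerted.add(ev.src)                # one alert per source, not per packet
            return f"PORTSCAN src={ev.src} distinct_targets={len(distinct)} window={self.window:g}s"
        return None


def nop_sled(payload: bytes, min_run: int = NOP_SLED_MIN) -> Optional[str]:
    """Flag a run of 0x90 (x86 NOP) at least min_run bytes long."""
    if b"\x90" * min_run in payload:
        return f"NOPSLED run>={min_run}"
    return None


def analyse(events: List[Event]) -> List[str]:
    """Run every event through both detections in time order; return the alerts raised."""
    scan = PortScanDetector()
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        for alert in (scan.observe(ev), nop_sled(ev.payload)):
            if alert:
                alerts.append(f"{ev.ts:6.2f} {alert} {ev.src}->{ev.dst}:{ev.dport}")
    return alerts


def sample_events() -> List[Event]:
    """Constructed traffic: 198.51.100.0/24 and 203.0.113.0/24 stand in for the Internet."""
    events: List[Event] = []
    # 1. normal browsing from an internal host: few ports, spread out in time
    for i, port in enumerate([80, 443, 443, 80, 53]):
        events.append(Event(10.0 + i * 2.0, "10.0.0.5", "198.51.100.7", port))
    # 2. external host sweeping ports 1..24 of the DMZ web server within two seconds
    for port in range(1, 25):
        events.append(Event(20.0 + port * 0.08, "198.51.100.9", "192.0.2.10", port))
    # 3. internal host probing SMB on many internal peers: never "incoming" traffic
    for i in range(12):
        events.append(Event(30.0 + i * 0.2, "10.0.0.8", f"10.0.0.{100 + i}", 445))
    # 4. one request whose payload starts with a 32-byte NOP sled
    events.append(Event(40.0, "198.51.100.9", "192.0.2.10", 80,
                        b"\x90" * 32 + b"GET / HTTP/1.0\r\n"))
    # 5. slow probe, one port every 3 s: stays under the window and is missed
    for port in range(1, 13):
        events.append(Event(50.0 + port * 3.0, "203.0.113.4", "192.0.2.10", port))
    return events


if __name__ == "__main__":
    for line in analyse(sample_events()):
        print(line)
```

    The fifth traffic pattern is the classic evasion: a scanner that spaces its probes wider than the detector's window never accumulates enough distinct targets to trip the threshold, so the window and threshold trade false negatives against false positives from busy but legitimate hosts.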


References
Wikipedia. Host-based intrusion detection system. Retrieved 30 June 2009, from http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
Wikipedia. Network intrusion detection system. Retrieved 30 June 2009, from http://en.wikipedia.org/wiki/Network_intrusion_detection_system
Wikipedia. RSA. Retrieved 20 July 2009, from http://en.wikipedia.org/wiki/RSA
Wikipedia. Secure Electronic Transaction. Retrieved 20 July 2009, from http://en.wikipedia.org/wiki/Secure_Electronic_Transaction