Friday, May 28, 2010

Exercise 9 : Electronic Payments and Security I

Questions:
  1.  Find out about SET and the use of RSA 128-bit encryption for e-commerce
  2. What can you find out about network and host-based intrusion detection systems?
  3. What is "phishing"?
  4. What is SET and how does it compare to SSL as a platform for secure electronic transactions? Is SET in common use?
  5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?
  6. What makes a firewall a good security investment? Accessing the internet, find two or three firewall vendors. Do they provide hardware, software or both?
  7. What measures should e-commerce sites provide to create trust among their potential customers? What measures can be verified by the customer?
  8. Get the latest PGP information from http://en.wikipedia.org/wiki/Pretty_Good_Privacy. The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft.
 Answers:

  1. SET stands for Secure Electronic Transaction, a standard developed to secure credit card transactions over open networks such as the Internet. It was developed by Visa and MasterCard, with participation from companies including Microsoft, IBM, Netscape and RSA. SET relies on digital certificates and digital signatures to verify the identities of the cardholder, the merchant and the payment gateway, to reduce the risk of unauthorized transactions, and to keep the cardholder's card details confidential during the transaction (the card number is encrypted for the payment gateway, so the merchant never sees it in the clear). The protocol combines two encryption mechanisms: a random 56-bit DES session key encrypts the transaction data, and that session key is itself encrypted with the recipient's RSA public key (1024-bit in the original specification) before it is transmitted. The remainder of the transaction then uses symmetric encryption with the Data Encryption Standard (DES).

    RSA is named after the three people who first published the algorithm: Rivest, Shamir and Adleman. It is a public-key algorithm that can be used both for encrypting messages and for signing them, and this flexibility is why it appears in so many e-commerce protocols (SET, SSL/TLS, PGP). The phrase "RSA 128-bit encryption" seen in e-commerce marketing is loose: the 128 bits are the length of the symmetric session key (for example RC4 or AES inside an SSL session), not of the RSA key. RSA keys are far longer, 1024 bits or more, because the strength of RSA rests on the difficulty of factoring the modulus, and a 128-bit modulus can be factored in seconds on an ordinary PC, which hands the attacker the private key. In both cases a longer key raises the cost of a brute-force attack: every extra bit of a symmetric key doubles the number of candidates an attacker must try.
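    The hybrid model described above, as an added example written for this page (it is not SET, SSL or library code): a random 128-bit session key protects the bulk data and RSA protects only that key, followed by the factoring attack that makes a tiny RSA modulus worthless. The textbook RSA without padding, the HMAC-SHA256 keystream standing in for DES/AES (the standard library has no block cipher), and the 512-bit and 64-bit key sizes are assumptions made for the illustration; none of it is production-grade.

```python
# Hybrid encryption in the SET/SSL style, plus the factoring attack that kills
# small RSA moduli.  Added example for this page, not SET, SSL or library code.
# Assumptions: textbook RSA without padding (real protocols use PKCS#1/OAEP) and
# an HMAC-SHA256 keystream standing in for DES/AES, since the standard library
# ships no block cipher.  For illustration only, never for production use.
import hashlib
import hmac
import math
import random
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # witness found: n is composite
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def rsa_keygen(modulus_bits):
    """Return ((e, n), (d, n)); e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = random_prime(modulus_bits // 2), random_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_apply(key, m):
    """Raw RSA: encrypt with the public key, decrypt with the private one."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)

def keystream(key, length):
    """HMAC-SHA256 in counter mode, used here as the symmetric cipher."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def sym_crypt(key, data):
    """XOR with the keystream: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def seal(recipient_pub, plaintext):
    """Sender side: fresh 128-bit session key, wrapped with the recipient's RSA public key."""
    session_key = secrets.token_bytes(16)
    wrapped = rsa_apply(recipient_pub, int.from_bytes(session_key, "big"))
    return wrapped, sym_crypt(session_key, plaintext)

def open_sealed(recipient_priv, wrapped, ciphertext):
    """Recipient side: unwrap the session key with RSA, then decrypt the bulk data."""
    session_key = rsa_apply(recipient_priv, wrapped).to_bytes(16, "big")
    return sym_crypt(session_key, ciphertext)

def pollard_rho(n):
    """Non-trivial factor of n; cost grows with the square root of the smaller factor."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")

def recover_private_key(pub):
    """The attack on a too-small modulus: factor n, recompute d from e and phi."""
    e, n = pub
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n
```

    With a 512-bit merchant key, `seal`/`open_sealed` round-trip an order, while `recover_private_key` on a 64-bit public key returns the exact private key in well under a second; a real 128-bit modulus needs only a slightly better factoring routine (any off-the-shelf tool does it in seconds), which is why "128-bit" can only ever describe the session key.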

    References:

    Secure Electronic Transaction. Wikipedia. 2010. Wikimedia Foundation, Inc. Retrieved on May 25, 2010 from http://en.wikipedia.org/wiki/Secure_Electronic_Transaction

    Secure Electronic Transaction: An Overview. Retrieved on May 25, 2010 from http://www.davidreilly.com/topics/electronic_commerce/essays/secure_electronic_transactions.html

    RSA. Wikipedia. 2010. Wikimedia Foundation, Inc. Retrieved on May 25, 2010 from http://en.wikipedia.org/wiki/RSA


  2. A network-based intrusion detection system (NIDS) reads the packets travelling between the network and the hosts it protects (usually from a sensor on a mirror port, or inline) and compares them with signatures, rules and behaviour models to decide whether an intrusion is taking place over the network. The attack-recognition module uses four techniques to recognize signatures:
    1. pattern, expression or byte-code matching
    2. frequency or threshold crossing
    3. correlation of lesser events
    4. statistical anomaly detection.
    When an attack is detected, the IDS carries out its configured actions, such as notifying the administrator, terminating the connection (if it is deployed inline or has an active-response capability), or logging and recording the session for later analysis.

    A host-based intrusion detection system (HIDS) monitors threats present on the host computer itself. It inspects the resources used by running programs (files, processes, log entries, system calls) to identify suspicious activity on that machine. A HIDS keeps a database of the system objects it should monitor, for example checksums of critical files and configuration, and to improve its accuracy it records the events that have occurred so that the current state can be compared with the last known-good one. A HIDS has advantages a NIDS lacks: it sees activity after decryption and inside the host, so it can detect attacks carried over encrypted channels and misuse by local users, and being host-based it needs no extra network hardware. On the other hand it consumes resources on every monitored host, must be deployed and maintained per host, and usually detects an intrusion later than a NIDS does, because it often works from logs or periodic checks rather than from live traffic. The two are complementary rather than competing.
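    The four recognition techniques listed above, run over a constructed packet log in a toy NIDS. This is an added example written for this page, not code from any IDS product; the event format, the two signatures, the thresholds and the sample addresses are assumptions made for the illustration.

```python
# Toy network IDS implementing the four signature-recognition techniques over a
# constructed packet log.  Added example for this page, not code from any IDS;
# event format, signatures, thresholds and addresses are assumptions.
import re
import statistics
from collections import defaultdict

def _ev(t, src, dport, payload):
    """One captured packet: t = seconds since capture start (constructed data)."""
    return {"t": t, "src": src, "dport": dport, "payload": payload}

EVENTS = (
    [_ev(1, "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
     _ev(2, "203.0.113.9", 80, b"GET /../../../etc/passwd HTTP/1.1")]
    + [_ev(3 + i, "198.51.100.7", 22, b"AUTH_FAIL root") for i in range(6)]
    + [_ev(20 + i, "192.0.2.44", port, b"SYN")
       for i, port in enumerate((21, 23, 25, 80, 110, 143, 443, 3306, 5900, 8080))]
    + [_ev(35, "192.0.2.44", 22, b"AUTH_OK admin")]
)

SIGNATURES = {
    "dir-traversal": re.compile(rb"(\.\./){2,}"),
    "shell-cmd": re.compile(rb";\s*(cat|wget|nc)\b"),
}

def pattern_match(events):
    """1. Pattern/byte matching: every payload is tested against every signature."""
    return [(name, e["src"]) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["payload"])]

def threshold_crossing(events, limit=5, window=60):
    """2. Threshold crossing: at least `limit` failed logins from one source within `window` s."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["dport"] == 22 and e["payload"].startswith(b"AUTH_FAIL"):
            fails[e["src"]].append(e["t"])
    hits = []
    for src, times in fails.items():
        if any(times[i + limit - 1] - times[i] <= window
               for i in range(len(times) - limit + 1)):
            hits.append(src)
    return sorted(hits)

def correlate(events, scan_ports=10, scan_window=30):
    """3. Correlation of lesser events: a port scan alone is noise, but a successful
    login from the same source after the scan is worth an alert."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        scan_end = None
        for i, first in enumerate(evs):
            ports = set()
            for x in evs[i:]:
                if x["t"] - first["t"] > scan_window:
                    break
                ports.add(x["dport"])
                if len(ports) >= scan_ports:
                    scan_end = x["t"]          # time the scan became recognizable
                    break
            if scan_end is not None:
                break
        if scan_end is not None and any(x["t"] > scan_end and x["payload"].startswith(b"AUTH_OK")
                                        for x in evs):
            hits.append(src)
    return sorted(hits)

def rate_anomaly(baseline_per_minute, observed, k=3.0):
    """4. Statistical anomaly: observed count more than k standard deviations above the baseline mean."""
    mu = statistics.mean(baseline_per_minute)
    sigma = statistics.stdev(baseline_per_minute)
    return observed > mu + k * sigma
```

    On the constructed log, `pattern_match` flags the directory-traversal request, `threshold_crossing` flags the six failed SSH logins, `correlate` flags the source that logged in successfully right after scanning ten ports, and `rate_anomaly` separates a burst of 60 requests per minute from a baseline that hovers around 11. Each detector alone produces noise; the point of the correlation step is that a HIDS or NIDS is judged by how few of its alerts an analyst has to discard.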

    Reference:
    Network Intrusion Detection System. Wikipedia. 2010. Wikimedia Foundation, Inc. Retrieved on May 3, 2010 from http://en.wikipedia.org/wiki/Network_intrusion_detection_system

    Network vs Host-Based Intrusion Detection. Retrieved on May 3, 2010 from http://documents.iss.net/whitepapers/nvh_ids.pdf

    Host-Based Intrusion Detection System. Wikipedia. 2010. Wikimedia Foundation, Inc. Retrieved on May 3, 2010 from http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system


  3. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

    Phishing is typically carried out by e-mail or instant message, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when the fake site uses server authentication (an SSL certificate of its own), it may require considerable skill to tell that the website is fake: the browser's padlock proves only that the connection is to the site named in the certificate, not that this is the site the user intended to visit, so a look-alike domain with a valid certificate passes the check.

    A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was in 1996. The term is a variant of "fishing", probably influenced by "phreaking", and alludes to the bait used to "catch" financial information and passwords.
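    A few of the checks a mail filter or a careful user applies to a link before trusting it, as an added example written for this page (not code from the page or from any product). The brand allowlist, the digit-to-letter normalization and the approximation of the "registered domain" by the last two host labels are assumptions; a real checker would use the Public Suffix List and a far larger brand table.

```python
# Heuristics for spotting a phishing link that imitates a legitimate site.
# Added example for this page, not code from any product.  BRANDS is a
# constructed allowlist; the registered domain is approximated by the last
# two labels (a real checker would consult the Public Suffix List).
import ipaddress
from urllib.parse import urlsplit

BRANDS = {"paypal": {"paypal.com"}, "ebay": {"ebay.com"}}   # constructed
DIGIT_TO_LETTER = str.maketrans("10", "lo")                 # paypa1 -> paypal

def phishing_indicators(url):
    """Return the names of the indicators that fire; an empty list means none did."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if "@" in parts.netloc:
        flags.append("userinfo")        # http://paypal.com@evil.example/ lands on evil.example
    try:
        ipaddress.ip_address(host)
        flags.append("ip-host")         # legitimate brands do not link to bare IP addresses
    except ValueError:
        pass
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        flags.append("idn")             # punycode label: possible homoglyph domain
    registered = ".".join(labels[-2:])
    for brand, allowed in BRANDS.items():
        brand_in_host = any(brand in label.translate(DIGIT_TO_LETTER) for label in labels)
        if brand_in_host and registered not in allowed:
            flags.append("lookalike")   # brand name used as a subdomain or misspelling
            break
    return flags
```

    The "lookalike" rule is the one that matters most in practice: `www.paypal.com.secure-login.example.net` is owned by whoever owns `example.net`, no matter how many familiar labels precede it, and the padlock on such a site says nothing about that.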

    References:

    What is Phishing?. Retrieved on May 26, 2010 from http://www.webopedia.com/TERM/P/phishing.html

    Phishing. Retrieved on May 26, 2010 from http://en.wikipedia.org/wiki/Phishing


  4. Secure Electronic Transaction (SET) is a system for securing payment card transactions over the Internet. During a transaction the purchaser, the merchant and the purchaser's bank are authenticated to one another by exchanging digital certificates, and the transaction is carried out only after the parties have verified them. This makes the transaction verifiable, secure and confidential.

    Secure Sockets Layer (SSL) is a standard that encrypts the data exchanged between a web server and a web browser, protecting it from eavesdropping and tampering while it crosses the Internet. SSL is built into all major browsers and web servers; a site turns it on simply by installing a digital certificate on the server. Note that SSL authenticates only the server (and only to the extent that the user checks the certificate), and it does nothing once the data has arrived: the card number is handled and stored by the merchant in the clear.

    Although it is more secure, SET is far less common in use than SSL because of its high cost and the complexity of implementing it: every cardholder must obtain a digital certificate and install SET-specific wallet software on the client, whereas SSL needs nothing beyond a browser. In practice SET never achieved wide deployment, and payment security on the web relies on SSL/TLS together with issuer-side schemes such as 3-D Secure (Verified by Visa, MasterCard SecureCode).

    Reference:
    Secure Electronic Transaction. Wikipedia. 2010. Wikimedia Foundation, Inc. Retrieved on May 25, 2010 from http://en.wikipedia.org/wiki/Secure_Electronic_Transaction

    Secure Electronic Transaction: An Overview. Retrieved on May 25, 2010 from http://www.davidreilly.com/topics/electronic_commerce/essays/secure_electronic_transactions.html

    SSL versus SET. Clough G. (n.d.). Retrieved on May 25, 2010 from http://www.savagerun.com/SSLSET.htm

    What is secure electronic transaction? Retrieved on May 25, 2010 from http://searchfinancialsecurity.techtarget.com/sDefinition/0,,sid185_gci214194,00.html



  5. A cookie, also known as a web cookie, browser cookie or HTTP cookie, is a small piece of text that a web server sends to a user's browser (in a Set-Cookie header) and that the browser sends back with later requests to the same site (in a Cookie header). A cookie consists of one or more name-value pairs; the server may encrypt or sign the values for privacy and integrity. Cookies are used for authentication, session tracking, storing site preferences and shopping-cart contents, carrying the identifier of a server-side session, or anything else that can be done by storing a short text string.
    Being text, cookies are not executable. Because they are not executed they cannot replicate themselves, and they are not viruses. However, because of the browser mechanism for setting and reading cookies, they can be used by advertising and spyware networks to track users across sites; anti-spyware products may warn about such tracking cookies, which is a privacy rather than a security concern. Cookies improve security mainly by carrying the session: a session cookie lets the server recognize an authenticated user without the password being sent again on every request, and the cookie can be restricted with the Secure attribute (sent only over SSL) and the HttpOnly attribute (not readable by page scripts), which mitigate the hijacking and theft attacks listed below.
    Besides privacy concerns, cookies also have technical drawbacks and can be a security risk. In particular, they do not always accurately identify users, they can be abused in security attacks, and they are at odds with the Representational State Transfer (REST) software architectural style. The main drawbacks are:
    a. Inaccurate identification
    If more than one browser is used on a computer, each usually has a separate storage area for cookies. Hence cookies do not identify a person but a combination of a user account, a computer and a web browser; anyone who uses multiple accounts, computers or browsers has multiple sets of cookies.
    b. Cookie hijacking
    A cookie can be read by another computer that is able to eavesdrop on the network, for example when the cookie travels over plain HTTP on a shared wireless LAN; the attacker replays it and takes over the session. Sending the cookie only over SSL (the Secure attribute) closes this hole.
    c. Cookie theft
    The cookie specification constrains a cookie to be sent back only to servers in the domain that set it. However, the value of a cookie can be sent to other servers by means other than the Cookie header: a cross-site scripting (XSS) flaw lets attacker-injected script read document.cookie and post it elsewhere. The HttpOnly attribute hides the cookie from script and limits this attack.
    d. Cookie poisoning
    While cookies are supposed to be stored and sent back to the server unchanged, an attacker may modify the value of a cookie before sending it back. If, for example, a cookie contains the total the user has to pay for the items in the shopping basket, changing that value exposes the server to the risk of charging the attacker less than the real price. Tampering with cookie values is called cookie poisoning, and it is sometimes used after cookie theft to make an attack persistent. The remedy is to keep authoritative state on the server, or to sign (or encrypt) the cookie so that tampering is detected.
    e. Cross-site cooking
    The attacker exploits a browser bug to set a cookie for a domain the attacker does not control (for example a cookie scoped to a whole top-level domain), which the browser then sends to the victim site as if that site had set it.
    f. Inconsistent state on client and server
    The server's picture of the session and the cookies the browser holds can diverge, for example when the user presses the Back button after the server has already updated the cookie; server logic must not assume the client's cookies reflect its latest state.
    g. Cookie expiry
    A persistent cookie disappears when it expires or when the user clears it, and a session cookie disappears when the browser is closed, so the server cannot rely on a cookie still being present. Conversely, a long expiry extends the window in which a stolen copy remains usable.
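    The shopping-basket case from item d, as an added example written for this page (not code from the page or from any framework): the vulnerable handler takes the total from a cookie the client controls, while the hardened handler stores only item identifiers, signs them with an HMAC, prices them from a server-side catalogue and sets the Secure and HttpOnly attributes. The secret, the catalogue and the cookie names are constructed for the illustration.

```python
# Cookie poisoning and its fix.  Added example for this page, not code from the
# page or any framework; SECRET, CATALOGUE and cookie names are constructed.
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET = b"constructed-server-side-secret"     # assumption: never leaves the server
CATALOGUE = {"book": 1500, "dvd": 900}         # constructed prices, in cents

def vulnerable_checkout(cookie_header):
    """Trusts 'total' from the Cookie header: `total=1` makes a 24.00 basket cost 0.01."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return int(jar["total"].value)

def sign(value):
    """value.tag, where tag = HMAC-SHA256(SECRET, value) in unpadded urlsafe base64."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")

def verify(signed):
    """Return the signed value, or raise if the tag does not match (tampered or forged)."""
    value, _, tag = signed.rpartition(".")
    expected = sign(value).rpartition(".")[2]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("cookie signature mismatch")
    return value

def issue_cart_cookie(items):
    """Set-Cookie line the server sends whenever the basket changes."""
    if any("." in item or ":" in item for item in items):
        raise ValueError("item ids must not contain the separators")
    jar = SimpleCookie()
    jar["cart"] = sign(":".join(items))
    jar["cart"]["secure"] = True      # sent only over SSL: defeats network hijacking
    jar["cart"]["httponly"] = True    # invisible to document.cookie: defeats XSS theft
    return jar.output()

def hardened_checkout(cookie_header):
    """Price comes from the server's catalogue; the cookie only says which items."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    items = verify(jar["cart"].value).split(":")
    return sum(CATALOGUE[item] for item in items)
```

    Signing stops poisoning but not replay: a stolen signed cookie is still valid until it expires, which is why the Secure and HttpOnly attributes, a short lifetime and server-side session state all matter together rather than any one of them alone.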

    References:
    HTTP cookie. Wikipedia. 2010. Wikimedia Foundation, Inc. Retrieved on May 25, 2010 from http://en.wikipedia.org/wiki/HTTP_cookie

    What are Computer Cookies? Kayne R. (2010). Retrieved on May 25, 2010 from http://www.wisegeek.com/what-are-computer-cookies.htm



  6. A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device, or set of devices, configured to permit or deny network traffic based on a set of rules and other criteria such as source and destination address, protocol, port and connection state.
    Firewalls can be implemented in hardware, in software, or in a combination of both. They are frequently used to prevent unauthorized Internet users from reaching private networks connected to the Internet, especially intranets. All traffic entering or leaving the intranet passes through the firewall, which examines each packet and blocks those that do not meet the specified security criteria. A firewall is a good security investment because it is a single choke point at which a default-deny policy can be enforced and logged, which is cheap compared with hardening every host individually. It is not a complete defence: it cannot inspect what it is configured to allow (an attack inside a permitted HTTP request passes straight through), and a misordered or over-permissive rule silently opens a hole, so the ruleset needs review as much as the device needs buying.
    Some firewall vendors that can be found on the Internet:
    - ZoneAlarm Pro Firewall 2010: software only (a personal firewall with anti-spyware protection).
    - Prisma Firewall: software only.
    - WatchGuard Firebox X6500e: a hardware appliance shipped with its own firewall software, i.e. both.
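    What the rule list of any of these products does at its core, as an added example written for this page (not code from any vendor's product): a first-match packet filter with a default-deny policy, and the same blocklist rule placed last versus first to show that rule order decides whether it blocks anything. The addresses, the ruleset and the packet representation are constructed for the illustration.

```python
# First-match packet filter with default deny, to show what a firewall ruleset
# does and why rule order matters.  Added example for this page, not code from
# any vendor; the addresses and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int
    state: str          # "new" or "established", as a stateful firewall tracks it

@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    state: Optional[str] = None

def matches(rule, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.state in (None, pkt.state))

def evaluate(rules, pkt):
    """Return (action, index of the deciding rule); no match means deny, index -1."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", -1               # default deny: anything not explicitly allowed is dropped

WEB = "192.0.2.10"                  # constructed DMZ web server
ADMIN_NET = "10.0.0.0/24"           # constructed management network
BAD_NET = "203.0.113.0/24"          # constructed network we want to block entirely

BASE_RULES = [
    Rule("allow", state="established"),                          # replies of accepted sessions
    Rule("allow", dst=WEB, proto="tcp", dport=80, state="new"),
    Rule("allow", dst=WEB, proto="tcp", dport=443, state="new"),
    Rule("allow", src=ADMIN_NET, dst=WEB, proto="tcp", dport=22, state="new"),
]
# The same block rule appended vs. prepended: only the second version stops BAD_NET's web traffic.
BLOCK_LAST = BASE_RULES + [Rule("deny", src=BAD_NET)]
BLOCK_FIRST = [Rule("deny", src=BAD_NET)] + BASE_RULES
```

    Under `BASE_RULES`, HTTP from anywhere reaches the web server, SSH reaches it only from the management network, and everything else, including SSH from the Internet, hits the implicit deny. `BLOCK_LAST` looks like it blocks the bad network but never gets the chance for port 80, because rule 1 already matched; `BLOCK_FIRST` does what the administrator meant.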

    Reference:
    Firewall (computing). Wikipedia. 2010. Wikimedia Foundation, Inc. Retrieved on May 7, 2010 from http://en.wikipedia.org/wiki/Firewall_(computing)

    Best Firewall Software - Editors choice. Retrieved on May 7, 2010 from


  7. In order to create trust among potential customers, an e-commerce site should provide the necessary security measures at both the network and the transaction level. According to Gaebler.com, there are three ways to convey trust in an electronic business:
    E-commerce Security
    To protect customers from viruses or network intrusion, the company should deploy security products that protect its internal infrastructure (servers, databases, etc.) from external attacks and that secure the data exchanged between its web servers and the clients' browsers. Protection of the internal infrastructure is achieved with firewalls, intrusion detection systems and similar controls; data in transit on the web is secured with SSL and digital certificates.
    Privacy in e-commerce transactions
    Customers are concerned about the purpose for which, and the way in which, the company will use their personal details and financial information. The company should publish its privacy policy and ask for the customer's agreement to it at registration.
    E-commerce reliability
    Last but not least, the key to success is to fulfil customers' needs as soon as possible. This is a matter of service levels: a good reputation is built by timely delivery of goods, good customer service, and so on.
    Quality certifications should also be provided in a form the customer can verify. Third parties certify e-commerce web sites and provide certificates of trust and seals of approval, for example TRUSTe (www.truste.org), BBBOnline (www.bbbonline.org) and VeriSign (www.verisign.com). Of the measures above, the customer can actually verify only a few: the SSL certificate (the padlock, the certificate's issuer and whether its name matches the site's domain), the existence of a privacy policy, and a trust seal, but only by clicking through to the issuer's own site to confirm the listing, since the seal image itself can be copied by anyone. Firewalls and intrusion detection on the merchant's side are invisible to the customer and must be taken on trust.

    References:
    Gaebler.com. (2010). Conveying Trustworthiness in E-Commerce. Retrieved 28 May 2010 from: http://www.gaebler.com/Conveying-Trustworthiness-in-E-Commerce.htm



  8. Pretty Good Privacy (PGP) was created by Philip Zimmermann in 1991. It is a computer program that provides cryptographic privacy and authentication, and it is commonly used for signing, encrypting and decrypting e-mail to raise the security of e-mail communications.
    PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography and, finally, public-key cryptography; each step uses one of several supported algorithms. The message is hashed and the hash signed with the sender's private key, the message is compressed, the compressed data is encrypted with a random symmetric session key, and that session key is encrypted with each recipient's public key (the same hybrid scheme as SET and SSL). Each public key is bound to a user name and/or an e-mail address. PGP's original way of establishing that binding is known as the web of trust, in contrast to the X.509 system, which uses a hierarchical approach based on certificate authorities and was added to PGP implementations later. Current versions of PGP support both options through an automated key management server.

    In August 2002, several ex-PGP team members formed a new company, PGP Corporation, and bought the PGP assets (except for the command-line version) from NAI. The new company was funded by Rob Theis of Doll Capital Management (DCM) and Terry Garnett of Venrock Associates. PGP Corporation supports existing PGP users and honors NAI's support contracts. Zimmermann now serves as a special advisor and consultant to PGP Corporation, as well as continuing to run his own consulting company. In 2003, PGP Corporation created a new server-based product called PGP Universal. In mid-2004, PGP Corporation shipped its own command-line version called PGP Command Line, which integrates with the other PGP Encryption Platform applications. In 2005, PGP Corporation made its first acquisition, the German software company Glueck and Kanja Technology AG, which is now PGP Deutschland AG. In 2010, PGP Corporation acquired the Hamburg-based certificate authority TC TrustCenter and its parent company, ChosenSecurity, to form its PGP TrustCenter division. Since the 2002 purchase of NAI's PGP assets, PGP Corporation has offered worldwide PGP technical support from its offices. On April 29, 2010 Symantec Corp. announced that it will acquire PGP for $300 million with the intent of integrating it into its Enterprise Security Group.


     

