
E-commerce and Security-CIPS Conference Spring 1999 - PowerPoint PPT Presentation




E-Commerce & Information Security

Marc Rogers, M.A., EDS Systemhouse Inc.

Dept. of Psychology, University of Manitoba

Agenda

  • E-Commerce Security & Vulnerabilities

  • Attack Trends

  • Computer Crime Impact Survey

  • Attacker Profile

  • Case Studies

  • Conclusions

E-Commerce & Security

  • A national poll of 1,000 Americans

  • 13 percent of those polled indicated they have no fears about electronic commerce.

  • The most popular concern was "privacy and security," which was cited by 53 percent of the sample.

    *Source: Market Facts Inc.

E-Commerce & Security

  • Securing e-commerce must occur on five fronts:

    • (1) securing the data transaction,

    • (2) securing the Web clients,

    • (3) securing the Web server,

    • (4) securing the network server operating system,

    • (5) securing the data in storage.

E-Commerce & Security

  • To date only the data-transaction protocols (SET, SSL) have received real attention and have well-developed security properties.

  • Security is only as strong as the weakest component.

  • A failure to secure any one of the five components of electronic commerce may result in the entire system being insecure.

  • If one component is much more secure than others then criminals will attack the weakest component (the path of least resistance).

E-Commerce & Security

  • Webservers

    • Flaws, shortcomings, or even features in a Web server can provide a gateway for a malicious intruder to break into corporate systems

  • Webclients

    • Java applets, ActiveX controls, JavaScript, VBScript, browser plug-ins, and e-mail attachments all pose potential security and privacy hazards for e-commerce end-users.

E-Commerce & Security

  • Network Server Operating System

    • If the OS is insecure then data is at risk.

  • Data Storage

    • If the data is stored in clear text or on unprotected servers it is at risk (e.g., from an insider or a Trojan horse).

E-Commerce & Security


(Image slide: Department of Justice)

E-Commerce & Security

  • Data Transaction Protocols:

    • Lack of “one” international standard security protocol

    • SET is the closest thing, but…

      • Interoperability?

      • Certificate Management?

Research and Surveys

  • Security an obvious concern

  • What is actually happening?

  • Is the sky really falling?

  • Information Security too “marketing driven”

  • Research and “objective” surveys

CERT/CC

  • CERT/CC Study 1989-95

  • Researcher:

    • J. D. Howard, Ph.D., Carnegie Mellon University

  • Empirical study: “An Analysis of Security Incidents on the Internet 1989-1995”

CERT/CC

Total number of incidents analyzed 4,567

  • False Alarms: 268 (5.9%)

  • Remaining: 4,299 (94.1%)

  • Unauthorized Access: 89.4 %

  • Unauthorized Use: 10.6 %

CERT/CC

  • Attacks take advantage of vulnerabilities

    • Implementation

    • Design

    • Configuration

  • 4 Results of an Attack

    • Corruption of Information

    • Disclosure of Information

    • Theft of Service

    • Denial of Service

CERT/CC

  • Attacks are becoming more sophisticated

    • Progressed from simple user command, script and password cracking (sniffers, crackers) in 1993-94, to intricate techniques that fooled the basic operations of IP (spoofing).

  • But hackers are less skilled

CERT/CC

  • Attackers have become more difficult to locate and identify.

    • In earlier attacks the “hackers” tended to be a few individuals confined to a specific location or group of locations; because of this confinement they were usually easy to identify.

    • More recent, more sophisticated attacks, combined with the exponential growth of the Internet, let “hackers” operate from many different locations and so in near obscurity.

CERT/CC

  • Attacks have a 3 phase approach:

    • 1) Gain access to an account on a target system

    • 2) Exploit vulnerabilities to gain privileged (root/admin) access on the system

    • 3) Use the privileged access to attack other systems across the network.
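The three phases above, run as a correlation over a log. This is an added example, not from the original slides or from CERT/CC; the event format, host names and user names are assumptions, and the sample events are constructed for the demo. A host is flagged only when an account login is followed by escalation to root and then by outbound connections to at least two other hosts inside a time window, which separates the pattern from ordinary admin work or normal application traffic.

```python
# Added example (not from the original slides): correlating the three attack
# phases over a constructed event log. Format, hosts and users are assumed.
from collections import defaultdict

# Constructed sample events: (timestamp, host, event, detail)
SAMPLE_EVENTS = [
    (100, "web1", "login", "user=jdoe src=10.0.0.5"),            # phase 1
    (160, "web1", "priv_escalation", "user=jdoe became=root"),   # phase 2
    (200, "web1", "outbound", "dst=db1 port=22"),                # phase 3
    (205, "web1", "outbound", "dst=fileserver port=22"),
    (210, "web1", "outbound", "dst=mail port=22"),
    (300, "web2", "login", "user=asmith src=10.0.0.9"),
    (320, "web2", "outbound", "dst=db1 port=5432"),      # app traffic, no escalation
    (400, "web3", "priv_escalation", "user=ops became=root"),  # admin work, no fan-out
]


def parse_detail(detail):
    """Turn 'k=v k=v' into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split())


def find_three_phase_attacks(events, window=600, min_targets=2):
    """Return {host: info} for hosts where, in order and within `window`
    seconds of the login: (1) an account logs in, (2) that session gains
    root, (3) the host then opens connections to >= min_targets other hosts."""
    by_host = defaultdict(list)
    for ts, host, ev, detail in sorted(events):
        by_host[host].append((ts, ev, parse_detail(detail)))

    hits = {}
    for host, evs in by_host.items():
        login_ts = root_ts = None
        targets = set()
        for ts, ev, d in evs:
            if ev == "login":                      # phase 1 starts a new session
                login_ts, root_ts, targets = ts, None, set()
            elif ev == "priv_escalation" and login_ts is not None \
                    and d.get("became") == "root":  # phase 2 needs a prior login
                root_ts = ts
            elif ev == "outbound" and root_ts is not None \
                    and ts - login_ts <= window:     # phase 3 needs prior root
                targets.add(d["dst"])
        if login_ts is not None and root_ts is not None and len(targets) >= min_targets:
            hits[host] = {"login": login_ts, "root": root_ts, "targets": sorted(targets)}
    return hits


if __name__ == "__main__":
    for host, info in find_three_phase_attacks(SAMPLE_EVENTS).items():
        print(host, info)
```

A real deployment would feed this from authentication logs and flow records rather than a list, and would key on the user as well as the host; the point is that none of the three phases is suspicious on its own, so detection has to correlate them in order.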

CERT/CC

  • Unauthorized-use incidents are growing 9% per year faster than the number of Internet hosts.

  • 1996: 13 million hosts

  • Estimated for Jan 2001: 200 million hosts

CSI/FBI 1998-99

  • Joint survey between CSI and the FBI International Computer Crime Squad.

  • Surveyed Fortune 500 corporations, financial and medical institutions, and government agencies.

CSI/FBI 1998-99

  • 62% reported computer security breaches

  • 51% of respondents acknowledged suffering financial loss from breaches.

  • 31% able to quantify their losses

  • Total loss $123,779,000.00 USD

  • 57% reported Internet connections as the point of attack in 1998-99 as compared to 37% in 1997-98.

Case Study

  • March 1997

  • Carlos Felipe Salgado Jr. AKA “SMAK”

    • 36 yrs old

    • Daly City, California

  • Account compromised at University of California at San Francisco (UCSF)

  • San Diego ISP compromised

  • Packet Sniffer detected

Case Study

  • “SMAK” wants to sell CC numbers

  • FBI uses an informant to obtain sample CC numbers (710) at $1.00 each

  • CC numbers are legitimate

  • “SMAK” claims to have compromised systems in Asia, Latin America, Germany, and Europe

  • Used Trojans

Case Study

  • Informant sets up a deal between “SMAK” and the FBI (posing as Mafia)

  • Agreement to pay $260,000.00 for the remaining CC numbers

  • Exchange to take place at San Francisco Intl. Airport

  • “SMAK” edgy - makes an encrypted CD-ROM with the database

Case Study

  • “SMAK” arrested with the CD-ROM; the encryption key was discovered to be a passage from a book he had in his possession

  • He admitted criminal activity

  • Cooperative
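Two earlier points meet in this slide: data stored in clear text is at risk, and an encryption key that is itself a passage from a book in the suspect's possession is no key at all. The following added example (not from the original slides, the FBI or any party named in the case) shows both. It builds a small encrypt-then-MAC cipher from HMAC-SHA256 and PBKDF2, standard library only so it runs anywhere (a production system would use a vetted AEAD such as AES-GCM), stores constructed card records three ways, and shows what an attacker holding the stored data and a copy of the same book can recover. All records, passphrases, the salt and the "book" sentences are constructed test data.

```python
# Added example (not from the original slides): stored card data with
# (a) no protection, (b) a key from a random passphrase, (c) a key from a
# sentence of a book the attacker also owns. Cipher = HMAC-SHA256 keystream in
# counter mode + separate HMAC tag (encrypt-then-MAC); use a vetted AEAD in
# production. All data below is constructed.
import hashlib
import hmac
import secrets


def derive_key(passphrase: str, salt: bytes, iterations: int = 20_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    k_enc, k_mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # wrong key or tampered data
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


# Constructed card records, as they might sit in a merchant database.
RECORDS = b"4111111111111111,12/01\n5555555555554444,06/00\n"
SALT = b"constructed-salt"

# Constructed "book" the attacker also has; the suspect used sentence 3 as key.
BOOK_SENTENCES = [
    "It was the best of times.",
    "Call me Ishmael.",
    "All happy families are alike.",
    "In a hole in the ground there lived a hobbit.",
]


def guess_passphrase(blob: bytes, candidates, salt: bytes = SALT):
    """Attacker with the ciphertext tries candidate passphrases; the tag
    check tells them when they have the right one. Returns it or None."""
    for cand in candidates:
        try:
            decrypt(derive_key(cand, salt), blob)
            return cand
        except ValueError:
            continue
    return None


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit; an authenticated store must reject it."""
    flipped = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    try:
        decrypt(key, flipped)
        return False
    except ValueError:
        return True


def demo():
    stored_clear = RECORDS                                                # (a)
    blob_book = encrypt(derive_key(BOOK_SENTENCES[2], SALT), RECORDS)     # (c)
    blob_random = encrypt(derive_key(secrets.token_urlsafe(24), SALT), RECORDS)  # (b)
    return {
        "clear_leaks_pan": b"4111111111111111" in stored_clear,
        "book_key_recovered": guess_passphrase(blob_book, BOOK_SENTENCES),
        "random_key_recovered": guess_passphrase(blob_random, BOOK_SENTENCES),
    }


if __name__ == "__main__":
    print(demo())
```

The lesson is the one the slides draw: the cipher is the strong component, and the attacker goes around it. With the book in hand the search space is the number of sentences in the book, so the key derivation's iteration count buys almost nothing; with a random passphrase the same search fails.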

Case Study

  • 86,326 account numbers

  • 32,526 Visa numbers

  • 1,214 issuers impacted (banks, credit unions, brokerages, S&Ls)

Case Study

  • FBI concluded: “On-line commerce tempting target for those willing and able to exploit its weaknesses.”

  • Salgado sentenced:

    • 2 1/2 years incarceration

    • 5 years probation

    • Fines and restitution orders

    • No access to computers and related devices

Conclusions

  • E-commerce growing in record numbers

  • Primary concern is security

  • Only as strong as the weakest link (Web clients, Web servers, data storage)

  • Strong motivation to attack systems

  • Contrary to media and some vendors - the sky is not falling…but beware of dark alleys