Electronic Commerce Securityand Computer Forensics David Dampier Department of Computer Science & Engineering Center for Computer Security Research email@example.com http://www.cse.msstate.edu/~security
Pervasive Inexpensive Easy to use No one in charge Robust Used extensively today Intrinsically insecure Expensive to secure Hard to secure - an afterthought No one responsible Ill defined boundaries Laws of use not clear Paradox of the Internet
What is EC Security? • A special case of network security • A special case of client server security • An evolving area of computer science • Digital cash • Internet banking • Store fronts versus Store reality • International market place … • Still an area of immense temptation for the criminal element
What are the threats? • First - the traditional threats apply • Confidentiality, Integrity, Availability, Accountability • Malicious code • Network vulnerabilities • Others ??? • Second - Additional privacy concerns surface (…ethics concerns) • cookies • buying habits and profiling • shared databases (???) • short term and long term storage of sensitive data • others ...
More threats ... • Authentication takes on a new role • Who is the buyer? • Who is the seller? • Is the seller real? • Where is the seller? • Non-repudiation is important • Accountability for seller and buyer actions • Availability • loss of access equals loss of revenue • recovery procedures are very important • The greatest threat to E-Commerce today (arguable perhaps…)
A Simple View Client Server • E-Commerce protection must include data in transit; • data in processing; and, data in storage • over an open network • in a client server environment
Security Requirements include • Transaction integrity • Confidentiality of the transaction • Mutual authentication of all parties (customer, store, bank) • Non-repudiation • Timely service • Record keeping • Protection of the systems against intrusion
Client Side Security • Essentially “web browser” security • Two main risks have emerged • Vulnerabilities in the Web Browser software • Risk of Active Content • Active Content (mobile code) • Java and Java Applets • Active X controls • Push technology • MS Macros • Plugin’s
Secure Transport • Secure Channels • Secure Sockets Layer (SSL) • Secure HTTP (S-HTTP) • Smart Cards carrying a private key for encryption • E-Cash protocols
Web Server Side • Typically a front end web server, backend database, and interface software (e.g., CGI scripts). • Firewalls are most useful here - but varying degrees of strength and responsiveness • Operating system security an issue (for both the network OS and the server OS)
Solution Sets ... • Encryption plays a very big role • SSL, S-HTTP • Digital Signatures • Certificates (X.509 - PKI) • PGP • Firewalls • Trusted OS and products • Disaster recovery plans • Education and awareness • Law
Public Key Infrastructure • Enables the Use of Public Key Technology • Parts • Certificate Maintenance Issuance, Reissuance, Revocation • Certificate Availability • Interoperations
Jane Doe Acme public Answer:Public Key Infrastructure • Getting public-key materials private Where they are needed When they are needed
Internet PKI for Dummies PKI for Dummies Doing Business With Keys Xyl?wk$ 4417 5712 1238 51961 amazon.com public private Sold 4417 5712 1238 51961 But where did the key come from?
Identity Card Something you have Something you are ATM Card Something you have Something you know Jane Doe Acme public Certificate: ID? Or ATM Card? A Certificate is Three Things • An ID Card • A Notarized Signature • A Scrambling Device Mississippi Jane Doe 105 Lee Street Anywhere, MS 39759 plaintext X&8uj*l.
Internet Jane Doe Acme public PKI for Dummies PKI for Dummies Doing Business With Certificates Xyl?wk$ 4417 5712 1238 51961 public amazon.com private Sold! 4417 5712 1238 51961 But where did the certificate come from?
Certifying Authorities • Public Key technology is powerful - but you can’t keep everyone’s public key on your hard drive • hundreds of thousands of users globally • expiration and maintenance issues • More practical to rely on trusted “third parties” - Certifying authorities
Certifying Authorities • A commercial enterprise that vouches for the identities of individuals and organizations. • Browsers have public keys of well known CA’s built in. • Certificates are (for most practical purposes) viewed as “untamperable” and “unforgeable” • VeriSign, AT&T, BBN, CeriSign, and others (check your browser)
A Process for Secure EC • Assess your risks • Secure the Infrastructure • Secure your Internet Connections • Secure Electronic Commerce • Disaster Recovery - David Cullinane - “Electronic Commerce Security, 1999
Assessing Risk - • Conduct a Threat and Vulnerability Analysis • What are the threats to your information assets • How vulnerable are each of those threats • What would be the business impact if each of the threats were to occur • What controls are available/needed to mitigate the threats • Identify and Prioritize (...and build a plan) • address the threats and vulnerabilities • insure plan is consistent with business objectives and cost • plan fits with organizational culture?
Secure the Infrastructure • Concerned with OS security, external connectivity, & network security ... • Develop an Information Security Architecture • “…a structure for implementing security across an enterprise” • defines the organization of the information security program • the foundation of a solid information security program
Secure Internet Connection • Based on Firewall protection primarily • Recall - firewalls vary in trust and capability • Defense in depth is suggested • Tradeoff between security and ease of access is a business and risk decision • There is no cookbook solution
Disaster Recovery • Continuity of operation plans • Written down, practiced, realistic and implementable • Backups • Hot/Cold sites • Usually overlooked • Finding out what happened.
Basics of Computer Forensics Mississippi State University Dept Of Computer Science and Engineering
What is Forensics? • Forensics is the application of scientific techniques of investigation to the problem of finding, preserving and exploiting evidence to establish an evidentiary basis for arguing about facts in court cases
What is Computer Forensics? • Computer forensics is forensics applied to information stored or transported on computers • It “Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis” • Procedures are followed, but flexibility is expected and encouraged, because the unusual will be encountered.
Categories of Computer Crime • Computer used to conduct the crime • Child Pornography/Exploitation • Threatening letters • Fraud • Embezzlement • Theft of intellectual property • Computer is the target of the crime • Incident Reponse • Security Breach
What is the evidence? • Bytes • Files • Present • Deleted • Encrypted • Fragments of Files • Words • Sentences • Paragraphs
Where do we find it? • Storage Media • Hard Disks • Floppy Disks • CDs, Zip disks, tapes, etc. • Thumb Drives • RAM • Log Files
What do we do with it? • Acquire the evidence without altering or damaging the original. • Authenticate that your recovered evidence is the same as the originally seized data. • Analyze the data without modifying it. • Be prepared to testify about it in a court of law.
Acquire the evidence • How do we seize the computer? • How do we handle computer evidence? • What is chain of custody? • Evidence collection • Evidence Identification • Transportation • Storage • Documenting the Investigation
Authenticate the Evidence • Prove that the evidence is indeed what the criminal left behind. • Readable text or pictures don’t magically appear at random. • Calculate a hash value for the data • CRC • MD5
Analysis • Always work from an image of the evidence and never from the original. • Prevent damage to the evidence • Make two backups of the evidence in most cases. • Analyze everything, you may need clues from something seemingly unrelated.
Analysis (cont.) • Existing Files • mislabelled • Deleted Files • Show up in directory listing with in place of first letter • “Dave.txt” appears as “ ave.txt” • Free Space • Slack Space • Swap Space
0 0 0 1 1 1 2 2 2 3 3 3 4 4 4 5 5 5 511 511 511 Storage Media Basics • Sector: 512 Bytes • Cluster (Block): 2 or more clusters (up to 64) …
0 0 0 1 1 1 2 2 2 3 3 3 4 4 4 5 5 5 511 511 511 Slack Space • RAM Slack: That portion of a sector that is not overwritten in memory. • Disk Slack: Those sectors of the cluster that are not needed to store file. RAM Slack … EOF Disk Slack EOF
0 0 1 1 2 2 3 3 4 4 5 5 511 511 Slack Space • File Slack: Last cluster of file isn’t filled up completely, so data from the last use of that cluster isn’t overwritten. • File Slack = Disk Slack + RAM Slack File Slack RAM Slack Disk Slack EOF
Free Space • That portion of the Media that is not currently in use. • Could have been used before, but not overwritten. • Especially true today with very large disks • Can we really erase a hard drive? • Even if formatted, the data is not lost.
Data Hiding • Obfuscating Data • Encrypted • Compressed • Hiding Data • In plain sight – innocent looking data has alternate meaning • Within File system
Data Hiding in File System • In a File • Steganography • Invisible names • Misleading names • Obscurity • No names • Not in file • Slack, swap, free space • Removable Media
Password crackers Hard Drive Tools Fdisk on Linux Viewers QVP Diskview Thumbsplus Unerase tools CD-R Utilities Text search tools Drive Imaging Safeback Linux dd Disk Wiping Forensic Toolkits Forensic Computers Tools
Contact Information Dr. David Dampier Department of Computer Science and Engineering Box 9637, 300 Butler Hall Mississippi State, MS 39762-9637 (011)(662)325-2756 Dampier@cse.msstate.edu