E-Commerce & Information Security

Marc Rogers, M.A., EDS Systemhouse Inc.

Dept. of Psychology, University of Manitoba

Agenda
  • E-Commerce Security & Vulnerabilities
  • Attack Trends
  • Computer Crime Impact Survey
  • Attacker Profile
  • Case Studies
  • Conclusions
E-Commerce & Security
  • A national poll of 1,000 Americans
  • 13 percent of those polled indicated they have no fears about electronic commerce.
  • The most popular concern was "privacy and security," which was cited by 53 percent of the sample.

Source: Market Facts Inc.

  • Securing e-commerce must occur on five fronts:
    • (1) securing the data transaction
    • (2) securing the Web clients
    • (3) securing the Web server
    • (4) securing the network server operating system
    • (5) securing the data in storage
  • To date, only the data-transaction layer has seen recognized security protocols developed and adopted (SET, SSL).
  • Security is only as strong as the weakest component.
  • A failure to secure any one of the five components of electronic commerce may leave the entire system insecure.
  • If one component is much more secure than the others, criminals will attack the weakest component (the path of least resistance).
  • Web servers
    • Flaws, shortcomings, or even features in a Web server can provide a gateway for a malicious intruder to break into corporate systems.
  • Web clients
    • Java applets, ActiveX controls, JavaScript, VBScript, browser plug-ins, and e-mail attachments all pose potential security and privacy hazards for e-commerce end-users.
  • Network server operating system
    • If the OS is insecure, the data on it is at risk.
  • Data storage
    • If the data is stored in clear text or on unprotected servers it is at risk (e.g., insider threat, trojan horse).
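The clear-text storage point above, as an added Python example that is not from the presentation: the same order records written two ways, and what an insider or a trojan with read access to the raw table recovers from each. The hardened variant chosen here is HMAC-SHA256 tokenization with the key held outside the database (an assumption for the demo; a real merchant would more often keep only the payment processor's token, or use authenticated encryption under a managed key). The card numbers are the industry test numbers, not real accounts; the table and function names are invented.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample PANs: industry test-card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]


def luhn_ok(pan: str) -> bool:
    """Luhn check: rejects typos, and lets us spot full PANs in a raw table dump."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the merchant's order database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders_clear (order_id INTEGER PRIMARY KEY, pan TEXT)")
    conn.execute("CREATE TABLE orders_tok (order_id INTEGER PRIMARY KEY, pan_token TEXT, last4 TEXT)")
    return conn


def store_clear(conn, pan: str) -> int:
    """Weak pattern: the full card number lands in the table exactly as entered."""
    return conn.execute("INSERT INTO orders_clear (pan) VALUES (?)", (pan,)).lastrowid


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256): without the key it cannot be inverted or brute-forced."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_tokenized(conn, pan: str, key: bytes) -> int:
    """Hardened pattern: only a keyed token and the last four digits are written."""
    if not luhn_ok(pan):
        raise ValueError("invalid card number")
    return conn.execute(
        "INSERT INTO orders_tok (pan_token, last4) VALUES (?, ?)",
        (pan_token(pan, key), pan[-4:]),
    ).lastrowid


def find_orders_by_pan(conn, pan: str, key: bytes) -> list:
    """Repeat-customer lookup still works: tokenize the query value the same way."""
    rows = conn.execute(
        "SELECT order_id FROM orders_tok WHERE pan_token = ? ORDER BY order_id",
        (pan_token(pan, key),),
    )
    return [r[0] for r in rows]


def pans_exposed(conn, table: str) -> list:
    """Simulates an insider or trojan dumping the raw table: every full PAN it recovers."""
    assert table in ("orders_clear", "orders_tok")   # fixed names, never user input
    found = set()
    for row in conn.execute(f"SELECT * FROM {table}"):
        for cell in row:
            if isinstance(cell, str) and luhn_ok(cell):
                found.add(cell)
    return sorted(found)


def demo() -> dict:
    # Key generated here for the demo; in production it lives in an HSM/KMS,
    # never in the same store as the data it protects (assumption, not from the slides).
    key = secrets.token_bytes(32)
    conn = open_db()
    for pan in SAMPLE_PANS:
        store_clear(conn, pan)
        store_tokenized(conn, pan, key)
    store_tokenized(conn, SAMPLE_PANS[0], key)      # the same customer orders again
    return {
        "exposed_clear": pans_exposed(conn, "orders_clear"),
        "exposed_tokenized": pans_exposed(conn, "orders_tok"),
        "repeat_orders": find_orders_by_pan(conn, SAMPLE_PANS[0], key),
    }


if __name__ == "__main__":
    print(demo())
```

Reading the clear-text table yields every card number; reading the tokenized table yields none, yet the merchant can still link a returning customer's orders. The token only protects if the key is kept off the database host: an insider who can read both the rows and the key is back to the clear-text case, which is the weakest-link argument of the slides applied to storage.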
Department of Justice (slide image, not reproduced in the transcript)
  • Data transaction protocols:
    • Lack of “one” international standard security protocol
    • SET is the closest thing, but…
      • Interoperability?
      • Certificate management?
Research and Surveys
  • Security is an obvious concern
  • What is actually happening?
  • Is the sky really falling?
  • Information security is too “marketing driven”
  • Research and “objective” surveys
  • CERT/CC Study 1989-95
  • Researcher:
    • J. D. Howard, Ph.D., Carnegie Mellon University
  • Empirical study: “An Analysis of Security Incidents on the Internet”
Total number of incidents analyzed: 4,567

  • False alarms: 268 (5.9%)
  • Remaining: 4,299 (94.1%)
  • Unauthorized access: 89.4%
  • Unauthorized use: 10.6%
  • Attacks take advantage of vulnerabilities
    • Implementation
    • Design
    • Configuration
  • 4 Results of an Attack
    • Corruption of Information
    • Disclosure of Information
    • Theft of Service
    • Denial of Service
  • Attacks are becoming more sophisticated: they progressed from simple user-command, script and password-cracking attacks (sniffers, crackers) in 1993-94 to intricate techniques that fooled the basic operations of IP (spoofing).
  • But the hackers using these techniques are, on average, less skilled.
  • Attackers have become more difficult to locate and identify.
      • In earlier attacks the “hackers” tended to be a few individuals confined to one location or a small group of locations, which made them relatively easy to identify.
      • More recent, more sophisticated attacks, combined with the exponential growth of the Internet, let “hackers” operate from many different locations and therefore in near obscurity.
  • Attacks have a three-phase approach:
      • 1) Gain access to an account on a target system
      • 2) Exploit vulnerabilities to gain privileged (root/admin) access on that system
      • 3) Use the privileged access to attack other systems across the network
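The three phases above, turned into detection logic as an added Python example (not from the presentation or from Howard's study): it correlates, per host and user, an accepted login, a later escalation to root by the same user, and then outbound connections from that host to several other machines. The log lines are constructed; the login and su formats follow the usual OpenSSH and su syslog messages, and the "OUTBOUND" firewall log prefix is an assumed local configuration. Hosts, users, addresses and the one-hour window are all invented for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample (hosts, users and addresses are invented).
# web1: password login -> su to root -> connections to two other internal hosts.
# db1:  key-based login and su to root by an operator, but no fan-out afterwards.
SAMPLE_LOG = """\
Mar 12 02:14:07 web1 sshd[4412]: Accepted password for jsmith from 203.0.113.7 port 51022 ssh2
Mar 12 02:16:40 web1 su: (to root) jsmith on pts/1
Mar 12 02:19:05 web1 kernel: OUTBOUND IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=23
Mar 12 02:19:06 web1 kernel: OUTBOUND IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.12 PROTO=TCP DPT=23
Mar 12 03:02:11 db1 sshd[917]: Accepted publickey for ops from 10.0.0.2 port 40110 ssh2
Mar 12 03:05:00 db1 su: (to root) ops on pts/0
Mar 12 09:30:00 web1 sshd[5101]: Accepted password for jsmith from 203.0.113.7 port 51900 ssh2
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
LOGIN_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SU_RE = re.compile(TS + r"su: \(to root\) (?P<user>\S+) on ")
OUT_RE = re.compile(TS + r"kernel: OUTBOUND .*\bDST=(?P<dst>\S+)")


def parse_ts(text: str) -> datetime:
    # Syslog timestamps carry no year; ordering within one file is all we need here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_three_phase(log_text, window=timedelta(hours=1), min_targets=2):
    """One alert per login that is followed, within `window`, by a root escalation
    by the same user and then by outbound connections from that host to at least
    `min_targets` distinct destinations."""
    logins = defaultdict(list)        # (host, user) -> [(ts, source ip)]
    escalations = defaultdict(list)   # (host, user) -> [ts]
    outbound = defaultdict(list)      # host -> [(ts, destination)]
    for line in log_text.splitlines():
        if m := LOGIN_RE.match(line):
            logins[(m["host"], m["user"])].append((parse_ts(m["ts"]), m["src"]))
        elif m := SU_RE.match(line):
            escalations[(m["host"], m["user"])].append(parse_ts(m["ts"]))
        elif m := OUT_RE.match(line):
            outbound[m["host"]].append((parse_ts(m["ts"]), m["dst"]))

    alerts = []
    for (host, user), entries in logins.items():
        for login_ts, src in entries:
            # Phase 2: first root escalation by the same user inside the window.
            root_ts = next((t for t in sorted(escalations[(host, user)])
                            if login_ts <= t <= login_ts + window), None)
            if root_ts is None:
                continue
            # Phase 3: distinct hosts contacted from this box after the escalation.
            # Outbound traffic is attributed to the host, not the user, so a busy
            # multi-user machine needs a tighter window or per-process attribution.
            targets = sorted({dst for t, dst in outbound[host]
                              if root_ts <= t <= root_ts + window})
            if len(targets) >= min_targets:
                alerts.append({"host": host, "user": user, "source": src,
                               "login": login_ts.strftime("%b %d %H:%M:%S"),
                               "root_at": root_ts.strftime("%b %d %H:%M:%S"),
                               "targets": targets})
    return alerts


if __name__ == "__main__":
    for alert in detect_three_phase(SAMPLE_LOG):
        print(alert)
```

Only the web1/jsmith chain fires: the operator on db1 escalated to root but never fanned out, and jsmith's later login never escalated. An attacker who lands directly on a privileged account skips phase 2, so the escalation step should be treated as corroboration rather than a required link in production rules.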
  • Unauthorized-use incidents grew about 9% per year faster than the number of Internet hosts.
  • 1996: 13 million hosts
  • Estimated for January 2001: 200 million hosts
CSI/FBI 1998-99
  • Joint survey between CSI and the FBI International Computer Crime Squad.
  • Surveyed Fortune 500 corporations, financial and medical institutions, and government agencies.
  • 62% reported computer security breaches.
  • 51% of respondents acknowledged suffering financial loss from breaches.
  • 31% were able to quantify their losses.
  • Total reported loss: $123,779,000 USD.
  • 57% reported Internet connections as the point of attack in 1998-99, compared with 37% in 1997-98.
Case Study
  • March 1997
  • Carlos Felipe Salgado Jr., AKA “SMAK”
      • 36 years old
      • Daly City, California
  • Account compromised at the University of California at San Francisco (UCSF)
  • San Diego ISP compromised
  • Packet sniffer detected
  • “SMAK” wants to sell credit card numbers
  • FBI uses an informant to obtain sample card numbers (710) at $1.00 each
  • The card numbers are legitimate
  • “SMAK” claims to have compromised systems in Asia, Latin America, Germany, and elsewhere in Europe
  • Used trojans
  • Informant sets up a deal between “SMAK” and the FBI (posing as the Mafia)
  • Agreement to pay $260,000.00 for the remaining card numbers
  • Exchange to take place at San Francisco International Airport
  • “SMAK” is edgy and puts the database on an encrypted CD-ROM
  • “SMAK” arrested with the CD-ROM; the encryption key turned out to be a passage from a book he had in his possession
  • He admitted the criminal activity
  • Cooperative
  • 86,326 account numbers
  • 32,526 Visa numbers
  • 1,214 issuers were impacted (banks, credit unions, brokerages, S&Ls)

  • FBI concluded: “On-line commerce tempting target for those willing and able to exploit its weaknesses.”
  • Salgado was sentenced to:
    • 2 1/2 years incarceration
    • 5 years probation
    • Fines and restitution orders
    • No access to computers and related devices
Conclusions
  • E-commerce is growing in record numbers
  • The primary concern is security
  • Only as strong as the weakest link (Web clients, Web servers, data storage)
  • Strong motivation to attack systems
  • Contrary to the media and some vendors, the sky is not falling… but beware of dark alleys