E-Commerce & Information Security. Marc Rogers M.A., EDS Systemhouse Inc.; Dept. of Psychology, University of Manitoba
Agenda • E-Commerce Security & Vulnerabilities • Attack Trends • Computer Crime Impact Survey • Attacker Profile • Case Studies • Conclusions
E-Commerce & Security • A national poll of 1,000 Americans • 13 percent of those polled indicated they have no fears about electronic commerce. • The most popular concern was "privacy and security," which was cited by 53 percent of the sample. *Source: Market Facts Inc.
E-Commerce & Security • Securing e-commerce must occur on five fronts: • (1) securing the data transaction, • (2) securing the Web clients, • (3) securing the Web server, • (4) securing the network server operating system, and • (5) securing the data in storage.
E-Commerce & Security • To date only the data transaction protocols have gained recognition and development of secure properties (SET, SSL). • Security is only as strong as the weakest component. • A failure to secure any one of the five components of electronic commerce may result in the entire system being insecure. • If one component is much more secure than the others, criminals will attack the weakest component (the path of least resistance).
E-Commerce & Security • Network Server Operating System • If the OS is insecure, then the data is at risk. • Data Storage • If the data is stored in clear text or on unprotected servers, it is at risk (e.g., insider threat, Trojan horse, etc.).
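The data-storage point above (card data held in clear text is exposed to any insider or Trojan that can read the disk) can be checked for directly. The following is an added example, not part of the presentation: it scans a constructed storage dump for clear-text card numbers using the Luhn check and masks any it finds before the data is written back, so a later compromise of the store yields no usable numbers.

```python
import re

# Constructed sample of an order store (not from the presentation). The card
# numbers are well-known synthetic test values, not real accounts; the third
# row fails the Luhn check and the fourth is already tokenised.
SAMPLE_DUMP = """\
order=1001 name=A. Customer card=4111111111111111 exp=12/99
order=1002 name=B. Customer card=5500000000000004 exp=01/00
order=1003 name=C. Customer card=1234567890123456 exp=03/00
order=1004 name=D. Customer card=tok_7f3a9c exp=06/00
"""

# Candidate primary account numbers are 13 to 19 digit runs.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(text: str) -> list:
    """List every Luhn-valid card number stored in clear text."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def mask_pan(pan: str) -> str:
    """Keep the issuer prefix and last four digits; hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace Luhn-valid PANs with their masked form; leave other digits alone."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0),
        text,
    )


if __name__ == "__main__":
    for pan in find_cleartext_pans(SAMPLE_DUMP):
        print("clear-text PAN found:", mask_pan(pan))
    print(redact(SAMPLE_DUMP))
```

Masking is shown here for brevity; a production store would replace the PAN with a token or ciphertext whose key lives outside the data store, so that the insider or Trojan reading the disk still gets nothing usable.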
E-Commerce & Security VALUJET Department of Justice
E-Commerce & Security • Data Transaction Protocols: • Lack of “one” international standard security protocol • S.E.T. is the closest thing, but… • Interoperability? • Certificate Management?
Research and Surveys • Security an obvious concern • What is actually happening? • Is the sky really falling? • Information Security too “marketing driven” • Research and “objective” surveys
CERT/CC • CERT/CC Study 1989-95 • Researcher: • J. D. Howard Ph.D., Carnegie Mellon University • Empirical study: “The Analysis of Security Incidents on the Internet”
CERT/CC • Total number of incidents analyzed: 4,567 • False Alarms: 268 (5.9%) • Remaining: 4,299 (94.1%) • Unauthorized Access: 89.4% • Unauthorized Use: 10.6%
CERT/CC • Attacks take advantage of vulnerabilities • Implementation • Design • Configuration • 4 Results of an Attack • Corruption of Information • Disclosure of Information • Theft of Service • Denial of Service
CERT/CC • Attacks are becoming more sophisticated: they progressed from simple user commands, scripts and password cracking (sniffers, crackers) in 1993-94 to intricate techniques that fooled the basic operations of IP (spoofing, etc.) • But hackers are less skilled
CERT/CC • Attackers have become more difficult to locate and identify. • In earlier attacks the “hackers” tended to be a few individuals confined to a specific location or group of locations. Due to this confinement they were usually easy to identify. • More recent sophisticated attacks, combined with the exponential increase in the size of the Internet, allow “hackers” to operate from many different locations and in near obscurity.
CERT/CC • Attacks have a 3-phase approach: • 1) Gain access to an account on a target system • 2) Exploit vulnerabilities to gain privileged (root/admin) access on the system • 3) Use the privileged access to attack other systems across the network.
CERT/CC • Unauthorized use incidents are increasing 9% per year faster than the growth of Internet hosts. • 1996: 13 million hosts • Estimated by Jan 2001: 200 million hosts
CSI/FBI 1998-99 • Joint survey between CSI and the FBI International Computer Crime Squad. • Surveyed Fortune 500 corporations, financial and medical institutions, and government agencies.
CSI/FBI 1998-99 • 62% reported computer security breaches • 51% of respondents acknowledged suffering financial loss from breaches. • 31% were able to quantify their losses • Total loss: $123,779,000.00 USD • 57% reported Internet connections as the point of attack in 1998-99, as compared to 37% in 1997-98.
Case Study • March 1997 • Carlos Felipe Salgado Jr., AKA “SMAK” • 36 years old • Daly City, California • Account compromised at University of California at San Francisco (UCSF) • San Diego ISP compromised • Packet sniffer detected
Case Study • “SMAK” wants to sell CC numbers • FBI used an informant to obtain sample CC numbers (710) at $1.00 each • The CC numbers were legitimate • “SMAK” claimed to have compromised systems in Asia, Latin America, Germany, and Europe • Used Trojans
Case Study • Informant sets up a deal between “SMAK” and the FBI (posing as Mafia) • Agreement to pay $260,000.00 for the remaining CC numbers • Exchange to take place at San Francisco Intl. Airport • “SMAK” edgy; makes an encrypted CD-ROM with the database
Case Study • “SMAK” arrested with the CD-ROM; the key was discovered to be a passage from a book he had in his possession • He admitted criminal activity • Cooperative
Case Study • 86,326 Account numbers • 32,526 Visa numbers • 1,214 Issuers were impacted (Banks, CU’s, Brokerage, S&L’s)
Case Study • FBI concluded: “On-line commerce tempting target for those willing and able to exploit its weaknesses.” • Salgado sentenced: • 2 1/2 years incarceration • 5 years probation • Fines and restitution orders • No access to computers and related devices
Conclusions • E-commerce is growing in record numbers • The primary concern is security • Only as strong as the weakest link (Web clients, Web servers, data storage) • Strong motivation to attack systems • Contrary to the media and some vendors, the sky is not falling… but beware of dark alleys