Friday, April 2, 2010

Exercise 9: Electronic payments and security

1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.

Given the ever growing popularity of e-commerce and the emergence of online services such as internet banking and online investing and even online shopping, there is also a growing need for internet security with the emergence of cybercrime, which Reynolds (2010) describes as criminal activity in which a computer or a computer network is used as a tool to commit a crime or is the target of criminal activity. Unfortunately no one really knows the extent of cybercrime as many crimes go unreported.However, what is know that this this type is on the increase, requiring a subsequent increase in computer security measures. This topic provides an insight into the security measures which can be implemenetd, the types of intrusions which can occur and the protocols which can be used to counteract these intrusions.

One such protocol is Secure Electronic Transaction (SET). According to the Wikipedia (2010) article on SET, this protocol allows parties to cryptographically identify themselves to each other and exchange information securely. SET used a blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit-card number. If SET were used, the merchant itself would never have had to know the credit-card numbers being sent from the buyer, which would have provided verified good payment but protected customers and credit companies from fraud.

When SET is implemented in a transaction there are secure keys used to both encrypt and decrypt the data, these keys use cryptographic algorithms to enable the secure transfer of data over an insecure network. The most well known public key cryptography system is RSA. The Wikipedia article on RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) desribes it as an algorithm for public-key cryptograph. It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in e-commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations. As such, when implementing RSA in the process of encryption it is important to consider the key size as this will be a critical factor in determining the security of the cryptography put in place, RSA 128-bit encryption is the recommended minimum symmetric security level for online transactions, this uses at minimum a 3027 bit asymmetric key. Although protocols such as SET assist in the protection and security of data across open media channels the networks themselves are also under threat to malicious activities such as denial of service attacks, unwanted traffic monitoring and port scanning. These malicious activities can pose major threats to the privacy of data and in turn the security of the individuals.

2. What can you find out about network and host-based intrusion detection systems?

To assist in the detection and prevention of such activities Intrusion Detection Systems (IDS) may be put in place. Boer and Pels (2005) state that IDSs are a valuable asset in the security of systems and/or networks. An IDA attempts to monitor and possibly prevent attempts to intrude into or otherwise compromise your system and network resources. Boer and Pels (2005) identify three types of IDSs. Firstly those that monitor the network for malicious traffic refrred to as Network-based IDS or NIDS. Secondly there are IDSs that monitor activity on a single host (Host-based IDS or HIDS) and finally systems that correlate events from different Host- or
Network-based IDSs referred to as distributed IDS or DIDS.


Network Intrusion Detection Systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network.
A NIDS reads all the incoming packets and tries to find suspicious patterns known as signatures or rules. If, for example, a large number of TCP connection requests to a very large number of different ports are observed, one could assume that there is someone conducting a port scan of some or all of the computer(s) in the network. It also (mostly) tries to detect incoming shellcodes in the same manner that an ordinary intrusion detection system does. A NIDS is not limited to inspecting incoming network traffic only. Often valuable information about an ongoing intrusion can be learned from outgoing or local traffic as well. Some attacks might even be staged from the inside of the monitored network or network segment, and are therefore not regarded as incoming traffic at all.

Host Intrusion Detection Systems are run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator of suspicious activity is detected.
Just like a NIDS will dynamically inspect network packets, a HIDS might detect which program accesses what resources and discover that, for example, a word-processor has suddenly and inexplicably started modifying the system password database. Similarly a HIDS might look at the state of a system, its stored information, whether in RAM, in the file system, log files or elsewhere; and check that the contents of these appear as expected.


3. What is ‘phishing’?

According to Webopedia (2010) entry on Phishing, it is act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organisation already has. The web site, however, is bogus and set up only to steal the user’s information.

For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user’s account was about to be suspended unless he clicked on the provided link and updated the credit card information that the genuine eBay already had. Because it is relatively simple to make a web site look like a legitimate organisations site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay’s site to update their account information. By spamming large groups of people, the “phisher” counted on the e-mail being read by a percentage of people who actually had listed credit card numberswith eBay legitimately.

4. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?

As already presented in question one of this exercise, SET, is a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet. SET is not a payment system, but rather a set of security protocols and formats that enable users to employ the existing credit card payment infrastructure on an open network in a secure fashion. SET allowed parties to cryptographically identify themselves to each other and exchange information securely. SET used a blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit-card number. If SET were used, the merchant itself would never have had to know the credit-card numbers being sent from the buyer, which would have provided verified good payment but protected customers and credit companies from fraud. According to Wikipedia, SET has not gain traction and is not in common use.

Secure Sockets Layer (SSL) security technology helps to improve the safety of Internet communications. Like SET, SSL is a standard for encrypted client/server communication between network devices. Also like SET, SSL network protocol, SSL runs on top of TCP/IP. Bidgoli (2008) states that web sites commonly use SSL to guard private information such as credit card numbers.SSL is built into all major browsers and web servers; therefore simply installing a digital certificate turns on their SSL capabilities. This of course makes SSL easier for a business to use at the outset. These are the sorts of market advantages that perhaps develop when a protocol like SSL has been invented by and has the support of the major computer players like Microsoft and Netscape rather than “conventional” credit extending companies such as Visa and MasterCard, who were the devlopers of SET. It seems as though SSL is the old kid on the block, and SET is the newer standard. In my brief research it would also seem as though SET is more secure than SSL, however this additional security comes with greater technological complexity and cost. Whilst SET is not in common use now, it may see more use in the future

5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?

According to the Wikipedia (2010) article on HTTP cookies, a cookie is is a small piece of text stored on a user's computer by a web browser. A cookie consists of one or more name-value pairs containing bits of information. The cookie is sent as an HTTP header by a web server to a web browser and then sent back unchanged by the browser each time it accesses that server. A cookie can be used for authentication, session tracking (state maintenance), storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing textual data.

As text, cookies are not executable. Because they are not executed, they cannot replicate themselves and are not viruses. Due to the browser mechanism to set and read cookies, they can be used as spyware. Anti-spyware products may warn users about some cookies because cookies can be used to track people or violate privacy concerns. In addition to this there can be some drawbacks of cookies. They do not always accurately identify users and they may be used for security attacks including cookie hijacking, cookie theft, cookie poisoning. Further information on these security risks of cookies may be read at http://en.wikipedia.org/wiki/HTTP_cookie.

6. What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?

According to Reynolds (2010), installation of a corporate firewall is the most comon security precaution taken by businesses. A firewall stands guard between the internal network of the organisation and the internet and limits network access based on the orgnaisationals access policy. After examioning the websites of a number of firewall vendors it would appear that firewalls can be established through the use of software, hardware, or a combination of both. Firewalls make a good security investment becase any internet traffic that is not permitted explicitly into the internal netwrok is denied entry. Similarly, most firewalls can be configured so that internal network users can be blocked from gaining access to certain website based on content uch as sex, violence and so on (Reynolds, 2010).

7. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?

According to Reynolds (2010), there are a number of measures that e-commerce can provide to create trust among their potential customers. First and foremost the organisation must establish a security policy, which defines an organisations security requirements as well as the controls and sacntions required to meet those requirements. Secondly, the organisation ay educate their employees, contractors and part-time workers so that they will be motivated to understand and follow the security policies of the organsiation. Users must understand that they are key part of the security system and that they have certain responsibilities including the guarding of passwords, prohibiting of others using their passwords, applying strict access controls and reporting all unusual activity to the organisations IT security group. Thirdly, the orgnaisation can implement preventative measures which make computer break-ins so difficult thatthe attacker eventually gives up. This may include the installation of a firewall, the installation of intrusion prevention systems, the installation of antivirus software on personal computers and condcuting periodic IT security audits. Fourthly, the organisation may impleent detection systems to catch intruders in the act and finally the organisation should have a clearly defined response plan. This will help keep any security incident under technical and emotional control. In addition to the aforemention procedural considerations, an e-commerce vendor should also consider the following security measures:

• Maintain an audit of all logs
• Encrypt email messages
• Secure client security
• Secure server security
• Secure data transport security
• Secure operating system security
• Use secure transport protocols e.g. SSL or SETs
• Secure browsers with security and scrambling features.

A customer’s operating system security (ie firewall and antivirus) can onviously be verified by customer. In terms of verifying security of online transactions, most browsers are now enabled to display the security settings of various websites, allowing customers to view the secuirty level of a website including encryption being utilised.

8. Get the latest PGP information from http://en.wikipedia.org/wiki/Pretty_Good_Privacy.

According to this website Pretty Good Privacy (PGP) is a computer program that provides cryptographic privacy and authentication. PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications. It was created by Philip Zimmermann in 1991. The website provides a history of PGP and its usage. PGP is a freely available encryption program that protects the privacy of files and electronic mail. It uses powerful public key cryptography and works on virtually every platform. PGP has become very popular both in the U.S. and abroad. Because it uses state-of-the-art public key cryptography, PGP can be used to authenticate messages, as well as keep them secret. With PGP, you can digitally "sign" a message when you send it. By checking the digital signature at the other end, the recipient can be sure that the message was not changed during transmission and that the message actually came from you.

The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?I

In the brief reserach I did on this, it would appear that digital certifcicates and passports are the most common tools utilsiied for validating legitimate users and avoiding identity theft. I spent approximately half an hour searching for alternatives to this, and have to admit I wasn't able to find a whole lot. In addition to these aforementioned methods, authentication can be conducted through the use of logon passwords, single sign-on (SSO) systems, biometrics and a public key infrastructure (PKI).



No comments:

Post a Comment