lesson 3 security needs for successful e-commerce
TRANSCRIPT
Lesson 3 Security Needs for Successful
E-Commerce
Overview
PrivacyMultilevel Security Anonymity Privacy and the GovernmentMedical AnonymityAuthenticationAuthentication vs IntegrityAuditing
Privacy
Personal – US Govt Privacy Act—democracy is built upon the notion of privacy
– EU Data Protection Act of 1995--stiffer than US Privacy Act
– Most Businesses believe personal privacy is bad for business
Business – Trade secrets: long term (Coke patent)– Product development data: few years– Financial health: weeks-months– Negotiations: weeks-months– Marketing, product plans, business strategies: months-years
Privacy
Government – Military secrets : short term– Names of spies: until spies’ children are dead
Multilevel Security
US Military schema– U/FOUO, C,S, TS, TS/SCI
-- Classification modifiers: NOFORN, LIMDIS (limited distribution),
-- WNINTEL (warning notice intel sources and methods)
MLS is easy to do on paper, but not easy in computers
Security in the real world doesn’t fit into hierarchical boxes
Anonymity Complete anonymity: no SSN, lack of
birth records Pseudonymity: Swiss bank accountTrue anonymity on Internet is probably
impossibleCommercial in banking: cost passed on to
consumerMedical: health insurance portability and accessibility
act (HIPPA)
Privacy and the Government
USA Patriots Act Export Laws on Cryptography (40 bit, 128 bit) We are losing more of our privacy every day Philosphical issues
-- The social ills of privacy outweigh the social good?
-- Can Govt limit a technology because it may hinder law enforcement
Bottom-line: a balance between privacy and safety
Medical Anonymity
Computerized patient data is bad for privacy
Allows for hackers to stealBut good for patient care and
portability--moving from treatment facility to other facilities
AuthenticationAuthentication is about: Continuity of relationships Knowing who to trust and not to trust Making sense of a complex world Logging onto a network computer is an authentication
process Two types of authentication
Session authentication –face to face, phone, email Transaction authentication – is the transaction valid (ie charge
card, cashing a check)
Authentication on the WEB
URL Problems:
Is www.nwa.com = www.northwestairlines.com?
Northwest Airlines A Travel Agency
Competitor names embedded in WEB pages The most important security problem to solve is
authentication across a digital network.
Authentication vs Integrity
We mix the two up or use them interchangeably—they are not! Authentication has to do with origin (of the data)
Integrity has to do with the “state” of the data, i.e. has it been changed Integrity is important in: Stocks Phone directories Medical records Financial Records Employment Records Have you ever received those “incredible” email stories? Heard
about www.urbanlegends.com?
Auditing
Designed to aid forensics So you can detect a successful attack or system compromise Figure out what happened to bring attacker to justice Electronic currency: “Will we repave cowpaths by just moving
cash, checks, debit cards, credit cards, gift certificates, and letters of credit, to the internet?
Consider these items: – ATMs– Credit card authentication and validation– Digital cash via “points” system (pseudo currencies)– Solution are reactive not pro-active
A Distributed DoS in ActionClient Hacker
BroadcastHost
BroadcastHost
MasterHost
MasterHost
BroadcastHost
BroadcastHost
BroadcastHost
Master ControlPrograms
BroadcastAgents
Registration Phase
*Hello**Hello* *Hello**Hello*
VerifyVerifyRegistrationRegistration
PONGPONG PONGPONGpngpng
The Internet
The Attack Phase
Target
Client Hacker
BroadcastHost
BroadcastHost
BroadcastHost
BroadcastHost
BroadcastHost
BroadcastAgents
The Internet
AttackAttackTargetTarget
AttackAttackTargetTarget
AttackAttackTargetTarget
UDP FloodAttack
UDP FloodAttack
UDP FloodAttack
UDP FloodAttack
COLLATERAL DAMAGECOLLATERAL DAMAGE
How CODE RED WorksFirst infected system
How CODE RED WorksFirst infected system
100 system probes
Scans to find new victims
How CODE RED WorksFirst infected system
Scans to find new victims
- Each new victim starts scanning process over again
- 20th to EOM, primary target is www.whitehouse.gov
How NIMDA Works
First infected system
How NIMDA Works
First infected system
Attacking system
tftp Admin.dll from attacking system(contains NIMDA payload)
How NIMDA Works
First infected system
Sends infectedemail attachment
NIMDA attachesto web pages on infected server
Infected systemscans network for
vulnerable IIS web servers
NIMDA propagatesvia open file shares
How NIMDA Works
- NIMDA prefers to target its neighbors
- Very rapid propagation
Summary
Privacy -- consumers want it Multilevel Security -- government demands it Anonymity -- not guaranteed Privacy and the Government -- balancing act Medical Anonymity - Good…Bad Authentication - most important security problem to solve
Authentication vs Integrity -- not the same Auditing -- aids forensics