Modification of Data Although the loss of data could be damaging, modification could be worse.What if somebody obtained access to your system and modified files?. Modifications to files
Trang 1It is possible that crackers will break into your system and format your hard drive It is fairly likely that a careless programmer or administrator will delete something by acci-dent, and it is almost certain that you will occasionally lose a hard disk drive Hard disk
drives rotate thousands of times per minute, and, occasionally, they fail Murphy’s Law would tell you that the one that fails will be the most important one, long after you last made a backup
You can take various measures to reduce the chance of data loss Secure your servers against crackers Keep the number of staff with access to your machine to a minimum
Hire only competent, careful people Buy good quality drives Use RAID so that multi-ple drives can act like one faster, more reliable drive
Regardless of the cause, there is only one real protection against data loss—backups
Backing up data is not rocket science On the contrary, it is tedious, dull, and hopefully useless, but it is vital Make sure that your data is regularly backed up, and make sure that you have tested your backup procedure to be certain that you can recover Make sure that your backups are stored away from your computers Although it is unlikely that your premises will burn down or suffer some other catastrophic fate, storing a backup offsite is
a fairly cheap insurance policy
Modification of Data
Although the loss of data could be damaging, modification could be worse.What if somebody obtained access to your system and modified files? Although wholesale dele-tion will probably be noticed and can be remedied from your backup, how long will it take you to notice modification?
Modifications to files could include changes to data files or executable files A crack-er’s motivation for altering a data file might be to graffiti your site or to obtain fraudu-lent benefits Replacing executable files with sabotaged versions might give a cracker who has gained access once a secret backdoor for future visits
You can protect data from modification as it travels over the network by computing a signature.This does not stop somebody from modifying the data, but if the recipient checks that the signature still matches when the file arrives, he will know whether the file has been modified If the data is being encrypted to protect it from unauthorized viewing, this will also make it very difficult to modify en route without detection
Protecting files stored on your server from modification requires that you use the file permission facilities your operating system provides and protect the system from unau-thorized access Using file permissions, users can be auunau-thorized to use the system, but not
be given free rein to modify system files and other users’ files.The lack of a proper per-missions system is one of the reasons that Windows 95 and 98 are not suitable as server operating systems
Detecting modification can be difficult If at some point you realize that your system’s security has been breached, how will you know whether important files have been mod-ified? Some files, such as the data files that store your databases, are intended to change over time Many others are intended to stay the same from the time you install them,
Trang 2278 Chapter 13 E-commerce Security Issues
unless you deliberately upgrade them Modification of both programs and data can be insidious, but although programs can be reinstalled if you suspect modification, you can-not know which version of your data was “clean.”
File integrity assessment software, such as Tripwire, records information about impor-tant files in a known safe state, probably immediately after installation, and can be used at
a later time to verify that files are unchanged.You can download commercial or condi-tional free versions from
http://www.tripwire.com
Denial of Service
One of the most difficult threats to guard against is denial of service Denial of Service (DoS) occurs when somebody’s actions make it difficult or impossible for users to access
a service, or delay their access to a time-critical service
Early in the year 2000, there was a famous spate of Distributed Denial of Service (DDoS)
attacks against high profile Web sites.Targets included Yahoo!, eBay, Amazon, E-Trade, and Buy.com Sites such as these are accustomed to traffic levels that most of us can only dream of, but are still vulnerable to being shut down for hours by a DoS attack
Although crackers generally have little to gain from shutting down a Web site, the pro-prietor might be losing money, time, and reputation
One of the reasons that these attacks are so difficult to guard against is that there are a huge number of ways of carrying them out Methods could include installing a program
on a target machine that uses most of the system’s processor time, reverse spamming, or
using one of the automated tools A reverse spam involves somebody sending out fake
spam with the target listed as the sender.This way, the target will have thousands of angry replies to deal with
Automated tools exist to launch distributed DoS attacks on a target.Without needing much knowledge, somebody can scan a large number of machines for known vulnerabil-ities, compromise a machine, and install the tool Because the process is automated, an attacker can install the tool on a single host in under five seconds.When enough machines have been co-opted, all are instructed to flood the target with network traffic Guarding against DoS attacks is difficult in general.With a little research, you can find the default ports used by the common DDoS tools and close them.Your router might provide mechanisms such as limiting the percentage of traffic that uses particular proto-cols such as ICMP Detecting hosts on your network being used to attack others is easier than protecting your machines from attack If every network administrator could be relied on to vigilantly monitor his own network, DDoS would not be such a problem Because there are so many possible methods of attack, the only really effective defense
is to monitor normal traffic behavior and have a pool of experts available to take coun-termeasures when abnormal things occur
Trang 3Errors in Software
It is possible that the software you have bought, obtained, or written has serious errors in
it Given the short development times normally allowed to Web projects, it is highly
like-ly that this software has some errors Any business that is highlike-ly reliant on computerized processes is vulnerable to buggy software
Errors in software can lead to all sorts of unpredictable behavior including service unavailability, security breaches, financial losses, and poor service to customers
Common causes of errors that you can look for include poor specifications, faulty assumptions made by developers, and inadequate testing
Poor Specifications
The more sparse or ambiguous your design documentation is, the more likely you are to end up with errors in the final product Although it might seem superfluous to you to specify that when a customer’s credit card is declined, the order should not be sent to the customer, at least one big-budget site had this bug.The less experience your devel-opers have with the type of system they are working on, the more precise your specifica-tion needs to be
Assumptions Made by Developers
The designers and programmers of a system need to make many assumptions Hopefully, they will document their assumptions and usually be right Sometimes though, people make poor assumptions.These might include assumptions that input data will be valid, will not include unusual characters, or will be less than a particular size It could also include assumptions about timing such as the likelihood of two conflicting actions occurring at the same time or that a complex processing task will always take more time than a simple task
Assumptions like these can slip through because they are usually true A cracker could take advantage of a buffer overrun because a programmer assumed a maximum length for input data, or a legitimate user could get confusing error messages and leave because
it did not occur to your developers that a person’s name might have an apostrophe in it
These sort of errors can be found and fixed with a combination of good testing and detailed code review
Historically, the operating system or application level weaknesses exploited by crackers have usually related either to buffer overflows or race conditions
Poor Testing
It is rarely possible to test for all possible input conditions, on all possible types of hard-ware, running all possible operating systems with all possible user settings.This is even more true than usual with Web-based systems
What is needed is a well-designed test plan that tests all the functions of your software
on a representative sample of common machine types A well-planned set of tests should
Trang 4280 Chapter 13 E-commerce Security Issues
aim to test every line of code in your project at least once Ideally, this test suite should
be automated so that it can be run on your selected test machines with little effort The greatest problem with testing is that it is unglamorous and repetitive Although some people enjoy breaking things, few people enjoy breaking the same thing over and over again It is important that people other than the original developers are involved in testing One of the major goals of testing is to uncover faulty assumptions made by the developers A fresh person is much more likely to have different assumptions In addition
to this, professionals are rarely keen to find flaws in their own work
Repudiation
The final risk we will consider is repudiation Repudiation occurs when a party involved
in a transaction denies having taken part E-commerce examples might include a person ordering goods off a Web site and then denying having authorized the charge on his credit card, or a person agreeing to something in email and then claiming that somebody else forged the email
Ideally, financial transactions should provide the peace of mind of nonrepudiation to both parties Neither party could deny their part in a transaction, or, more precisely, both parties could conclusively prove the actions of the other to a third party, such as a court
In practice, this rarely happens
Authentication provides some surety about whom you are dealing with If issued by a trusted organization, digital certificates of authentication can provide greater confidence Messages sent by each party also need to be tamperproof.There is not much value in being able to demonstrate that Corp Pty Ltd sent you a message if you cannot also demonstrate that what you received was exactly what they sent As mentioned
previous-ly, signing or encrypting messages makes them difficult to surreptitiously alter
For transactions between parties with an ongoing relationship, digital certificates together with either encrypted or signed communications are an effective way of limit-ing repudiation For onoff transactions, such as the initial contact between an e-commerce Web site and a stranger bearing a credit card, they are not so practical
An e-commerce company should be willing to hand over proof of its identity and a few hundred dollars to a certifying authority such as VeriSign
(http://www.verisign.com/) or Thawte (http://www.thawte.com/) in order to assure visitors of the company’s bona fides.Would that same company be willing to turn away every customer who was not willing to do the same in order to prove his identity? For small transactions, merchants are generally willing to accept a certain level of fraud or repudiation risk rather than turn away business
An alliance between VISA, a number of financial organizations, and software compa-nies, has been promoting a standard called Secure Electronic Transaction since 1997 One component of the SET system is that cardholders can obtain digital certificates from their card issuers If SET takes off, it could reduce the risk of repudiation and other credit card fraud in Internet transactions
Trang 5Unfortunately, although the specification has existed for many years, there seems to be little push from banks to issue SET-compliant certificates to their cardholders No retail-ers seem willing to reject all customretail-ers without SET software, and there is little enthusi-asm from consumers to adopt the software.There is very little reason for consumers to queue up at their local bank and spend time installing digital wallet software on their machines unless retailers are going to reject their customers without such software
Balancing Usability, Performance, Cost, and Security
By its very nature, the Web is risky It is designed to allow numerous anonymous users to request services from your machines Most of those requests will be perfectly legitimate requests for Web pages, but connecting your machines to the Internet will allow people
to attempt other types of connections
Although it can be tempting to assume that the highest possible level of security is appropriate, this is rarely the case If you wanted to be really secure, you would keep all your computers turned off, disconnected from all networks, in a locked safe In order to make your computers available and usable, some relaxation of security is required
There is a trade-off to be made between security, usability, cost, and performance
Making a service more secure can reduce usability by, for instance, limiting what people can do or requiring them to identify themselves Increasing security can also reduce the level of performance of your machines Running software to make your system more secure—such as encryption, intrusion detection systems, virus scanners, and extensive logging—uses resources It takes a lot more processing power to provide an encrypted session, such as an SSL connection to a Web site, than to provide a normal one.These performance losses can be countered by spending more money on faster machines or hardware specifically designed for encryption
You can view performance, usability, cost, and security as competing goals.You need
to examine the trade-offs required and make sensible decisions to come up with a com-promise Depending on the value of your information, your budget, how many visitors you expect to serve, and what obstacles you think legitimate users will be willing to put
up with, you can come up with a compromise position
Creating a Security Policy
A security policy is a document that describes
n The general philosophy towards security in your organization
n What is to be protected—software, hardware, data
n Who is responsible for protecting these items
n Standards for security and metrics, which measure how well those standards are being met