Escolar Documentos
Profissional Documentos
Cultura Documentos
business technology
business.
technology. society
society.
Fourth Edition
Kenneth C. Laudon
Carol Guercio Traver
Slide 5-1
Chapter 5
Online Security System
Slide 5-2
Cyberwar in Estonia
Class Discussion
Slide 5-3
Computer-generated
C
t
t d Si
Simulation
l ti off a DDoS
DD S
Attack
Slide 5-4
Slide 5-5
Slide 5-6
Slide 5-7
Slide 5-8
Slide 5-9
Slide 5-10
Customer and
C
dM
Merchant
h
Perspectives
P
i
on the
h
Different Dimensions of E-commerce
E commerce Security
Table 5.1, Page 264
Slide 5-11
Security vs
vs. ease of use: the more security measures
added, the more difficult a site is to use, and the
slower it becomes
Too much security can harm profitability, while not
g security
y can p
put yyou out of business
enough
Tension between the desire of individuals to act
anonymously (to hide their identity) and the needs to
maintain public safety that can be threatened by
criminals or terrorists.
Th IInternet is
The
i b
both
h anonymous and
d pervasive,
i
an
ideal communication tool for criminal and terrorist
groups (Coll and Glasser
Glasser, 2005).
2005)
Slide 5-12
Three keyy p
points of vulnerability:
y
Client
Server
Communications channel
Slide 5-13
Slide 5-14
Slide 5-15
Slide 5-16
Malicious Code
Try to impair computers, steal email addresses, logon
credentials, personal data, and financial info.
Viruses: computer programs that have ability to
replicate and spread to other files; most also deliver a
payload of some sort (destructive or benign);
include macro viruses
viruses, file-infecting viruses
viruses, and
script viruses
Worms: Designed to spread from computer to
computer; can replicate without being executed by a
user or program like virus
Trojan
j horse: Appears
pp
to be benign,
g , but then does
something other than expected
Bots: Can be covertly installed on computer;
responds to external commands sent by the attacker
to create a network of compromised computers for
sending spam, generating a DDoS attack, and
stealing info from computers
See Table 5.3 for notable examples of malicious
Slide 5-17
Copyright code
2007 Pearson Education, Inc.
Unwanted Programs
Slide 5-18
Mostt popular
M
l type:
t
e-mailil scam lletter,
tt e.g.,
Nigerians rich former oil minister seeking a bank
account to deposit millions of dollars,
dollars fake
account verification emails from eBay or CitiBank
g to g
give up
pp
personal account info, bank
asking
account no., and credit card no.
One of fastest growing forms of e-commerce crime
197,000 unique new phishing emails sent
within the first 6 months of 2007, 18% increase
compared to 2ndd half of 2006.
Slide 5-19
Slide 5-20
A E
An
Example
l off a Phishing
Phi hi Attack
Att k
Slide 5-21
White hats
hats hired by corporate to find weaknesses in
the firms computer system
Black hats hackers with intention of causing
g harm
Grey hats hackers breaking in and revealing system
flaws without disrupting site or attempting to profit from
th i fi
their
finds.
d
Slide 5-22
Slide 5-23
Spoofing
p
g ((Pharming)
g)
Slide 5-24
Hackers
H
k
flflood
dW
Web
b site
it with
ith useless
l
ttraffic
ffi tto iinundate
d t
and overwhelm network
D i l off Service
Denial
S
i
Ping Flooding
Attacker sends a flood of pings to the intended victim
The p
ping
gp
packets will saturate the victims bandwidth
Internet
g System(s)
y
( )
Attacking
Victim System
Denial of Service
SMURF ATTACK
Uses a ping packet with two extra twist
Attacker
Att k chooses
h
an unwitting
itti victim
i ti
Spoofs the source address
ICMP = Internet Control
Message Protocol
Sends request to network in broadcast mode
INTERNET
1 SYN
PERPETRATOR
VICTIM
C
DD S Att
DDoS
Attack
k Ill
Illustrated
t t d
Hacker
1 Hacker scans
Internet for
unsecured systems
that can be
compromised
Unsecured Computers
Internet
Scanning
Program
DD S Att
DDoS
Attack
k Ill
Illustrated
t t d
Hacker
Zombies
Hacker secretly
installs zombie
agent programs,
turning unsecured
p
computers
into
zombies
2
Internet
DD S Att
DDoS
Attack
k Ill
Illustrated
t t d
Hacker
Master
Server
3 Hacker selects
a Master Server to
send commands to
the zombies
Zombies
Internet
DD S Att
DDoS
Attack
k Ill
Illustrated
t t d
Hacker
Master
Server
4 Using client
program, hacker sends
commands to Master
Server to launch zombie
attack against
a
g
targeted system
Zombies
Internet
Targeted
System
DD S Att
DDoS
Attack
k Ill
Illustrated
t t d
Hacker
Master
Server
Master Server
sends signal to
zombies to launch
attack on targeted
system
y
5
Zombies
Internet
Targeted
System
DD S Att
DDoS
Attack
k Ill
Illustrated
t t d
Hacker
Master
Server
Zombies
Targeted system is
overwhelmed by bogus
requests that shut it
down for legitimate
users
Request Denied
Internet
Targeted
System
User
Other Security
y Threats
Slide 5-34
Technology Solutions
Slide 5-35
Slide 5-36
Message integrity
Nonrepudiation
Authentication
Confidentiality
y
Slide 5-37
Slide 5-38
Slide 5-40
Slide 5-42
Public key
y encryption
yp
p
provides confidentiality,
y, but
not authentication, integrity, and nonrepudiation
Application
pp
of hash function ((mathematical
algorithm) by sender prior to encryption produces
hash (message) digest that recipient can use to
verify integrity of data
Hash function produces a fixed-length number
called hash or message digest
digest.
Examples of hash function include MD4 and
MD5.
Double encryption with senders private key
((digital
g
signature)
g
) helps
p ensure authenticity
y and
nonrepudiation
Slide 5-43
Message Digest
Message
ag
Large
Message
M
Digest
Function
1011010
Small
(e.g., 128 bits)
Message Digest
A
Message
M
Digest
Function
Digest A
Digest B
If A =B
B =>
> Digest A = Digest B
2004 D. A. Menasc. All Rights Reserved.
Message Digest
Message
M
Digest
Function
Digest A
Slide 5-47
Digital Envelopes
Slide 5-48
Slide 5-49
Name of subject/company
Subjects public key
Digital certificate serial number
Expiration date
Issuance date
Digital signature of certification authority (trusted third
party institution) that issues certificate
Other identifying information
Slide 5-50
Slide 5-51
Slide 5-52
Slide 5-54
Slide 5-55
Slide 5-56
Slide 5-57
Slide 5-58
Slide 5-59
Slide 5-60
Slide 5-61
Slide 5-63