1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.
Secure Electronic Transaction (SET)
SET is an open standard security protocol for protecting the privacy, and ensuring the authenticity and integrity, of electronic payment transactions. SET uses digital certificates, digital signatures and electronic wallets to carry out a series of security checks that authenticate the cardholder, the merchant and the payment gateway in a credit card transaction. It was developed in the late 1990s by SETCo, a company formed by Visa and MasterCard together with others including IBM, Microsoft and Netscape. Despite this backing the protocol failed to be widely implemented because of its cost, its complexity and the need to install additional client software (the wallet) on every customer's machine.
RSA 128-bit encryption
RSA (named after its authors Rivest, Shamir and Adleman) is a public key cryptography algorithm published in 1977. The "128-bit" in "128-bit encryption" does not refer to the RSA key: it is the size of the symmetric session key (RC4, 3DES or AES, for example) that an SSL/TLS connection uses to encrypt the traffic, after RSA with a 1024-bit or 2048-bit key has been used to authenticate the server and exchange that session key. A 128-bit RSA key could be factored in seconds, whereas a 128-bit symmetric key is considered secure against brute force, which is why this combination is extensively used in e-commerce protocols. RSA states that "in the U.S., 128-bit encryption is used in products such as Netscape Communications Navigator and Microsoft Corporation's Internet Explorer to support secure online banking and other applications that require high levels of privacy".
2. What can you find out about network and host-based intrusion detection systems?
Network Intrusion Detection System (NIDS)
NIDS dynamically monitor network traffic to multiple hosts. They analyse the individual network packets in an attempt to detect malicious or hostile activity such as:
Denial of Service (DoS) attacks
intruders (hackers/crackers) breaking into the system
port scans probing the network for open ports
Robert Graham outlines the following actions that may occur once a NIDS has detected an attack:
Reconfigure firewall: configure the firewall to filter out the IP address of the intruder. However, this still allows the intruder to attack from other addresses. Check Point firewalls support a "Suspicious Activity Monitoring Protocol (SAMP)" for configuring firewalls, and Check Point's "OPSEC" standard covers re-configuring firewalls to block the offending IP address.
Chime: beep or play a .WAV file. For example, you might hear a recording "You are under attack".
SNMP trap: send an SNMP trap datagram to a management console such as HP OpenView, Tivoli or Cabletron Spectrum.
NT event: send an event to the Windows NT event log.
syslog: send an event to the UNIX syslog event system.
Send e-mail: e-mail an administrator to notify them of the attack.
Page: page (using normal pagers) the system administrator.
Log the attack: save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).
Save evidence: save a tracefile of the raw packets for later analysis.
Launch program: launch a separate program to handle the event.
Terminate the TCP session: forge a TCP FIN packet to force the connection to terminate.
Examples of NIDS include:
Snort
Shoki
Cisco Secure IDS
Enterasys Dragon
ISS RealSecure
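As an added example (not code from the original post or from any of the products listed), the detection side of a NIDS in Python: a sliding-window port-scan detector run over constructed flow records, followed by two of the responses from Robert Graham's list, logging the attack and blocking the source. The flow records, IP addresses, window and threshold are all assumptions; the block command is returned as text rather than executed, and its iptables syntax is an assumption too. The slow scanner in the sample shows the usual caveat: a threshold detector only sees what fits inside its window.

```python
from collections import defaultdict, deque

# Constructed sample flow records, not captured traffic:
# (timestamp in seconds, source IP, destination IP, destination port, TCP flags)
SAMPLE_FLOWS = (
    # a fast scanner: SYNs to 16 different ports in 3 seconds
    [(0.2 * i, "10.0.0.5", "192.168.1.10", 20 + i, "S") for i in range(16)]
    # a normal client: repeated connections to ports 80 and 443 only
    + [(1.0 * i, "10.0.0.7", "192.168.1.10", 80 if i % 2 else 443, "S") for i in range(40)]
    # a slow scanner: one new port every 15 seconds, never 10 ports inside a 10 second window
    + [(15.0 * i, "10.0.0.9", "192.168.1.10", 8000 + i, "S") for i in range(12)]
)


def detect_port_scans(flows, window_s=10.0, port_threshold=10):
    """Sliding-window port-scan detector.

    Alerts when one source sends SYNs to at least port_threshold distinct
    ports on one destination within window_s seconds.  Returns
    {(src, dst): sorted ports seen in the window that triggered the alert}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, flags in flows:
        # only connection attempts: SYN set, ACK clear
        if "S" in flags and "A" not in flags:
            by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, probes in by_pair.items():
        probes.sort()
        window = deque()                # probes inside the current window
        port_counts = defaultdict(int)  # distinct ports in the window
        for ts, port in probes:
            window.append((ts, port))
            port_counts[port] += 1
            # drop probes older than the window
            while ts - window[0][0] > window_s:
                _, old_port = window.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            if len(port_counts) >= port_threshold and pair not in alerts:
                alerts[pair] = sorted(port_counts)
    return alerts


def respond(alerts):
    """Two responses from the list above: log the attack and block the source.

    The block command is returned as text rather than executed (iptables syntax
    is an assumption).  Automatic blocking is easy to turn against you: spoof
    the victim's partner addresses and the NIDS blocks them for you.
    """
    log_lines, block_cmds = [], []
    for (src, dst), ports in alerts.items():
        log_lines.append(
            f"PORTSCAN src={src} dst={dst} ports={len(ports)} "
            f"first={ports[0]} last={ports[-1]}"
        )
        block_cmds.append(f"iptables -I INPUT -s {src} -j DROP")
    return log_lines, block_cmds


if __name__ == "__main__":
    found = detect_port_scans(SAMPLE_FLOWS)
    for line in respond(found)[0]:
        print(line)
```

With the default 10 second window only the fast scanner is reported; widening the window to a few minutes also catches the slow one, at the cost of more state per source and more false positives from busy legitimate clients.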
Host-based Intrusion Detection System (HIDS)
HIDS consist of a software agent which monitors the internal activity of the host on which it is installed. HIDS monitor the host’s state and activity such as:
system calls
application logs
file-system modifications
Examples of HIDS include:
ELM 3.0 (TNT Software)
InTrust Event Admin (Aelita)
OSSEC
3. What is ‘phishing’?
Phishing is a richly evocative term describing the use of "bait" to "reel in" the gullible and unwary and "catch" their sensitive information for use in identity theft and fraud. Phishing involves sending unsolicited, spoofed electronic communications (e-mail and instant messages) that pretend to come from a legitimate source such as a bank. These fake communications direct users, via embedded links, to fake websites that imitate the real one and are designed to extract sensitive information such as:
login information (usernames and passwords)
account numbers (bank, social security, etc.)
credit card details
address and telephone details
email details
dates of birth
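An added example (not from the original post) of what the embedded links in such a message look like to a filter: a Python pass over a constructed phishing e-mail that extracts every anchor and flags the classic tells, visible text naming one host while the href points elsewhere, an IP address in place of a hostname, a "trusted-name@real-host" URL, and a look-alike domain that swaps digits for letters. The message, the host names and the single trusted domain are all assumptions, and the registered-domain helper is deliberately naive.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing message body (not a real e-mail); hosts are documentation examples.
CONSTRUCTED_EMAIL = """
<p>Dear customer, your account has been limited. Please visit
<a href="http://paypa1-secure.example.net/login">https://www.paypal.com/</a> to restore access,
or use <a href="http://198.51.100.7/verify">our secure server</a>.</p>
<p>Genuine help: <a href="https://www.paypal.com/help">help centre</a>.</p>
<p><a href="http://www.paypal.com@evil.example.org/">www.paypal.com</a></p>
"""

HOMOGLYPHS = str.maketrans("10", "lo")   # digits commonly used to imitate letters


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every anchor in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or of a bare 'www.example.com' string, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    """Last two labels (paypal.com).  Assumption: enough for this demo, wrong for co.uk-style suffixes."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_links(html, trusted_domains=("paypal.com",)):
    """Return [(href, [reasons])] for every link that shows a phishing tell."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.username:                       # "www.paypal.com@evil..." trick
            reasons.append("userinfo-in-url")
        try:
            ipaddress.ip_address(host)
            reasons.append("ip-literal-host")
        except ValueError:
            pass
        looks_like_url = "." in text and " " not in text
        if looks_like_url and registered_domain(host_of(text)) != registered_domain(host):
            reasons.append("display-host-mismatch")
        for domain in trusted_domains:
            brand = domain.split(".")[0]
            if brand in host.translate(HOMOGLYPHS) and registered_domain(host) != domain:
                reasons.append(f"lookalike:{domain}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(CONSTRUCTED_EMAIL):
        print(href, reasons)
```

The genuine help link produces no finding, which is the point of the check: the tells are in the relationship between what the user sees and where the link really goes, not in the words of the message.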
4. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?
SET is described in Q. 1 where I note that it is not in common use.
Secure Socket Layer (SSL)
A cryptographic protocol that runs between the transport layer (TCP) and the application layer of the IP suite. It provides secure communications over the Internet by establishing an encrypted, authenticated link between client and server. It was developed by Netscape in the mid-1990s and is now supported by all mainstream browsers. Transport Layer Security (TLS) appeared in 1999 as the standardised successor to SSL. Wikipedia notes that "the TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography." In practice the server is authenticated with an RSA certificate whose key is 1024 or 2048 bits long, and the traffic itself is encrypted with a symmetric cipher under a 128-bit (or longer) session key.
SET v SSL
SET gives stronger guarantees than SSL for a payment: it authenticates the cardholder, the merchant and the payment gateway with certificates and signs the order and payment details, whereas SSL only authenticates the server to the browser and encrypts the channel
The merchant never handles the credit card details with SET (they go, encrypted, to the payment gateway), which reduces the chance of fraud by or through the merchant; with SSL the card number is decrypted on the merchant's server
SSL is far easier to implement than SET as it requires no client software such as SET's e-wallet and no certificate for the customer, which is why SSL, with card details passed to a payment processor, is what e-commerce sites actually use
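The second point above (the merchant never sees the card details) relies on SET's dual signature, which is worth seeing in code. The following is an added example written for this page, not SET's specification or any vendor's implementation: the cardholder hashes the order information (OI) and the payment instructions (PI) separately and signs the hash of the two digests, so the merchant can verify the order against a digest of the payment details it never sees, the gateway can verify the payment against a digest of the order it never sees, and neither party can substitute a different OI or PI under the same signature. The RSA key is a toy with fixed small primes and no padding, an assumption made so the example runs without libraries; the order and card strings are constructed.

```python
import hashlib

# Toy RSA key pair.  ASSUMPTION: fixed small primes so the example runs with no
# libraries.  The real SET used 1024-bit RSA with proper padding; never reuse this.
P, Q, E = 1_000_000_007, 998_244_353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)


def h(data):
    return hashlib.sha256(data).digest()


def sign(digest):
    """Textbook RSA over the first 7 bytes of the digest (so the value is < N)."""
    return pow(int.from_bytes(digest[:7], "big"), D, N)


def verify(sig, digest):
    return pow(sig, E, N) == int.from_bytes(digest[:7], "big")


def cardholder_dual_sign(oi, pi):
    """Cardholder: hash both parts, sign the hash of the two hashes.

    Returns the two message digests and the dual signature.  The cardholder then
    sends (OI, PIMD, DS) to the merchant and (PI, OIMD, DS) to the payment
    gateway; in SET the PI is also encrypted for the gateway, which this toy omits.
    """
    oimd, pimd = h(oi), h(pi)
    ds = sign(h(pimd + oimd))
    return oimd, pimd, ds


def merchant_verify(oi, pimd, ds):
    """Merchant sees the order but only the hash of the payment details."""
    return verify(ds, h(pimd + h(oi)))


def gateway_verify(pi, oimd, ds):
    """Gateway sees the payment details but only the hash of the order."""
    return verify(ds, h(h(pi) + oimd))


def demo():
    oi = b"merchant=shop-1;order=1234;item=book;amount=19.99"
    pi = b"card=4111111111111111;exp=12/12;amount=19.99"   # constructed test card number
    oimd, pimd, ds = cardholder_dual_sign(oi, pi)
    return {
        "merchant_ok": merchant_verify(oi, pimd, ds),
        "gateway_ok": gateway_verify(pi, oimd, ds),
        # merchant tries to inflate the amount after the fact
        "merchant_tampered": merchant_verify(oi.replace(b"19.99", b"199.99"), pimd, ds),
        # someone re-attaches the signature to a different card
        "gateway_other_card": gateway_verify(pi.replace(b"4111", b"5555"), oimd, ds),
    }


if __name__ == "__main__":
    print(demo())
```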
5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?
A cookie is a small text string, containing one or more name-value pairs, that is sent by a web server and stored by the browser on the client computer; the browser returns it with later requests to the same site. Wikipedia highlights that cookies provide functions such as:
authentication
session tracking (state maintenance)
storing site preferences
shopping cart contents
the identifier for a server-based session
anything else that can be accomplished through storing textual data
Cookies may pose a risk to security as:
they can be used by advertising networks and spyware to track a user's browsing history across sites (third-party cookies)
any sensitive information stored in them in clear text can be read by anyone with access to the browser's cookie store, by script running on the page, or, if the cookie is sent over plain HTTP, by anyone on the network path; a stolen session cookie lets an attacker act as the logged-in user
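As an added example (not from the original post), the attributes that limit the second risk above, checked in Python over constructed Set-Cookie headers, a weak pair beside a hardened pair: Secure keeps the cookie off plain HTTP, HttpOnly keeps it away from script, and SameSite (an attribute that postdates this post) keeps it off cross-site requests. The audit also flags a short session identifier and a cookie carrying card data, which no attribute makes safe. Header values, cookie names and the length threshold are assumptions.

```python
import re

# Constructed Set-Cookie headers as a server might emit them (not from a real site)
WEAK_HEADERS = [
    "sessionid=8f3c9a1e; Path=/",
    "card=4111111111111111; Path=/; Expires=Fri, 31 Dec 2010 23:59:59 GMT",
]
HARDENED_HEADERS = [
    "sessionid=3b1f9c7e5a2d4f8091c6e7a2b5d3f0e1; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cartid=7d2a9c31e5f04b8a; Path=/; Secure; HttpOnly; SameSite=Lax",
]

SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "asp.net_sessionid", "sid"}
SENSITIVE_NAMES = {"card", "cardnumber", "password", "passwd", "ssn", "pin", "cvv"}
CARD_NUMBER = re.compile(r"\b\d{13,19}\b")


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: value_or_True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return a list of short issue codes for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        issues.append("no-secure")        # sent over plain HTTP, readable on the wire
    if "httponly" not in attrs:
        issues.append("no-httponly")      # readable by script, e.g. after an XSS
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        issues.append("no-samesite")      # attached to cross-site requests (CSRF)
    if name.lower() in SESSION_NAMES and len(value) < 16:
        issues.append("short-session-id")  # too little entropy to resist guessing
    if name.lower() in SENSITIVE_NAMES or CARD_NUMBER.search(value):
        issues.append("sensitive-value")  # secrets should not live in a cookie at all
    return issues


def audit_all(headers):
    """Map cookie name -> issues for a list of Set-Cookie headers."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    print("weak:", audit_all(WEAK_HEADERS))
    print("hardened:", audit_all(HARDENED_HEADERS))
```

The hardened version stops storing the card number client-side altogether and keeps only an opaque cart identifier; the flags protect a cookie in transit and from script, but they cannot make a card number safe to hand to the browser.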
6. What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?
A firewall is an essential security investment as it provides a protective barrier by preventing unauthorised access to your computer or network. Firewalls may be software, hardware or a combination of both.
Example firewall vendors:
Cisco - the Cisco ASA 5500 Series Adaptive Security Appliances are hardware products that include a firewall
Check Point® Software Technologies Ltd - ZoneAlarm® Pro Firewall 2010, part of a suite of software security products
Microsoft - provides a software firewall (Windows Firewall) with Windows 7, Windows Vista or Windows XP Service Pack 2 (SP2) and higher
7. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?
To build customers' trust e-commerce sites should ensure that customers can:
view the security policy details of the website
verify the authenticity of the site, to counter phishing
see that the site uses HTTPS with a valid SSL certificate, ideally an Extended Validation (EV) SSL certificate, which browsers mark by displaying the verified organisation name
view and accept the privacy policy statement
Of these, only the HTTPS connection and the certificate (issuer, subject, validity period and, for EV, the organisation name) can actually be verified by the customer in the browser; the security and privacy policies are statements the customer can read but cannot check.
8. Get the latest PGP information. The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?
Some I am familiar with, from working both on site and remotely, are authentication via a:
security token e.g. a Vasco Digipass: login to a secure site is via a combination of user name, token PIN and the one-time token code generated by the key fob
smart card with an embedded chip
biometrics – fingerprint and retinal scan, voice recognition
some banks also require account holders to register a mobile phone so that a one-time PIN can be sent via SMS to authenticate each online transaction
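An added example (not from the original post and not Vasco's code) of how the token code in the first item is generated and checked, using the HOTP algorithm (RFC 4226) that open event-based tokens implement and its time-based variant TOTP (RFC 6238). The RFC's published test secret serves as the constructed token secret; the user record and PIN are assumptions. The server side accepts only counters ahead of the last one used, so a code captured by a phishing site cannot be replayed, and combines the check with the PIN as the logins described above do.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_hotp(secret, submitted, last_counter, look_ahead=5):
    """Server-side check for an event-based token.

    Accepts only counters after the last one used (so a captured code cannot be
    replayed), tolerates a few button presses that never reached the server, and
    compares in constant time.  Returns the new counter to store, or None.
    """
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def login(username, pin, code, users):
    """Combined check like the token logins described above: user name, PIN and token code."""
    record = users.get(username)
    if record is None or not hmac.compare_digest(record["pin"], pin):
        return False
    new_counter = verify_hotp(record["secret"], code, record["counter"])
    if new_counter is None:
        return False
    record["counter"] = new_counter   # advance so the same code is never accepted twice
    return True


# Constructed user record using the RFC 4226 test secret (not a real credential)
USERS = {"alice": {"pin": "2468", "secret": b"12345678901234567890", "counter": 0}}


if __name__ == "__main__":
    print("next codes:", [hotp(USERS["alice"]["secret"], c) for c in range(1, 4)])
    print("login:", login("alice", "2468", hotp(USERS["alice"]["secret"], 1), USERS))
```

The look-ahead window is the usual trade-off: a larger one forgives more accidental presses on the fob but gives an attacker more codes to guess per attempt, so the server should also rate-limit failures per account.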
References:
Firewalls
http://www.webopedia.com/didyouknow/hardware_software/2004/firewall_types.asp
NIDS
http://www.linuxsecurity.com/resource_files/intrusion_detection/network-intrusion-detection.html
http://www.windowsecurity.com/articles/Intrusion_Detection_Systems_IDS_Part_I__network_intrusions_attack_symptoms_IDS_tasks_and_IDS_architecture.html
(Wikipedia) http://en.wikipedia.org/wiki/Network_intrusion_detection_system
RSA http://www.rsa.com/press_release.aspx?id=716
SET
http://www.davidreilly.com/topics/electronic_commerce/essays/secure_electronic_transactions.html
http://ecommerce.hostip.info/pages/925/Secure-Electronic-Transaction-SET.html
SET v SSL
http://www.savagerun.com/SSLSET.htm
Saturday, May 29, 2010