Internet Security Against Hacking Systems

Download as doc, pdf, or txt
Download as doc, pdf, or txt
You are on page 1of 12

www.1000projects.

com
www.fullinterview.com
www.chetanasprojects.com

A Paper Presentation
on

INTERNET SECURITY AGAINST HACKING SYSTEMS

ABSTRACT

The internet has been a wide usage in all the fields in the present competitive world. It
is being used in the education, research, business and what not, in everything. But
providing security for the users information or transactions or any other data in any of
the field has become a paramount. This paper gives a vivid picture of “E-commerce”
and the vulnerabilities they are facing in providing a secure system for the users. In
other words, how the security attacks are made either by the hackers or the intruders,
the ways how they attack and exploit to illegitimate means.
This paper is an overview of the security and privacy concerns based on the
experiences as developers of E-commerce. E-commerce is a business middleware that
accelerates the development of any business transaction-oriented application, from the
smallest retailer to the distributor, to the consumer (user). These transactions may

www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
apply b between manufacturers and distributors or suppliers. Here, the user needs to
be assured with the privacy of his/her information. In this article, we focus on possible
attack scenarios in an e-Commerce system and provide preventive strategies,
including security features that one can implement.
Here we present you the better ways of how to defend from the attacks and
protect your personal data without depending on the network provider’s security with
the help of personnel firewalls and honey pots.

INTRODUCTION
E-Commerce refers to the exchange of goods and services over the Internet. All major
retail brands have an online presence, and many brands have no associated bricks and
mortar presence. However, e-Commerce also applies to business to business
transactions, for example, between manufacturers and suppliers or distributors.
E-Commerce provides an integrated platform that runs both their customer
facing online shopping sites, and their internal distributor or supplier portals as shown
in Figure.

www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com

E-Commerce systems are relevant for the services industry. For example,
online banking and brokerage services allow customers to retrieve bank statements
online, transfer funds, pay credit card bills, apply for and receive approval for a new
mortgage, buy and sell securities, and get financial guidance and information.

SECURITY OVERVIEW AND ITS FEATURES:

A secure system accomplishes its task with no unintended side effects. Using the
analogy of a house to represent the system, you decide to carve out a piece of your
front door to give your pets' easy access to the outdoors. However, the hole is too
large, giving access to burglars. You have created an unintended implication and
therefore, an insecure system. While security features do not guarantee a secure
system, they are necessary to build a secure system. Security features have four
categories:

• Authentication: Verifies who you say you are. It enforces that you are the only
one allowed to logon to your Internet banking account.
• Authorization: Allows only you to manipulate your resources in specific ways.
This prevents you from increasing the balance of your account or deleting a bill.
• Encryption: Deals with information hiding. It ensures you cannot spy on others
during Internet banking transactions.

www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
• Auditing: Keeps a record of operations. Merchants use auditing to prove that you
bought specific merchandise.

The victims and the accused (the players):


In a typical e-Commerce experience, a shopper proceeds to a Web site to browse a
catalog and make a purchase. This simple activity illustrates the four major players in
e-Commerce security. One player is the shopper who uses his browser to locate the
site. The site is usually operated by a merchant, also a player, whose business is to sell
merchandise to make a profit. As the merchant business is selling goods and services,
not building software, he usually purchases most of the software to run his site from
third-party software vendors. The software vendor is the last of the three legitimate
players.

A threat is a possible attack against a system. It does not necessarily mean


that the system is vulnerable to the attack. An attacker can threaten to throw eggs
against your brick house, but it is harmless. Vulnerability is a weakness in the system,
but it is not necessarily be known by the attacker. Vulnerabilities exist at entry and
exit points in the system. In a house, the vulnerable points are the doors and windows.
Points the attacker can target
As mentioned, the vulnerability of a system exists at the entry and exit points
within the system. Figure shows an e-Commerce system with several points that the
attacker can target:

www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
• Shopper
• Shopper' computer
• Network connection between shopper and Web site's server
• Web site's server
• Software vendor

Tricking the shopper: Some of the easiest and most profitable attacks are based
on tricking the shopper, also known as social engineering techniques. These attacks
involve surveillance of the shopper's behavior, gathering information to use against the
shopper. For example, a mother's maiden name is a common challenge question used
by numerous sites. If one of these sites is tricked into giving away a password once
the challenge question is provided, then not only has this site been compromised, but
it is also likely that the shopper used the same logon ID and password on other sites.
Snooping the shopper's computer: Millions of computers are added to the Internet
every month. Most users' knowledge of security vulnerabilities of their systems is
vague at best. A popular technique for gaining entry into the shopper's system is to
use a tool, such as SATAN, to perform port scans on a computer that detect entry
points into the machine. Based on the opened ports found, the attacker can use
various techniques to gain entry into the user's system. Upon entry, they scan your file
system for personal information, such as passwords. A user that purchases firewall
software to protect his computer may find there are conflicts with other software on his
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
system. To resolve the conflict, the user disables enough capabilities to render the
firewall software useless.
Sniffing the network: In this scheme, the attacker monitors the data between the
shopper's computer and the server. There are points in the network where this attack
is more practical than others. If the attacker sits in the middle of the network, then
within the scope of the Internet, this attack becomes impractical. A request from the
client to the server computer is broken up into small pieces known as packets as it
leaves the client's computer and is reconstructed at the server. The packets of request
are sent through different routes. The attacker cannot access all the packets of a
request and cannot decipher what message was sent.
Guessing passwords: Another common attack is to guess a user's password. This
style of attack is manual or automated. Manual attacks are laborious, and only
successful if the attacker knows something about the shopper. For example, if the
shopper uses their child's name as the password.
Using server root exploits: Root exploits refer to techniques that gain super user
access to the server. This is the most coveted type of exploit because the possibilities
are limitless. When you attack a shopper or his computer, you can only affect one
individual. With a root exploit, you gain control of the merchants and all the shoppers'
information on the site. There are two main types of root exploits: buffer overflow
attacks and executing scripts against a server.

DEFENSES
Despite the existence of hackers and crackers, e-Commerce remains a safe and secure
activity. The resources available to large companies involved in e-Commerce are
enormous. These companies will pursue every legal route to protect their customers.
Figure 6 shows a high-level illustration of defenses available against attacks.

www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com

Education: Your system is only as secure as the people who use it. If a shopper
chooses a weak password, or does not keep their password confidential, then an
attacker can pose as that user. Users need to use good judgment when giving out
information, and be educated about possible phishing schemes and other social
engineering attacks.
Personal firewalls: When connecting your computer to a network, it becomes
vulnerable to attack. A personal firewall helps protect your computer by limiting the
types of traffic initiated by and directed to your computer. The intruder can also scan
the hard drive to detect any stored passwords.
Secure Socket Layer (SSL): Secure Socket Layer (SSL) is a protocol that encrypts
data between the shopper's computer and the site's server. When an SSL-protected
page is requested, the browser identifies the server as a trusted entity and initiates a
handshake to pass encryption key information back and forth. Now, on subsequent
requests to the server, the information flowing back and forth is encrypted so that a
hacker sniffing the network cannot read the contents.
The SSL certificate is issued to the server by a certificate authority authorized by the
government. When a request is made from the shopper's browser to the site's server
using https://..., the shopper's browser checks if this site has a certificate it can
recognize. If the site is not recognized by trusted certificate authority, then the
browser issues a warning as shown in Figure

www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com

Figure

For example in mozilla:

Figure Secure icon in Mozilla Firefox

Server firewalls: A firewall is like the moat surrounding a castle. It ensures that
requests can only enter the system from specified ports, and in some cases, ensures
that all accesses are only from certain physical machines. A common technique is to
setup a demilitarized zone (DMZ) using two firewalls. The outer firewall has ports open
that allow ingoing and outgoing HTTP requests. This allows the client browser to
communicate with the server. A second firewall sits behind the e-Commerce servers.
This firewall is heavily fortified, and only requests from trusted servers on specific
ports are allowed through. Both firewalls use intrusion detection software to detect any
unauthorized access attempts.

www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com

Figure shows the firewalls and honey pots.

Password policies: Ensure that password policies are enforced for shoppers and
internal users. You may choose to have different policies provided by federal
information standard, shoppers versus your internal users. For example, you may
choose to lockout an administrator after 3 failed login attempts instead of 6. These
password policies protect against attacks that attempt to guess the user's password.
They ensure that passwords are sufficiently strong enough so that they cannot be
easily guessed.
Site development best practices
There are many established policies and standards for avoiding security issues.
However, they are not required by law. Some of the basic rules include:

• Never store a user's password in plain text or encrypted text on the system.
Instead, use a one-way hashing algorithm to prevent password extraction.
• Employ external security consultants (ethical hackers) to analyze your system.
• Standards, such as the Federal Information Processing Standard (FIPS),
describe guidelines for implementing features. For example, FIPS makes
recommendations on password policies, etc.

Security best practices remain largely an art rather than a science, but there are some
good guidelines and standards that all developers of e-Commerce software should
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
follow.
Using cookies:
One of the issues faced by Web site designers is maintaining a secure session with a
client over subsequent requests. Because HTTP is stateless, unless some kind of
session token is passed back and forth on every request, the server has no way to link
together requests made by the same person. Cookies are a popular mechanism for
this. An identifier for the user or session is stored in a cookie and read on every
request. You can use cookies to store user preference information, such as language
and currency. The primary use of cookies is to store authentication and session
information, your information, and your preferences. A secondary and controversial
usage of cookies is to track the activities of users.
Using an online security checklist
Use this security checklist to protect yourself as a shopper: some of the checks will be
like:

1. Whenever you logon, register, or enter private information, such as credit card
data, ensure your browser is communicating with the server using SSL.
2. Use a password of at least 6 characters, and ensure that it contains some
numeric and special characters (for example, c0113g3).
3. Avoid reusing the same user ID and password at multiple Web sites.
4. If you are authenticated (logged on) to a site, always logoff after you finish.
5. Use a credit card for online purchases. Most credit card companies will help you
with non-existent or damaged products.

Using threat models to prevent exploits: When architecting and developing a


system, it is important to use threat models to identify all possible security threats on
the server. Think of the server like your house. It has doors and windows to allow for
entry and exit. These are the points that a burglar will attack. A threat model seeks to
identify these points in the server and to develop possible attacks.
Threat models are particularly important when relying on a third party vendor for all or

www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
part of the site's infrastructure. This ensures that the suite of threat models is
complete and up-to-date.

Conclusion

This article outlined the key players and security attacks and defenses in an e-
Commerce system. Current technology allows for secure site design. It is up to the
development team to be both proactive and reactive in handling security threats, and
up to the shopper to be vigilant when shopping online.
Resources

• Learn about social factors in computer security. Schneier, Bruce. Secrets and
Lies: Digital Security In A Networked World, John Wiley and Sons, Inc., 2000.

• A good introduction to computer security. Pfleeger, Charles P., Security in


Computing, Second Edition, Prentice-Hall, Inc., 1996.

• Low level tips for writing secure code. Howard, Michael and LeBland, David,
Writing Secure Code, Second Edition, Microsoft Press, 2003.

• An example of a denial of service attack. Yahoo on Trail of Site Hackers, Reuters


News Service, February 8, 2000.
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com
www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com

References:

www.googlesearch.com

www.MSNET.com

www.netsecurity.com

www.1000projects.com
www.fullinterview.com
www.chetanasprojects.com

You might also like