EVALUATION OF SECURITY OF

AND

Presented by:

1. SABYASACHI DASGUPTA (207225)2. SABARISH D.G (207224)3. RUMA GHOSH (207223)4. RUDRAJIT BHATTACHARYA (207222)5. RITESH SINGH (207221)

e-COMMERCE:

e-commerce can be defined as : e-Commerce refers to the exchange of goods

and services over the Internet. All major retail brands have an online presence. However, e-Commerce also applies to business to business transactions, for example, between manufacturers and suppliers or distributors. e-Commerce systems are also relevant for the services industry. For example, online banking and brokerage services allow customers to retrieve bank statements online, transfer funds, pay credit card bills, apply for and receive approval for a new mortgage, buy and sell securities, and get financial guidance and information.

Amazon and eBay

Both and are online shopping websites. Through them people can search various goods and check the prices. Then, if wanted, they can place an order and the goods are purchased. Then they are delivered to the buyer’s address provided to those websites.

basically, they are a micro part of the e-commerce concentrating only in the area of online shopping.

What are the benefits of e-shopping?

1. Companies have the opportunity to give your customer more information about their purchase, both in terms of product information and in delivery tracking, you can provide direct links to shipping services with tracking numbers and much more.

2. With many of the emerging payment technologies companies will also be able to offer smaller priced items for sale, that is, access to a complete new story for 50 paisa is now practical in eCommerce, but it would be silly to do with mail-order.

3. If companies sell electronic products, like software, your customer doesn't have to wait for overnight delivery services, you can give them immediate delivery once the payment has been cleared.

4. The main advantage of online shopping is that it allows people to browse through many items and categories without leaving their house, to compare the prices of as many shops as they want, and also to order as many items as they can afford without having to worry about how they will transport them, because the online shopping websites also deliver the things to the buyer's home.

5. Furthermore, the Internet is open 24 hours a day, 365 days a year, so you don't have to hurry or worry about finding a parking spot.

What's the risk?

The tremendous increase in online transactions has been accompanied by an equal rise in the number and type of attacks against the security of online payment systems. Some of these attacks have utilized vulnerabilities that have been published in reusable third-party components utilized by websites, such as shopping cart software. Other attacks have used vulnerabilities that are common in any web application, such as SQL injection or cross-site scripting. This article discusses these vulnerabilities with examples, either from the set of known vulnerabilities, or those discovered during the author's penetration testing assignments.

The different types of vulnerabilities discussed here are SQL injection, cross-site scripting, information disclosure, path disclosure, price manipulation, and buffer overflows. Successful exploitation of these vulnerabilities can lead to a wide range of results. Information and path disclosure vulnerabilities will typically act as initial stages leading to further exploitation. SQL injection or price manipulation attacks could cripple the website, compromise confidentiality, and in worst cases cause the e-commerce business to shut down completely.

Points the attacker can

target:

• As mentioned, the vulnerability of a system exists at the entry and exit points within the system. Figure 1 shows an e-Commerce system with several points that the attacker can target:

• Shopper • Shopper' computer • Network connection between shopper and Web

site's server • Web site's server • Software vendor

Figure 1. Points the attacker can target

1. Tricking the shopper

Some of the easiest and most profitable attacks are based on tricking the shopper, also known as social engineering techniques. These attacks involve surveillance of the shopper's behavior, gathering information to use against the shopper. For example, a mother's maiden name is a common challenge question used by numerous sites. If one of these sites is tricked into giving away a password once the challenge question is provided, then not only has this site been compromised, but it is also likely that the shopper used the same logon ID and password on other sites. A common scenario is that the attacker calls the shopper, pretending to be a representative from a site visited, and extracts information. The attacker then calls a customer service representative at the site, posing as the shopper and providing personal information. The attacker then asks for the password to be reset to a specific value.

Another common form of social engineering attacks are phishing schemes. Typo pirates play on the names of famous sites to collect authentication and registration information. For example, http://www.ibm.com/shop is registered by the attacker as www.ibn.com/shop. A shopper mistypes and enters the illegitimate site and provides confidential information. Alternatively, the attacker sends emails spoofed to look like they came from legitimate sites. The link inside the email maps to a rogue site that collects the information.

2. Snooping the shopper's computer

Millions of computers are added to the Internet every month. Most users' knowledge of security vulnerabilities of their systems is vague at best. Additionally, software and hardware vendors, in their quest to ensure that their products are easy to install, will ship products with security features disabled. In most cases, enabling security features requires a non-technical user to read manuals written for the technologist. The confused user does not attempt to enable the security features. This creates a treasure trove for attackers. A popular technique for gaining entry into the shopper's system is to use a tool, such as SATAN, to perform port scans on a computer that detect entry points into the machine. Based on the opened ports found, the attacker can use various techniques to gain entry into the user's system. Upon entry, they scan your file system for personal information, such as passwords.While software and hardware security solutions available protect the public's systems, they are not silver bullets. A user that purchases firewall software to protect his computer may find there are conflicts with other software on his system. To resolve the conflict, the user disables enough capabilities to render the firewall software useless.

3. Sniffing the network

In this scheme, the attacker monitors the data between the shopper's computer and the server. He collects data about the shopper or steals personal information, such as credit card numbers.There are points in the network where this attack is more practical than others. If the attacker sits in the middle of the network, then within the scope of the Internet, this attack becomes impractical. A request from the client to the server computer is broken up into small pieces known as packets as it leaves the client's computer and is reconstructed at the server. The packets of a request is sent through different routes. The attacker cannot access all the packets of a request and cannot decipher what message was sent. Take the example of a shopper in Toronto purchasing goods from a store in Los Angeles. Some packets for a request are routed through New York, where others are routed through Chicago. A more practical location for this attack is near the shopper's computer or the server. Wireless hubs make attacks on the shopper's computer network the better choice because most wireless hubs are shipped with security features disabled. This allows an attacker to easily scan unencrypted traffic from the user's computer.

Figure 2. Attacker sniffing the network between client and server

4. Guessing passwords

Another common attack is to guess a user's password. This style of attack is manual or automated. Manual attacks are laborious, and only successful if the attacker knows something about the shopper. For example, if the shopper uses their child's name as the password. Automated attacks have a higher likelihood of success, because the probability of guessing a user ID/password becomes more significant as the number of tries increases. Tools exist that use all the words in the dictionary to test user ID/password combinations, or that attack popular user ID/password combinations. The attacker can automate to go against multiple sites at one time.

5. Using denial of service attacks

The denial of service attack is one of the best examples of impacting site availability. It involves getting the server to perform a large number of mundane tasks, exceeding the capacity of the server to cope with any other task. For example, if everyone in a large meeting asks you your name all at once, and every time you answer, they ask you again. You have experienced a personal denial of service attack. To ask a computer its name, you use ping. You can use ping to build an effective DoS attack. The smart hacker gets the server to use more computational resources in processing the request than the adversary does in generating the request. Distributed DoS is a type of attack used on popular sites, such as Yahoo!®. In this type of attack, the hacker infects computers on the Internet via a virus or other means. The infected computer becomes slaves to the hacker. The hacker controls them at a predetermined time to bombard the target server with useless, but intensive resource consuming requests. This attack not only causes the target site to experience problems, but also the entire Internet as the number of packets is routed via many different paths to the target.

Figure 3. Denial of service attacks

6. Using known server bugs

The attacker analyzes the site to find what types of software are used on the site. He then proceeds to find what patches were issued for the software. Additionally, he searches on how to exploit a system without the patch. He proceeds to try each of the exploits. The sophisticated attacker finds a weakness in a similar type of software, and tries to use that to exploit the system. This is a simple, but effective attack. With millions of servers online, what is the probability that a system administrator forgot to apply a patch?

7. Using server root exploits

Root exploits refer to techniques that gain super user access to the server. This is the most coveted type of exploit because the possibilities are limitless. When you attack a shopper or his computer, you can only affect one individual. With a root exploit, you gain control of the merchants and all the shoppers' information on the site. There are two main types of root exploits: buffer overflow attacks and executing scripts against a server. In a buffer overflow attack, the hacker takes advantage of specific type of computer program bug that involves the allocation of storage during program execution. The technique involves tricking the server into execute code written by the attacker. The other technique uses knowledge of scripts that are executed by the server. This is easily and freely found in the programming guides for the server. The attacker tries to construct scripts in the URL of his browser to retrieve information from his server. This technique is frequently used when the attacker is trying to retrieve data from the server's database.

8. SQL Injection

SQL injection refers to the insertion of SQL meta-characters in user input, such that the attacker's queries are executed by the back-end database. Typically, attackers will first determine if a site is vulnerable to such an attack by sending in the single-quote (') character. The results from an SQL injection attack on a vulnerable site may range from a detailed error message, which discloses the back-end technology being used, or allowing the attacker to access restricted areas of the site because he manipulated the query to an always-true Boolean value, or it may even allow the execution of operating system commands.

9. Price Manipulation

This is a vulnerability that is almost completely unique to online shopping carts and payment gateways. In the most common occurrence of this vulnerability, the total payable price of the purchased goods is stored in a hidden HTML field of a dynamically generated web page. An attacker can use a web application proxy

to simply modify the amount that is payable, when this information flows from the user's browser to the web server. Shown below is a snapshot of just such a vulnerability that was discovered in one of the author's penetration testing assignments.

10. Buffer overflows

Buffer overflow vulnerabilities are not very common in shopping cart or other web applications using Perl, PHP, ASP, etc. However, sending in a large number of bytes to web applications that are not geared to deal with them can have unexpected consequences. In one of the author's penetration testing assignments, it was possible to disclose the path of the PHP functions being used by sending in a very large value in the input fields. As the sanitized snapshot below shows, when 6000 or more bytes were fed into a particular field, the back-end PHP script was unable to process them and the error that was displayed revealed the location of these PHP functions. Using this error information it was possible to access the restricted 'admin' folder. From the structure of the web site and the visible hyperlinks there would have been no way to determine that there existed the 'admin' directory within the 'func' sub-directory below the main $Document Root.

11. Remote command execution

The most devastating web application vulnerabilities occur when the CGI script allows an attacker to execute operating system commands due to inadequate input validation. This is most common with the use of the 'system' call in Perl and PHP scripts. Using a command separator and other shell metacharacters, it is possible for the attacker to execute commands with the privileges of the web server.

12. Weak Authentication and Authorization

Authentication mechanisms that do not prohibit multiple failed logins can be attacked using tools]. Similarly, if the web site uses HTTP Basic Authentication or does not pass session IDs over SSL (Secure Sockets Layer), an attacker can sniff the traffic to discover user's authentication and/or authorization credentials. Since HTTP is a stateless protocol, web applications commonly maintain state using session IDs or transaction IDs stored in a cookie on the user's system. Thus this session ID becomes the only way that the web application can determine the online identity of the user. If the session ID is stolen or it can be predicted, then an attacker can take over a genuine user's online identity vis-à-vis the vulnerable web site. Where the algorithm used to generate the session ID is weak, it is trivial to write a Perl script to enumerate through the possible session ID space and break the application's authentication and authorization schemes.

What amazon and ebay are

doing:

Amazon and ebay both are quite serious about their security and protection of privacy. They have considered the possible threats and took countermeasures to prevent them. They also have some of the best security prefessionals and sys admins in their organisations.

COMPARISON BETWEEN AMAZON

AND EBAY SECURITY COUNTERMEASURES

1. implementation of Firewall

2. connection or transaction over SSL

3. Password policies4. Intrusion detection and

audits of security logs 5. Using threat models to

prevent exploits 6. Digital Signatures and

Certificates

1.Implementation of firewall

2.3-tier modular network

3.connection or transaction over SSL

4.Use of cookies5.Password policies6.Digital Signatures and

Certificates

A BRIEF DESCRIPTION OF

THE COUNTERMEASURE

TAKEN:

Personal firewalls When connecting your computer to a

network, it becomes vulnerable to attack. A personal firewall helps protect your computer by limiting the types of traffic initiated by and directed to your computer. The intruder can also scan the hard drive to detect any stored passwords.

Secure Socket Layer (SSL)Secure Socket Layer (SSL) is a protocol that encrypts data between the shopper's computer and the site's server. When an SSL-protected page is requested, the browser identifies the server as a trusted entity and initiates a handshake to pass encryption key information back and forth. Now, on subsequent requests to the server, the information flowing back and forth is encrypted so that a hacker sniffing the network cannot read the contents. The SSL certificate is issued to the server by a certificate authority authorized by the government. When a request is made from the shopper's browser to the site's server using https://..., the shopper's browser checks if this site has a certificate it can recognize. If the site is not recognized by a trusted certificate authority, then the browser issues a warning

Server firewalls

A firewall is like the moat surrounding a castle. It ensures that requests can only enter the system from specified ports, and in some cases, ensures that all accesses are only from certain physical machines. A common technique is to setup a demilitarized zone (DMZ) using two firewalls. The outer firewall has ports open that allow ingoing and outgoing HTTP requests. This allows the client browser to communicate with the server. A second firewall sits behind the e-Commerce servers. This firewall is heavily fortified, and only requests from trusted servers on specific ports are allowed through. Both firewalls use intrusion detection software to detect any unauthorized access attempts. Another common technique used in conjunction with a DMZ is a honey pot server. A honey pot is a resource (for example, a fake payment server) placed in the DMZ to fool the hacker into thinking he has penetrated the inner wall. These servers are closely monitored, and any access by an attacker is detected.

Password policiesEnsure that password policies are enforced for shoppers and internal users. A sample password policy, defined as part of the Federal Information Processing Standard (FIPS), is shown in the

table on the next slide.

PASSWORD POLICY

Intrusion detection and audits of security logs

One of the cornerstones of an effective security strategy is to prevent attacks and to detect potential attackers. This helps understand the nature of the system's traffic, or as a starting point for litigation against the attackers. Suppose that you have implemented a password policy, such as the FIPS policy described in the section above. If a shopper makes 6 failed logon attempts, then his account is locked out. In this scenario, the company sends an email to the customer, informing them that his account is locked. This event should also be logged in the system, either by sending an email to the administrator, writing the event to a security log, or both.

Security policies and standards

There are many established policies and standards for avoiding security issues. However, they are not required by law. Some basic rules include:

• Never store a user's password in plain text or encrypted text on the system. Instead, use a one-way hashing algorithm to prevent password extraction.

• Employ external security consultants (ethical hackers) to analyze your system.

• Standards, such as the Federal Information Processing Standard (FIPS), describe guidelines for implementing features. For example, FIPS makes recommendations on password policies.

• Ensure that a sufficiently robust encryption algorithm, such as triple DES or AES, is used to encrypt all confidential information stored on the system.

• When developing third-party software for e-Commerce applications, use external auditors to verify that appropriate processes and techniques are being followed.

• Recently, there has been an effort to consolidate these best practices as the Common Criteria for IT Security Evaluation (CC). CC seems to be gaining attraction. It is directly applicable to the development of specific e-Commerce sites and to the development of third party software used as an infrastructure in e-Commerce sites.

Using cookies

One of the issues faced by Web site designers is maintaining a secure session with a client over subsequent requests. Because HTTP is stateless, unless some kind of session token is passed back and forth on every request, the server has no way to link together requests made by the same person. Cookies are a popular mechanism for this. An identifier for the user or session is stored in a cookie and read on every request. You can use cookies to store user preference information, such as language and currency. This simplifies Web page development because you do not have to be concerned about passing this information back to the server. The primary use of cookies is to store authentication and session information, your information, and your preferences. A secondary and controversial usage of cookies is to track the activities of users.

Using threat models to prevent exploits

When architecting and developing a system, it is important to use threat models to identify all possible security threats on the server. Think of the server like your house. It has doors and windows to allow for entry and exit. These are the points that a burglar will attack. A threat model seeks to identify these points in the server and to develop possible attacks. Threat models are particularly important when relying on a third party vendor for all or part of the site's infrastructure. This ensures that the suite of threat models is complete and up-to-date.

Digital Signatures and Certificates

Digital signatures meet the need for authentication and integrity. To vastly simplify matters (as throughout this page), a plain text message is run through a hash function and so given a value: the message digest. This digest, the hash function and the plain text encrypted with the recipient's public key is sent to the recipient. The recipient decodes the message with their private key, and runs the message through the supplied hash function to that the message digest value remains unchanged (message has not been tampered with). Very often, the message is also timestamped by a third party agency, which provides non-repudiation.What about authentication? How does a customer know that the website receiving sensitive information is not set up by some other party posing as the e-merchant? They check the digital certificate. This is a digital document issued by the CA (certification authority: Verisign, Thawte, etc.) that uniquely identifies the merchant. Digital certificates are sold for emails, e-merchants and web-servers.

What does the statistics say:

CUPERTINO, Calif. – Sept. 20, 2004 - Symantec Corp. (Nasdaq: SYMC), the global leader in information security, its newest Internet Security Threat Report. The sixth quarterly report provides analysis and discussion of trends in Internet attacks, vulnerabilities, and malicious code activity for the period of Jan. 1, 2008 to march 30, 2008.

Increased Threats to e-Commerce: During this reporting period, e-Commerce was the single most targeted industry, with nearly 16 percent of attacks against it. This represents a 400-percentage increase from the four percent reported during the previous six months. This rise may indicate a shift from attacks motivated by notoriety to attacks motivated by economic gain. This possibility is further illustrated by an increase in phishing scams and spyware designed to steal confidential information and pass it along to attackers.

Conclusion:

Both the websites are well equipped for the prevention of internet security threats. But though, in the digital world, nothing is fullproof. So, both of them should consider some necessory actions, which are:

1. To employ professional sys Admins2. To use latest security patches3. Using modular networks4. Constant evaluation of their website security5. Mock attack practice6. Staying prepared from social engineering7. And using the latest security available.

THANK YOU