
E-Commerce and Web Security Lesson 14

Upload: cecilia-booker

Post on 24-Dec-2015


Page 1: E-Commerce and Web Security Lesson 14

E-Commerce and Web Security

Lesson 14

Page 2

Threats to Web Sites

Employee Misbehavior (deliberate or otherwise)
Crackers
Angry Customers
Political Activism
Terrorism
Criminals
Competitors
Nonhostile acts
“acts of God”
“acts of Clod”
– Death by backhoe or pile driver
– Operator error
– Poorly executed updates, maintenance

Page 3

Web Defacement

Page 4

Web Defacement -- Hacktivism

Page 5

E-commerce

Page 6

Risks to Sonia in previous slide

The risk that the information she provides for this transaction will be used against her at some future time. For example, the address that she gives may end up on a mailing list and used to send her unwanted physical or electronic mail.

The risk that the merchant might take over Sonia’s web browser and use it to surreptitiously glean information from her computer about her.

The risk that the merchant may experiment with Sonia’s sensitivity to price or determine the other stores where she is shopping, allowing the merchant to selectively raise the prices that are offered to Sonia so that they will be as high as she is willing to pay – and definitely higher than the prices that are charged the “average” customer.

Page 7

Risks to the merchant

Sonia might in fact be a competitor, or an automated program that is systematically scanning the store’s inventory and obtaining a complete price list.

Sonia might be Jason, a 14-year-old computer prankster who has stolen Sonia’s credit card number and is using it illegally to improve his CD collection.

Jason might break into the merchant’s computer where Sonia’s card number is kept and steal it, making the merchant open to liability.

Jason could have broken into the merchant’s computer and be issuing fraudulent orders.

Jason might have his own credit card and, having compromised the merchant’s computer, he issues reverse charge orders into Jason’s account. The credits appear on Jason’s card and he quickly removes the cash.

Jason might alter the store’s database or WWW pages so the CDs received are not the ones the customers ordered.

Jason might sabotage the online store by lowering the prices of the merchandise to below the store’s cost.

Page 8

Threats at key points to E-commerce

Page 9

Threats to E-business

[Diagram: threats at the Client, across the Internet, and at the Server. Threats named in the diagram: Mobile Code, Open Shares, Interception of Data, Man-in-the-Middle, Spoofing, CGI problems, Coding problems, Subversion, Misconfigurations, Open directories/shares, Access control, Default accounts.]

Page 10

A type of Social Engineering

<script>password = prompt("Please enter your dial-up password", "");</script>

Page 11

Web-based vulnerabilities

Manually inspect web pages

View Page Source: often find comments which may contain
– email addresses, comments, old passwords, phone numbers
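The manual "View Page Source" review described above can be turned into a pre-publication check. The following is an added example, not code from the lesson: it extracts every HTML comment from a page and flags the ones that look like they carry an e-mail address, a phone number or a password reference. The sample page and the patterns are constructed for illustration; the patterns are hints for a human reviewer, not proof of a leak.

```python
"""Flag HTML comments that may leak information before a page goes live.
Added example; the sample page below is constructed."""
import re

# Constructed sample page: the kind of leftovers a source review turns up.
SAMPLE_HTML = """<html><head><title>Shop</title>
<!-- TODO: ask webmaster@example.com before changing the cart -->
</head><body>
<!-- old admin password was hunter2, changed 1999 -->
<!-- support line: 555-0100 -->
<p>Welcome</p>
<!-- layout tweak -->
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Each pattern is a hint, not proof; a reviewer still reads every hit.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{4}\b"),
    "password": re.compile(r"\b(password|passwd|pwd)\b", re.IGNORECASE),
}


def extract_comments(html):
    """Return the text of every HTML comment, stripped of surrounding whitespace."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def flag_comments(html):
    """Return (comment, [matched categories]) for each comment that hits a pattern."""
    findings = []
    for comment in extract_comments(html):
        hits = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(comment)]
        if hits:
            findings.append((comment, hits))
    return findings


if __name__ == "__main__":
    for comment, hits in flag_comments(SAMPLE_HTML):
        print(f"{', '.join(hits):>10}: {comment}")
```

Run it over the rendered HTML of each page in a release (a crawl of the staging site, for instance) and treat every hit as something to delete from the source, not merely to hide.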

Page 12

Finding well-known vulnerabilities

Automated Scripts

Phfscan.c
– an example script that implemented an interface to a white-pages like service used to look up name and address information. User could, however, trick it to execute commands locally by “escaping” the script by using a newline character in the input.

Cgiscan.c
– scans for a number of the older scripts such as:
PHF - (see above)
count.cgi - buffer overflow, allow remote execution
test-cgi - list all files and directories in scripts directory (thus may be able to find other, more serious, vulnerabilities)
PHP - one vulnerability allowed you to view any file on system; also a buffer overflow problem
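The phf lesson is that filtering out the shell characters you can think of is not the same as accepting only the characters a name lookup needs. The block below is an added example, not the phf source: the denylist is a constructed illustration of the blocking-known-bad approach (it is not the original script's filter), and the allowlist shows the accept-known-good alternative for a surname field. The newline case is the one the slide describes.

```python
"""Denylist versus allowlist validation for a name-lookup CGI field.
Added example; the denylist is constructed to illustrate the approach and is
not the filter from any real script."""
import re

# Constructed denylist: blocks the obvious shell metacharacters but, like the
# filter the slide describes, says nothing about a newline.
SHELL_DENYLIST = set(';&|`$<>\\"\'()')


def denylist_accepts(value):
    """Accept the input unless it contains a character on the denylist."""
    return not any(ch in SHELL_DENYLIST for ch in value)


# Allowlist: a surname needs letters, spaces, hyphens and apostrophes, bounded
# in length. Anything else, including control characters, is rejected outright.
NAME_ALLOWED = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def allowlist_accepts(value):
    """Accept the input only if every character is one a name may contain."""
    return NAME_ALLOWED.fullmatch(value) is not None


def has_control_chars(value):
    """True if the string carries any ASCII control character (newline included)."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


if __name__ == "__main__":
    for sample in ["Smith", "O'Brien", "Smith\nsecond line"]:
        print(repr(sample), "denylist:", denylist_accepts(sample),
              "allowlist:", allowlist_accepts(sample))
```

The allowlist is a guard, not the whole fix: a lookup program should be started with an argument list rather than through a shell, so that no character in the input is ever interpreted as a command separator. The denylist also shows the other failure of the approach, rejecting a legitimate name such as O'Brien while passing the newline.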

Page 13

Taking down a web site using only a browser: from “Hacking Exposed”

Sample ColdFusion problem (problem is in how they handle their input validation for passwords)

Point your browser to the Administrator logon page of a typical ColdFusion server
Edit the HTML by using File | Edit Page
Change the ACTION tag by prepending the server name/address to the URL
Change the HTML tag holding the password so the size and maxlength properties are in the 1,000,000 range
Preview and save the HTML file
Generate close to 1,000,000 characters and input to password field.
Watch CPU utilization go to 100% (or if you make it 1,000,000,000 watch it die instantly)

Page 14

Misuse of hidden tags

Poor shopping-cart design can allow attackers to falsify values if hidden HTML tags are the sole mechanism for assigning the price to an item. Ex:

<input type=hidden name="price" value="199.99">

A simple change using Netscape Composer would allow the user to modify the price to 1.99

Modify the width value of fields to some arbitrary large number then submit large string. May be able to crash the server.
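Both the hidden-price and the oversized-field problems (and the ColdFusion password-field case on the previous slide) come down to the same rule: anything the browser sends, including a hidden value or a declared maxlength, is under the client's control, so the server must supply its own prices and its own limits. The following is an added example, not code from the lesson or from any shopping-cart product; the catalog, the limits and the form data are constructed.

```python
"""Server-side order handling that trusts nothing in the submitted form.
Added example; catalog, limits and form contents are constructed."""
from decimal import Decimal

# Constructed catalog: the server's own price list is the only source of price.
CATALOG = {"CD-1001": Decimal("199.99"), "CD-1002": Decimal("12.49")}

# Server-chosen bounds. A browser-side maxlength of 1,000,000 changes nothing
# here: the request is measured and rejected before any further work is done.
MAX_FIELD_LEN = 256
MAX_QTY = 100


class RejectedOrder(ValueError):
    """Raised with a short reason when a form is refused."""


def check_lengths(form):
    """Refuse any field name or value longer than MAX_FIELD_LEN characters."""
    for name, value in form.items():
        if len(name) > MAX_FIELD_LEN or len(value) > MAX_FIELD_LEN:
            raise RejectedOrder(f"field {name[:20]!r} exceeds {MAX_FIELD_LEN} characters")


def price_order(form):
    """Return (sku, qty, total) priced from CATALOG; a submitted 'price' is ignored."""
    check_lengths(form)
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise RejectedOrder("unknown item")
    try:
        qty = int(form.get("qty", "1"))
    except ValueError:
        raise RejectedOrder("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise RejectedOrder("quantity out of range")
    return sku, qty, CATALOG[sku] * qty


def validate_order(form):
    """Return (result, None) when accepted, or (None, reason) when refused."""
    try:
        return price_order(form), None
    except RejectedOrder as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed submissions: one with a tampered hidden price, one oversized field.
    print(validate_order({"sku": "CD-1001", "qty": "1", "price": "1.99"}))
    print(validate_order({"sku": "CD-1001", "qty": "1", "password": "A" * 1_000_000}))
```

The length check runs first so that an oversized field costs the server a length comparison and nothing more; the web server or framework in front of the application should additionally cap the total request body size, since the application-level check only sees what has already been read.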

Page 15

Tips for the E-Commerce Consumer

Buy only from a reputable site.
Avoid responding to e-mails asking you for personal info such as address, credit card numbers, and SSNs.
When conducting an online transaction, ensure your Web browser has established an encrypted session.
Carefully examine credit card statements, particularly for those cards you use for online purchases.
Select good passwords for accounts.

Page 16

Tips for the E-Commerce Merchant

Ensure all patches and updates (OS and applications) are applied.
Servers should be protected by firewalls and IDS.
Common applications should be thoroughly reviewed for possible vulnerabilities.
Customer data should be kept on a separate server, not the same server that houses the Web application.
Customer data should be encrypted.
Web servers and their supporting systems should be tested on a regular basis by trained security professionals.

Page 17

Tips for Merchant (cont)

Eliminate default accounts
Prohibit poor/easily guessed passwords
Deactivate all unnecessary services
Ensure file access permissions are properly set
Enable audit logging
Run system file integrity checks

Page 18

Summary

What is the Importance and Significance of this material?

How does this topic fit into the subject of “Voice and Data Security”?