Security in e-commerce


Presentation by Luc de Graeve at the Gordon institute of business science in 2001.

This presentation is about security in e-commerce and is aimed at making people aware of what hackers do, how they do it and the financial implications of their actions. The presentation begins with a few examples of defaced websites and ends with a discussion on risk and assessment.


1. Security in e-Commerce

2. AGENDA
  • 1. CASE STUDY
      • Wake-up call: February 2000
  • 2. THE BASICS
      • Understanding the 'Net
      • Understanding DoS
  • 3. THE NEW KID ON THE BLOCK - HELLO DDoS
      • Introducing co-ordinated distributed attacks
      • Profile of a typical attack
      • Common DDoS attack tools
  • 4. DEFENDING YOURSELF & YOUR FRIENDS
      • Strategies for availability
      • Join the team - global defence efforts
      • Getting greasy
  • 5. RESPONDING TO DoS ATTACKS
      • What to do when your number's up
  • 6. THE BOTTOM LINE
      • Questions & conclusions

3. Introduction
  • About me
  • SensePost
  • Objective
  • Approach
  • References:
      • [email_address]
      • [email_address]

  "discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention" - Charles Tomlinson, Rudimentary Treatise on the Construction of Locks, 1850
21. "Just in case you missed out on the whole ordeal last week, we were hacked 4 times by an elite group called r 139. So we thought we would help the hackers out by hacking our own page to save them some time..."

23. We're trying to make banking... Simpler. Better. Faster.

24. We're trying to break banking... Simpler. Better. Faster.

25. What hackers do
  • Steal
      • Information - to use and to sell
      • Money from accounts
      • Goods through e-buying
      • Resources - time and equipment
  • Talk, boast
  • Leave backdoors open
      • Launch new attacks

26. How do they do it?
  • Social engineering
  • Networking
  • Resources from the web...

29. How do they do it? (2)
  • Information gathering
  • Footprinting
  • Identify servers/services by portscan
  • Identify OS and service types (e.g. Microsoft, IIS)
  • Check vulnerability databases
  • Run a vulnerability checker (whisker)
  • Search for an exploit tool / build an exploit tool
  • Use the tool
  • Gain control
  • Deface, delete, cover tracks
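The reconnaissance steps on slide 29 (portscan, then identify the service type and version so it can be looked up in a vulnerability database) come down to reading what a service says first. The following is an added example written for this page, not code from the presentation or from SensePost. The banner strings in SAMPLE_BANNERS are constructed for the example and the regexes only cover a handful of common services of the period; grab_banner performs a real network connection and is not exercised by the offline samples.

```python
"""Service fingerprinting from TCP banners (added example, not from the original slides)."""
import re
import socket

# Assumption for the example: a small pattern table mapping banner text to
# product, version and an OS guess. Real tools carry thousands of these.
_PATTERNS = [
    (re.compile(r"^Server:\s*Microsoft-IIS/(?P<ver>[\d.]+)", re.M), "Microsoft IIS", "Windows"),
    (re.compile(r"^Server:\s*Apache/(?P<ver>[\d.]+)(?:\s*\((?P<os>[^)]+)\))?", re.M), "Apache httpd", None),
    (re.compile(r"^SSH-[\d.]+-OpenSSH[_-](?P<ver>[\w.]+)", re.M), "OpenSSH", "Unix-like"),
    (re.compile(r"^220 .*?\(Version wu-(?P<ver>[\w.]+)", re.M), "wu-ftpd", "Unix-like"),
    (re.compile(r"^220 .*?Sendmail (?P<ver>[\d.]+)", re.M), "Sendmail", "Unix-like"),
]

# Constructed sample banners, keyed by port, standing in for live responses.
SAMPLE_BANNERS = {
    21: "220 ftp.example.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.\r\n",
    22: "SSH-1.99-OpenSSH_2.2.0p1\r\n",
    23: "\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'",          # telnet option negotiation, no product name
    25: "220 mail.example.com ESMTP Sendmail 8.9.3/8.9.3; Mon, 5 Mar 2001 02:14:07 +0200\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nDate: Mon, 05 Mar 2001 00:14:07 GMT\r\n\r\n",
    8080: "HTTP/1.1 200 OK\r\nServer: Apache/1.3.12 (Unix)\r\n\r\n",
}


def fingerprint(banner):
    """Map a banner to {'product', 'version', 'os'}; None when nothing matches.

    The version string is the piece an attacker (or a defender doing the same
    exercise first) takes to the vulnerability database."""
    for pattern, product, default_os in _PATTERNS:
        m = pattern.search(banner)
        if m:
            os_guess = m.groupdict().get("os") or default_os
            return {"product": product, "version": m.group("ver"), "os": os_guess}
    return None


def fingerprint_all(banners):
    """Run fingerprint() over a {port: banner} map; unrecognised ports map to None."""
    return {port: fingerprint(text) for port, text in banners.items()}


def grab_banner(host, port, timeout=3.0):
    """Connect and return the first bytes the service sends (network call).

    HTTP servers say nothing until asked, so those get a HEAD request first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        if port in (80, 8080):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        try:
            return s.recv(1024).decode("latin-1")
        except socket.timeout:
            return ""


if __name__ == "__main__":
    for port, result in sorted(fingerprint_all(SAMPLE_BANNERS).items()):
        print(port, result)
```

Running the same fingerprinting against your own perimeter, before an attacker does, is the cheapest part of the "know your own risk profile" advice later in the deck: anything that answers with a product and version is something you can look up in the same databases the attacker uses.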
30. February Fun
  • Major attack launched between February 7 and 14, 2000
  • Approximately 1,200 sites affected
  • Including a number of high-profile sites:
      • Yahoo, eBay, Amazon, Dell, among others
  • Simple bandwidth consumption
  • The Yahoo! attack lasted from about 10:30 a.m. till 1 p.m.
      • requests totalled roughly 1 gigabit per second
  • Canadian teen "Mafiaboy" arrested in April
      • pleads guilty to 55 charges in Montreal, November 2000
      • faces up to 2 years' detention and a US$650 fine

31. February Fun - the aftermath
  • The FBI estimates that the DoS attacks of February 2000 cost US$1.2 billion
  • eBay's share price fell 25% the day after its website was taken down, costing it a total of US$1.2bn. It reportedly spent US$100,000 securing its site against further attacks.
32. DoS using amplifiers - SMURF check

33. New kid on the block - DDoS

34. Profile of a typical attack
  • Initiate a scan phase in which a large number of hosts (100,000 or more) are probed for a known vulnerability
  • Compromise the vulnerable hosts to gain access
  • Install a rootkit
  • Install the DDoS tool on each host
  • Use the compromised hosts for further scanning and compromises
  • Via automated processes a single host can be compromised in under 5 seconds

35. Building an attack network
  • August 1999: a trinoo network of 2,200 systems was used against the University of Minnesota and others
  • Assuming 3 to 6 seconds per host and pre-selection of the target systems, that gives 2 to 4 hours to set up the whole network

36. The challenge of DDoS
  • You may be down
  • Spoofed addresses
      • Technically difficult to trace
  • Diverse network ownership
      • You don't control the infrastructure
      • Neither does your ISP
  • Different time zones
      • Hello, is that Singapore?
  • Language
      • Sprechen Sie Deutsch?
  • National boundaries
  • Differing legislation
  • Protecting legitimate users
      • You can't just block
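Slides 34 and 35 describe the recruitment phase that precedes a DDoS: one source sweeping thousands of hosts for a single vulnerable service, a few seconds per host. That pattern is visible in packet-filter logs long before the flood starts, which is the point at which "defending your friends" is cheapest. The following detection logic is an added example for this page, not code from the presentation or from any product; the log format and the log lines built by build_sample_log are constructed for the example (the port-111 sweep stands in for the RPC-service scanning of the period), and the thresholds are assumptions.

```python
"""Spotting the DDoS recruitment scan in packet-filter logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: one line per logged SYN, loosely modelled on a
# packet-filter log. Not any real product's format.
LOG_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def find_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {src: {"max_targets": n, "ports": [...]}} for every source that
    touches at least min_targets distinct destinations inside any `window`.

    A normal client hits a few hosts many times; a recruitment sweep hits many
    hosts once each. Counting distinct destinations rather than packets is what
    separates the two."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev[1]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()                     # chronological; tuples sort on timestamp first
        in_window = Counter()          # destination -> hits currently inside the window
        lo, best = 0, 0
        for ts, _, dst, _ in evs:
            in_window[dst] += 1
            while evs[lo][0] < ts - window:   # expire events that fell out of the window
                old = evs[lo][2]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            flagged[src] = {"max_targets": best, "ports": sorted({e[3] for e in evs})}
    return flagged


def build_sample_log():
    """Constructed sample: one host sweeping 40 addresses on port 111 at one
    probe per second, interleaved with a browser making 25 requests to one web
    server. Only the first should be flagged."""
    t0 = datetime(2001, 3, 5, 2, 14, 0)
    lines = []
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} SRC=198.51.100.77 DST=192.0.2.{i + 1} DPT=111")
    for i in range(25):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} SRC=203.0.113.5 DST=192.0.2.80 DPT=80")
    return lines


if __name__ == "__main__":
    for src, info in find_scanners(build_sample_log()).items():
        print(f"{src}: {info['max_targets']} hosts in 60 s on ports {info['ports']}")
```

The sliding window matters because the slide's figure of "under 5 seconds per host" means a sweep of a /24 fits comfortably inside a minute; a daily aggregate would flag the same source but only after the hosts are already recruited.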
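Two of the points above, the SMURF amplifier on slide 32 and the spoofed source addresses that make DDoS hard to trace on slide 36, are both dealt with at the network edge, and the deck's references point at the Cisco router configuration and the amplifier test for exactly that. The model below is an added example for this page, not the presentation's material and not a real router's behaviour; it simulates the two filters an edge router should apply (dropping directed broadcasts, and source-address validation in both directions as described in RFC 2827 / BCP 38) and the amplification the victim sees when the first one is missing. The prefixes, packet sizes and host counts are constructed for the example.

```python
"""Edge-router filtering against SMURF amplification and spoofed sources (added example)."""
import ipaddress


class EdgeRouter:
    """Minimal model of an edge router sitting between `internal_prefixes` and the Internet.

    drop_directed_broadcast models Cisco's 'no ip directed-broadcast'.
    ingress_filter models BCP 38 source validation: packets leaving must carry
    one of our addresses, packets arriving must not."""

    def __init__(self, internal_prefixes, drop_directed_broadcast=True, ingress_filter=True):
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]
        self.drop_directed_broadcast = drop_directed_broadcast
        self.ingress_filter = ingress_filter

    def _is_internal(self, addr):
        return any(addr in net for net in self.internal)

    def _is_directed_broadcast(self, addr):
        return any(addr == net.broadcast_address for net in self.internal)

    def decide(self, src, dst, iface):
        """Return ("forward" | "drop", reason) for a packet seen on iface 'inside' or 'outside'."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if iface == "inside":
            if self.ingress_filter and not self._is_internal(src):
                return ("drop", "spoofed source: not one of our prefixes (BCP 38 egress)")
            return ("forward", "ok")
        if self.ingress_filter and self._is_internal(src):
            return ("drop", "our own address arriving from outside (anti-spoof ingress)")
        if self.drop_directed_broadcast and self._is_directed_broadcast(dst):
            return ("drop", "directed broadcast: would act as a smurf amplifier")
        return ("forward", "ok")


def smurf_bytes_at_victim(router, victim, broadcast_dst, hosts_replying, requests, request_bytes=64):
    """Bytes the spoofed victim receives when `requests` ICMP echo requests of
    request_bytes, with the victim as source, are sent at the directed-broadcast
    address behind `router`. Assumption: every live host replies once, with a
    reply the same size as the request, so the amplification factor is hosts_replying."""
    action, _ = router.decide(victim, broadcast_dst, iface="outside")
    if action == "drop":
        return 0
    return requests * hosts_replying * request_bytes


if __name__ == "__main__":
    victim, amplifier_net = "198.51.100.9", "192.0.2.255"
    legacy = EdgeRouter(["192.0.2.0/24"], drop_directed_broadcast=False)
    fixed = EdgeRouter(["192.0.2.0/24"])
    print("victim receives", smurf_bytes_at_victim(legacy, victim, amplifier_net, 254, 1000), "bytes via legacy router")
    print("victim receives", smurf_bytes_at_victim(fixed, victim, amplifier_net, 254, 1000), "bytes via fixed router")
    # The attacker's own ISP could have stopped the spoof at the source:
    attacker_isp = EdgeRouter(["203.0.113.0/24"])
    print(attacker_isp.decide(victim, amplifier_net, iface="inside"))
```

The third case is the one the deck's "join the team" section is about: the spoofed packet is dropped by the attacker's own provider, which gains nothing directly from doing so. Amplifier networks and spoof-capable networks each cost someone else availability, so the filters only work when everyone applies them.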
37. Future Imperfect - predictions 2001
  Marcus H. Sachs, US Department of Defense: "2001 will also see continued development of distributed denial of service attack networks. These attack networks will no longer rely on manual establishment by the attacker, but will automatically establish themselves through the use of mobile code and html scripting."

38. Future Imperfect - predictions 2001
  Peter G. Neumann, SRI International: "We are likely to see some organized, possibly collaborative, attacks that do some real damage, perhaps to our critical infrastructures, perhaps to our financial systems, perhaps to government systems, all of which have significant vulnerabilities."

39. Future Imperfect - predictions 2001
  Bruce Moulton, Fidelity Investments: "Hacktivism and other cyber attacks emanating from countries with weak or non-existent legal sanctions and investigative capabilities will escalate. This is likely to be the root of at least one headline-grabbing cyber incident (much bigger than DDoS or LoveBug) that will send a loud wake-up call to the commercial sector."
40. SECURITY STATISTICS: Commercial Crime
  • Commercial crime up 3.5% from last year
      • R3.4 billion in the first half of '99 alone
  • 84.3% of cases involved fraud
      • 25,000 incidents
      • R2.9 billion
  • Gauteng occupies first position with regard to commercial crime

41. SECURITY STATISTICS: Computer Crime
  • 61% of the organisations surveyed have experienced losses due to unauthorised computer use
  • The average loss resulting from security breaches in all categories was approximately $1,000,000
  • FBI / CSI Survey, 1999

42. SECURITY STATISTICS: CyberCrime Costs Money
  "Just ask Edgars, the clothing retail group, which lost more than R1m after a computer programmer brought down more than 600 stores for an entire day." - Financial Mail, April 2000

43. SECURITY STATISTICS: Computers & Commercial Crime
  • KPMG: "63% of top-level managers in South Africa rate their company's dependence on IT for the successful running of business as 'Extremely High'"

44. SECURITY STATISTICS: Did they have it coming?
  Security technologies in use among respondents:
  • Access control: 93%
  • Biometrics: 9%
  • Encrypted files: 61%
  • Anti-virus software: 98%
  • Reusable passwords: 61%
  • Firewalls: 91%
  • Encrypted log-in/sessions: 46%
  • Physical security: 91%
  • PCMCIA, smart cards, one-time tokens: 39%
  • Intrusion detection: 42%
  • Digital IDs, certificates: 34%
  • FBI / CSI Survey, 1999

45. SECURITY STATISTICS: Threat Distribution - USA
  • Theft of proprietary info: 20%
  • Sabotage of data or networks: 15%
  • Telecom eavesdropping: 10%
  • System penetration by outsider: 24%
  • Insider abuse of net access: 76%
  • Financial fraud: 11%
  • Denial of service: 25%
  • Virus contamination: 70%
  • Unauthorised access to info by insider: 43%
  • Telecom fraud: 13%
  • Active wiretapping: 2%
  • Laptop theft: 54%

46. SECURITY STATISTICS: Threat Distribution - RSA
  • Some form of breach: 89%
  • Virus incident: 87%
  • Theft of equipment: 80%
  • E-mail intrusion: 27%
  • Loss of company documents: 12%
  • Breach of confidentiality: 8%
  • External systems attack: 8%
  • Internal systems attack: 6%

47. SECURITY STATISTICS: The value of statistics
  • What we know:
      • There is a threat to our information resources
      • The threat has direct financial implications
      • The threat is growing
      • A large part of the threat is internal
      • There are a number of distinguishable trends
  • What we don't know:
      • How accurate are the statistics?
      • Are international statistics relevant in SA?
      • Are international solutions relevant in SA?
      • What does this all mean to me?
  • You need to determine your own unique risk profile
48. What, me worry?!
  • Loss in productivity
  • Human resources
      • Internal & external
  • Loss of reputation
  • Lost confidence
      • in your service & in e-business in general
  • Lost transaction revenue
  • Lost customer base
  • Share price manipulation
      • Shareholders, staff, working capital
  • Liability costs

49. Whoah Cowboy!, February 2000:
  "The Internet has now taken a drastic 'hit' to its reliability and integrity due to the recent DDoS attacks. It is only through the cooperation and unification of all Internet users that we will find the solution - and stop DDoS from taking the Internet out from under our commerce, education, communities, and individuals."
  But has it really been all that bad?

50. TRENDS & FUTURE THREATS: The New Wave is here
  • We're already seeing examples of the new generation of threats:
  • DDoS
      • Yahoo / eBay
  • Trojans & worms
      • Microsoft
  • Semantic attacks
      • Emulex Corp.
      • NIKE
      • Air traffic control
  • Corporate backdoors
      • Microsoft NSA backdoor?
      • 3COM switch undocumented access

51. DEFINING RISK: What is Information Risk?
  The magnitude of the risk is the product of the value of the information and the degree to which the vulnerability can be exploited.

52. DEFINING RISK: Determining your own risk
  • What is risk?
      • Valuable resources + exploitable technology
  • What is "secure"?
      • When the financial losses incurred are at an acceptable level
  • Your "risk profile":
      • The value of your information
      • The degree of technological vulnerability
      • A level of loss that is acceptable to you
          • Unique to your organisation. Today.
53. ASSESSING YOUR RISK: Objectives of a Risk Assessment
  • Understand your own unique risk profile
  • Determine whether a given system:
      • safeguards assets
      • maintains data integrity
      • allows the goals of the organisation to be achieved
  • Identify significant computer security threats
  • Measure yourself against a defined standard
      • Internal (policy)
      • External (certification)
  • Make informed decisions on how to spend
      • Time
      • Money
      • People

54. ASSESSING YOUR RISK: An effective Assessment
  • Independent and objective
  • Business aware but technology focused
  • Proves its worth
  • Concrete, practical recommendations
  • Finite
  • Honest
  • Recursive...

55. ASSESSING YOUR RISK: Recursive Assessments
  • Delta testing
      • Monitor the effect of changes
  • New exploits and vulnerabilities
      • Staying secure in a global battlefield
  • Improved methodologies
      • Tools, techniques, philosophies etc.
  • Innovation
      • A chance to get to know you
  • Extended scope
      • There's never enough time
  • Enhanced scope
      • Moving toward a zero-defect environment

56. INFORMATION SECURITY FUNDAMENTALS - charl van der walt (content removed)

57. Planning for disaster
  • Be convinced that the Internet is not a friendly place
  • Be prepared to detect failure (malicious or accidental)
  • Mirror critical resources
      • geographically remote from the original
  • Create transparent alternative entry points
  • Implement switching in the case of failure
      • Must be considered during the design phase
  • Analyse, plan, communicate, test

58. Things to consider
  • The Internet is probably not your main income generator
  • There's more than one way to skin a cat
      • Physical attacks on infrastructure
      • Hardware theft
      • DNS & other upstream services
      • Viruses & other content-borne attacks
      • Getting "Slashdotted"
  • Who's responsible for your family jewels?
  • It could get worse:
      • Imagine an MS-based worm attack

59. THE BOTTOM LINE
  • 1. Take security seriously
  • 2. Don't panic!
  • 3. Value your information
  • 4. Evaluate your risk
  • 5. Be requirement driven, not technology driven

60. Questions?

61. Useful References
  • Information Systems Audit & Control Association
  • Configuring Cisco routers
  • Archive of DDoS attack tools
  • CERT
  • Paul Ferguson's DDoS resource page
  • Test whether your network space can be used as an amplifier
  • RFCs
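Slide 57's "detect failure, mirror critical resources, implement switching" hides a design decision that has to be made up front: how many failed probes before you switch away from the primary, and how many good ones before you switch back. Switch too eagerly and an intermittent flood makes your entry point flap, which is a DoS of your own making; switch too late and the mirror buys you nothing. The controller below is an added example written for this page, not the presentation's material or any product's code; the site names and the probe sequence in sample_probe_sequence are constructed for the example, and the thresholds are assumptions.

```python
"""Health-probe driven switching between a primary and a geographically remote mirror (added example)."""


class FailoverController:
    """Decide which entry point to publish, given one round of health probes at a time.

    sites[0] is the primary; later entries are mirrors in preference order."""

    def __init__(self, sites, fail_after=3, recover_after=5):
        self.sites = list(sites)
        self.active = 0
        self.fail_after = fail_after          # consecutive failed probes before switching away
        self.recover_after = recover_after    # consecutive good probes of the primary before failing back
        self.fail_streak = {s: 0 for s in self.sites}
        self.ok_streak = {s: 0 for s in self.sites}

    def observe(self, probe):
        """probe: {site: True if it answered this round}. Returns the site to publish."""
        for site, healthy in probe.items():
            if healthy:
                self.ok_streak[site] += 1
                self.fail_streak[site] = 0
            else:
                self.fail_streak[site] += 1
                self.ok_streak[site] = 0

        current = self.sites[self.active]
        if self.fail_streak[current] >= self.fail_after:
            # Switch to the most preferred site that answered in this round.
            for i, site in enumerate(self.sites):
                if i != self.active and probe.get(site) is True:
                    self.active = i
                    break
        elif self.active != 0 and self.ok_streak[self.sites[0]] >= self.recover_after:
            self.active = 0                   # fail back only after sustained recovery
        return self.sites[self.active]


def run_probes(controller, probes):
    """Feed a sequence of probe rounds through the controller; return the published site per round."""
    return [controller.observe(p) for p in probes]


def sample_probe_sequence():
    """Constructed: the primary (Johannesburg) goes dark for four rounds, then recovers."""
    p, m = "www-jhb", "www-cpt"
    return (
        [{p: True, m: True}]
        + [{p: False, m: True}] * 4
        + [{p: True, m: True}] * 5
    )


if __name__ == "__main__":
    ctl = FailoverController(["www-jhb", "www-cpt"])
    for round_no, site in enumerate(run_probes(ctl, sample_probe_sequence()), 1):
        print(f"round {round_no}: publish {site}")
```

With fail_after=3 the primary stays published through the first two failed rounds and only the third triggers the switch; a single lost probe, of the kind a saturated link produces all the time, moves nothing. Failing back needs five clean rounds, so a primary that is still being hit intermittently does not drag users back and forth. The same two numbers are what you tune in DNS TTLs or a load-balancer's health checks; the point of the slide is that they have to be chosen, and tested, before the day the number comes up.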