This document discusses various topics relating to web security, including:
1) Different types of web pages like static, dynamic, and active pages and the technologies used to create them like JavaScript, Java, and CGI.
2) Security issues associated with technologies like ActiveX, Java applets, JavaScript, and cookies.
3) Protocols for secure communication like HTTPS, digital certificates, and single sign-on systems.
4) Methods for secure electronic commerce including SET and digital cash technologies.
In the Middle of Printers: (In)security of Pull Printing Solutions - Positive Hack Days
This document summarizes three examples of security assessments of pull printing solutions. In each example, the assessors found vulnerabilities such as weak encryption, lack of authentication, and the ability to tamper with job accountability data. Vendors were generally responsive when notified, with one vendor fixing the issues within a few days. The document provides best practices for developers, namely using strong encryption and authentication in proprietary protocols. It also gives tips for testers and owners to help secure pull printing deployments.
State management allows information to be maintained across multiple requests in ASP.NET. There are two types: client-side uses client resources like view state, cookies, query strings; server-side uses server resources like session state and application state. Session state stores information on the server and can be accessed across page requests by the same user, while application state is common to all users. Cookies are used to store user-specific information on the client machine.
Introduction to Linked Data and Web Payments Brent Shambaugh
These slides contain an introduction to Linked Data and Web Payments. Web Payments concepts come from the Web Payments Community group chaired by Manu Sporny on the W3C website.
Founded in 2006, VTC Intecom is a subsidiary of Vietnam Multimedia Corporation (VTC), one of the largest corporations in Vietnam. VTC Intecom provides digital content products and services which include diverse offerings of online payment methods, online games, integrated portal solutions for e-government and more. VTC Intecom has over 16 million active accounts for digital content services and its annual income is over USD 100 million. Customers can use VTC Pay - Payment Gateway and eWallet to make online transactions quickly, easily and securely via their eWallet accounts, domestic ATM cards, international cards, telecommunications prepaid cards, Vcoin prepaid cards, or hundreds of partnering merchant websites that integrate with VTC Pay.
This document provides an overview of network security topics including diffing, sniffing, session hijacking, spoofing, SSL, TLS, IPSec, and VPNs. It discusses how these attacks work and methods to protect against them, such as encryption. Network layer security protocols like IPSec are described, which uses authentication headers or encapsulating security payloads to provide security services to packets. Transport layer security protocols SSL and TLS are also summarized, including how they establish encrypted sessions between clients and servers.
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017 - CASCouncil
The web is moving towards a 100% Encrypted Web—but can we get it right? Understanding the surge in use of HTTPS for malware and phishing, the renewed importance of revocation checking, the role of browser UI design in protecting users, the renewed importance of identity in TLS certificates, and the latest industry studies and initiatives for a safer Internet.
This document provides an overview of network security topics including attacks like diffing, sniffing, session hijacking and spoofing. It discusses protocols for secure communication including SSL, TLS and IPSec. SSL and TLS provide security at the transport layer by encrypting data between a client and server. IPSec provides security at the network layer for both transport and tunnel modes. Authentication Header and Encapsulating Security Payload are the two security protocols used in IPSec.
eWallet Platform is an innovative processing system for electronic wallets (electronic accounts) with Web and Mobile App interfaces.
It is a tool for end users to pay for goods and services (restaurants, cinemas, shopping malls, online shopping, tickets, etc.) and also to make instant p2p money transfers, based on its own electronic money issuing and processing (Prepaid Payment Instruments).
For retailers: an efficient and easy-to-integrate tool for accepting online, offline and also mobile (iOS, Android) payments.
Deriving products/services/technologies:
- e-money (Prepaid Payment Instruments) issuing and processing,
- e-wallets for end users and for merchants,
- p2p transfers,
- pre-paid cards (based on MasterCard, Visa) that can be linked to an e-wallet as an access tool.
www.walletfactory.eu
www.mWallet.pro
Distributed architectures make security difficult. JWT, OAuth2 and OIDC are standards that help in securing microservices. Microservices are deployed as containers, so container security is also critical to securing microservices. Learn how to holistically secure microservices.
Creating An E-Commerce web application using Blockchain - IRJET Journal
This document summarizes a research paper that explores using blockchain technology to develop e-commerce platforms. It discusses how blockchain can solve security issues, lack of trust in intermediaries, intermediary fees, and high transaction costs that are problems in the e-commerce sector. The paper describes using the Truffle framework, Solidity programming language, and Ethereum smart contracts to build a blockchain-based e-commerce application. It also discusses integrating the application with front-end tools like React JS and Web3.js. In summary, the paper proposes that a blockchain-powered e-commerce platform can provide a secure, trustworthy and cost-effective solution for online shopping.
This document summarizes a presentation on securing internet banking applications. It discusses common attack patterns used by criminals, such as malware that intercepts authentication credentials or manipulates transactions. It also examines vulnerabilities in security features implemented by banks, such as allowing transaction details to be modified after authorization. The presentation provides recommendations for strengthening user authentication, transaction authorization, and other defenses. It also covers changes coming from PSD2, including new risks from third party services initiating payments or accessing bank accounts. The overarching message is that security controls must be rigorously implemented to avoid vulnerabilities that undermine their effectiveness.
This document discusses the differences between websites and web applications. Websites contain static content that is the same for all visitors, while web applications include user interaction and data processing. A web application is stored on web servers and uses tools like databases, JavaScript and PHP. Examples given are Google Docs and social networks like Facebook. The document also covers proxy servers and how they can cache web content to improve performance and reduce server load. Proxy servers act as intermediaries by forwarding requests from internal clients to external servers.
Talk by Santiago Troncoso given at the latest edition of VoIP2DAY, in which he explains how WebRTC inherits all the threats of traditional VoIP services together with existing web attacks, and gives some keys to keeping the services secure.
VOIP2DAY 2015: "WebRTC security concerns, a real problem?" - Quobis
WebRTC inherits all the threats of traditional VoIP services together with existing web attacks. In this session Antón Román will explain this together with ad-hoc WebRTC attacks and ways to deal with Identity and keep the services secure.
- VoIP attacks: Denial of service. Fraud. Illegal interception. Illegal control.
- Ad-hoc WebRTC attacks: Malicious HTML code. Web servers. Forced DoS. Cam/mic control. Etc.
- Protection: Role of border elements (SBC, media gateways, ...). WebRTC portal and web servers. Browser mechanisms.
- Identity management: Anonymous calls. OpenID and third parties. Telco identity. Real implementations.
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost) - Ericom Software
WebSockets couple the performance and flexibility of TCP with the reach of HTTP. Prediction: WebSockets will replace plain TCP as the preferred underlying protocol.
To see how WebSockets are used in a popular HTML5-based remote access solution, visit the following URL: http://j.mp/1luquBQ
Abdullah Alghamdi is a System Engineer from Saudi Arabia with over 5 years of experience managing shared hosting servers, cloud services, and a big data project hosted in STC's cloud. He has a Bachelor's degree in Computer Science and certifications in OpenStack, DNS configuration/troubleshooting, VMware vSphere, and data center virtualization. His responsibilities have included troubleshooting issues for customers, adding/deleting domains, monitoring servers, and designing secure network infrastructure.
The document discusses eWise's client-side aggregation technology and Aegis platform. eWise's technology uses a Personal Data Vault implemented on the end-user device to aggregate user data without disclosing credentials to third parties. All aggregation and encryption occurs on the user's device. The Aegis platform goes beyond PSD2 XS2A by allowing aggregation of both direct banking APIs and indirect channels to provide a more comprehensive view of users' financial data and accounts.
The document describes a proposed biometric electronic wallet for storing digital currencies. It begins with background on Bitcoin and existing Bitcoin wallet solutions. It then proposes a system that uses a biometric external USB sensor and AES encryption to securely store the wallet.dat file containing private keys and transaction data. This would improve security over existing wallets by requiring biometric authentication to access sensitive wallet information and encrypting the file during transactions. The goal is to provide stronger protection against hackers stealing Bitcoin holdings from the wallet.
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::... - Paris Open Source Summit
#Cloud, #DevOps & Infrastructure - Track - Cloud Native Infrastructure
When deploying microservices, you need to provide a solution for authentication and authorization so you can control who is using your service.
A lot of possibilities exist, but they often involve development inside the microservice code. Using Single Sign-On software is another way to achieve microservice protection, using either the OAuth2/OpenID Connect protocol or an SSO-specific protocol.
We will demonstrate how this can work with LemonLDAP::NG, a free/open source SSO software mostly developed in France.
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG - Worteks
LemonLDAP::NG is an open source software that provides single sign-on and identity federation capabilities. It allows users to authenticate once and access multiple applications securely. It supports standards like CAS, SAML and OpenID Connect for authentication. LemonLDAP::NG also provides ways to protect APIs and web services using tokens validated by handlers. It has been an OW2 project since 2003 and supports protocols for federation between identity providers.
IRJET- An Overview of Web Sockets: The Future of Real-Time Communication - IRJET Journal
This document provides an overview of web sockets and how they enable real-time communication between clients and servers. It discusses how earlier methods like HTTP polling and long polling were inefficient for real-time updates. Web sockets allow for full-duplex communication over a single socket connection. The document analyzes network traffic from a cryptocurrency price tracking website to demonstrate how web sockets reduce overhead compared to earlier techniques and enable real-time updates with minimal bandwidth.
The document summarizes the OWASP 2013 top 10 list of web application security risks. It provides descriptions and examples for each of the top 10 risks: 1) Injection, 2) Broken Authentication and Session Management, 3) Cross-Site Scripting (XSS), 4) Insecure Direct Object References, 5) Cross-Site Request Forgery (CSRF), 6) Security Misconfiguration, 7) Sensitive Data Exposure, 8) Missing Function Level Access Control, 9) Using Components with Known Vulnerabilities, and 10) Unvalidated Redirects and Forwards. Protection strategies are also outlined for each risk.
IRJET- Transaction based Block Chain Cryptocurrency - IRJET Journal
This document proposes a transaction-based blockchain cryptocurrency. It aims to build a transaction-based blockchain architecture to discover cryptocurrencies in a decentralized way. The proposed system would overcome mining transactions by having nodes store the ledger, allowing node-to-node transactions to be monitored. Transactions would be sent through an encrypted channel using elliptic curve cryptography. The system would run locally and provide security, acting as a proof of concept for building blockchain applications.
Second-generation blockchain technology enables not only financial transactions, but also document storage and identity management. This presentation shows how to achieve this using Billon's distributed ledger technology, which has a hybrid private blockchain at its core. With Billon's technology it is possible to create a distributed database meeting EU regulatory requirements for a durable medium and GDPR.
The document provides an overview and comparison of different solutions for wireless guest access management, including WLC native guest, CMX Connect, EMSP, and ISE Guest Portal. It discusses features, use cases, limitations, and configuration examples for each solution. Key information covered includes supported authentication methods, customization options, scalability limits, and integration with external servers.
This document is a table of contents and introduction for a book titled "jQuery Fundamentals" by Rebecca Murphey. The book covers jQuery basics, core concepts, events, effects, Ajax, plugins, and advanced topics. It includes over 50 code examples to demonstrate jQuery syntax and techniques. The book is available under a Creative Commons license and the source code is hosted on GitHub.
This document provides a preface and table of contents for a book on jQuery concepts. The preface explains that the book is intended to teach intermediate and advanced jQuery concepts through code examples. It highlights some stylistic approaches used in the book, such as emphasizing code over text explanations and using color coding. It also defines some key terms that will be used, and recommends reviewing the jQuery documentation and understanding how the text() method works before reading the book. The table of contents then outlines the book's 12 chapters and their respective sections, which cover topics like selecting, traversing, manipulating, events, plugins and more.
This document proposes techniques for embedding unique codewords in electronic documents to discourage illicit copying and distribution. It describes three coding methods - line-shift coding, word-shift coding, and feature coding - that alter document formatting or text elements in subtle, hard-to-detect ways. Experimental results show the line-shift coding method can reliably decode documents even after photocopying, enabling identification of the intended recipient. The techniques aim to make unauthorized distribution at least as difficult as obtaining documents legitimately from the publisher.
This document discusses the field of computer forensics. It defines computer forensics as the collection, preservation, and analysis of computer-related evidence. The goal is to provide solid legal evidence that can be admitted in court and understood by laypeople. Computer forensics is used to investigate various incidents including human behavior like fraud, physical events like hardware failures, and organizational issues like staff changes. It aims to determine the root cause of system disruptions and failures.
This document discusses techniques for data hiding, which involves embedding additional data into digital media files like images, audio, or text. It describes several constraints on data hiding, such as the amount of data to hide, ensuring the data remains intact if the file is modified, and preventing unauthorized access to the hidden data. The document outlines traditional and novel data hiding techniques and evaluates them for applications like copyright protection, tamper-proofing, and adding supplemental data to files. It also discusses tradeoffs between hiding more data versus making the data more robust against modifications to the file.
This document summarizes an analysis of over 200,000 websites engaged in badware behavior according to Google's Safe Browsing initiative. The analysis found that over half of infected sites were located in China, with the top three Chinese network blocks accounting for 68% of infections in that country. In contrast, infected sites in the US were more distributed. Compared to the previous year, the total number of infected sites increased, likely due to expanded scanning and increased malware distribution through websites.
Steganography has been used for over 2500 years to hide secret messages. The paper explores steganography's history from ancient times through modern digital applications. It discusses early examples like Johannes Trithemius' steganographic treatise in the 15th century. Modern uses include microdots, digital images, audio, and digital watermarks for copyright protection. Terrorist groups may use steganography but there is no public evidence yet. Steganography continues to evolve with technology while attackers work to defeat new techniques.
The document discusses various cryptographic techniques including symmetric and asymmetric encryption. Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses two different keys. The document then describes the Data Encryption Standard (DES) algorithm and its variants, including Triple DES. It also covers the Advanced Encryption Standard (AES) algorithm, its design principles, and modes of operation for block ciphers like ECB, CBC, CFB and OFB.
This document discusses the topic of steganography, which is hiding secret messages within other harmless messages. It outlines different techniques for hiding messages in text, images, and audio files. For text, it describes line shift coding, word shift coding, and feature coding methods. For images, it explains least significant bit insertion and exploiting the limitations of the human visual system. For audio, it mentions low-bit encoding and other techniques like phase coding and spread spectrum. It also discusses steganalysis, which aims to detect and destroy hidden messages within files.
This document discusses the need for computer security and provides an introduction to key concepts. It explains that security is necessary to protect vital information, provide authentication and access control, and ensure availability of resources. The document then outlines common security threats like firewall exploits, software bugs, and denial of service attacks. It also discusses basic security components of confidentiality, integrity, and availability as well as goals of preventing attacks, detecting violations, and enabling recovery.
The document discusses various types of malicious programs including buffer overflows, viruses, worms, Trojan horses, backdoors, and logic bombs. It describes how buffer overflows can corrupt the program stack and be exploited by attackers. It explains that viruses attach themselves to other programs and replicate, worms replicate across networks, and Trojan horses masquerade as legitimate programs. It also outlines different approaches for antivirus software including signature-based, heuristic, activity monitoring, and full-featured protection.
This document discusses various topics related to computer security authorization, including multilevel security models like Bell-LaPadula and Biba's model, covert channels, inference control, CAPTCHAs, firewalls, and intrusion detection systems. It also provides an overview of network layers like the network layer, transport layer, TCP, and UDP. The key models discussed are Bell-LaPadula for confidentiality and Biba's model for integrity. Covert channels, inference control, and intrusion detection systems are described as techniques for authorization and access control.
This document discusses various methods of authentication, including message authentication, entity authentication, and digital signatures. It describes techniques such as hashing, message authentication codes (MACs), digital signatures using RSA, and challenge-response authentication. It also covers other authentication methods such as passwords, biometrics, and zero-knowledge proofs. The goal of authentication is to verify the identity of entities and ensure the integrity and authenticity of messages.
This document discusses the discrete-time Fourier transform (DTFT). It begins by introducing the DTFT and how it can be used to represent aperiodic signals as the sum of complex exponentials. Several properties of the DTFT are then discussed, including linearity, time/frequency shifting, periodicity, and conjugate symmetry. Examples are provided to illustrate how to compute the DTFT of simple signals. The document also discusses how the DTFT can be used to represent periodic signals and impulse trains.
This document discusses the continuous-time Fourier transform. It begins by developing the Fourier transform representation of aperiodic signals as the limit of Fourier series coefficients as the period increases. It then defines the Fourier transform pairs and discusses properties like convergence. Several examples of calculating the Fourier transform of common signals like exponentials, pulses and periodic signals are provided. Key concepts like the sinc function are also introduced.
Chapter3 - Fourier Series Representation of Periodic SignalsAttaporn Ninsuwan
This document discusses Fourier series representation of periodic signals. It introduces continuous-time periodic signals and their representation as a linear combination of harmonically related complex exponentials. The coefficients in the Fourier series representation can be determined by multiplying both sides of the representation by complex exponentials and integrating over one period. The key steps are: 1) multiplying both sides by e-jω0t, 2) integrating both sides from 0 to T=2π/ω0, and 3) using the fact that the integral equals T when k=n and 0 otherwise to obtain an expression for the coefficients an. Examples are provided to illustrate these concepts.
This document discusses linear time-invariant (LTI) systems in discrete time. It introduces the convolution sum representation of LTI systems, where the output of an LTI system with impulse response h[n] and input x[n] is given by y[n]=x[n]*h[n]=∑k x[k]h[n-k]. Several examples are worked through to demonstrate calculating the output of an LTI system given its impulse response and input. The document also discusses representing discrete time signals as the sum of shifted unit impulse functions and properties of LTI systems like time-invariance.
1. The document discusses signals and systems, including continuous-time and discrete-time signals. It covers topics like transformations of signals, exponential and sinusoidal signals, and basic properties of systems.
2. Continuous-time signals are represented as functions of time t, while discrete-time signals are represented as sequences indexed by integer n. Exponential and sinusoidal signals can be represented using complex exponential functions.
3. The document provides examples and formulas for calculating energy, power, and other properties of signals. It also describes how signals can be transformed through operations like time shifting, scaling, reversal, and periodicity.
This document discusses protections against executing arbitrary PHP code on hardened PHP environments after code execution is achieved. It introduces new techniques to overcome many protections by combining local PHP exploits that leak information and cause memory corruption. Specifically, it shows how important memory structures can be leaked and manipulated to deactivate protections within PHP, Suhosin, the C library, filesystems, compilers, and the operating system kernel.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
This presentation was provided by Steph Pollock of The American Psychological Association’s Journals Program, and Damita Snow, of The American Society of Civil Engineers (ASCE), for the initial session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session One: 'Setting Expectations: a DEIA Primer,' was held June 6, 2024.
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionTechSoup
Let’s explore the intersection of technology and equity in the final session of our DEI series. Discover how AI tools, like ChatGPT, can be used to support and enhance your nonprofit's DEI initiatives. Participants will gain insights into practical AI applications and get tips for leveraging technology to advance their DEI goals.
Walmart Business+ and Spark Good for Nonprofits.pdfTechSoup
"Learn about all the ways Walmart supports nonprofit organizations.
You will hear from Liz Willett, the Head of Nonprofits, and hear about what Walmart is doing to help nonprofits, including Walmart Business and Spark Good. Walmart Business+ is a new offer for nonprofits that offers discounts and also streamlines nonprofits order and expense tracking, saving time and money.
The webinar may also give some examples on how nonprofits can best leverage Walmart Business+.
The event will cover the following::
Walmart Business + (https://business.walmart.com/plus) is a new shopping experience for nonprofits, schools, and local business customers that connects an exclusive online shopping experience to stores. Benefits include free delivery and shipping, a 'Spend Analytics” feature, special discounts, deals and tax-exempt shopping.
Special TechSoup offer for a free 180 days membership, and up to $150 in discounts on eligible orders.
Spark Good (walmart.com/sparkgood) is a charitable platform that enables nonprofits to receive donations directly from customers and associates.
Answers about how you can do more with Walmart!"
How to Manage Your Lost Opportunities in Odoo 17 CRMCeline George
Odoo 17 CRM allows us to track why we lose sales opportunities with "Lost Reasons." This helps analyze our sales process and identify areas for improvement. Here's how to configure lost reasons in Odoo 17 CRM
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...PECB
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
The simplified electron and muon model, Oscillating Spacetime: The Foundation...RitikBhardwaj56
Discover the Simplified Electron and Muon Model: A New Wave-Based Approach to Understanding Particles delves into a groundbreaking theory that presents electrons and muons as rotating soliton waves within oscillating spacetime. Geared towards students, researchers, and science buffs, this book breaks down complex ideas into simple explanations. It covers topics such as electron waves, temporal dynamics, and the implications of this model on particle physics. With clear illustrations and easy-to-follow explanations, readers will gain a new outlook on the universe's fundamental nature.
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
How to Setup Warehouse & Location in Odoo 17 InventoryCeline George
In this slide, we'll explore how to set up warehouses and locations in Odoo 17 Inventory. This will help us manage our stock effectively, track inventory levels, and streamline warehouse operations.
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Ch7-Computer Security
241-427-SV-2-2553-COE-PSU 1
241-427 Computer Security
Chapter VII: Web Security Issues
Dr. Sangsuree Vasupongayya

Outline
- Basic concepts
- Types of web pages
  - Static web pages
  - Dynamic web pages
  - Active web pages
- ActiveX, Java, JavaScript, CGI
- Certificates, cookies
- S-HTTP vs HTTPS
- Secure electronic commerce
  - Secure Electronic Transaction (SET)
  - Digital cash
- Single sign-on
WWW security
- The Internet has grown, and with it:
  - the amount of private or confidential information available online
  - computer espionage
  - malicious users
  - the advantages to be gained from that information
- How can I protect my web site?

Basic concepts
- Transactions and communications between a browser and a web server go over the HTTP protocol
- Browser -> HTTP request
- Web server -> HTTP response

Example request (web browser to web server):
GET /files/new/image1 HTTP/1.1
Accept: image/gif
Accept: image/jpeg

Example response (web server to web browser):
HTTP/1.1 200 OK
Date: Tue, 19 Jan 2010 13:00:00 GMT
Server: MyServer
Content-Length: 3010
....... (actual data) .......
Types of web pages
- Static web pages
  - Contents do not change often
  - Good for presenting information
- Dynamic web pages
  - Contents can vary throughout the day depending on a number of parameters
  - Involve server-side programming
    - The server invokes a program that resides on its disk
    - The program accesses databases
    - The program outputs HTML
  - Techniques
    - Microsoft's Active Server Pages (ASP)
    - Sun Microsystems' Java Servlets and JavaServer Pages (JSP)

Dynamic web page (request flow)
1. The web browser sends an HTTP request to the web server
2. The web server invokes an application program in response to the HTTP request
3. The program executes and produces HTML output
4. The web server returns that HTML to the browser in the HTTP response
Active web pages
- The web server sends back an HTTP response that contains
  - an HTML page
  - a small program (script) that executes on the client computer, inside the web browser
- Two common technologies for such client-side code
  - ActiveX and Java
- Server-side web programs use CGI (Common Gateway Interface)
  - Can be written in many programming languages

ActiveX
- A Microsoft component technology that makes it easier for web developers to create unique, interactive applications and web sites
- Controls can be written in many languages
  - Java, VB, C++
- Developed by Microsoft initially to distribute software over the Internet
- ActiveX objects (controls)
  - Interactive graphical items on a web page
  - Native executables
  - .OCX files
- Security concern
  - No restrictions on a control's actions once it runs

ActiveX (cont.)
- If the user attempts to load a control that has not been signed by a known and trusted authority, the browser warns the user and prompts for acceptance or cancellation
- A signature only says who published the control, not what the control does

ActiveX (cont.)
- A control can carry out less obvious activity without the user's knowledge, e.g.,
  - send personal or confidential information from the user's computer over the Internet
- Some browsers log very little of a control's activity
  - Difficult to identify the dangerous control afterwards
- What can we do?
  - Deny all ActiveX control downloads
  - Require the browser to prompt the user before any download
Java
- Java programs (applets)
  - Stored on the web server and downloaded for execution on the user's computer when the associated web pages are loaded into a browser
- Run under restrictions on what they can do (the sandbox)
  - Only allowed to open network connections back to the server they were downloaded from
  - Limited access to the back-end system, e.g., no system command execution, device driver access or system library loading
- However, several security holes caused by programming bugs in the sandbox implementation have been found

JavaScript
- JavaScript
  - A set of extensions that increases the functionality of the browser
  - An interpreted language
  - Not distributed as compiled programs
  - Often used to open and close windows, change browser settings, and download and start Java programs
- Privacy-related security vulnerabilities (historical examples)
  - File theft (IE 4.0, 4.01)
  - User file access (IE 4.0)
CGI
- A program that resides on the web server, as opposed to the user's system
  - Form handling, advertisement switching
- The server can
  - Redirect data to any e-mail address, maintain data, adjust the content, and perform other dynamic page creation activity
- The majority of the weaknesses impact the web server
  - The program executes on the server, so a bug in it runs with the web server's privileges
- What can we do?
  - CGI wrappers: scripts specifically designed to perform security checks on the primary CGI script
    - Verifying the ownership of the CGI process
    - Restricting the activity of the script
    - Examples: Sbox, cgiwrap, suEXEC
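The kind of bug the CGI wrappers above are there to contain, as an added example that is not code from the slides: a form handler that pastes a form field into a shell command line, beside the hardened version that validates the field and passes it to the program as a separate argument with no shell involved. The mail program name, the address pattern and the sample form values are assumptions made for the illustration.

```python
import re
import subprocess
from typing import List, Optional, Set

# Constructed sample form values: one benign, one carrying a shell injection.
BENIGN_ADDRESS = "alice@example.com"
HOSTILE_ADDRESS = "alice@example.com; cat /etc/passwd"

# Hypothetical mail program the form handler invokes (assumed for the example).
MAIL_COMMAND = "mail"

# Characters a POSIX shell treats specially; any of these in user input that
# reaches a shell string changes what the server executes.
SHELL_METACHARACTERS = set(";&|`$<>()\n")

# Deliberately strict allow-list for the one field the handler needs.
ADDRESS_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_mail_command_unsafe(address: str) -> str:
    """The classic CGI mistake: the form field is spliced straight into a
    command line that the server hands to a shell (os.system / popen).
    Returned as a string instead of executed so the demonstration is harmless."""
    return f"{MAIL_COMMAND} -s 'Form submission' {address}"


def shell_metacharacters_in(value: str) -> Set[str]:
    """Which shell metacharacters the value would smuggle into the command."""
    return {ch for ch in value if ch in SHELL_METACHARACTERS}


def validated_address(value: str) -> Optional[str]:
    """Accept only a plain e-mail address; anything else is rejected outright."""
    return value if ADDRESS_PATTERN.fullmatch(value) else None


def build_mail_argv_safe(address: str) -> List[str]:
    """Hardened form: validate, then build an argv list.  Each element reaches
    the program as one argument, so even a value containing ';' could never
    start a second command; no shell is involved at all."""
    checked = validated_address(address)
    if checked is None:
        raise ValueError("rejected recipient address")
    return [MAIL_COMMAND, "-s", "Form submission", checked]


def send_form_mail(address: str, body: str) -> int:
    """Run the hardened command with shell=False.  Not exercised by the checks."""
    proc = subprocess.run(build_mail_argv_safe(address), input=body.encode(),
                          check=False)
    return proc.returncode
```

On a CGI host the hardened handler would still run under a wrapper such as suEXEC or cgiwrap, so that any remaining bug executes as the script's owner rather than as the web server account.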
Applet vs ActiveX

Applet:
- In the past, applets had a lot of restrictions
- Signed applets are allowed more access to the client computer
- An applet is downloaded with an active web page, executed inside the browser, and destroyed when the user leaves that web page

ActiveX:
- ActiveX controls are free to do whatever they want
- Once downloaded, an ActiveX control remains on the client computer until it is explicitly deleted
User certification
- A unique digital identification
  - Presented to other users or web sites
  - Relies on public-key cryptography
- Purpose
  - Encrypting and decrypting e-mail
  - Digitally signing e-mail
  - Uniquely identifying oneself
- Legally binding electronic signatures

CAs in Thailand
- Thailand PKI Association
  - http://thpki.org/about_us.php
- G-CA http://www.gca.thaigov.net/
- Thai Digital ID http://www.thaidigitalid.com/
- CAT CA http://www.thaipki.com/
- TOT CA http://www.ca.tot.co.th/about.php
Certificate error

Types of certificate error
- The security certificate has been revoked
- The address does not match the address in the security certificate
- The security certificate is out of date
- The security certificate is not from a trusted source: issued by a certification authority that is not recognized by the browser
- Other problems
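The four error classes above can be checked directly on a parsed certificate. The following is an added example, not code from the slides: it takes a certificate in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns and reports which of the slide's error types apply for a given host name and time. The certificate fields, the trust store and the revocation list are constructed for the example; a browser takes them from its own root store and from CRL or OCSP responses.

```python
import ssl
from typing import Dict, Iterable, List, Set

# Constructed certificate in the layout returned by ssl.SSLSocket.getpeercert();
# every value here is made up for the example.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust"),),
               (("commonName", "Example Trust Root CA"),)),
    "serialNumber": "0A1B2C3D4E5F",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
}

# Assumed browser trust store (issuer common names) and assumed CRL contents.
TRUSTED_ISSUERS: Set[str] = {"Example Trust Root CA"}
REVOKED_SERIALS: Set[str] = set()

# Error labels, in the order the slide lists them.
REVOKED = "revoked"
NAME_MISMATCH = "address does not match certificate"
OUT_OF_DATE = "out of date"
UNTRUSTED = "not from a trusted source"


def as_unix_time(cert_time: str) -> float:
    """Certificate time string ('Jan  1 00:00:00 2024 GMT') to Unix seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def issuer_common_name(cert: Dict) -> str:
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def certificate_dns_names(cert: Dict) -> List[str]:
    """subjectAltName DNS entries; fall back to the subject CN only if none exist."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering only the leftmost label: *.cdn.example.com
    matches a.cdn.example.com but not a.b.cdn.example.com, and *.com is never accepted."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def certificate_errors(cert: Dict, host: str, now: float,
                       trusted: Iterable[str] = TRUSTED_ISSUERS,
                       revoked: Iterable[str] = REVOKED_SERIALS) -> List[str]:
    """Return the slide's error categories that apply; an empty list means the
    certificate would be accepted for this host at time `now` (Unix seconds)."""
    errors: List[str] = []
    if cert.get("serialNumber") in set(revoked):
        errors.append(REVOKED)
    if not any(hostname_matches(n, host) for n in certificate_dns_names(cert)):
        errors.append(NAME_MISMATCH)
    not_before = as_unix_time(cert["notBefore"])
    not_after = as_unix_time(cert["notAfter"])
    if now < not_before or now > not_after:
        errors.append(OUT_OF_DATE)
    if issuer_common_name(cert) not in set(trusted):
        errors.append(UNTRUSTED)
    return errors
```

Note that the trust check here is deliberately the simplest possible one (is the issuer name in the store); a real validator walks the whole chain and verifies each signature, which is exactly what a browser does before it reports "not from a trusted source".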
Cookies
- A mechanism to provide a sort of memory to the browser process
- HTTP is stateless (it carries no information from one request to the next)
  - How can you remember information from page to page, e.g., shopping carts, travel itineraries, user names and passwords?
- Cookies act as a notepad, recording information that can be accessed by multiple pages
- Cookie
  - A small piece of information (at most 4K bytes)
  - Containing site-specific information

Web cookies
- Many sites give the user a web cookie
  - A value that is stored and managed by the user's browser on the user's machine
  - The web site uses the cookie value as an index into a database where it retains information about the user
  - Once the user returns to a web site for which he/she has a cookie, the cookie is automatically passed by the user's browser to the web site
  - Thus the web site can act as a single sign-on: the user is authenticated based on possession of the web cookie
    - Which is why the cookie value must be unguessable and protected in transit
Security issues of cookies
- A significant amount of information about the user
  - The user's IP address, the brand and version of the user's browser, the brand and version of the user's OS, the web site the user last accessed
  - Can be used to create a personal profile: interests, habits
  - Can be done without violating any security rules
  - Privacy issues
- Cookies that keep the username and password
  - Compromise of the access controls if the cookie is read or stolen
- What can we do?
  - Limit the lifetime of each cookie
  - Notify the user when a cookie is required

Privacy setting
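The slide's two remedies, a limited cookie lifetime and keeping the credentials themselves out of the cookie, come together in the usual session-cookie pattern. Below is an added example, not code from the slides: the server keeps the user's state in its own table and hands the browser only an unguessable index into that table, sent with an expiry and with the Secure and HttpOnly attributes; the credentials-in-cookie version the slide warns against is shown beside it. The session lifetime, cookie name, user names and sample request are assumptions made for the illustration.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

COOKIE_NAME = "sid"               # assumed cookie name
SESSION_LIFETIME = 30 * 60        # assumed lifetime, in seconds


def set_cookie_header_unsafe(username: str, password: str) -> str:
    """What the slide warns against: the credentials themselves in the cookie.
    Anyone who can read the cookie (disk, shared machine, network) owns the account."""
    cookie = SimpleCookie()
    cookie["user"] = username
    cookie["pass"] = password
    return cookie.output(header="Set-Cookie:")


class SessionStore:
    """Server-side table: cookie value -> user record.  The browser only ever
    holds the random key, so a lost cookie never reveals a password, and the
    server can expire or revoke the session without the client's cooperation."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict] = {}

    def create(self, username: str, now: float) -> str:
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[session_id] = {"user": username,
                                      "expires": now + SESSION_LIFETIME}
        return session_id

    def user_for(self, session_id: str, now: float) -> Optional[str]:
        record = self._sessions.get(session_id)
        if record is None:
            return None
        if now >= record["expires"]:
            del self._sessions[session_id]     # enforce the lifetime server-side too
            return None
        return record["user"]

    def revoke(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session id: Max-Age bounds the lifetime, Secure keeps
    it off plaintext HTTP, HttpOnly keeps it away from page scripts."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    morsel = cookie[COOKIE_NAME]
    morsel["max-age"] = SESSION_LIFETIME
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


def user_from_request(store: SessionStore, cookie_header: str, now: float) -> Optional[str]:
    """Parse the browser's Cookie header and resolve it through the store."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if COOKIE_NAME not in cookie:
        return None
    return store.user_for(cookie[COOKIE_NAME].value, now)
```

The browser enforces Max-Age on its side, but the store checks the expiry again because an attacker who has copied the cookie value is not bound by the browser's bookkeeping.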
S-HTTP
- Secure Hypertext Transfer Protocol
  - A set of security mechanisms defined for protecting Internet traffic
- Data entry forms and Internet-based transactions
  - Works at the application layer
  - Supports both authentication and encryption of HTTP traffic between client and server
- HTTPS, by contrast, is ordinary HTTP sent over an SSL connection
- S-HTTP was not very successful; HTTPS is what is used in practice

Secure electronic commerce
- Electronic commerce
  - Business between two parties conducted electronically
  - The two parties do not see each other face-to-face
- Security issues
  - Destruction of data
    - Protecting data against accidental or malicious loss
  - Modification of data
  - Unauthorized disclosure of information
  - Non-repudiation
  - Interference with operation
    - Data must not be sent to unintended recipients
  - Misrepresentation
  - Inappropriate use of data
Interesting applications
- Banking (relies heavily on encryption)
- Stock brokerages
- Gambling
  - Authentication and encryption
- Shopping mall
  - Shopping cart
  - A single transaction covering various items from several locations

Secure Electronic Transaction
- SET: an open encryption and security specification designed to protect credit card transactions on the Internet
- Not a payment system
- A set of security protocols and formats that enable users to employ the existing credit card payment infrastructure on an open network in a secure fashion
- Provides 3 services
  - A secure communications channel among all parties involved in a transaction
  - Trust through the use of X.509 digital certificates
  - Privacy: information is only available to the parties in a transaction when and where necessary
SET requirements
- Provide confidentiality of payment and ordering information (via encryption)
- Ensure the integrity of all transmitted data (via digital signatures)
- Provide authentication that a cardholder is a legitimate user of a credit card account (via digital signatures and certificates)
  - Binds the cardholder to the account number
- Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution (via digital signatures and certificates)
- Ensure the use of the best security practices and system design techniques, without interfering with the use of other security mechanisms, e.g., IPsec or SSL/TLS
- Independent of hardware platform, OS and web software

Key features of SET
- Confidentiality of information
  - DES encrypts the credit card number
- Integrity of data
  - RSA digital signatures
  - SHA-1 hash codes, HMAC using SHA-1
- Cardholder account authentication
  - X.509v3 digital certificates with RSA signatures
- Merchant authentication
  - X.509v3 digital certificates with RSA signatures
SET participants
- Cardholder: buyer
- Merchant: seller
- Issuer: financial institution
  - Provides the cardholder with the payment card
- Acquirer: financial institution
  - Establishes an account with a merchant
  - Processes payment card authorizations and payments
- Payment gateway
  - Operated by the acquirer or a trusted third party
- Certification authority
  - Issues X.509v3 public-key certificates for cardholders, merchants and payment gateways
A simplified SET model

SSL versus SET

SSL:
- Exchange of data in encrypted form
- Two parties exchange certificates
- Not very strong authentication
- Possible risk of merchant fraud, since the customer gives financial data to the merchant
- The merchant is liable for customer fraud
- High practical usage

SET:
- E-commerce related payment mechanism
- All parties must be certified by a trusted third party
- Strong authentication mechanism
- Unlikely risk of merchant fraud, since the customer gives financial data to the payment gateway
- The payment gateway is liable for customer fraud
- Low practical use
How is electronic money (e-money) possible?
- Because of public-key cryptography and digital signatures
- Banks and customers use their keys
  - to encrypt (for security)
  - to sign (for identification)
  blocks of digital data that represent money orders
- A bank "signs" money orders using its private key, and customers and merchants verify the signed money orders using the bank's widely published public key
- Customers sign deposits and withdrawals using their private key, and the bank uses the customer's public key to verify the signed withdrawals and deposits

Digital cash
- One way of making payments on the Internet
- Money represented by computer files
- Types
  - Identified electronic money
  - Anonymous electronic money
- The three parties (bank, customer, merchant) and the three steps in the diagram:
  (a) The customer obtains electronic money from the bank
  (b) The customer makes a purchase from the merchant using the electronic money
  (c) The merchant gets paid by the bank
Identified electronic money
- Similar to a credit card
  - The electronic money is issued by the bank with a serial number
  - The bank knows who the customer was and how he uses it
- Problems
  - Privacy issues

Anonymous electronic money
- Also called blinded money
- Similar to real hard cash (no trace, no trail)
- Instead of the bank creating the serial number, the customer is the one who creates it
  1. The customer generates a random serial number, then generates a blinded version of it
  2. The customer sends the blinded number to the bank
  3. The bank signs the blinded number and sends the e-money back
  4. The customer unblinds it and uses the original number
  5. The bank and the merchant cannot trace the money
- Problem: double spending
Online vs. offline e-money
- Classified based on the involvement of the bank
- Online electronic money
  - The bank actively participates in the transaction between the customer and the merchant
  - The bank can confirm in real time whether the e-money is valid (the money has not already been spent)
- Offline electronic money
  - The bank does not participate in the transaction
  - The customer purchases something from the merchant using his/her e-money
  - The merchant accepts the e-money without validating it online
  - The merchant processes the e-money later, at a fixed time every day

Double spending problem
- For online electronic money
  - Double spending is not possible because the bank is part of the transaction
- For identified offline e-money
  - Double spending can happen
  - However, the customer can be tracked from the serial numbers (generated by the bank)
- For anonymous offline electronic money
  - Double spending can happen
  - The spender cannot be tracked
  - Not practical
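The five steps of the blinded-money protocol on the previous slide and the online double-spending check on this one, as an added example that is not part of the original slides. It uses the RSA blind-signature construction (Chaum's scheme): the customer multiplies the serial number by r^e before sending it, the bank signs that blinded value, and dividing out r leaves the bank's signature on the original serial. The bank object also keeps the set of serials it has already accepted, which is what lets an online bank refuse the second spend. The key is a toy built from two known Mersenne primes and the serial is a random residue; both are assumptions for the illustration, and a real deployment would generate a proper key with a cryptographic library.

```python
import math
import secrets
from typing import Set, Tuple

# Toy RSA key built from two known primes (2**61 - 1 and 2**89 - 1).  Enough to
# show the arithmetic; a real bank would use a 2048-bit key from a proper library.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private exponent


def random_unit_mod_n() -> int:
    """A random value in [2, N) that is invertible modulo N."""
    while True:
        x = secrets.randbelow(N)
        if x > 1 and math.gcd(x, N) == 1:
            return x


class Bank:
    """Signs whatever blinded values customers present (withdrawal) and, as an
    online bank, checks every coin at deposit time against the serials it has
    already accepted."""

    def __init__(self) -> None:
        self.blinded_values_signed: Set[int] = set()   # all the bank sees at withdrawal
        self.spent_serials: Set[int] = set()           # coins already deposited

    def sign_blinded(self, blinded: int) -> int:
        # Steps 2 and 3: the bank signs a number it cannot relate to any coin.
        self.blinded_values_signed.add(blinded)
        return pow(blinded, D, N)

    def verify_coin(self, serial: int, signature: int) -> bool:
        return pow(signature, E, N) == serial

    def deposit(self, serial: int, signature: int) -> bool:
        """Online check: reject forged coins and, on the second presentation of a
        genuine coin, reject the double spend."""
        if not self.verify_coin(serial, signature):
            return False
        if serial in self.spent_serials:
            return False
        self.spent_serials.add(serial)
        return True


def withdraw_coin(bank: Bank) -> Tuple[int, int]:
    """Customer side of the protocol; returns (serial, bank signature on serial)."""
    serial = random_unit_mod_n()                          # step 1: customer picks the serial
    r = random_unit_mod_n()                               # blinding factor, kept secret
    blinded = (serial * pow(r, E, N)) % N                 # step 1: blind it
    blinded_signature = bank.sign_blinded(blinded)        # steps 2-3
    signature = (blinded_signature * pow(r, -1, N)) % N   # step 4: unblind
    return serial, signature


def demo() -> Tuple[bool, bool, bool]:
    """Returns (first deposit accepted, second deposit rejected, bank cannot link)."""
    bank = Bank()
    serial, signature = withdraw_coin(bank)
    first = bank.deposit(serial, signature)
    second = bank.deposit(serial, signature)
    unlinkable = serial not in bank.blinded_values_signed
    return first, not second, unlinkable
```

The offline variant on the slide differs only in when deposit() runs: the merchant accumulates coins and the bank checks them at the end of the day, by which time a duplicated anonymous coin has already bought two things and there is no name attached to the entry in spent_serials to chase.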
Single sign-on
- Many web sites require users to enter their authentication information (usually a password)
- Problem:
  - Many users do not like to enter passwords repeatedly
  - Users have trouble remembering many passwords
- Solution:
  - Users authenticate once and their "credentials" stay with them wherever they go on the Internet
  - Subsequent authentication is transparent to the user
  - No further authentication is needed for authorized applications
  - Examples: Microsoft Passport or the Security Assertion Markup Language (SAML)

Trusting the web
- Web-based business transaction guidelines
  - Ethical business practices
    - Reputation of the company
    - Standard business practices
  - Transaction integrity
    - Information should be safe from interception, modification or deletion by unauthorized individuals or by errors
  - Protection of privacy
    - Information must be kept confidential
    - Safe from unauthorized or accidental disclosure