This document provides an overview of e-commerce security through a 70 slide presentation. The presentation covers: an introduction to e-commerce and how it enables new forms of business and communication; how security is needed to enable e-commerce through enabling trust; a primer on information security concepts like confidentiality, integrity and availability; common e-commerce threats and how cryptography can address them; and types of malicious software. The goal is to provide a high-level introduction to considerations around securing e-commerce transactions and systems.
2. Presentation Outline
– Introduction to E-Commerce
– Enabling E-Commerce through Security
– A Short Primer on Information Security
– Confronting with E-Commerce Threats
– A Survey of E-Payment and M-Payment Systems
– Case Study: ATM Fraud
E-Commerce Security: A Primer
John Iliadis
Slide 2/70
4. E-Commerce: Business and Technology Innovation
E-commerce introduces new methods in:
– Communications
– Business Transactions
– Market Structure
– Education
– Work
5. E-Commerce Pros
– Fast and easy access to information for individuals
– Reduces costs
– Opens up new markets
– Increases competition
– Lowers prices
6. E-Commerce Cons
– Cyberspace is anarchic
– E-commerce also reduces costs for fraudsters
– It takes away the trustful nature of business that we were used to practising:
• Contracts,
• Invoices,
• Person to person contact,
• Existing legal framework for doing business
– “Digital divide” (cultural, gender and race gap in the use of the Internet)
7. Adoption of E-Commerce in Greece
– 38% of the participating companies use electronic commerce practices
• 12.5% have integrated e-commerce into their business
• the remaining 25.5% are opportunistic users of e-commerce
– 47% of the companies are planning to adopt electronic commerce, while 33% of those are planning to do so within the next year.
Study by ELTRUN, AUEB, Greece (2001); statistical sample: 240 Greek companies
8. E-commerce & Trust
What is Trust?
– Trust allows us to reasonably rely on the information or actions of another party.
– Trust is an intrinsic and subjective property which may be propagated but not transferred
9. E-Commerce & Trust (2)
Trust in the traditional commerce environment
– Contracts, invoices, person to person contact, existing legal framework for doing business in a trustful manner
Trust in e-commerce
– No apparent legal framework, at least for B2C commerce; under development
– Distant transactions between unknown parties
• Lack of identification, the way customers were used to practising it
• Lack of authentication, the way customers were used to practising it
10. Inherent Need for Trust
– The need for maximising trust is inherent, because trust enables business, but…
• More Trust = More Risk
– We need to analyse and manage the risk (eliminate, accept or transfer the risk)
– Risk Management is well understood in contemporary organisations
12. Management Decisions & Risk Analysis
– There is no 100% security
– Need for a solution that balances cost and security requirements
– Information Security is not a hindering factor, it is an enabler
13. Costs of Information Security
– Implementation costs
– Costs of incorporating procedures, services and mechanisms into existing systems
– Costs of deploying new procedures, services and mechanisms
– Functional costs
• Hardware
• Software
• People
• Change Management
• New Business Processes
14. Where do Security Requirements come from?
– Risk analysis, based on
• Existing business processes
• Interviews with company executives
• Legal issues (e.g. privacy laws)
• Corporate image
• Potential enemies (likelihood of a security attack)
15. Security Life-Cycle
– Risk analysis
– Security policy
– Overall system re-engineering
– Security management of deployed system
– Incident Response
– Business Continuity Planning
16. Risk Analysis!
What is at risk
– Qualitative analysis
– Quantitative analysis
What vulnerabilities can be exploited
– Technical
– Process
– People
Risk management
– Eliminate/reduce risk
– Accept risk
– Transfer risk
Managing risk becomes part of the everyday business process
17. Information Security Policy
– The basis for all information security efforts
– Directs how issues should be addressed and technologies used
– The least expensive control to execute, but the most difficult to implement
– Shaping policy is difficult because policies must:
• Never conflict with laws
• Stand up in court, if challenged
• Be properly administered
18. Need for E-Commerce Security
– The number of cyber attacks skyrocketed from approximately 22,000 in 2000 to over 82,000 in 2002
– In the first quarter of 2003 the number was already over 43,000
Source: US Computer Emergency Response Team (US CERT)
19. A Short Primer on Information Security
20. A Short Primer on Information Security
– …it is not about technology, or at least not only about technology
– It is about building Information Systems in a way that risk is being managed (eliminated, accepted, transferred)
– Basic Information Security properties: CIA
• Confidentiality
• Integrity
• Availability
21. …more Information Security services
– Authentication: verification of one’s identity
– Access Control: control over what information or resources can be accessed by specific people
– Non-repudiation: the inability to deny having done something (e.g. sent an e-mail, received an e-mail, digitally signed something, etc.)
– Privacy: confidentiality of personal information
– Anonymity: confidentiality of identity
22. Challenges for Information Security
Information Systems then:
• Centralised, closed,
• private or semi-private, no access allowed,
• wide spectrum of proprietary networking/communication protocols,
• expensive,
• targeted user group,
• early Internet instances.
Information Systems now:
• Distributed, open,
• no ownership,
• no central control,
• resilience,
• access to anyone,
• standardised protocols,
• Internet access,
• low-cost access.
23. Some General Principles
– Security must have a total approach—you’re only as strong as your weakest link
– The risks do not only stem from external sources; most of the time they stem from internal sources (e.g. disgruntled employees)
– Security is not a cousin of Obscurity (“… the only good locks are open, public and accessible ones”, W. Diffie)
24. Bottom Up Approach to Security
– Systems’ administrators attempting to improve the security of their systems
– Relies on the technical expertise of the persons involved
– Seldom works since it lacks critical features:
• Management support
• Employees’ support
25. Top-down Approach to Security
Initiated by higher-level management:
– Issue policy and procedures
– Dictate the expected outcomes
– Determine who is accountable for each action
Advantages:
– Strong management support
– Dedicated IT personnel
– Dedicated funding
– Clear planning
– Support from employees
26. Security Project Team
– Chief Security Officer
– Chief Information Officer
– Risk assessment specialists
– Security administrators
– Security engineers
– System administrators
– End users (!)
27. A Short Introduction to Cryptography
– Symmetric Cryptosystems
– Asymmetric Cryptosystems
– Digital Signatures
28. A Short Introduction to Cryptography:
Symmetric Cryptosystems
[Diagram: Alice ENCRYPTs the document with symmetric key “pass21” and sends the encrypted document over the network; Bob DECRYPTs the encrypted document with the same symmetric key “pass21” and recovers the document.]
29. A Short Introduction to Cryptography:
Symmetric Cryptosystems
– Both Alice and Bob have the same key (“pass21”)
– Encryption/decryption:
• Step 1: Alice encrypts the document with key
“pass21” and sends the encrypted document to Bob
(e.g. over e-mail)
• Step 2: Bob receives (e.g. by e-mail) the encrypted
document and uses key “pass21” to decrypt it and
retrieve the original document
– Alice has got to communicate the key (“pass21”) to Bob
in a secure manner, i.e. no one else must learn what
the key was (by mail?).
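The two steps above as an added Python example (not code from the slides): Alice and Bob share one key, Bob recovers the document only with that key, and a wrong key or a modified ciphertext is rejected. The cipher is a constructed demonstration chosen so the example runs on the standard library alone (HMAC-SHA256 used as a keystream generator in counter mode, plus an HMAC tag over the ciphertext); a real deployment would use an established authenticated cipher such as AES-GCM. The passphrase “pass21” is taken from the slide; the helper names are the example's own.

```python
"""Symmetric cryptosystem: one key shared by Alice and Bob.

Added demonstration code. The construction below (HMAC-SHA256 as a
counter-mode keystream, encrypt-then-MAC) is for illustration only and
is not a production cipher."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def derive_key(passphrase: str) -> bytes:
    """Turn the slide's passphrase into a 32-byte key.

    A six-character passphrase such as "pass21" is guessable (the
    "shared key guessing" threat on a later slide); the usual answer is a
    randomly generated key, e.g. secrets.token_bytes(32)."""
    return hashlib.sha256(passphrase.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` pseudo-random bytes (HMAC as a PRF)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, document: bytes) -> bytes:
    """Alice's step: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(document))
    ciphertext = bytes(a ^ b for a, b in zip(document, stream))
    # The tag lets Bob detect a wrong key or a ciphertext altered in transit.
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes):
    """Bob's step: the original document, or None if the key is wrong or
    the encrypted document was tampered with."""
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


if __name__ == "__main__":
    shared = derive_key("pass21")                    # the key from the slide
    sent = encrypt(shared, b"Purchase order #42")    # step 1, Alice
    print(decrypt(shared, sent))                     # step 2, Bob
    print(decrypt(derive_key("pass22"), sent))       # wrong key: None
```

The decryption returning None rather than garbage is the point a practitioner should take from the slide: without an integrity tag, Bob cannot tell a wrong key from a tampered message.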
30. A Short Introduction to Cryptography:
Asymmetric Cryptosystems
[Diagram: Alice holds her asymmetric PUBLIC key “pert35” and PRIVATE key “proe34”; Bob holds his asymmetric PUBLIC key “dfgsd34” and PRIVATE key “3trer4”.]
31. A Short Introduction to Cryptography:
Asymmetric Cryptosystems
[Diagram: Alice ENCRYPTs the document with Bob’s asymmetric PUBLIC key “dfgsd34” and sends the encrypted document over the network; Bob DECRYPTs the encrypted document with his asymmetric PRIVATE key “3trer4” and recovers the document.]
32. A Short Introduction to Cryptography:
Asymmetric Cryptosystems
– Alice has a public and private keypair
– Bob has another public and private keypair
– Encryption/decryption:
• Step 1: Alice encrypts the document with Bob’s
public key “dfgsd34” and sends the encrypted document
to Bob (e.g. over e-mail)
• Step 2: Bob receives (e.g. by e-mail) the encrypted
document and uses his private key “3trer4” to
decrypt it and retrieve the original document
– Bob has got to communicate his public key (“dfgsd34”)
to Alice in a secure manner, i.e. no one else must
be able to tamper with the key (by mail?).
33. Symmetric versus Asymmetric Cryptosystems
– Symmetric cryptosystems
• they involve the use of one key only, shared between
A(lice) and B(ob),
• this key must be confidential, i.e. known only to A(lice)
and B(ob).
– Asymmetric cryptosystems
• they involve the use of a keypair (public+private key)
for each party, i.e. Alice has a public and a private
key, while Bob has his own public and his own private
key,
• Bob’s public key must be made known to Alice in a
way that Alice can be sure that the integrity of Bob’s
public key has not been violated.
34. Digital Signatures
[Diagram: Alice SIGNs the document with her asymmetric PRIVATE key “3trer4” and sends the signed document over the network; Bob VERIFIES the SIGNATURE on the signed document with Alice’s asymmetric PUBLIC key “dfgsd34”.]
35. Certification Service Provider
[Diagram: Alice holds her asymmetric PRIVATE key “3trer4” and her asymmetric PUBLIC key “dfgsd34”, the latter signed by the CSP; Bob holds his asymmetric PRIVATE key “a3fd43” and his asymmetric PUBLIC key “dr34w5”, the latter signed by the CSP.]
37. Some Threats in Electronic Transactions
– Monitoring of communication lines
– Shared key guessing
– Shared key stealing
– Unauthorised modification of information in transit
– Masquerade - Web spoofing
– Password stealing
– Unauthorised access
38. Insecure Electronic Transactions
[Diagram: Entity1 (e.g. Internet user) and Entity2 (e.g. e-banking site) communicate over the network through an insecure communication channel.]
39. Facing Threats using Cryptography
– Monitoring of communication lines
• Encryption with a randomly generated shared session key
– Shared session key stealing/guessing
• Cryptographically secure random key generators
• Encryption of the shared session key with the public key of
the receiving entity
– Unauthorised modification of (in-transit) information
• Secure hashing algorithms for message authentication
codes
40. Facing Threats (cont.)
– Masquerade - Web spoofing
• Exchange of X.509v3 certificates and verification against
a Directory
– Password stealing
• Passwords are never transmitted over the network
– Unauthorised access
• Local Access Control List; authentication using
certificates
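The countermeasures of the two slides above, and the asymmetric encryption, digital signature and CSP slides before them, put together in one transaction as an added Python example (not code from the slides): Alice generates a random session key, wraps it with Bob's public key, computes a message authentication code over the document with the session key, and signs the whole envelope; Bob first checks Alice's public key against a certificate signed by the CSP, then verifies the signature and the MAC before trusting the document. RSA is written out as textbook modular exponentiation on Mersenne primes so that the key-management flow is visible without third-party libraries; the keys, names and the certificate format are constructed for this example, and the construction is unusable as a real cryptosystem (no padding, tiny keys, structured primes).

```python
"""Alice -> Bob over an insecure network, combining the pieces named on
the slides: session key wrapped with the receiver's public key, HMAC for
integrity, signature for origin, CSP certificate for the public key.

Added demonstration code. Textbook RSA with no padding on Mersenne
primes: it shows the flow only and must never be used for real data."""
import hashlib
import hmac
import secrets

E = 65537                    # public exponent shared by all toy keypairs
WRAP_LEN, TAG_LEN = 64, 32   # byte lengths of the wrapped key and the HMAC tag


def rsa_keypair(p, q):
    """(public, private) = ((n, e), (n, d)) for two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def rsa_apply(key, value):
    """Raw RSA: value ** exponent mod n, for 0 <= value < n."""
    n, exponent = key
    return pow(value, exponent, n)


def digest_mod(n, data):
    """SHA-256 of the data, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    return rsa_apply(private, digest_mod(private[0], data))


def verify(public, data, signature):
    return rsa_apply(public, signature) == digest_mod(public[0], data)


# --- CSP: binds a subject name to a public key by signing both ---
def issue_certificate(csp_private, subject, public):
    body = f"{subject}|{public[0]}|{public[1]}".encode()
    return body, sign(csp_private, body)


def certified_key(csp_public, certificate, expected_subject):
    """The subject's public key, or None if the CSP signature or the name fails."""
    body, signature = certificate
    if not verify(csp_public, body, signature):
        return None
    subject, n, e = body.decode().split("|")
    return (int(n), int(e)) if subject == expected_subject else None


# --- the transaction itself ---
def alice_sends(document, alice_private, bob_public):
    session_key = secrets.token_bytes(8)   # fresh random key; 64 bits < every toy n
    wrapped = rsa_apply(bob_public, int.from_bytes(session_key, "big"))
    tag = hmac.new(session_key, document, hashlib.sha256).digest()
    envelope = wrapped.to_bytes(WRAP_LEN, "big") + tag + document
    return envelope, sign(alice_private, envelope)   # signature covers everything


def bob_receives(envelope, signature, bob_private, alice_public):
    if not verify(alice_public, envelope, signature):
        return None   # not from Alice, or altered in transit (masquerade/tampering)
    wrapped = int.from_bytes(envelope[:WRAP_LEN], "big")
    session_key = rsa_apply(bob_private, wrapped).to_bytes(8, "big")
    tag = envelope[WRAP_LEN:WRAP_LEN + TAG_LEN]
    document = envelope[WRAP_LEN + TAG_LEN:]
    expected = hmac.new(session_key, document, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return document


# Constructed keys: Mersenne primes, convenient for a demo, worthless for security.
ALICE_PUB, ALICE_PRIV = rsa_keypair(2**31 - 1, 2**61 - 1)
BOB_PUB, BOB_PRIV = rsa_keypair(2**89 - 1, 2**107 - 1)
CSP_PUB, CSP_PRIV = rsa_keypair(2**127 - 1, 2**19 - 1)
ALICE_CERT = issue_certificate(CSP_PRIV, "alice", ALICE_PUB)


def run_transaction(document=b"transfer 100 EUR to account 12345"):
    """Bob obtains Alice's key from her CSP certificate, then opens the envelope."""
    alice_pub = certified_key(CSP_PUB, ALICE_CERT, "alice")
    if alice_pub is None:
        return None
    envelope, signature = alice_sends(document, ALICE_PRIV, BOB_PUB)
    return bob_receives(envelope, signature, BOB_PRIV, alice_pub)


if __name__ == "__main__":
    print(run_transaction())
```

Two details carry the slides' argument: Alice's long-term private key signs, but a fresh session key protects each transaction, so stealing or guessing one session key does not expose the others; and Bob never accepts a public key that merely arrives over the network, only one whose binding to the name “alice” the CSP has signed. Confidentiality of the document itself would be added by encrypting it under the session key with a symmetric cipher; the envelope here leaves it in clear to keep the key-management steps in view.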
41. Securing electronic transactions using Public
Key Infrastructure
[Diagram: Entity1 (e.g. Internet user) and Entity2 (e.g. e-banking site) communicate over the network; a CSP issues certificates to both entities.]
42. Certification Service Provider : The
Cornerstone of Public Key Infrastructure
TTP: “an impartial organisation delivering business
confidence, through commercial and technical security
features, to an electronic transaction”
CSPs are Trusted Third Parties that control the life cycle of
certificates
43. Fashion and PKI: Current trends…
– It’s fashionable
– It’s easy to deploy…
– It meets several security requirements, through
a wide set of security services ranging from
confidentiality to public notary
– It’s a panacea!
44. Fashion and PKI: Current trends (cont.)
…however:
– Typical installations and operation of CSP
software, without prior analysis of requirements
and without designing a Security Policy and a
Certificate Policy, are a present tense situation,
at least on an internal company-wide level. The
resulting problems will soon be present and
tense. PKI is neither a cure-all nor a magical
solution to security problems
45. Malicious Software
…the software that contains the necessary
instructions to carry out an attack against a computer
system
…attack: the violation (or attempted violation) of the
confidentiality, integrity or availability of a system
46. Species of Malicious Software
Viral software
Non-viral software
•Boot sector viruses
•Trapdoors
•Parasitic Viruses
•Logic Bombs
•Multipartite Viruses
•Trojan Horses
•Resident Viruses
•Worms
•Stealth Viruses
•Bacteria
•Encrypted Viruses
•Hoaxes
•Polymorphic Viruses
•Retro-Viruses
•Overwritters
•Macro Viruses
47. Confronting Malicious Software
• Security Awareness
• Antivirus Software
• Operating System logs
• Strict access control
• Forbid the execution of mobile code/programs
downloaded from the Internet
• Firewalls
• Intrusion Detection Tools
• Documented procedure for recovery from
Malicious Software infection
• Co-operation with the organisations that
produce antivirus products
48. Confronting Intrusion Attempts
Intrusion Detection Systems
– Anomaly Detection
They detect a series of actions that rarely occur,
at least in that sequence
– Misuse Models
They detect a series of actions that are known to
violate the security policy
– Specification based
They detect a series of actions that do not comply
with the specifications the IDS has been made
aware of
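The three IDS models above, run side by side over a constructed audit trail of an e-shop, as an added Python example (not code from the slides). The log format (key=value fields), the baseline sessions, the misuse signatures and the checkout specification are all invented for the example; what it shows is that each model catches a different case and misses the others, which is why the slide lists all three.

```python
"""Anomaly, misuse and specification-based detection over one audit trail.

Added demonstration code; log format, baseline and rules are constructed."""
from collections import defaultdict

# Constructed audit trail of an e-shop, one event per line, in time order.
AUDIT_LOG = """\
user=alice action=login
user=alice action=view_item
user=alice action=add_to_cart
user=alice action=checkout
user=bob action=login
user=bob action=view_item
user=bob action=view_item
user=bob action=logout
user=mallory action=add_to_cart
user=mallory action=checkout
user=carol action=login
user=carol action=export_customers
user=dave action=login
user=dave action=checkout
"""

# Constructed "normal" sessions recorded during a quiet training period.
BASELINE = [
    ["login", "view_item", "add_to_cart", "checkout"],
    ["login", "view_item", "view_item", "logout"],
    ["login", "add_to_cart", "view_item", "checkout"],
]

# Misuse model: actions that violate policy whoever performs them.
MISUSE_SIGNATURES = {"export_customers", "dump_orders"}


def parse(log):
    """Group the actions of each user, preserving their order."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        fields = dict(field.split("=", 1) for field in line.split())
        sessions[fields["user"]].append(fields["action"])
    return sessions


def misuse_alerts(sessions):
    """Misuse model: match against known-bad actions."""
    return [(user, action)
            for user, actions in sessions.items()
            for action in actions
            if action in MISUSE_SIGNATURES]


def anomaly_alerts(sessions, baseline=BASELINE):
    """Anomaly detection: flag action pairs never seen during training."""
    seen = {(s[i], s[i + 1]) for s in baseline for i in range(len(s) - 1)}
    return [(user, f"{a}->{b}")
            for user, actions in sessions.items()
            for a, b in zip(actions, actions[1:])
            if (a, b) not in seen]


def specification_alerts(sessions):
    """Specification-based: login must come first; checkout needs a cart."""
    alerts = []
    for user, actions in sessions.items():
        logged_in, cart_filled = False, False
        for action in actions:
            if action == "login":
                logged_in = True
            elif not logged_in:
                alerts.append((user, f"{action} before login"))
            elif action == "add_to_cart":
                cart_filled = True
            elif action == "checkout" and not cart_filled:
                alerts.append((user, "checkout with empty cart"))
    return alerts


def run_all(log=AUDIT_LOG):
    sessions = parse(log)
    return {
        "misuse": misuse_alerts(sessions),
        "anomaly": anomaly_alerts(sessions),
        "specification": specification_alerts(sessions),
    }


if __name__ == "__main__":
    for model, alerts in run_all().items():
        print(model, alerts)
```

Note how the models disagree: mallory's session violates the specification (no login) yet looks normal to the anomaly model, because add_to_cart followed by checkout is a common pair; carol's export is caught by the misuse signature and, only because it is rare, by the anomaly model; dave's empty-cart checkout breaks no signature and is seen only by the anomaly and specification models.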
49. E-commerce and Legal Issues
• Basic liability for online activities (Computer
Misuse Act, UK)
• Legal restrictions on the movement and use of
cryptographic technology (USA)
• Digital signature and electronic signature laws
• Electronic ‘money’
• Corporate re-organisation and the IT security
manager (Data Protection Act)
• Regulation of CAs/TTPs
• Data privacy legislation
• Taxation of e-commerce
50. Social Engineering
… the process of using social skills to convince
people to reveal access credentials or other
valuable information to the attacker
51. Securing E-Commerce: Summary
Network Security
– Firewalls
– Packet-filtering routers
– Application-level proxy
– VPNs
– Intrusion Detection Systems (IDS)
– Network-based IDS
53. E-Commerce Security Survey on Greek SMEs (1)
– Asked whether there has been a security violation
in their network:
• 62% answered no
• 21% answered yes
• 16% answered “Don’t answer”
– Protection measures based on
• Internal know-how (76%)
• External consultants (24%)
– Less than 50% of the organisations surveyed have drawn up
plans for the continuation of their business activities
Source: E-business forum, Work cycle B, Task Force TF B1,
“Information & Communication Systems Security in e-Business”
54. E-Commerce Security Survey on Greek SMEs (2)
– 47% of the organisations surveyed have contacted the Personal Data
Protection Agency within the framework of their business activities
– 45% of businesses stated that their website/webpage contains a
privacy statement
– Almost all businesses stated that they believe that fears and
hesitations about the protection of personal data have dissuaded
consumers from making internet transactions.
Source: E-business forum, Work cycle B, Task Force TF B1, “Information &
Communication Systems Security in e-Business”
55. A Survey of E-Payment and
M-Payment Systems
56. Secure Electronic Transaction Protocols
– Visa 3-D Secure (international.visa.com/fb/paytech/secure/)
– Bank Internet Payment System (BIPS, www.fstc.com)
– Fix (www.fixprotocol.org)
– Homebanking Computer Interface (HBCI, www.hbci.de)
– Open Financial Exchange (www.ofx.net/ofx/default.asp)
– Secure Electronic Transaction (SET, www.setco.org)
– Universal Cardholder Authentication Field (UCAF,
http://www.mastercardintl.com/newtechnology/
ecommercesecurity/spa/ucaf.html)
– Jalda (www.jalda.com)
– Magic Axess (www.magicaxess.com)
57. Secure Electronic Transaction Protocols (2)
– XMLPay (www.verisign.com/developer/xml/xmlpay
.html)
– OBI (Opening Buying on the Internet,
www.openbuy.org)
– IOTP (Internet Open Trading Protocol, www.iotp.org/)
– Echeck (www.echeck.org)
58. E-payments: a definition
“… the term electronic payments includes any
payment to businesses, banks or public services
from citizens or businesses, which are executed
through a telecommunications or electronic
network using modern technology”
Source: e-Business Forum, Ε΄ (5th) Work Cycle, Work Group Ε3,
Summary of Final Results on Electronic Payment: Problems and
Perspectives
59. E-payments in Greece: a survey
[Chart: payment methods used by Greek electronic stores; of its labels only “Cash on Delivery” survives.]
The results in the chart above stem from a study by Work Group E3 of the e-Business Forum. The sample consisted of 30 electronic stores selling a variety of goods.
60. E-payment systems
– E-cash payment systems
– Micropayment systems
– Mobile payment systems
61. E-payment Systems: E-cash payment systems
– Ecash (www.digicash.com)
– CAFÉ (www.semper.org/sirene/projects/cafe/)
– NetCash (www.isi.edu/gost/gost-group/)
– Mondex (www.mondex.com)
– AMADIGI (www.oakington.com/amadigi.htm)
– SmartAxis (www.smartaxis.com)
– Bibit (www.bibit.com)
– CyberCash (www.cybercash.com)
62. Micropayment Systems
– Millicent (www.millicent.com)
– PayWord (theory.lcs.mit.edu/~cis/pubs/rivest/
RivestShamir-mpay.ps)
– MicroMint (theory.lcs.mit.edu/~cis/pubs/rivest/
RivestShamir-mpay.ps)
– CEPS (www.ecbs.org)
– CLIP (www.europay.com)
– Visa Cash (international.visa.com/ps/products/vcash/)
– VISA Direct (www.visa.de/presse/presse_15112002.
htm)
– Yahoo PayDirect (paydirect.yahoo.com)
63. MicroPayment Systems (2)
– iPIN (www.ipin.com)
– W-HA (www.w-ha.com)
– WISP (www.trivnet.com)
– Telia PayIT (www.telia.se)
– AvA (www.leskiosques.com/V2/k_webwap/ava/index.htm)
– Cartio MicroPayments (www.cartio.com)
– InternetCash (www.internetcash.com)
– Coulomb IMPS (www.coulomb.co.uk)
– Geldkarte (www.scard.de)
– Proton (www.protonworld.com)
64. Mobile payment systems
– TELEPAY (www.ertico.com/activiti/projects/telepay
/home.htm)
– Sm-PaySoc (www.smpaysoc.org)
– Sonera (www.sonera.fi/english/)
– PayBox (www.paybox.net)
– PayByTel (www.paybytel.net)
– M-pay bill (http://mpay-bill.vodafone.co.uk)
– Mobipay (www.mobipay.com)
– Visa Movíl (www.visa.es)
– Street Cash (www.streetcash.de)
65. Mobile payment systems (2)
– Safetrader (www.ehpt.com)
– EarthPort (www.earthport.com)
– SPA - Secure Payment Application (http://www.mastercardintl
.com/spa/)
– EMPS (http://www.nordea.fi/E/Merita/sijoita/uutta/990524.ASP
)
– GiSMo (www.gismo.net)
– Fundamo (www.fundamo.com)
– Faircash (www.e-faircash.com)
– eCharge Phone (www.echarge.com)
– Genion m-payment (www.genion.de)
66. Mobile payment systems (3)
– Easybuy (http://www.gsmagazine.com/timeasybuy.htm)
– NewGenPay (www.newgenpay.com)
– eTopup.com (www.etopup.com)
– MoxMo (www.moxmo.com)
– Beam Trust (www.beamtrust.com)
– i-mode (www.nttdocomo.co.jp/english/p_s/imode/index.html)
67. Case Study: ATM Fraud
68. Case Study: Automatic Teller Machines
Security awareness is of paramount importance; the
best security countermeasures can become
useless due to the human factor
Social Engineering
– Sign posted at an ATM (Maryville, Tennessee,
USA) reading
"Due to recent fraud attempts at this ATM
machine, we require you to swipe your card in
the reader below before using the machine",
– Enquiries over the phone about the subject’s
personal data, supposedly on behalf of the bank
and for verification purposes,
69. Case Study: Automatic Teller Machines (2)
– Card retained in the ATM (a plastic flap was glued
over the slot, blocking the card from exiting). As
the customer struggles to get the card back, a
passer-by approaches, offers help and asks the
customer for his PIN. After faking an effort
to remove the card, the passer-by leaves, and
when the customer leaves the area too, the
malevolent passer-by returns to collect the
card,
– shoulder surfing,
– card traps (skimming),
– physical violence.