1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.
SET stands for Secure Electronic Transaction, a standard protocol for securing credit card transactions over insecure networks such as the Internet. It was developed by SETCo, a consortium led by Visa and MasterCard.
RSA is an asymmetric (public-key) cryptosystem. It was the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public-key cryptography. RSA is widely used in electronic commerce protocols and is believed to be secure given sufficiently long keys and the use of up-to-date implementations. Note that "128-bit" in e-commerce marketing refers to the symmetric session key (for example 128-bit RC4 or AES negotiated by SSL/TLS), not to the RSA key: a 128-bit RSA modulus can be factored in moments, and the RSA key that protects the session-key exchange needs to be at least 1024 bits long (2048 bits by current guidance).
2. What can you find out about network and host-based intrusion detection systems?
A network intrusion detection system (NIDS) is an independent platform that identifies intrusions by examining network traffic and so monitors many hosts at once. In a NIDS, the sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets, and the pattern of traffic over time, for signs of malicious activity.
A host-based intrusion detection system (HIDS), by contrast, consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state.
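The two approaches, as an added example that is not part of the original post: a NIDS-style pass over constructed packet records (content signatures per packet plus a cross-packet port-scan count) and a HIDS-style file-integrity check that compares SHA-256 hashes against a baseline. All packets, file paths and contents are constructed for the example, and the rules are simplified stand-ins for real signature sets.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample traffic: (src, dst, dst_port, payload). Not real captures.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", "192.0.2.10", 80, b"GET /login.php?user=admin' OR '1'='1 HTTP/1.1"),
] + [("10.0.0.9", "192.0.2.10", p, b"") for p in range(20, 45)]  # one host probing 25 ports

# Content signatures a NIDS sensor applies to each packet payload (simplified).
SIGNATURES = {
    "sqli-quote-or": re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "dir-traversal": re.compile(rb"\.\./\.\./"),
}
SCAN_THRESHOLD = 20  # distinct destination ports from one source = probable port scan


def nids_alerts(packets, threshold=SCAN_THRESHOLD):
    """Return (name, src, dst, detail) alerts from per-packet and per-source analysis."""
    alerts = []
    ports_by_src = defaultdict(set)
    for src, dst, port, payload in packets:
        ports_by_src[src].add(port)
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((name, src, dst, port))
    # A single packet looks harmless; the scan is only visible across packets.
    for src, ports in ports_by_src.items():
        if len(ports) >= threshold:
            alerts.append(("port-scan", src, None, len(ports)))
    return alerts


def baseline(files):
    """HIDS: record SHA-256 of each monitored file. files maps path -> contents (bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(baseline_hashes, current_files):
    """Return (path, status) for every file that was modified, removed or newly added."""
    findings = []
    for path, digest in baseline_hashes.items():
        if path not in current_files:
            findings.append((path, "missing"))
        elif hashlib.sha256(current_files[path]).hexdigest() != digest:
            findings.append((path, "modified"))
    for path in current_files:
        if path not in baseline_hashes:
            findings.append((path, "new"))
    return findings


if __name__ == "__main__":
    for alert in nids_alerts(PACKETS):
        print("NIDS:", alert)
    base = baseline({"/etc/passwd": b"root:x:0:0", "/bin/ls": b"ELF-binary-bytes"})
    now = {"/etc/passwd": b"root:x:0:0\nevil:x:0:0", "/usr/bin/rk": b"rootkit"}
    for finding in check_integrity(base, now):
        print("HIDS:", finding)
```

The baseline itself must be stored somewhere the monitored host cannot silently rewrite (read-only media or a separate log host), otherwise an intruder who gains root simply re-baselines after installing the rootkit.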
3. What is ‘phishing’?
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by email or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one; the link text in the message usually shows the genuine address while the underlying link points elsewhere, or uses a lookalike domain.
4. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?
SET is a standard protocol for securing credit card transactions over insecure networks. SET was intended to become the standard payment method on the Internet between merchants, buyers and the credit card companies. However, it failed to win market share because of its cost and complexity: it required special client software to be installed and a client-side certificate to be issued to every cardholder.
Secure Sockets Layer (SSL), since superseded by Transport Layer Security (TLS), is a cryptographic protocol that provides security for communications over networks such as the Internet by encrypting the connection between client and server at the transport layer. It needs only a server certificate and an ordinary browser. Compared with the low cost and simplicity of SSL, SET failed to win market share, and it is not in common use today.
5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?
Cookies, also known as web cookies, browser cookies or HTTP cookies, are small pieces of text stored by a user's web browser and sent back to the server with later requests to the same site. A cookie consists of one or more name-value pairs containing bits of information, which may be encrypted for privacy and data security purposes. Their main security use is to carry a session identifier, so the user authenticates once and the server can recognise subsequent requests without the password being re-sent each time.
Cookies are supposed to be stored and sent back to the server unchanged, but an attacker can modify the value of a cookie before sending it back. If, for example, a cookie contains the total value a user has to pay for the items in their shopping basket, changing the value exposes the server to the risk of letting the attacker pay less than the intended price. Tampering with the value of a cookie in this way is called "cookie poisoning", and it is sometimes used after cookie theft to make an attack persistent.
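The shopping-basket case above, as an added example that is not part of the original post: a naive server that trusts the cookie text as-is beside one that attaches an HMAC-SHA256 tag under a server-side secret, so an altered total is rejected. The secret, the cookie layout (`value.tag`) and the sample values are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed secret; in a real deployment load it from a secret store, never embed it.
SECRET = b"server-side-secret-never-sent-to-client"


def naive_total(cookie):
    """Vulnerable: believes whatever the client sends in the 'total=' cookie."""
    return float(cookie.split("=", 1)[1])


def issue_cookie(value, key=SECRET):
    """Return 'value.tag' where tag = base64url(HMAC-SHA256(key, value))."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def read_cookie(cookie, key=SECRET):
    """Return the value if the tag verifies, else None (tampered or forged cookie)."""
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = issue_cookie(value, key)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return value if hmac.compare_digest(expected, cookie) else None


def signed_total(cookie):
    """Hardened: only accepts a total whose tag was produced by this server."""
    value = read_cookie(cookie)
    if value is None:
        raise ValueError("cookie rejected: bad signature")
    return float(value.split("=", 1)[1])


if __name__ == "__main__":
    cookie = issue_cookie("total=49.99")
    tampered = "total=0.99" + cookie[cookie.rindex("."):]  # attacker edits value, keeps tag
    print("naive server charges:", naive_total("total=0.99"))
    print("signed server accepts original:", signed_total(cookie))
    try:
        signed_total(tampered)
    except ValueError as err:
        print("signed server:", err)
```

Signing stops tampering but not replay or theft: the better design keeps the basket on the server and puts only an opaque session identifier in the cookie, sent with the `Secure` and `HttpOnly` attributes so it travels only over TLS and is not readable by page scripts.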
6. What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?
A firewall is a dedicated appliance, or software running on a computer, which inspects network traffic passing through it and denies or permits passage based on a set of rules. Several techniques employed by firewalls make them a good security investment:
Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules (addresses, protocol, ports).
Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective but may impose performance degradation.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
Two of the biggest firewall vendors are Cisco and Check Point. Both provide hardware firewall appliances as well as software firewall products.
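The packet-filter and circuit-level ideas in the list above, as an added example that is not part of the original post: an ordered rule set with first-match semantics and a default deny, plus a connection table so that replies to an allowed connection pass without a separate inbound rule. The rule format, the sample addresses (documentation ranges) and the packet dictionaries are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Rule: (action, proto, src_net, dst_net, dst_port or None). First match wins.
RULES = [
    ("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),   # public HTTPS to web server
    ("allow", "tcp", "10.0.0.0/8", "192.0.2.10/32", 22),   # SSH only from internal net
    ("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),       # explicit default deny
]


def rule_matches(rule, pkt):
    action, proto, src, dst, port = rule
    return (
        proto in ("any", pkt["proto"])
        and ip_address(pkt["src"]) in ip_network(src)
        and ip_address(pkt["dst"]) in ip_network(dst)
        and (port is None or port == pkt["dport"])
    )


class StatefulFilter:
    """Stateless rule evaluation plus a table of connections already permitted."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (proto, src, sport, dst, dport) of allowed connections

    def decide(self, pkt):
        # A reply swaps the endpoints; if the forward tuple is known, let it through.
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.sessions:
            return "allow"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule[0] == "allow":
                    self.sessions.add(
                        (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
                    )
                return rule[0]
        return "deny"  # nothing matched: deny by default


def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    print("client -> 443:", fw.decide(pkt("tcp", "198.51.100.7", 50000, "192.0.2.10", 443)))
    print("server reply :", fw.decide(pkt("tcp", "192.0.2.10", 443, "198.51.100.7", 50000)))
    print("outside -> 22:", fw.decide(pkt("tcp", "198.51.100.7", 50001, "192.0.2.10", 22)))
    print("inside  -> 22:", fw.decide(pkt("tcp", "10.1.2.3", 50002, "192.0.2.10", 22)))
    print("unsolicited  :", fw.decide(pkt("tcp", "192.0.2.10", 443, "198.51.100.7", 50003)))
```

Without the session table the server's reply (source port 443 to a high client port) would fall through to the default deny; a stateless filter has to open all high ports inbound instead, which is the gap stateful inspection closes. Real filters such as iptables express the same thing with a conntrack rule for ESTABLISHED traffic.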
7. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?
The most common security measures used to establish trust among potential customers are digital signatures and digital certificates. Of these, the server's certificate is the one a customer can verify directly: the browser shows the certificate behind the padlock, the name it was issued to, and the certificate authority that issued it.
Digital signatures meet the need for authentication and integrity. To vastly simplify matters, the plaintext message is run through a hash function to produce a short value, the message digest. The sender encrypts this digest with their own private key; the result is the signature, which is sent along with the message. The recipient runs the received message through the same hash function, decrypts the signature with the sender's public key, and checks that the two digest values match; any change to the message changes the digest and the check fails. Confidentiality is obtained separately, by encrypting the message with the recipient's public key, which only the recipient's private key can undo.
Sensitive information has to be protected at at least three points in a transaction:
Credit card details supplied by the customer, either to the merchant or to the payment gateway. Handled by the server's SSL/TLS connection and the merchant's or server's digital certificate.
Credit card details passed to the bank for processing. Handled by the security measures of the payment gateway.
Order and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing company. Handled by SSL/TLS, server security and digital certificates.
8. Get the latest PGP information from http://en.wikipedia.org/wiki/Pretty_Good_Privacy
The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?
PGP, which stands for Pretty Good Privacy, is a computer program that provides cryptographic privacy and authentication. PGP is often used for signing, encrypting and decrypting emails to increase the security of email communications. Besides digital certificates and passports, there are several tools that can help users avoid identity theft:
Verification Engine: an easy tool that provides an extra layer of protection by double-checking a website's digital certificate. It checks that the name the certificate was issued to matches the name in the web address.
Stronger authentication: some sites ask additional security questions when you log on from an unfamiliar location, and show a user-chosen image or phrase (a "security seal") so that you can confirm you are on the genuine site before typing your password. This helps customers avoid pharming and phishing attacks.
Another kind of strong two-factor authentication is the one-time password token now being offered by PayPal. The key-chain-sized token generates a 6-digit number that is used in combination with a user ID and password to log on to the account. Because each code is valid only once, a phisher who captures a code along with the password still cannot log in later.
Security toolbars: these work as part of the web browser, block known fraudulent sites and allow users to easily report suspicious sites.
Anti-spyware and anti-rootkit tools: often free software that searches for and removes the most common kinds of software that track your online activity. They can also prevent a remote attacker from taking control of your machine.
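How a 6-digit one-time password token of the kind described above works, as an added example that is not part of the original post: the OATH HOTP algorithm from RFC 4226 (HMAC-SHA1 over a counter, dynamically truncated to 6 digits), its time-based variant TOTP from RFC 6238, and a server-side check with a small resynchronisation window. The 20-byte secret is the one from the RFC test vectors, and the code is a generic illustration rather than the internals of any particular vendor's token.

```python
import hashlib
import hmac
import struct
import time

# Secret shared between token and server; this is the RFC 4226 test-vector secret.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current time window."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_hotp(secret, code, server_counter, look_ahead=5):
    """Server side: accept a code at or a few presses ahead of the stored counter.

    Returns the new counter value (one past the accepted code) or None. Because
    the counter never moves backwards, a code captured by a phisher and replayed
    after the legitimate login is rejected.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


if __name__ == "__main__":
    for i in range(3):
        print("token press", i, "->", hotp(SECRET, i))
    print("TOTP at t=59  ->", totp(SECRET, for_time=59))
    print("TOTP now      ->", totp(SECRET))
    print("login with 287082, counter 0 ->", verify_hotp(SECRET, "287082", 0))
    print("replay 755224, counter 2     ->", verify_hotp(SECRET, "755224", 2))
```

The look-ahead window exists because a user may press the token button without logging in; the server stores the updated counter after every successful check so the same code cannot be used twice.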
Reference
Wikipedia. (2010). Secure Electronic Transaction. Retrieved Apr 18, 2010, from http://en.wikipedia.org/wiki/Secure_Electronic_Transaction
Wikipedia. (2010). RSA. Retrieved Apr 18, 2010, from http://en.wikipedia.org/wiki/RSA
Wikipedia. (2010). Intrusion Detection System. Retrieved Apr 18, 2010, from http://en.wikipedia.org/wiki/Intrusion_detection_system
Wikipedia. (2010). Transport Layer Security. Retrieved Apr 20, 2010, from http://en.wikipedia.org/wiki/Transport_Layer_Security
Wikipedia. (2010). HTTP cookie. Retrieved Apr 20, 2010, from http://en.wikipedia.org/wiki/HTTP_cookie
Wikipedia. (2010). Firewall (Computing). Retrieved Apr 20, 2010, from http://en.wikipedia.org/wiki/Firewall_(computing)
Ecommerce-Digest.com. (2010). Ecommerce Security Issues. Retrieved Apr 21, 2010, from http://www.ecommerce-digest.com/ecommerce-security-issues.html
Phishinginfo.org. (2010). Tips and Tools for Avoiding Online Identity Theft. Retrieved Apr 22, 2010, from http://www.phishinginfo.org/tips.html