Sunday, May 23, 2010

Topic 7 - Exercise 9

1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.

Secure Electronic Transaction (SET) was a standard protocol for securing credit card transactions over insecure networks, specifically the Internet. SET was developed by SETco, led by Visa and MasterCard (and involving other companies such as GTE, IBM, Microsoft, Netscape, RSA and VeriSign), starting in 1996. SET was based on X.509 certificates with several extensions: cardholders, merchants and payment gateways each held a certificate, so every party in a transaction could be authenticated. The first version was finalized in May 1997 and a pilot test was announced in July 1998.

How SET works:

1. The consumer accesses the merchant's web site, browses the goods on display and selects what he or she wants, typically dropping the items into a virtual shopping cart. At the checkout the site presents the order details, including the cost of all the items being purchased, plus taxes and shipping costs.

2. The screen then asks for the payment method and the consumer chooses to pay by credit card using SET.

3. Software on the consumer's PC called a digital wallet is invoked; it asks the customer to choose one of the credit cards it holds.

4. The consumer chooses a card and the SET transaction is under way. The wallet encrypts the card details for the bank's payment gateway rather than for the merchant, so the merchant receives the authorised order but never sees the card number. A few seconds later there is a confirmation that the order has been processed.

RSA (named after Rivest, Shamir and Adleman, who first publicly described it) is an algorithm for public-key cryptography[1]. It was the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public-key cryptography. RSA is widely used in electronic commerce protocols (SSL/TLS and SET both rely on it for key transport and signatures), and is believed to be secure given sufficiently long keys and up-to-date implementations. Two caveats belong with that sentence. First, the "128-bit" in e-commerce marketing refers to the symmetric session cipher negotiated under SSL, not to the RSA key: a 128-bit RSA modulus can be factored in seconds, which is why RSA keys are 1024 bits at the very least and 2048 bits or more in practice. Second, "textbook" RSA (raw modular exponentiation with no padding) is malleable, so real implementations pad with PKCS#1 v1.5, OAEP or PSS.
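The following is an added example, not code from the original post: textbook RSA on a deliberately small modulus (two constructed, well-known primes giving a 63-bit n, roughly the "128-bit RSA" scale the exercise mentions). It shows key generation, encryption, signing, and then recovers the private key from the public key alone with Pollard's rho, which is the concrete reason "sufficiently long keys" matters.

```python
# Added example (not from the original post): textbook RSA on a deliberately
# small modulus, to show key generation, encryption, signing, and why a short
# modulus is worthless. The primes below are constructed for illustration;
# real keys use primes of 1024 bits or more each.
import hashlib
import math
import random

# Two known primes (2^31 - 1 and the largest prime below 2^32): a 63-bit
# modulus, around the "RSA 128-bit" scale the exercise asks about.
P = 2147483647
Q = 4294967291

def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)). Requires gcd(e, (p-1)(q-1)) == 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)

def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def _digest_int(message, n):
    # Real RSA signatures pad the hash (PKCS#1 v1.5 or PSS); reducing mod n is
    # only done here because the toy modulus is shorter than a SHA-256 digest.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(priv, message):
    n, d = priv
    return pow(_digest_int(message, n), d, n)

def rsa_verify(pub, message, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(message, n)

def pollard_rho(n, rng=random.Random(2010)):
    """Find a non-trivial factor of composite n (Pollard's rho).
    Runs in about sqrt(smallest factor) steps: instant for a 63-bit n,
    hopeless for a 2048-bit one, which is the whole point of long keys."""
    if n % 2 == 0:
        return 2
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d

def break_key(pub):
    """Recover the private exponent from the public key alone."""
    n, e = pub
    p = pollard_rho(n)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, priv = rsa_keygen(P, Q)
    c = rsa_encrypt(pub, 4242)
    print("decrypt:", rsa_decrypt(priv, c))
    sig = rsa_sign(priv, b"pay 10.00 to merchant")
    print("verify:", rsa_verify(pub, b"pay 10.00 to merchant", sig))
    print("recovered private key matches:", break_key(pub) == priv)
```

Because there is no padding, the example is also malleable: multiplying a ciphertext by the encryption of 2 yields a ciphertext that decrypts to twice the original message, which is one of the reasons real protocols never use raw RSA.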

2. What can you find out about network and host-based intrusion detection systems?

Both network- and host-based intrusion detection systems (IDS) protect hosts and network infrastructure against malicious attacks. In either case the product looks for attack signatures: specific patterns that usually indicate malicious or suspicious intent. When an IDS looks for these patterns in network traffic it is network-based (NIDS); when it looks for them in log files and other host state (file integrity, process activity) it is host-based (HIDS). Each approach has strengths and weaknesses and the two are complementary: a NIDS sees every host on a segment but is blind to encrypted traffic and to what actually happened on the host, while a HIDS sees the outcome on one machine but only on machines where it is installed. A truly effective intrusion detection deployment employs both and correlates their alerts, so that a probe seen on the wire and a suspicious login seen in a log from the same source are treated as one incident rather than two low-priority events.
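The following added example (not code from the original post) puts both kinds of sensor side by side: a network-side signature scan over request payloads, a host-side scan over sshd log lines that turns a burst of failures into an alert, and a correlation step that only works because both views exist. The HTTP payloads and log lines are constructed for the demonstration.

```python
# Added example, not part of the original post: a minimal signature-based IDS
# with a network-side detector (runs over packet payloads) and a host-side
# detector (runs over log lines), plus a correlation step that needs both.
# All traffic and log lines below are constructed for illustration.
import re
from collections import defaultdict

# Network-based: patterns matched against raw request payloads.
NETWORK_SIGNATURES = [
    ("http-path-traversal", re.compile(rb"(\.\./){2,}")),
    ("http-sqli", re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
    ("http-cmd-injection", re.compile(rb"[;|&]\s*(cat|wget|curl|nc)\b")),
]

def scan_payload(src_ip, payload):
    """Return (src_ip, signature name) for every network signature that matches."""
    return [(src_ip, name) for name, rx in NETWORK_SIGNATURES if rx.search(payload)]

# Host-based: sshd log lines. A single failure is noise; a burst from one
# source is a brute-force signature, and a success after that burst is the
# event worth paging on.
FAIL_RX = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
OK_RX = re.compile(r"Accepted password for (\S+) from (\S+)")

def scan_auth_log(lines, threshold=5):
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        m = FAIL_RX.search(line)
        if m:
            ip = m.group(2)
            failures[ip] += 1
            if failures[ip] == threshold:
                alerts.append((ip, "ssh-brute-force"))
            continue
        m = OK_RX.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= threshold:
                alerts.append((ip, "ssh-brute-force-success"))
    return alerts

def correlate(net_alerts, host_alerts):
    """Sources that tripped both sensors: web probing plus SSH guessing."""
    net_ips = {ip for ip, _ in net_alerts}
    return sorted({ip for ip, _ in host_alerts if ip in net_ips})

# Constructed sample input.
SAMPLE_PAYLOADS = [
    ("203.0.113.7", b"GET /index.php?page=../../../../etc/passwd HTTP/1.1\r\n"),
    ("198.51.100.2", b"GET /products?id=1 HTTP/1.1\r\n"),
    ("203.0.113.7", b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR 1=1--&pass=x"),
]
SAMPLE_AUTH_LOG = [
    "May 23 10:01:02 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "May 23 10:01:03 web1 sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2",
    "May 23 10:01:04 web1 sshd[4123]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "May 23 10:01:05 web1 sshd[4124]: Failed password for deploy from 203.0.113.7 port 51125 ssh2",
    "May 23 10:01:06 web1 sshd[4125]: Failed password for deploy from 203.0.113.7 port 51126 ssh2",
    "May 23 10:01:09 web1 sshd[4128]: Accepted password for deploy from 203.0.113.7 port 51130 ssh2",
    "May 23 10:02:00 web1 sshd[4140]: Failed password for bob from 198.51.100.2 port 40001 ssh2",
]

def run_demo():
    net = [a for ip, p in SAMPLE_PAYLOADS for a in scan_payload(ip, p)]
    host = scan_auth_log(SAMPLE_AUTH_LOG)
    return net, host, correlate(net, host)

if __name__ == "__main__":
    for label, items in zip(("network", "host", "both"), run_demo()):
        print(label, items)
```

Note what each sensor alone would miss: the NIDS cannot tell whether the SSH guessing succeeded, and the HIDS never saw the traversal and injection attempts against the web server. Only the correlated view shows one source doing both.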

3. What is "phishing"?

Phishing is the criminal activity of acquiring sensitive information such as usernames, passwords and credit card details by hiding the sender's real identity and posing as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, on-line payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake web site whose look and feel are almost identical to the legitimate one. The give-aways are usually in the links rather than in the page itself: the visible link text names the real site while the underlying address points elsewhere, the brand name appears only as a subdomain of an unrelated domain, the domain is a look-alike with swapped characters, or the link is a raw IP address.
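As an added example (not from the original post), the checker below extracts the links from an HTML e-mail and flags the tricks just listed. The trusted-domain list, the confusable-character table and the sample message are constructed for the demonstration; the "registrable domain" helper is a deliberate simplification (last two labels) that is good enough for the .com-style names used here.

```python
# Added example, not from the original post: flag the link tricks a phishing
# e-mail relies on. Trusted domains and the sample message are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "examplebank.com"}   # constructed allow-list

# Characters phishers swap for look-alikes; normalise before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

def registrable(host):
    """Crude eTLD+1: last two labels. Enough for the .com-style names used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain this one impersonates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = domain.replace("rn", "m").translate(CONFUSABLES)
    for t in TRUSTED_DOMAINS:
        if norm == t or edit_distance(domain, t) <= 1:
            return t
    return None

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    reasons = []
    host = urlparse(href).hostname or ""
    dom = registrable(host)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address")
    # Visible text names one site, the href goes somewhere else.
    m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    if m and registrable(m.group(1)) != dom:
        reasons.append(f"text says {registrable(m.group(1))}, link goes to {dom}")
    # Brand name buried in a subdomain of an unrelated registrable domain.
    for t in TRUSTED_DOMAINS:
        if t in host and dom != t:
            reasons.append(f"{t} appears in subdomain of {dom}")
    target = lookalike_of(dom)
    if target:
        reasons.append(f"{dom} looks like {target}")
    return reasons

def scan_email(html):
    p = LinkExtractor()
    p.feed(html)
    return [(href, check_link(href, text)) for href, text in p.links]

# Constructed sample lure: three bad links and one genuine one.
SAMPLE_EMAIL = """<p>Your account is limited. <a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
to restore access, or <a href="http://paypa1.com/">sign in</a>. Help: <a href="http://198.51.100.23/help">here</a>.
Unrelated: <a href="https://www.paypal.com/help">paypal.com help centre</a></p>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", reasons or "ok")
```

The allow-list approach is the important design choice: look-alike detection only works against a list of names you actually care about, which is why mail gateways ship brand lists rather than trying to score every domain on the Internet.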

4. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?

The SET (Secure Electronic Transaction) protocol is an open industry standard developed for the secure transmission of payment information over the Internet and other electronic networks. SET had the strong support of the two major credit card companies, Visa and MasterCard. SET is a more secure protocol than SSL for this purpose: SSL only encrypts the channel between browser and merchant, so the merchant still receives and stores the card number, whereas SET authenticates the cardholder with a certificate and encrypts the card details so that only the payment gateway can read them. With this added security comes added complexity and cost (every cardholder needs a certificate and wallet software), so it was never as common as SSL. SET is not in common use: it never achieved wide deployment and was abandoned by Visa and MasterCard in favour of SSL/TLS for the transport plus 3-D Secure for cardholder authentication.

5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?


A cookie is a small piece of data sent by a server to a browser and then sent back by the browser with each subsequent request to that server. HTTP cookies are used for user authentication (after login the cookie carries a session identifier that stands in for the user's password), user tracking, and maintaining user-specific information such as site preferences and electronic shopping carts.

Cookies have been a concern for Internet privacy, since they can be used to track a user's browsing; because of that they have been subject to legislation in various countries, including the United States and the European Union. Cookies have also been criticised because the identification of users they provide is not 100% accurate and because they can be abused in attacks. The main risk is session hijacking: whoever holds a valid session cookie is the user, so a cookie read by injected script (XSS), sniffed from an unencrypted connection, or guessed because it was predictable gives an attacker the account without the password. The standard mitigations are unguessable, server-signed session values, the Secure flag (send only over HTTPS), the HttpOnly flag (hide from page scripts) and a short lifetime. Some alternatives to cookies exist, but have their own disadvantages and flaws. On the other hand, cookies have been subject to a number of misconceptions, mostly based on the erroneous notion that they are computer programs. In fact, cookies are simple pieces of data unable to perform any operation by themselves. In particular, they are neither spyware nor viruses, despite the detection of cookies from certain sites by many anti-spyware products.
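The following added example (not code from the original post) shows the authentication use and the mitigations together: a session cookie whose payload is signed with a server-side HMAC key, the verification that rejects forged, altered and expired cookies, and the Set-Cookie attributes that limit what a stolen one is worth. The key, user names and timestamps are constructed for the demonstration.

```python
# Added example, not from the original post: a signed session cookie and the
# Set-Cookie attributes that limit what a stolen or forged cookie is worth.
# The key, user names and timestamps are constructed for the demonstration.
import base64
import binascii
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie

SERVER_KEY = b"constructed-demo-key-replace-with-32-random-bytes"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_session(user, key=SERVER_KEY, now=None, ttl=3600):
    """Token is payload.mac: the server vouches for the payload with an HMAC."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = json.dumps({"u": user, "exp": exp}, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)

def verify_session(token, key=SERVER_KEY, now=None):
    """Return the user name, or None if the cookie is forged, altered or expired."""
    try:
        p_b64, m_b64 = token.split(".", 1)
        payload, mac = _unb64(p_b64), _unb64(m_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    data = json.loads(payload)                    # only parsed after the MAC checks out
    if data["exp"] < (time.time() if now is None else now):
        return None
    return data["u"]

def set_cookie_header(token):
    """Secure: never sent over plain HTTP. HttpOnly: invisible to page scripts,
    so an XSS bug cannot read it. SameSite=Lax: not attached to most
    cross-site requests, which blunts CSRF."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c["session"].OutputString()

def forge_without_key(user, exp):
    """What an attacker who edits the cookie in the browser can produce: the
    payload is trivial to write, the MAC is not, because the key is server-side."""
    payload = json.dumps({"u": user, "exp": exp}, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(hmac.new(b"guess", payload, hashlib.sha256).digest())

if __name__ == "__main__":
    tok = issue_session("alice")
    print("Set-Cookie:", set_cookie_header(tok))
    print("genuine ->", verify_session(tok))
    print("forged  ->", verify_session(forge_without_key("admin", int(time.time()) + 3600)))
```

The signature stops tampering and forgery, but it does nothing against theft: a copied cookie is still valid until it expires, which is what the Secure and HttpOnly flags and the short lifetime are for.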

6. What makes a firewall a good security investment? Accessing the Internet find two or three firewall vendors. Do they provide hardware, software or both?

Firewalls are an essential part of all modern computer infrastructure set-ups. They typically consist of a device (a dedicated appliance or a router) or host software installed between the internal network of an organization and the rest of the Internet to provide access control. There are several types of firewall techniques:

* Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. Because it decides on header fields alone, it is susceptible to IP spoofing unless the rules also take into account which interface a packet arrived on.

* Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

* Circuit-level gateway: Applies security mechanisms when a TCP connection (or UDP session) is established. Once the connection has been made, packets can flow between the hosts without further checking.

* Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
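As an added example (not from the original post), the first-match packet filter below evaluates the same constructed packets against two rule sets: a naive one that trusts any packet with an internal source address, and a hardened one that first drops external packets claiming an internal source (the ingress-filtering rule of RFC 2827 / BCP 38). The addresses, interface names and policy are constructed for the demonstration.

```python
# Added example, not from the original post: a first-match packet filter over
# constructed packets, showing the IP-spoofing weakness of header-only rules
# and the ingress rule that closes it. Addresses and interfaces are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = "10.0.0.0/8"

@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "ext" or "int"
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    note: str
    iface: Optional[str] = None      # None means "any" for every field below
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR
    dst: Optional[str] = None        # CIDR
    dport: Optional[int] = None

    def matches(self, pkt):
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want is not None and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return True

def evaluate(rules, pkt):
    """First matching rule wins; a packet no rule claims is dropped."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.note
    return "deny", "default deny"

# A filter that trusts anything with an internal source address, wherever it came from.
NAIVE = [
    Rule("allow", "public web server", proto="tcp", dst="10.0.0.5/32", dport=80),
    Rule("allow", "trust internal hosts", src=INTERNAL),
    Rule("deny", "everything else"),
]

# Same policy, but external packets claiming an internal source are dropped first.
HARDENED = [
    Rule("deny", "anti-spoofing: internal source on external interface", iface="ext", src=INTERNAL),
    Rule("allow", "public web server", proto="tcp", dst="10.0.0.5/32", dport=80),
    Rule("allow", "trust internal hosts", iface="int", src=INTERNAL),
    Rule("deny", "everything else"),
]

# Constructed traffic, including one packet from the Internet with a forged internal source.
SAMPLE_PACKETS = {
    "web": Packet("ext", "tcp", "198.51.100.9", "10.0.0.5", 80),
    "spoofed_ssh": Packet("ext", "tcp", "10.0.0.77", "10.0.0.10", 22),
    "internal_ssh": Packet("int", "tcp", "10.0.0.4", "10.0.0.10", 22),
    "external_ssh": Packet("ext", "tcp", "198.51.100.9", "10.0.0.10", 22),
}

def compare(rules_a=NAIVE, rules_b=HARDENED):
    """Decision of each rule set per sample packet: {name: (naive, hardened)}."""
    return {name: (evaluate(rules_a, p)[0], evaluate(rules_b, p)[0])
            for name, p in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:13s} naive={naive:5s} hardened={hardened}")
```

The only packet the two rule sets disagree on is the spoofed one: the naive filter lets it through because the source address looks internal, the hardened filter drops it because an internal address cannot legitimately arrive on the external interface.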

There is a large market of competing firewall manufacturers, for example Cisco, SonicWall, CyberGuard, Juniper and WatchGuard. Most of these offer either software or hardware firewall products, and a few offer both.

7. What measures should e-commerce providers take to create trust among their potential customers? What measures can be verified by the customer?

A number of mechanisms can be implemented to make customers accessing an e-commerce site safer, although none of them is 100% guaranteed to prevent perpetrators from stealing confidential data. They include digital certificates and signatures for authentication and integrity, SSL/TLS for the transport, PCI DSS compliance for how card data is handled and stored, SET, firewalls, and Kerberos or similar authentication solutions. Of these, the customer can directly verify only what the browser shows: that the connection is SSL-protected (the padlock) and that the certificate behind it names the site's domain and is issued by a recognised authority. Firewalls, PCI compliance and internal authentication are controls the customer has to take on trust, or on the word of a third-party audit.

8. Get the latest PGP information from  http://en.wikipedia.org./wiki/Pretty_Good_Privacy. The use of digital certificates and passports are just 2 examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What are others?

PCT (Private Communication Technology) - A Microsoft protocol very similar to SSL. It is obsolete and was dropped in favour of SSL/TLS.

S-HTTP (Secure HTTP, RFC 2660) - A version of the HTTP protocol that encrypts and signs individual messages rather than the whole connection. It was never widely adopted; HTTPS (HTTP over SSL/TLS) is what the Web uses.

DNSSEC - The Domain Name System Security Extensions. It adds digital signatures to DNS records so that a resolver can detect forged answers, preventing attacks such as domain name spoofing and cache poisoning.

Kerberos - A network authentication system developed at the Massachusetts Institute of Technology. It uses symmetric-key encryption: a trusted key distribution centre issues time-limited tickets that a client presents to prove its identity to servers on the network, so the user's password itself never travels over the wire.

Key exchange, e.g. Diffie–Hellman key exchange - A technique for agreeing on a key for symmetric encryption. Each party sends the other a public value; combining the received value with its own private value gives each side the same shared secret, which an eavesdropper who sees only the two public values cannot compute. No key is transmitted: the key is derived independently at each end. On its own the exchange does not authenticate the parties, so it is normally combined with certificates or signatures to stop a man-in-the-middle.
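The exchange just described, written out as an added example (not code from the original post): both parties' messages, a symmetric key derived from the shared secret, and the man-in-the-middle that an unauthenticated exchange cannot stop, which is why SSL and SET bind the exchange to a certificate. The group is a 128-bit safe prime generated at import time for the demonstration (real deployments use fixed 2048-bit or larger groups such as those in RFC 3526 and RFC 7919); the random seeds and party names are constructed.

```python
# Added example, not from the original post: Diffie-Hellman with both sides'
# messages written out, a key derived from the shared secret, and the
# man-in-the-middle that unauthenticated DH cannot stop. The group is a
# 128-bit safe prime generated here for the demonstration only; real
# deployments use fixed 2048-bit-or-larger groups (RFC 3526 / RFC 7919).
import hashlib
import random

def is_probable_prime(n, rng=None, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    rng = rng or random
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_safe_prime(bits, rng):
    """p = 2q + 1 with q prime: every g other than 1 and p-1 then has order q
    or 2q, so there is no small subgroup for an attacker to push us into."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1

_GROUP_RNG = random.Random(2010)      # seeded only so the demo is reproducible
P = make_safe_prime(128, _GROUP_RNG)  # constructed toy group, NOT a real parameter
G = 2

class Party:
    def __init__(self, name, rng):
        self.name = name
        self.priv = rng.randrange(2, P - 2)     # never leaves this object
        self.pub = pow(G, self.priv, P)        # the only value sent over the wire

    def derive_key(self, peer_pub):
        if not 2 <= peer_pub <= P - 2:          # reject 0, 1 and p-1
            raise ValueError("bad public value")
        shared = pow(peer_pub, self.priv, P)
        # Derive a fixed-size symmetric key rather than using raw secret bits.
        return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()

def honest_exchange(seed=1):
    """Wire: alice -> bob : alice.pub ; bob -> alice : bob.pub. No key is sent."""
    rng = random.Random(seed)
    alice, bob = Party("alice", rng), Party("bob", rng)
    return alice.derive_key(bob.pub), bob.derive_key(alice.pub)

def mitm_exchange(seed=2):
    """Mallory replaces each public value in transit with her own. Alice and
    Bob each end up sharing a key with Mallory and cannot tell: nothing in the
    exchange says whose value this is. That is what certificates add."""
    rng = random.Random(seed)
    alice, bob, mallory = Party("alice", rng), Party("bob", rng), Party("mallory", rng)
    k_alice = alice.derive_key(mallory.pub)   # alice believes this is bob's value
    k_bob = bob.derive_key(mallory.pub)       # bob believes this is alice's value
    return k_alice, k_bob, mallory.derive_key(alice.pub), mallory.derive_key(bob.pub)

if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest: keys match =", ka == kb)
    ka, kb, ma, mb = mitm_exchange()
    print("mitm: alice<->mallory =", ka == ma, " bob<->mallory =", kb == mb, " alice==bob =", ka == kb)
```

The honest run shows the point the answer above makes: the two sides compute the same 32-byte key although only the public values crossed the wire. The second run shows the limitation: with nothing authenticating those public values, Mallory simply becomes the other end of both conversations.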


References:

http://en.wikipedia.org/wiki/Phishing accessed on 10/05/2010
http://en.wikipedia.org/wiki/Firewall_(computing) accessed on 10/05/2010
http://en.wikipedia.org/wiki/HTTP_cookie accessed on 12/05/2010
http://en.wikipedia.org/wiki/HTTP_cookie accessed on 15/05/2010
http://en.wikipedia.org/wiki/SSL accessed on 17/05/2010





