Electronic Commerce COMP3210
Dr. Paul Walcott, 08/11/04
The Department of Computer Science, Mathematics and Physics, University of the West Indies, Cave Hill Campus, Barbados
Contents
- Online Security Issues
- Client Computer Security
- Communication Channel Security
- Server Computer Security
Man-in-the-Middle Exploit
- Imagine sending an important email containing valuable information to a colleague
- A person intercepts this email and changes its contents
- The intended recipient receives the altered email and acts on the wrong information
- This is called a man-in-the-middle attack (or exploit): the attacker sits between the two parties, reading and altering traffic that each party believes came directly from the other
Definitions
We first list a number of important definitions [Sch2004]:
- Computer security is the protection of assets from unauthorised access, use, alteration or destruction
- Physical security includes tangible protection devices, such as alarms, guards, fireproof doors and safes
- Protection of assets using nonphysical means is called logical security
Definitions (I)
- A security threat is any act or object that poses a danger to computer assets
- Countermeasure is the general name for a procedure, either physical or logical, that recognises, reduces or eliminates a threat
- An eavesdropper is a person or device that can listen in on and copy Internet transmissions
- Crackers/hackers are people who write software to gain unauthorised access to computers and networks
Physical Security
- In the old days (50 years ago), computer security was mostly physical security: security guards, security badges, alarm systems, surveillance systems
- Terminals tended to be dumb and computers were not networked, so protecting the machine room protected the data
Managing Risk
- It does not make sense to protect against threats that are deemed low risk, especially if the cost of protecting the asset exceeds the value of the asset
- Example: it would be sensible to protect a network in Barbados from a hurricane, but not from low (below 0 degrees Celsius) temperatures
Risk Management Model

                    Low impact (cost)           High impact (cost)
High probability    I: Contain and control      II: Prevent
Low probability     III: Ignore                 IV: Insurance or backup plan
Risk Management Model (I)
- This model shows four actions an organisation can take depending on the cost (impact) and probability of the physical threat
- In this model:
  - The threat posed by a hurricane in Barbados would be in quadrant II (prevent)
  - The threat posed by temperatures dropping below freezing would be in quadrant IV (insurance or backup plan)
Good Security Schemes
To implement a good security scheme you must:
- Identify the risks
- Determine how to protect the assets at risk
- Calculate the amount to spend to protect against the identified risks
Computer Security Classifications
There are three main security classifications:
- Secrecy: protecting against unauthorised access
- Integrity: protecting against unauthorised modification
- Necessity (also called availability; its violation is denial of service): preventing data delays or denials (removals); e.g. important information had to be received at a given time but an attacker delayed it by flooding the e-mail server with messages
Security Policy
- Every company concerned about protecting its assets should have a security policy
- This is a document which describes:
  - Which assets require protection and why
  - The person who is responsible for protecting them
  - Which behaviours are permissible and which are not
Security Policy (I)
- The security policy typically addresses physical security, network security, access authorisation, virus protection and disaster recovery
- This document should be updated regularly
Requirements for Secure E-commerce
- Secrecy: prevent unauthorised individuals from reading messages and business plans, obtaining credit card numbers or accessing confidential information
- Integrity: provide a way of digitally determining whether information has been altered
- Availability: provide delivery assurance for each message so that a loss will not go undetected
Requirements for Secure E-commerce (I)
- Key management: all key information must be distributed and managed securely
- Nonrepudiation: provide undeniable, end-to-end proof of each message's origin and recipient
- Authentication: securely identify clients and servers with digital signatures and certificates
Client Computer Security
This section outlines security threats that may occur on client computers, how they work and how to protect against them.
Active Content
- Active content refers to programs that are embedded transparently in Web pages and cause actions to occur [Sch2004], e.g. displaying moving graphics or downloading and playing audio
- In e-commerce it is used to place items in a shopping cart and compute total invoice amounts
Active Content (I)
- Active content also extends HTML functionality
- Since these are programs that run on client computers, they pose a security risk: the user ends up running code chosen by whoever controls the page
Active Content (II)
- The best known examples are cookies, Java applets, JavaScript, VBScript and ActiveX controls (strictly, cookies are stored data rather than executable code, but [Sch2004] lists them here alongside active content)
- Other examples include graphics, Web browser plug-ins and email attachments
Active Content (III)
- Since active content is embedded in Web pages (e.g. as scripting languages), it can be invisible to the person browsing the page
- Crackers, for example, can include a Trojan horse
- A Trojan horse is a program hidden inside another program or Web page that masks its true purpose
Active Content (IV)
- A Trojan horse could send private information from the client's computer back to a server (a secrecy violation)
- It could alter or erase information on the client's computer (an integrity violation)
- A zombie is a program that takes over another computer so that it can be used to launch attacks on other computers
Cookies and Web Pages
- Allowing active content to be added to Web pages used for e-commerce can be dangerous, since cookies (files) frequently store credit card numbers, usernames and passwords
- Information stored in a cookie can be read by the server that stored it there (the browser returns a cookie only to the domain that set it)
- See http://www.cookiecentral.com/
Cookies
- Cookies were designed to solve the problem of the stateless nature of the HTTP protocol: each request is independent, so the server needs a token to recognise the same client again
- They save information between one session and another
Cookies
There are two types of cookie by duration:
- Session cookies exist until the Web client ends the session (the browser is closed)
- Persistent cookies remain on the client's computer until their expiry date, which may be set far in the future
- E-commerce uses both types
Cookies (I)
Cookies can also be categorised by source:
- First-party cookies are cookies put on the client computer by the Web server of the site being viewed
- Third-party cookies are cookies put on the client computer by some other Web site
- The third-party Web site usually provides some content (for example an advertisement) on the Web site being viewed
Cookies (II)
- These third-party Web sites can then track visitors from one site to the next, because they have ads and cookies set up on many of these sites: the same cookie is returned to the ad server whichever site embeds the ad
Cookies (III)
To protect yourself against cookies (or cookie monsters), you can:
- Disable cookies altogether; however, this will stop some sites from functioning correctly, and users would have to re-enter information every time they visit the Web site
- Disable third-party cookies
- Or use a third-party cookie blocker program that stores cookies selectively
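How the cookie rules on the last few slides play out in practice, as an added example written for these notes (not code from the slides, [Sch2004] or any browser): a small cookie jar that applies the matching rules of RFC 6265 that browsers follow. The hostnames (shop.example, ads.tracker.example, news.example), cookie values and clock are constructed for the demo.

```javascript
// Added example written for these notes (not browser source, not from
// [Sch2004]): a minimal cookie jar applying the RFC 6265 rules a browser
// follows, to show session vs persistent cookies, which server can read a
// cookie, and how a third-party cookie follows a user across sites.
// Hostnames, cookie values and the clock are constructed for the demo.

function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Parse one Set-Cookie header received from requestHost at time now (ms).
function parseSetCookie(header, requestHost, now) {
  const parts = header.split(';').map(p => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1),
    domain: requestHost, path: '/', secure: false, httpOnly: false,
    expires: null,   // null marks a session cookie; domain defaults to the setting host
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = v.join('=').trim();
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path' && val) cookie.path = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'max-age') cookie.expires = now + Number(val) * 1000; // Max-Age beats Expires
    else if (key === 'expires' && cookie.expires === null) cookie.expires = Date.parse(val);
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Accept a cookie only for the responding host or one of its parent
  // domains; a server cannot plant cookies for an unrelated site.
  store(setCookieHeader, responseUrl, now) {
    const host = new URL(responseUrl).hostname;
    const cookie = parseSetCookie(setCookieHeader, host, now);
    if (!domainMatches(host, cookie.domain)) return false;
    this.cookies = this.cookies.filter(c =>
      !(c.name === cookie.name && c.domain === cookie.domain && c.path === cookie.path));
    this.cookies.push(cookie);
    return true;
  }

  // Names of the cookies the browser would attach to a request for url.
  cookiesFor(url, now) {
    const u = new URL(url);
    return this.cookies
      .filter(c => c.expires === null || c.expires > now)  // expired ones are dropped
      .filter(c => domainMatches(u.hostname, c.domain))    // only the setting domain reads it
      .filter(c => u.pathname.startsWith(c.path))
      .filter(c => !c.secure || u.protocol === 'https:')   // Secure: never over plain HTTP
      .map(c => c.name).sort();
  }

  // Closing the browser discards session cookies; persistent ones survive.
  endSession() { this.cookies = this.cookies.filter(c => c.expires !== null); }

  // First-party: set by the site in the address bar. Third-party: anyone else.
  classify(topLevelHost) {
    const firstParty = [], thirdParty = [];
    for (const c of this.cookies) {
      (domainMatches(topLevelHost, c.domain) ? firstParty : thirdParty).push(c.name);
    }
    return { firstParty: firstParty.sort(), thirdParty: thirdParty.sort() };
  }
}

function demo() {
  const jar = new CookieJar();
  const t0 = Date.parse('2004-11-08T09:00:00Z');
  // The shop sets a session cookie for the cart and a 30-day login cookie.
  jar.store('cart=abc123; Path=/; Secure; HttpOnly', 'https://shop.example/', t0);
  jar.store('user=paul; Max-Age=2592000; Path=/', 'https://shop.example/', t0);
  // An ad banner on the shop's page comes from a tracker, which sets a one-year cookie.
  jar.store('uid=7f3a; Max-Age=31536000; Domain=tracker.example',
    'https://ads.tracker.example/banner.gif', t0);
  const out = {
    // The tracker cannot set a cookie for the shop's domain.
    foreignRejected: !jar.store('evil=1; Domain=shop.example', 'https://ads.tracker.example/x', t0),
    checkout: jar.cookiesFor('https://shop.example/checkout', t0),                 // cart, user
    plainHttp: jar.cookiesFor('http://shop.example/', t0),                         // user only (Secure cart withheld)
    otherSite: jar.cookiesFor('https://news.example/', t0),                        // nothing: shop's cookies stay private
    trackerAnywhere: jar.cookiesFor('https://ads.tracker.example/banner.gif', t0), // uid, whichever page embeds the ad
    parties: jar.classify('shop.example'),
  };
  jar.endSession();
  out.afterRestart = jar.cookiesFor('https://shop.example/', t0);                        // user (cart was a session cookie)
  out.afterSixtyDays = jar.cookiesFor('https://shop.example/', t0 + 60 * 86400 * 1000);  // user has expired too
  return out;
}
```

Two things the slides state become visible here: the shop's cookies are never sent to news.example (only the setting domain reads them), yet the tracker's uid cookie is sent on every request to ads.tracker.example regardless of which page embedded the banner, which is exactly how third-party tracking across sites works. The Secure attribute is the defence against the sniffer programs discussed later: a cookie marked Secure is never transmitted over plain HTTP.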
Java Applets
- Applets are downloaded with Web pages and run on client computers
- Once downloaded, Java code can run on the client's computer, which introduces a security hole
- To counteract this, Java has a security model called the Java sandbox which prevents applets from performing certain functions
- Applets are classified as "untrusted" unless they have been established as secure (for example, signed by a publisher the user chooses to trust)
Java Applets (I)
- When running in the sandbox, Java applets cannot perform file input, output or delete operations
- This scheme provides secrecy and integrity for data on the client
JavaScript
- JavaScript is a scripting language developed by Netscape
- When a downloaded Web page contains embedded JavaScript code, it runs on the user's (client) computer
- This code can be used to attack the client's computer: destroy a user's hard disk, disclose email stored in mailboxes, or capture information stored in Web forms (e.g. credit card information)
JavaScript (I)
Try the following JavaScript code (it will lock up the page: a client-side denial of service, the "necessity" violation from the classifications slide):

```html
<html>
<body>
<script type="text/javascript">
  // Each alert() blocks the page until the user clicks OK, and the
  // function then calls itself again, so the user never regains control
  // of the browser. It stops only when the browser runs out of stack,
  // the user kills the browser, or the browser offers its "stop showing
  // dialogs" option after a few repeats.
  askmeagain();
  function askmeagain() {
    alert("Ouch!");
    askmeagain();
  }
</script>
</body>
</html>
```
ActiveX Controls
- An ActiveX control is an object that contains programs; it runs only on the Windows operating system
- When downloaded, the control runs on the client's computer like any other program
- Controls have full access to system resources: they can reformat the hard disk, rename or delete files, or shut down the computer
ActiveX Controls (I)
- Execution of ActiveX controls cannot be halted once started: there is no sandbox equivalent to Java's
- Web browsers can be configured to warn users when ActiveX controls are about to be downloaded
Graphics and Plug-ins
- Graphics, browser plug-ins and email attachments can include executable content
- Some graphic file formats contain special instructions on how to render the graphic; the embedded code can be used to attack your computer
- Plug-ins enhance your browser's capabilities but can also pose a threat
Viruses, Worms and Antivirus Software
- A virus is software that attaches itself to another program
- A macro virus is a type of virus that is coded as a macro
- A worm is self-replicating malicious software that spreads by itself from the computer it infects to other computers, usually over the network, without needing a host program
- Email attachments may include word processing files, spreadsheets, databases and images which may contain viruses
- Viruses within Word and Excel macros (Visual Basic for Applications) can damage your computer
Viruses, Worms and Antivirus Software (I)
- Viruses and worms tend to prey on operating system (or Web server) vulnerabilities
- To counteract them:
  - Ensure you have installed the latest security patches
  - Ensure that you are running the latest antivirus software with the latest virus definitions
Digital Certificates
- A digital certificate is an attachment to a message (or a credential presented by a Web site) that vouches for the identity of the sender
- Because it carries the owner's public key, it also provides a means of sending encrypted messages to that owner
Digital Certificates (I)
- A digital certificate contains identifying information about its owner, signed by the issuing authority; the issuer's signature and the validity dates let a recipient check whether the certificate is valid
- This provides a way to sign a message: the recipient verifies the message signature with the public key carried in the certificate
- In many countries, including Barbados, this is accepted as a signature
Digital Certificates (II)
- Digital certificates are issued by a certification authority (CA) to individuals or organisations
- Appropriate proof of identity must be provided before a certificate is issued
Digital Certificates (III)
A digital certificate contains six main elements [Sch2004]:
- The certificate owner's identifying information, such as name, organisation and address
- The certificate owner's public key
- Dates between which the certificate is valid
- Serial number of the certificate
- Name of the certificate issuer
- Digital signature of the certificate issuer
Digital Certificates (IV)
- One of the oldest and best known CAs is VeriSign
Communication Channel Security
These threats come from various sources including:
- Sniffer programs
- Backdoors
- Cybervandalism
- Masquerading or spoofing
- Denial-of-service
Sniffer Programs
- These programs provide a means of recording packets passing through a computer or router; it is similar to telephone line tapping
- On an unencrypted channel, sniffer programs can read email messages, user logins and passwords, and credit card numbers
Backdoors
- Some e-commerce programs contain backdoors, left intentionally or unintentionally by software developers
- Backdoors provide a way for an unauthorised user to gain access to protected information, including credit card information and proprietary company information (which could be sold for millions to competitors)
Cybervandalism
- This is the electronic defacing of Web site pages: regular content is replaced
- Its parallel is the spraying of graffiti on public property
Masquerading or Spoofing
- This is when a person impersonates someone else, e.g. pretending that a Web site belongs to someone else when it does not
- On a domain name server a perpetrator might use a security hole to change the IP address associated with a given Web site, so that visitors are sent to the perpetrator's copy of the page
- Any order entered on this fake page could then be modified (e.g. changing the shipping address of the goods) and the modified order forwarded to the original Web site
Denial-of-Service Threat
- This threat disrupts normal computer processing
- For example, zombie computers have been used to flood a Web site with packets, preventing legitimate users from using the Web site
- This may lead to a loss of business
Communication Channel Security (I)
Solutions are provided in the form of (discussed in the next section):
- Symmetric encryption
- Asymmetric encryption
- Digital signatures
- Message hashing
- Digital certificates
- Secure Sockets Layer (SSL)
Server Computer Security
Server vulnerabilities come from:
- Web servers and their software
- Backend programs such as database programs
Web Server Threats
- The more complex this software, the more chance it contains errors which might lead to vulnerabilities
- A Web server can compromise secrecy if it allows automatic directory listings
- Passwords users select could be a threat, since a dictionary attack might reveal them
Database Threats
- These databases store confidential information
- Some databases store usernames and passwords in unencrypted (plaintext) tables, or do not enforce security at all
Other Threats
- Threats may arise when programs are executed by the server, e.g. a buffer overrun or buffer overflow
- Buffers can overflow into critical memory locations, causing the Web server to run an attacker's program
- Mail bombs cause mail servers to malfunction by overloading them with email
Physical Security
- All Web servers and associated machines require physical protection
- Keep backup servers and backup copies at remote locations
- Fingerprint readers and other biometric security help provide physical security (controlling who enters the machine room): writing pads that measure the pressure and form of handwriting, eye scanners, palm scanners (entire palm rather than a single finger)
Access Control
Only allow permitted users to access services. This can be controlled through:
- Digital certificates: ensure the issuer's digital signature is valid and check the validity dates (time stamp) on the digital certificate
- Usernames and passwords
Firewalls
For information on firewalls see: http://scitec.uwichill.edu.bb/cmp/online/comp3210/presentations/AntonioArthur.ppt
References
[Sch2004] Schneider, Gary P., Electronic Commerce: The Second Wave, Fifth Annual Edition, Thomson Course Technology, 2004.