Title: Electronic Commerce Security and Computer Forensics
1. Electronic Commerce Security and Computer Forensics
- David Dampier
- Department of Computer Science Engineering
- Center for Computer Security Research
- dampier_at_cse.msstate.edu
- http://www.cse.msstate.edu/security
2. Paradox of the Internet
- Pervasive
- Inexpensive
- Easy to use
- No one in charge
- Robust
- Used extensively today
- Intrinsically insecure
- Expensive to secure
- Hard to secure - an afterthought
- No one responsible
- Ill defined boundaries
- Laws of use not clear
3. What is EC Security?
- A special case of network security
- A special case of client server security
- An evolving area of computer science
- Digital cash
- Internet banking
- Store fronts versus Store reality
- International market place
- Still an area of immense temptation for the
criminal element
4. What are the threats?
- First - the traditional threats apply
- Confidentiality, Integrity, Availability, Accountability
- Malicious code
- Network vulnerabilities
- Others ???
- Second - Additional privacy concerns surface (ethics concerns)
- cookies
- buying habits and profiling
- shared databases (???)
- short term and long term storage of sensitive data
- others ...
5. More threats ...
- Authentication takes on a new role
- Who is the buyer?
- Who is the seller?
- Is the seller real?
- Where is the seller?
- Non-repudiation is important
- Accountability for seller and buyer actions
- Availability
- loss of access equals loss of revenue
- recovery procedures are very important
- The greatest threat to E-Commerce today (arguable perhaps)
6. A Simple View
[Figure: client-server diagram with a Client and a Server communicating over an open network]
- E-Commerce protection must include data in transit, data in processing and data in storage
- over an open network
- in a client server environment
7. Security Requirements include
- Transaction integrity
- Confidentiality of the transaction
- Mutual authentication of all parties (customer, store, bank)
- Non-repudiation
- Timely service
- Record keeping
- Protection of the systems against intrusion
8. Client Side Security
- Essentially web browser security
- Two main risks have emerged
- Vulnerabilities in the Web Browser software
- Risk of Active Content
- Active Content (mobile code)
- Java and Java Applets
- ActiveX controls
- Push technology
- MS Macros
- Plugins
9. Secure Transport
- Secure Channels
- Secure Sockets Layer (SSL)
- Secure HTTP (S-HTTP)
- Smart Cards carrying a private key for encryption
- E-Cash protocols
10. Web Server Side
- Typically a front end web server, backend database, and interface software (e.g., CGI scripts).
- Firewalls are most useful here - but varying degrees of strength and responsiveness
- Operating system security an issue (for both the network OS and the server OS)
11. Solution Sets ...
- Encryption plays a very big role
- SSL, S-HTTP
- Digital Signatures
- Certificates (X.509 - PKI)
- PGP
- Firewalls
- Trusted OS and products
- Disaster recovery plans
- Education and awareness
- Law
12. Public Key Infrastructure
- Enables the Use of Public Key Technology
- Parts
- Certificate Maintenance
- Issuance, Reissuance, Revocation
- Certificate Availability
- Interoperations
13. Public Key Infrastructure
- Getting public-key materials where they are needed, when they are needed
[Figure: public/private key pair diagram]
14. Doing Business With Keys
[Figure: diagram labelled with a card number 4417 5712 1238 51961, its ciphertext, "amazon.com", "public", "private" and "Sold"]
But where did the key come from?
15. Certificate: ID? Or ATM Card?
- Identity Card
- Something you have
- Something you are
- ATM Card
- Something you have
- Something you know
A Certificate is Three Things
[Figure: a sample certificate for Jane Doe, 105 Lee Street, Anywhere, MS 39759, issued under "Mississippi", shown in plaintext and in its encoded form]
16. Doing Business With Certificates
[Figure: diagram labelled with a card number 4417 5712 1238 51961, its ciphertext, "amazon.com", "public", "private" and "Sold!"]
But where did the certificate come from?
17. Certifying Authorities
- Public Key technology is powerful - but you can't keep everyone's public key on your hard drive
- hundreds of thousands of users globally
- expiration and maintenance issues
- More practical to rely on trusted third parties
- Certifying authorities
18. Certifying Authorities
- A commercial enterprise that vouches for the identities of individuals and organizations.
- Browsers have public keys of well known CAs built in.
- Certificates are (for most practical purposes) viewed as untamperable and unforgeable
- VeriSign, AT&T, BBN, CeriSign, and others (check your browser)
19. A Process for Secure EC
- Assess your risks
- Secure the Infrastructure
- Secure your Internet Connections
- Secure Electronic Commerce
- Disaster Recovery
- David Cullinane - Electronic Commerce Security, 1999
20. Assessing Risk
- Conduct a Threat and Vulnerability Analysis
- What are the threats to your information assets
- How vulnerable are you to each of those threats
- What would be the business impact if each of the threats were to occur
- What controls are available/needed to mitigate the threats
- Identify and Prioritize (...and build a plan)
- address the threats and vulnerabilities
- ensure plan is consistent with business objectives and cost
- plan fits with organizational culture?
21. Secure the Infrastructure
- Concerned with OS security, external connectivity, network security ...
- Develop an Information Security Architecture
- a structure for implementing security across an enterprise
- defines the organization of the information security program
- the foundation of a solid information security program
22. Secure Internet Connection
- Based on Firewall protection primarily
- Recall - firewalls vary in trust and capability
- Defense in depth is suggested
- Tradeoff between security and ease of access is a business and risk decision
- There is no cookbook solution
23. Disaster Recovery
- Continuity of operation plans
- Written down, practiced, realistic and implementable
- Backups
- Hot/Cold sites
- Usually overlooked
- Finding out what happened.
24. Basics of Computer Forensics
Mississippi State University Dept Of Computer
Science and Engineering
25. What is Forensics?
- Forensics is the application of scientific techniques of investigation to the problem of finding, preserving and exploiting evidence to establish an evidentiary basis for arguing about facts in court cases
26. What is Computer Forensics?
- Computer forensics is forensics applied to information stored or transported on computers
- It involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
- Procedures are followed, but flexibility is expected and encouraged, because the unusual will be encountered.
27. Categories of Computer Crime
- Computer used to conduct the crime
- Child Pornography/Exploitation
- Threatening letters
- Fraud
- Embezzlement
- Theft of intellectual property
- Computer is the target of the crime
- Incident Response
- Security Breach
28. What is the evidence?
- Bytes
- Files
- Present
- Deleted
- Encrypted
- Fragments of Files
- Words
- Sentences
- Paragraphs
29. Where do we find it?
- Storage Media
- Hard Disks
- Floppy Disks
- CDs, Zip disks, tapes, etc.
- Thumb Drives
- RAM
- Log Files
30. What do we do with it?
- Acquire the evidence without altering or damaging the original.
- Authenticate that your recovered evidence is the same as the originally seized data.
- Analyze the data without modifying it.
- Be prepared to testify about it in a court of law.
31. Acquire the evidence
- How do we seize the computer?
- How do we handle computer evidence?
- What is chain of custody?
- Evidence collection
- Evidence Identification
- Transportation
- Storage
- Documenting the Investigation
32. Authenticate the Evidence
- Prove that the evidence is indeed what the criminal left behind.
- Readable text or pictures don't magically appear at random.
- Calculate a hash value for the data
- CRC
- MD5
33. Analysis
- Always work from an image of the evidence and never from the original.
- Prevent damage to the evidence
- Make two backups of the evidence in most cases.
- Analyze everything, you may need clues from something seemingly unrelated.
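An added example, not from the slides, of the authentication and analysis steps on slides 32 and 33: hash the seized media at acquisition, work only from a copy, and re-check the copy's hashes before relying on it. MD5 is the algorithm the slide lists; SHA-256 is computed alongside it, and the file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a multi-GB image need not fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image_path):
    """Copy the seized media byte for byte to a working image; hash both at seizure time."""
    shutil.copyfile(source, image_path)
    return {"source": hash_file(source), "image": hash_file(image_path)}


def verify_image(image_path, recorded):
    """Re-hash a copy and compare it with the hashes recorded when the original was seized."""
    current = hash_file(image_path)
    return all(current[name] == digest for name, digest in recorded.items())


def demo():
    """Constructed run: a stand-in 'seized' file, its working image, and an accidental write."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "seized.bin")
    image = os.path.join(workdir, "working.img")
    with open(source, "wb") as fh:  # constructed stand-in for the seized media
        fh.write(b"Dear Jane, the shipment arrives Friday.\x00" * 1000)
    record = acquire_image(source, image)
    matches_at_acquisition = record["source"] == record["image"]
    # An analyst accidentally writes one byte to the working copy: authentication now fails,
    # which is exactly why the original is never touched and a second backup is kept.
    with open(image, "r+b") as fh:
        fh.seek(10)
        fh.write(b"X")
    matches_after_write = verify_image(image, record["source"])
    shutil.rmtree(workdir)
    return matches_at_acquisition, matches_after_write
```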
34. Analysis (cont.)
- Existing Files
- mislabelled
- Deleted Files
- Show up in directory listing with ? in place of first letter
- Dave.txt appears as ?ave.txt
- Free Space
- Slack Space
- Swap Space
35. Storage Media Basics
- Sector: 512 Bytes
- Cluster (Block): 2 or more sectors (up to 64)
36. Slack Space
- RAM Slack: That portion of a sector that is not overwritten in memory.
- Disk Slack: Those sectors of the cluster that are not needed to store the file.
[Figure: a cluster with EOF in the last written sector, RAM slack after EOF in that sector, and disk slack in the remaining sectors]
37. Slack Space
- File Slack: Last cluster of file isn't filled up completely, so data from the last use of that cluster isn't overwritten.
- File Slack = Disk Slack + RAM Slack
[Figure: a cluster showing EOF, the RAM slack after it, the disk slack beyond, and the two together as file slack]
38. Free Space
- That portion of the Media that is not currently in use.
- Could have been used before, but not overwritten.
- Especially true today with very large disks
- Can we really erase a hard drive?
- Even if formatted, the data is not lost.
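An added illustration, not from the slides, of slides 35 through 38: the first function computes RAM slack, disk slack and file slack for a file size using the 512-byte sectors above, and the ToyVolume class simulates one cluster of media to show why bytes of a deleted file survive in the slack of the file that replaces it. The class, the zero padding of the last sector, and the sample file contents are assumptions of this example.

```python
SECTOR = 512  # bytes per sector, as on the Storage Media Basics slide


def slack_breakdown(file_size, sectors_per_cluster=8):
    """Split the unused tail of a file's last cluster into RAM slack and disk slack."""
    cluster = SECTOR * sectors_per_cluster
    used = file_size % cluster
    if used == 0:  # file ends exactly on a cluster boundary: no slack at all
        return {"ram_slack": 0, "disk_slack": 0, "file_slack": 0}
    ram_slack = (-used) % SECTOR                     # rest of the last sector written
    sectors_written = (used + SECTOR - 1) // SECTOR
    disk_slack = (sectors_per_cluster - sectors_written) * SECTOR  # sectors never written
    return {"ram_slack": ram_slack, "disk_slack": disk_slack,
            "file_slack": ram_slack + disk_slack}


class ToyVolume:
    """One cluster of media: writes fill whole sectors, so older bytes survive in slack."""

    def __init__(self, sectors_per_cluster=4):
        self.media = bytearray(SECTOR * sectors_per_cluster)

    def write_file(self, data):
        # Whole sectors are written; the tail of the last sector is padded here with
        # zeros (assumption; on real systems whatever the OS had buffered becomes the
        # RAM slack). Sectors past the file are left untouched: that is the disk slack.
        sectors_written = (len(data) + SECTOR - 1) // SECTOR
        padded = data.ljust(sectors_written * SECTOR, b"\x00")
        self.media[:len(padded)] = padded
        return sectors_written

    def disk_slack(self, sectors_written):
        return bytes(self.media[sectors_written * SECTOR:])

    def delete_file(self):
        # Deleting only drops the directory entry; the cluster's bytes are untouched.
        return bytes(self.media)


def demo():
    """Constructed scenario: a 'deleted' price list leaks through a new file's slack."""
    vol = ToyVolume()
    vol.write_file(b"confidential price list: widget $4417\n" * 50)  # 1900 B, 4 sectors
    vol.delete_file()                                                 # now free space
    n = vol.write_file(b"hello\n")                                    # tiny file, 1 sector
    return b"confidential" in vol.disk_slack(n)
```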
39. Data Hiding
- Obfuscating Data
- Encrypted
- Compressed
- Hiding Data
- In plain sight: innocent looking data has alternate meaning
- Within File system
40. Data Hiding in File System
- In a File
- Steganography
- Invisible names
- Misleading names
- Obscurity
- No names
- Not in file
- Slack, swap, free space
- Removable Media
41. Tools
- Password crackers
- Hard Drive Tools
- Fdisk on Linux
- Viewers
- QVP
- Diskview
- Thumbsplus
- Unerase tools
- CD-R Utilities
- Text search tools
- Drive Imaging
- Safeback
- Linux dd
- Disk Wiping
- Forensic Toolkits
- Forensic Computers
42. QUESTIONS???
43. Contact Information
- Dr. David Dampier
- Department of Computer Science and Engineering
- Box 9637, 300 Butler Hall
- Mississippi State, MS 39762-9637
- (011)(662)325-2756
- Dampier_at_cse.msstate.edu