277 Security Threats It is possible that crackers will break into your system and format your hard drive. It is fairly likely that a careless programmer or administrator will delete something by acci- dent, and it is almost certain that you will occasionally lose a hard disk drive. Hard disk drives rotate thousands of times per minute, and, occasionally, they fail. Murphy’s Law would tell you that the one that fails will be the most important one, long after you last made a backup. You can take various measures to reduce the chance of data loss. Secure your servers against crackers. Keep the number of staff with access to your machine to a minimum. Hire only competent, careful people. Buy good quality drives. Use RAID so that multi- ple drives can act like one faster, more reliable drive. Regardless of the cause, there is only one real protection against data loss—backups. Backing up data is not rocket science. On the contrary, it is tedious, dull, and hopefully useless, but it is vital. Make sure that your data is regularly backed up, and make sure that you have tested your backup procedure to be certain that you can recover. Make sure that your backups are stored away from your computers. Although it is unlikely that your premises will burn down or suffer some other catastrophic fate, storing a backup offsite is a fairly cheap insurance policy. Modification of Data Although the loss of data could be damaging, modification could be worse.What if somebody obtained access to your system and modified files? Although wholesale dele- tion will probably be noticed and can be remedied from your backup, how long will it take you to notice modification? Modifications to files could include changes to data files or executable files.A crack- er’s motivation for altering a data file might be to graffiti your site or to obtain fraudu- lent benefits. Replacing executable files with sabotaged versions might give a cracker who has gained access once a secret backdoor for future visits. You can protect data from modification as it travels over the network by computing a signature.This does not stop somebody from modifying the data, but if the recipient checks that the signature still matches when the file arrives, he will know whether the file has been modified. If the data is being encrypted to protect it from unauthorized viewing, this will also make it very difficult to modify en route without detection. Protecting files stored on your server from modification requires that you use the file permission facilities your operating system provides and protect the system from unau- thorized access. Using file permissions, users can be authorized to use the system, but not be given free rein to modify system files and other users’ files.The lack of a proper per- missions system is one of the reasons that Windows 95 and 98 are not suitable as server operating systems. Detecting modification can be difficult. If at some point you realize that your system’s security has been breached, how will you know whether important files have been mod- ified? Some files, such as the data files that store your databases, are intended to change over time. Many others are intended to stay the same from the time you install them, 17 525x ch13 1/24/03 3:37 PM Page 277 278 Chapter 13 E-commerce Security Issues unless you deliberately upgrade them. Modification of both programs and data can be insidious, but although programs can be reinstalled if you suspect modification, you can- not know which version of your data was “clean.” File integrity assessment software, such as Tripwire, records information about impor- tant files in a known safe state, probably immediately after installation, and can be used at a later time to verify that files are unchanged.You can download commercial or condi- tional free versions from http://www.tripwire.com Denial of Service One of the most difficult threats to guard against is denial of service. Denial of Service (DoS) occurs when somebody’s actions make it difficult or impossible for users to access a service, or delay their access to a time-critical service. Early in the year 2000, there was a famous spate of Distributed Denial of Service (DDoS) attacks against high profile Web sites.Targets included Yahoo!, eBay,Amazon, E-Trade, and Buy.com. Sites such as these are accustomed to traffic levels that most of us can only dream of, but are still vulnerable to being shut down for hours by a DoS attack. Although crackers generally have little to gain from shutting down a Web site, the pro- prietor might be losing money, time, and reputation. One of the reasons that these attacks are so difficult to guard against is that there are a huge number of ways of carrying them out. Methods could include installing a program on a target machine that uses most of the system’s processor time, reverse spamming, or using one of the automated tools. A reverse spam involves somebody sending out fake spam with the target listed as the sender.This way, the target will have thousands of angry replies to deal with. Automated tools exist to launch distributed DoS attacks on a target.Without needing much knowledge, somebody can scan a large number of machines for known vulnerabil- ities, compromise a machine, and install the tool. Because the process is automated, an attacker can install the tool on a single host in under five seconds.When enough machines have been co-opted, all are instructed to flood the target with network traffic. Guarding against DoS attacks is difficult in general.With a little research, you can find the default ports used by the common DDoS tools and close them.Your router might provide mechanisms such as limiting the percentage of traffic that uses particular proto- cols such as ICMP. Detecting hosts on your network being used to attack others is easier than protecting your machines from attack. If every network administrator could be relied on to vigilantly monitor his own network, DDoS would not be such a problem. Because there are so many possible methods of attack, the only really effective defense is to monitor normal traffic behavior and have a pool of experts available to take coun- termeasures when abnormal things occur. 17 525x ch13 1/24/03 3:37 PM Page 278 279 Security Threats Errors in Software It is possible that the software you have bought, obtained, or written has serious errors in it. Given the short development times normally allowed to Web projects, it is highly like- ly that this software has some errors. Any business that is highly reliant on computerized processes is vulnerable to buggy software. Errors in software can lead to all sorts of unpredictable behavior including service unavailability, security breaches, financial losses, and poor service to customers. Common causes of errors that you can look for include poor specifications, faulty assumptions made by developers, and inadequate testing. Poor Specifications The more sparse or ambiguous your design documentation is, the more likely you are to end up with errors in the final product. Although it might seem superfluous to you to specify that when a customer’s credit card is declined, the order should not be sent to the customer, at least one big-budget site had this bug.The less experience your devel- opers have with the type of system they are working on, the more precise your specifica- tion needs to be. Assumptions Made by Developers The designers and programmers of a system need to make many assumptions. Hopefully, they will document their assumptions and usually be right. Sometimes though, people make poor assumptions.These might include assumptions that input data will be valid, will not include unusual characters, or will be less than a particular size. It could also include assumptions about timing such as the likelihood of two conflicting actions occurring at the same time or that a complex processing task will always take more time than a simple task. Assumptions like these can slip through because they are usually true.A cracker could take advantage of a buffer overrun because a programmer assumed a maximum length for input data, or a legitimate user could get confusing error messages and leave because it did not occur to your developers that a person’s name might have an apostrophe in it. These sort of errors can be found and fixed with a combination of good testing and detailed code review. Historically, the operating system or application level weaknesses exploited by crackers have usually related either to buffer overflows or race conditions. Poor Testing It is rarely possible to test for all possible input conditions, on all possible types of hard- ware,running all possible operating systems with all possible user settings.This is even more true than usual with Web-based systems. What is needed is a well-designed test plan that tests all the functions of your software on a representative sample of common machine types.A well-planned set of tests should 17 525x ch13 1/24/03 3:37 PM Page 279 280 Chapter 13 E-commerce Security Issues aim to test every line of code in your project at least once. Ideally, this test suite should be automated so that it can be run on your selected test machines with little effort. The greatest problem with testing is that it is unglamorous and repetitive. Although some people enjoy breaking things, few people enjoy breaking the same thing over and over again. It is important that people other than the original developers are involved in testing. One of the major goals of testing is to uncover faulty assumptions made by the developers. A fresh person is much more likely to have different assumptions. In addition to this, professionals are rarely keen to find flaws in their own work. Repudiation The final risk we will consider is repudiation. Repudiation occurs when a party involved in a transaction denies having taken part. E-commerce examples might include a person ordering goods off a Web site and then denying having authorized the charge on his credit card, or a person agreeing to something in email and then claiming that somebody else forged the email. Ideally, financial transactions should provide the peace of mind of nonrepudiation to both parties. Neither party could deny their part in a transaction, or, more precisely, both parties could conclusively prove the actions of the other to a third party, such as a court. In practice, this rarely happens. Authentication provides some surety about whom you are dealing with. If issued by a trusted organization, digital certificates of authentication can provide greater confidence. Messages sent by each party also need to be tamperproof.There is not much value in being able to demonstrate that Corp Pty Ltd sent you a message if you cannot also demonstrate that what you received was exactly what they sent. As mentioned previous- ly, signing or encrypting messages makes them difficult to surreptitiously alter. For transactions between parties with an ongoing relationship, digital certificates together with either encrypted or signed communications are an effective way of limit- ing repudiation. For one-off transactions, such as the initial contact between an e- commerce Web site and a stranger bearing a credit card, they are not so practical. An e-commerce company should be willing to hand over proof of its identity and a few hundred dollars to a certifying authority such as VeriSign ( http://www.verisign.com/) or Thawte (http://www.thawte.com/) in order to assure visitors of the company’s bona fides.Would that same company be willing to turn away every customer who was not willing to do the same in order to prove his identity? For small transactions, merchants are generally willing to accept a certain level of fraud or repudiation risk rather than turn away business. An alliance between VISA, a number of financial organizations, and software compa- nies, has been promoting a standard called Secure Electronic Transaction since 1997. One component of the SET system is that cardholders can obtain digital certificates from their card issuers. If SET takes off, it could reduce the risk of repudiation and other credit card fraud in Internet transactions. 17 525x ch13 1/24/03 3:37 PM Page 280 281 Creating a Security Policy Unfortunately, although the specification has existed for many years, there seems to be little push from banks to issue SET-compliant certificates to their cardholders. No retail- ers seem willing to reject all customers without SET software, and there is little enthusi- asm from consumers to adopt the software.There is very little reason for consumers to queue up at their local bank and spend time installing digital wallet software on their machines unless retailers are going to reject their customers without such software. Balancing Usability, Performance, Cost, and Security By its very nature, the Web is risky. It is designed to allow numerous anonymous users to request services from your machines. Most of those requests will be perfectly legitimate requests for Web pages, but connecting your machines to the Internet will allow people to attempt other types of connections. Although it can be tempting to assume that the highest possible level of security is appropriate, this is rarely the case. If you wanted to be really secure, you would keep all your computers turned off, disconnected from all networks, in a locked safe. In order to make your computers available and usable, some relaxation of security is required. There is a trade-off to be made between security, usability, cost, and performance. Making a service more secure can reduce usability by, for instance, limiting what people can do or requiring them to identify themselves. Increasing security can also reduce the level of performance of your machines. Running software to make your system more secure—such as encryption, intrusion detection systems, virus scanners, and extensive logging—uses resources. It takes a lot more processing power to provide an encrypted session, such as an SSL connection to a Web site, than to provide a normal one.These performance losses can be countered by spending more money on faster machines or hardware specifically designed for encryption. You can view performance, usability, cost, and security as competing goals.You need to examine the trade-offs required and make sensible decisions to come up with a com- promise. Depending on the value of your information, your budget, how many visitors you expect to serve, and what obstacles you think legitimate users will be willing to put up with, you can come up with a compromise position. Creating a Security Policy A security policy is a document that describes n The general philosophy towards security in your organization n What is to be protected—software, hardware, data n Who is responsible for protecting these items n Standards for security and metrics, which measure how well those standards are being met 17 525x ch13 1/24/03 3:37 PM Page 281 . of limit- ing repudiation. For one-off transactions, such as the initial contact between an e- commerce Web site and a stranger bearing a credit card, they are not so practical. An e-commerce. part. E-commerce examples might include a person ordering goods off a Web site and then denying having authorized the charge on his credit card, or a person agreeing to something in email and then. possible types of hard- ware,running all possible operating systems with all possible user settings.This is even more true than usual with Web- based systems. What is needed is a well-designed test plan