
Threats to E-Commerce Servers-Part I

By Ravi Das, HTG Solutions


This article starts our new series on E-Commerce security. This article, as well as future articles, will focus on different areas of E-Commerce security. We will be looking at such issues as how to protect your customer database and transaction information; how to create a secure shopping cart and payment system; how to write good programming code for an E-Commerce site which has strong security features; how to create and implement a secure database for online transactions; as well as other managerial and technical issues.

Overview of Article
This article will examine the various threats which exist to E-Commerce servers. The next article, which will be Part II, will focus upon solutions which can be implemented to protect your E-Commerce server from such threats. Specifically, this article is divided into the following sections: (1) An Overview into E-Commerce; (2) The Security Issues with E-Commerce-The Human Element; (3) The Threats Posed to E-Commerce Servers.

An Overview into E-Commerce
All of us remember the heydays of the late 1990's. We had the Internet Boom, the .com craze, venture capital money being pumped into technology startups like oil gushing out of a well, the stock market at all-time highs, etc. Well, those days have come and gone, and all of us, I am sure, have learned painful lessons from that time period in the last couple of years. However, there is one legacy from the Internet Boom that has survived, and will continue to be a very dominant force in the worldwide economy. That legacy is known as E-Commerce.

The term E-Commerce can be a nebulous one, and can possess different meanings to people and businesses. For example, to some entities, E-Commerce can mean simply having a video conference over the Internet; conducting an online chat session with a customer; simply putting up a website where your products and services are displayed; or just e-mailing a price quote to a potential customer. However, for the purposes of this article as well as future articles, the term E-Commerce will be defined as:
"The conducting of business communication and transactions over networks and through computers. As most restrictively defined, electronic commerce is the buying and selling of goods and services, and the transfer of funds, through digital communications. Electronic commerce also includes buying and selling over the World-Wide Web and the Internet, electronic funds transfer, smart cards, digital cash, and all other ways of doing business over digital networks." (Source: 1)

Although the craze for E-Commerce occurred during the Internet Boom, as you can see from the definition, the core concept of buying, selling, and paying over the Internet still exists today, and will for a long time to come. A perfect example of the above definition is eBay. It is probably by far the largest and most popular E-Commerce site in the world. The following statistics reveal how prevalent E-Commerce is today, and will be in the future:

The Dollar Volume of E-Commerce

• On Thanksgiving Day, E-Commerce transactions were greater than $75 million, a 40% increase over 2003 (Source: 2)
• On Black Friday in 2004, E-Commerce transactions on VISA credit cards and debit cards were $234 million, compared to $183 million in 2003, a 28.1% increase (Source: 3)
• The Monday after Black Friday, E-Commerce transactions were about $406 million (Source: 4)
• By 2005, E-Commerce transactions will reach an expected $12.5 billion (Source: 5)
• By 2006, E-Commerce transactions will reach an expected $13 billion (Source: 6)
• By 2008, E-Commerce sales of just apparel and accessories will reach an expected $12 billion (Source: 7)

The Security Issues with E-Commerce-The Human Element

There are security issues associated with E-Commerce. An entire book could be written about them; however, future articles will address the security issues as they relate to the specific topic at hand. In this article, I am going to focus a little bit on the human element.

My biggest mantra to business owners is that the first line of defense against security threats is to be proactive in taking steps to protect your place of business. You can have all of the fanciest and most expensive security equipment that is available, but it does not mean anything unless you are proactive. The bottom line is: why wait for something to happen first, and only then enhance your security? Why not take a stand now, before something does happen? A perfect example of this is the recent MS Blaster worm. When it became known that this worm was prevalent, software patches became available for download to protect your computer(s) before it hit you. Well, unfortunately, many people disregarded these software patches, and did not download them until after they were hit with the worm.

In my meetings with contacts and potential clients, people are aware of security to some degree, and they know that it is a "hot topic" issue in today's world. When I ask them about their security infrastructure, they openly admit that they know they have flaws in it. But then, when I ask them about implementing a change to enhance or further strengthen their security system, the reluctance sets in. If security is such a "hot button" issue, why is there then the reluctance to change or enhance your security system when you know it can be greatly improved? Well, it all comes down to human psychology: (1) the fear of change or trying something new; and (2) we live in a reactive society. To put it bluntly, we will only change our ways when something catastrophic occurs that directly affects us at a great cost. Remember, there is a lot at stake-especially your customers' loyalty to you and your bottom line. Why risk all of that when all that is needed is a change to a more proactive mindset about security for your business? In fact, given the statistics in the previous table, ultimately there will be no other choice but to have a proactive security consciousness, since E-Commerce will be such a dominant force in the global economy.

Therefore, the primary goal of the articles in this series is twofold: (1) to make you, the business owner, aware of the types of security threats and risks that are out there; and (2) to give you a proactive mindset with regards to security.

The Threats Posed to E-Commerce Servers

E-Commerce tends to be at a higher echelon for risk and attacks. This is so because, according to our definition, E-Commerce is the transaction of goods and services, and the payment for those goods and services, over the Internet. Therefore, the physical place where all of these transactions occur is at the server level. The server can be viewed as the central repository for your "E-Commerce Place of Business" [which consists of the actual website which displays your products and services, the customer database, and the payment mechanism]. If there are any attacks on this server, there is the potential that you could lose everything in one blow. Thus, being proactive about security takes on a much greater magnitude now.

Threats to E-Commerce servers fall into two general categories: (1) threats from an actual attacker(s); and (2) technological failure. In terms of the former, the motivation is primarily psychological. The intent is to garner personal information from people for the sheer purpose of exploitation (such as obtaining credit card and bank account information; Phishing schemes; obtaining usernames and passwords, etc.). With the latter, anything related to the Internet can cause problems. This can be anything from a network not configured properly to data packets being lost, especially in a wireless access environment. Even poorly written programming code upon which your E-Commerce site was developed can be very susceptible to threats. Most E-Commerce servers utilize a Windows operating system (such as Windows 2000 and 2003 Server), web server software to host the E-Commerce site (such as Internet Information Services, or IIS), and a database (such as Access 2000 or SQL Server 2000) which contains your customer information and transaction history. These platforms have had various security flaws associated with them, which has made them wide open to threats and attacks. As a result, there has been a move in the business community to adopt more robust and secure platforms. A prime example of this is the use of Linux as the operating system, Apache as the web server software, and either PostgreSQL or MySQL as the database (both are databases built around the Structured Query Language, or SQL). These latter platforms will be explored in much more detail in subsequent articles.

We will now examine the various threats and risks that are posed to E-Commerce servers. Also, we will look at some threats posed to your customers who use your E-Commerce server to buy goods and services.

The direct threats to E-Commerce servers can be classified as either (1) Malicious Code Threats or (2) Transmission Threats. With the former, malicious, or rogue, programming code is introduced into the server in order to gain access to the system resources. Very often, the intent of malicious code attacks is to cause large-scale damage to the E-Commerce server. With the latter, the threats and risks can be classified as either active or passive. With passive threats, the main goal is to listen (or eavesdrop) on transmissions to the server. With active threats, the intent is to alter the flow of data transmission or to create a rogue transmission aimed directly at the E-Commerce server.

Malicious Code Attacks

Viruses and Worms

The most common threats under this category are worms and viruses. In the media today, we keep hearing these words on almost a daily basis, and there is confusion that the two are related, and synonymous. However, the two are very different. A virus needs a host of some sort in order to cause damage to the system. The exact definition is ". . . a virus attaches itself to executable code and is executed when the software program begins to run or an infected file is opened." (Source: 8). So, for example, a virus needs a file to attach itself to. Once that file is opened, the virus can then cause the damage. This damage can range from the deletion of some files to the total reformatting of the hard drive. The key thing to remember about viruses is that they cannot spread by themselves-they require a host file. However, worms are very much different. A worm does not need a host to replicate. Rather, the worm replicates itself through the Internet, and can literally infect millions of computers on a global basis in just a matter of hours. A perfect example of this is once again the MS Blaster worm. Worms by themselves do not cause damage to a system like a virus does. However, worms can shut down parts of the Internet or E-Commerce servers, because they can use up valuable resources of the Internet, as well as the memory and processing power of servers and other computers. A question that is often asked about worms and viruses is which of the two is worse. This is a difficult question to answer, as the criteria for which is worse depend upon the business environment. However, one thing is certain: in terms of the rate of propagation and multiplicity, worms are much worse than viruses.

Trojan Horses

A Trojan Horse is a piece of programming code that is layered behind another program, and can perform covert, malicious functions. For example, your E-Commerce server can display a "cool-looking" screen saver, but behind that could be a piece of hidden code causing damage to your system. One way to get a Trojan Horse attack is by downloading software from the Internet. This is where you need to be very careful. There will be times (and it could be often) when patches and other software code fixes (such as service packs) will need to be downloaded and applied to your E-Commerce server. Make sure that whatever software is downloaded comes from an authentic and verified source, and that all defense mechanisms are activated on your server.

Logic Bombs

A Logic Bomb is a version of a Trojan Horse; however, it is event- or time-specific. For example, a logic bomb will release malicious or rogue code in an E-Commerce server after some specific time has elapsed or a particular event in application or processing has occurred.

Transmission Threats

Denial of Service Attacks

With a Denial of Service Attack, the main intention is to deny your customers the services provided on your E-Commerce server. There is no actual intent to cause damage to files or to the system, but the goal is to literally shut the server down. This happens when a massive amount of invalid data is sent to the server. Because the server can only handle and process so much information at any given time, it is unable to keep up with the overflow of information and data. As a result, the server becomes "confused", and subsequently shuts down. Another type of Denial of Service Attack is called the Distributed Denial of Service Attack. In this scenario, many computers are used to launch an attack on a particular E-Commerce server. The computers that are used to launch the attack are called "zombies." These "zombies" are controlled by a master host computer. It is the master host computer which instructs the "zombie" computers to launch the attack on the E-Commerce server. As a result, the server shuts down because of the massive bombardment of bad information and data being sent from the "zombie" computers. A Distributed Denial of Service Attack is diagrammed as follows:

[Figure: Diagram of a Distributed Denial of Service Attack]

Ping of Death

When we surf the Web, or send e-mail, the communication between our computer and the server takes place via data packets. It is the data packet that contains the information, and the request for information, that is sent from our computer to other computers over the Internet. The communication protocol which is used to govern the flow of data packets is called Transmission Control Protocol/Internet Protocol, or TCP/IP for short. The TCP/IP protocol allows for data packets to be as large as 65,535 bytes. However, the data packet size that is typically transmitted across the Internet is about 1,500 bytes. With a Ping of Death Attack, a massive data packet is sent-65,536 bytes. As a result, the memory buffers of the E-Commerce server are totally overloaded, thus causing it to crash.

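The overload described above happens at the point where the server reassembles the fragments of an oversized datagram. The following is an added example (not code from the original article), in Python, that decodes an IPv4 header and rejects any fragment whose offset plus payload would land beyond the 65,535-byte limit; the sample headers are constructed for the demonstration.

```python
import struct

# Largest datagram the 16-bit IPv4 Total Length field can describe (65,535 bytes).
IPV4_MAX_DATAGRAM = 65535


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fields of a fixed 20-byte IPv4 header that a reassembly check needs."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {
        "version": ver_ihl >> 4,
        "header_len": (ver_ihl & 0x0F) * 4,        # IHL is counted in 32-bit words
        "total_len": total_len,
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset field is in 8-byte units
        "protocol": proto,
    }


def reassembled_end(hdr: dict) -> int:
    """Byte position at which this fragment's payload would end once reassembled."""
    return hdr["frag_offset"] + (hdr["total_len"] - hdr["header_len"])


def is_oversized_fragment(raw: bytes) -> bool:
    """True when a fragment would place payload beyond the 65,535-byte IPv4 limit.

    A reassembler that trusts the offset and copies blindly overruns its buffer;
    discarding such fragments before reassembly is what removes the crash.
    """
    return reassembled_end(parse_ipv4_header(raw)) > IPV4_MAX_DATAGRAM


def make_fragment_header(total_len: int, frag_offset: int, more_fragments: bool = False) -> bytes:
    """Constructed sample header (ICMP, 10.0.0.1 -> 10.0.0.2) used only to exercise the check."""
    assert frag_offset % 8 == 0 and frag_offset // 8 <= 0x1FFF
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


if __name__ == "__main__":
    # Ordinary 1,500-byte fragment at the start of a datagram: accepted.
    print(is_oversized_fragment(make_fragment_header(1500, 0, more_fragments=True)))  # False
    # Final fragment at the maximum offset carrying 1,480 payload bytes: 67,008 > 65,535.
    print(is_oversized_fragment(make_fragment_header(1500, 65528)))                    # True
```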
SYN Flooding

When we open up a web browser and type in a web address, or click "Send" to transmit an e-mail from our own computer (referred to in this section as the "client computer"), a set of messages is exchanged between the server and the client computer. This set of exchanges is what establishes the Internet connection from the client computer to the server, and vice versa. This is also known as a "handshake." To initiate this Internet connection, a SYN (or synchronization) message is sent from the client computer to the server, and the server replies back to the client computer with a SYN ACK (or synchronization acknowledgement) message. To complete the Internet connection, the client computer sends back an ACK (or acknowledgement) message to the server. At the point where the E-Commerce server is waiting to receive the ACK message from the client computer, the connection is considered to be half-open. It is at this point that the E-Commerce server becomes vulnerable to attack. Phony SYN messages (which appear to be legitimate) could be sent to the E-Commerce server, thus overloading its memory and processing power, and causing it to crash.

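The half-open state described above is held in a finite table on the server, and that table is what a flood of SYNs without a closing ACK exhausts. The following is an added example (not code from the original article), in Python, modelling such a table: it shows a legitimate client being refused while the backlog is full of half-open entries, and getting in once the stale entries are timed out. The scenario, addresses and capacity are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    """Model of a listener's SYN backlog: peers that sent SYN, got SYN-ACK, never sent ACK.

    Real kernels keep such a table per listening socket with a finite size, which is
    exactly what a SYN flood fills.  This is a hypothetical simplification, not kernel code.
    """
    capacity: int
    timeout: float = 30.0                          # seconds a half-open entry is kept
    pending: dict = field(default_factory=dict)    # peer -> time its SYN arrived
    established: set = field(default_factory=set)
    dropped: int = 0

    def expire(self, now: float) -> int:
        """Reap half-open entries older than the timeout; returns how many were removed."""
        stale = [p for p, t in self.pending.items() if now - t >= self.timeout]
        for p in stale:
            del self.pending[p]
        return len(stale)

    def on_syn(self, peer, now: float) -> bool:
        """SYN received: reserve a backlog slot (the server would now send SYN-ACK)."""
        self.expire(now)
        if peer in self.pending:
            return True                            # retransmitted SYN reuses its slot
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False                           # backlog full: the SYN is dropped
        self.pending[peer] = now
        return True

    def on_ack(self, peer, now: float) -> bool:
        """Final ACK received: only a peer with a pending SYN completes the handshake."""
        if self.pending.pop(peer, None) is None:
            return False                           # no matching half-open entry: ignored
        self.established.add(peer)
        return True


def simulate_flood(capacity: int = 128, timeout: float = 30.0) -> dict:
    """Constructed scenario: 200 SYNs from distinct spoofed peers that never ACK, then one
    legitimate client trying during the flood and again after the timeout has reaped it."""
    table = HalfOpenTable(capacity, timeout)
    for i in range(200):
        table.on_syn((f"198.51.100.{i % 250}", 40000 + i), now=i * 0.005)
    legit = ("203.0.113.9", 51515)
    during = table.on_syn(legit, now=1.0)              # refused: backlog exhausted
    after = table.on_syn(legit, now=1.0 + timeout)     # stale entries reaped, slot free
    table.on_ack(legit, now=1.1 + timeout)
    return {"accepted_during_flood": during, "accepted_after_timeout": after,
            "syns_dropped": table.dropped, "half_open": len(table.pending),
            "established": len(table.established)}


if __name__ == "__main__":
    print(simulate_flood())
```

A shorter half-open timeout, as modelled here, only narrows the window; it does not by itself stop a sustained flood.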
Threats to Your E-Commerce Customers

Phishing Attacks

One of the biggest threats to your E-Commerce customers is that of Phishing. Specifically, Phishing can be defined as "the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft." (Source: 9). So, for example, fraudulent e-mail could be sent to your customers claiming that their online account is about to expire, that their username and password have been compromised in some fashion, or that there is a security upgrade that will take place affecting their online account. After they are tricked into believing the content of the Phishing e-mail, the customers click on the link and submit all of their confidential information. All Phishing e-mail contains a link, or a web address, which the customer clicks on thinking that they are going to a secure and legitimate site (people who launch Phishing schemes [also known as "Phishers"] can copy the HTML code from your E-Commerce site, making it look authentic in the eyes of the customer). The truth is, all of the confidential information submitted is collected by the "Phisher", who is bent upon creating havoc and damage to your E-Commerce business.

I have seen many examples of Phishing schemes. I routinely get Phishing e-mails from banks saying that my online bank account is going to receive a security upgrade, and that I need to submit my username and password after clicking on the link provided. The irony is that I don't even have an online bank account with the banks mentioned in the Phishing e-mail. The year 2004 will probably be known as the year of the explosion of Phishing scams. According to one group that monitors Phishing e-mails, it first picked up 250,000 Phishing e-mails per month at the start of 2004. Now it has gone up to five million. Phishing ". . . has firmly established itself as a threat to any organization or individual conducting business online." (Source: 10).

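The tell-tale of the e-mails described above is that the visible link claims to be the legitimate site while the real target is somewhere else. The following is an added example (not code from the original article), in Python, that pulls the anchors out of an HTML e-mail body and flags those whose target is a bare IP address, differs from the host shown in the link text, or lies outside the business's own domain. The sample e-mail and the domain example-bank.com are constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of link text that merely looks like one (no scheme given)."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(candidate).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, trusted_domain: str) -> list:
    """Return (href, reasons) for anchors that do not lead where they claim to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Only treat the text as a claimed host if it contains something domain-like.
        shown = host_of(text) if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) else ""
        reasons = []
        if is_ip_literal(target):
            reasons.append("link target is a bare IP address")
        if shown and shown != target:
            reasons.append(f"text shows {shown} but link goes to {target}")
        if target and not under_domain(target, trusted_domain):
            reasons.append(f"link target is outside {trusted_domain}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: a fake "account expiry" notice impersonating example-bank.com.
SAMPLE_EMAIL = """<p>Dear customer, your online account is about to expire.</p>
<a href="http://198.51.100.7/secure/login">https://www.example-bank.com/secure/login</a>
<a href="https://www.example-bank.com/help">Help centre</a>
<a href="https://example-bank.com.account-verify.invalid/">Verify your account now</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL, "example-bank.com")` reports the first and third links and leaves the genuine help link alone.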
Other Threats to E-Commerce Servers

There are other threats posed to E-Commerce servers; a few are listed here. These threats will be further discussed in subsequent articles.

Data Packet Sniffing

This refers to the use of data packet sniffers, also known simply as "sniffers." While a sniffer is an invaluable tool to the network administrator for troubleshooting and diagnosis, an attacker can also use one to intercept the data packet flow and analyze the individual data packets. Usernames, passwords, and other confidential customer data can then be hijacked from the E-Commerce server. This is a very serious problem, especially in wireless networks, as the data packets literally leave the confines of the network cabling and travel through the air. Ultimately, data packet sniffing can lead to session hijacking. This is when the attacker eventually takes control over the network connection, kicks legitimate users (such as your customers) off the E-Commerce server, and ultimately gains control of it.

IP Spoofing

The intent here is to change the source address of a data packet to give it the appearance that it originated from another computer. With IP Spoofing, it is difficult to identify the real attacker, since all E-Commerce server logs will show connections from a seemingly legitimate source. IP Spoofing is typically used to start the launch of a Denial of Service Attack.

Port Scanning

This is probing the network ports of the E-Commerce server. When conducting such a scan, an attacker can figure out what kind of services are running on the E-Commerce server, and from that point figure out the vulnerabilities of the system in order to cause the greatest damage possible.

Trapdoors/Backdoors

In developing the code for an E-Commerce site, developers often leave "trapdoors" or "backdoors" to monitor the code as it is developed. Instead of implementing a secure protocol through which to access the code, backdoors provide a quick way into the code. While it is convenient, trapdoors can lead to major security threats if they are not completely removed prior to the launch of the E-Commerce site. Remember, an attacker is always looking first for vulnerabilities in the E-Commerce server. Trapdoors provide a very easy vulnerability for the attacker to get in through, and cause system-wide damage to the E-Commerce server.

Our next article, "Threats to E-Commerce Servers-Part II", will provide solutions to the threats detailed in this article. Remember, security is an issue which cannot be taken for granted anymore in today's business environment. It is a necessity to be proactive, and to avoid threats and risks before they really hurt you.
