This article starts our new series on E-Commerce security. This article, as well as future articles, will focus on different areas of E-Commerce security. We will be looking at such issues as how to protect your customer database and transaction information; how to create a secure shopping cart and payment system; how to write good programming code for an E-Commerce site with strong security features; how to create and implement a secure database for online transactions; as well as other managerial and technical issues.

Overview of Article

This article will examine the various threats which exist to E-Commerce servers. The next article, which will be Part II, will focus upon solutions which can be implemented to protect your E-Commerce server from such threats. Specifically, this article is divided into the following sections: (1) An Overview into E-Commerce; (2) The Security Issues with E-Commerce - The Human Element; (3) The Threats Posed to E-Commerce Servers.

An Overview into E-Commerce

All of us remember the heyday of the late 1990's. We had the Internet Boom, the .com craze, venture capital money being pumped into technology startups like oil gushing out of a well, the stock market at all-time highs, etc. Well, those days have come and gone, and all of us, I am sure, have learned painful lessons from that time period in the last couple of years. However, there is one legacy from the Internet Boom that has survived, and will continue to be a very dominant force in the worldwide economy. That legacy is known as E-Commerce. The term E-Commerce can be a nebulous one, and can possess different meanings to people and businesses. For example, to some entities, E-Commerce can mean simply having a video conference over the Internet; conducting an online chat session with a customer; simply putting up a website where your products and services are displayed; or just e-mailing a price quote to a potential customer.
However, for purposes of this article as well as future articles, the term E-Commerce will be defined as: "The conducting of business communication and transactions over networks and through computers. As most restrictively defined, electronic commerce is the buying and selling of goods and services, and the transfer of funds, through digital communications. Electronic commerce also includes buying and selling over the World-Wide Web and the Internet, electronic funds transfer, smart cards, digital cash, and all other ways of doing business over digital networks." (Source: 1)

Although the craze for E-Commerce occurred during the Internet Boom, as you can see from the definition, the core concept of buying, selling, and paying over the Internet still exists today, and will for a long time to come. A perfect example of the above definition is E-bay. It is probably by far the largest and most popular E-Commerce site in the world. The following statistics reveal how prevalent E-Commerce is today, and will be in the future:

The Dollar Volume of E-Commerce

- On Thanksgiving Day: E-Commerce transactions were greater than $75 million, a 40% increase over 2003 (Source: 2)
- On Black Friday in 2004: E-Commerce transactions on VISA credit cards and debit cards were $234 million, compared to $183 million in 2003, a 28.1% increase (Source: 3)
- The Monday after Black Friday: E-Commerce transactions were about $406 million (Source: 4)
- By 2005: E-Commerce transactions will reach an expected $12.5 billion (Source: 5)
- By 2006: E-Commerce transactions will reach an expected $13 billion (Source: 6)
- By 2008: E-Commerce sales of just apparel and accessories will reach an expected $12 billion (Source: 7)

The Security Issues with E-Commerce - The Human Element

There are security issues associated with E-Commerce. An entire book could be written about them; however, future articles will address the security issues as they relate to the specific topic at hand.
In this article, I am going to focus a little bit on the human element. My biggest mantra to business owners is that the first line of defense against security threats is to be proactive in taking steps to protect your place of business. You can have all of the fanciest and most expensive security equipment that is available, but it does not mean anything unless you are proactive. The bottom line is: why wait for something to happen first, and only then enhance your security? Why not take a stand now, before something does happen? A perfect example of this is the recent MS Blaster worm. When it became known that this worm was prevalent, software patches became available for download to protect your computer(s) before it hit you. Well, unfortunately, many people disregarded these software patches, and did not download them until after they were hit with the worm. In my meetings with contacts and potential clients, people are aware of security to some degree, and they know that it is a "hot topic" issue in today's world. When I ask them about their security infrastructure, they openly admit that they know they have flaws in it. But then, when I ask them about implementing a change to enhance or further strengthen their security system, the reluctance sets in. If security is such a "hot button" issue, why is there then the reluctance to change or enhance your security system when you know it can be greatly improved? Well, it all comes down to human psychology: (1) The fear of change or trying something new; and (2) We live in a reactive society. To put it bluntly, we will not change our ways until something catastrophic occurs which directly affects us at a great cost. Remember, there is a lot at stake - especially your customers' loyalty to you and your bottom line. Why risk all of that when all that is needed
is a change to a more proactive mindset about security for your business? In fact, given the statistics in the previous table, ultimately there will be no other choice but to have a proactive security conscience, since E-Commerce will be such a dominant force in the global economy. Therefore, the primary goal of the articles in this series is two-fold: (1) To make you, the business owner, aware of the types of security threats and risks that are out there; and (2) To give you a proactive mindset with regards to security.

The Threats Posed to E-Commerce Servers

E-Commerce tends to be at a higher echelon for risk and attacks. This is so because, according to our definition, E-Commerce is the transaction of goods and services, and the payment for those goods and services, over the Internet. Therefore, the physical place where all of these transactions occur is at the server level. The server can be viewed as the central repository for your "E-Commerce Place of Business" [which consists of the actual website which displays your products and services, the customer database, and the payment mechanism]. If there are any attacks on this server, in one blow there is the potential that you could lose everything. Thus, being proactive about security takes on a much greater magnitude now. Threats to E-Commerce servers fall into two general categories: (1) Threats from an actual attacker(s); and (2) Technological failure. In terms of the former, the motivation is primarily psychological. The intent is to garner personal information from people for the sheer purpose of exploitation (such as obtaining credit card and bank account information; Phishing schemes; obtaining usernames and passwords, etc.). With the latter, anything related to the Internet can cause problems. This can be anything from a network not configured properly to data packets being lost, especially in a wireless access environment. Even poorly written programming code upon which your E-Commerce site was developed
can be very susceptible to threats. Most E-Commerce servers utilize a Windows operating system (such as Windows 2000 and 2003 Server), web server software to host the E-Commerce site (such as Internet Information Services, or IIS), and a database (such as Access 2000 or SQL Server 2000) which contains your customer information and transaction history. These platforms have had various security flaws associated with them, which has made them wide open to threats and attacks. As a result, there has been a move in the business community to adopt more robust and secure platforms. A prime example of this is the use of Linux as the operating system, Apache as the web server software, and either PostgreSQL or MySQL as the database (these are databases based on the Structured Query Language, or SQL). These latter platforms will be explored in much more detail in subsequent articles. We will now examine the various threats and risks that are posed to E-Commerce servers. Also, we will look at some threats posed to your customers who use your E-Commerce server to buy goods and services. The direct threats to E-Commerce servers can be classified as either (1) Malicious Code Threats; or (2) Transmission Threats. With the former, malicious, or rogue, programming code is introduced into the server in order to gain access to the system resources. Very often, the intent of Malicious Code Attacks is to cause large-scale damage to the E-Commerce server. With the latter, the threats and risks can be classified as either active or passive. With passive threats, the main goal is to listen (or eavesdrop) to transmissions to the server. With active threats, the intent is to alter the flow of data transmission or to create a rogue transmission aimed directly at the E-Commerce server.

Malicious Code Attacks

Viruses and Worms

The most common threats under this category are worms and viruses. In the media today, we keep hearing these words on almost a daily basis, and
there is confusion that the two are related, and synonymous. However, the two are very different. A virus needs a host of some sort in order to cause damage to the system. The exact definition is ". . . a virus attaches itself to executable code and is executed when the software program begins to run or an infected file is opened." (Source: 8). So, for example, a virus needs a file to attach itself to. Once that file is opened, the virus can then cause the damage. This damage can range from the deletion of some files to the total reformatting of the hard drive. The key thing to remember about viruses is that they cannot spread by themselves - they require a host file. Worms, however, are very different. A worm does not need a host to replicate. Rather, the worm replicates itself through the Internet, and can literally infect millions of computers on a global basis in just a matter of hours. A perfect example of this is once again the MS Blaster worm. Worms by themselves do not cause damage to a system like a virus does. However, worms can shut down parts of the Internet or E-Commerce servers, because they can use up valuable resources of the Internet, as well as the memory and processing power of servers and other computers. A question that is often asked about worms and viruses is which of the two is worse. This is a difficult question to answer, as the criteria for which is worse depend upon the business environment. However, one thing is certain: in terms of the rate of propagation and multiplicity, worms are much worse than viruses.

Trojan Horses

A Trojan Horse is a piece of programming code that is layered behind another program, and can perform covert, malicious functions. For example, your E-Commerce server can display a "cool-looking" screen saver, but behind that could be a piece of hidden code, causing damage to your system. One way to get a Trojan Horse attack is by downloading software from the Internet. This is where you need to be very careful.
There will be times (and it could be often) that patches and other software code fixes (such as Service Packs) will need to be downloaded and applied to your E-Commerce server. Make sure that whatever software is downloaded comes from an authentic and verified source, and that all defense mechanisms are activated on your server.

Logic Bombs

A Logic Bomb is a version of a Trojan Horse; however, it is event- or time-specific. For example, a logic bomb will release malicious or rogue code in an E-Commerce server after some specific time has elapsed or a particular event in application or processing has occurred.

Transmission Threats

Denial of Service Attacks

With a Denial of Service Attack, the main intention is to deny your customers the services provided on your E-Commerce server. There is no actual intent to cause damage to files or to the system, but the goal is to literally shut the server down. This happens when a massive amount of invalid data is sent to the server. Because the server can handle and process only so much information at any given time, it is unable to keep up with the information and data overflow. As a result, the server becomes "confused", and subsequently shuts down. Another type of Denial of Service Attack is called the Distributed Denial of Service Attack. In this scenario, many computers are used to launch an attack on a particular E-Commerce server. The computers that are used to launch the attack are called "zombies." These "zombies" are controlled by a master host computer. It is the master host computer which instructs the "zombie" computers to launch the attack on the E-Commerce server. As a result, the server shuts down because of the massive bombardment of bad information and data being sent from the "zombie" computers. A Distributed Denial of Service Attack is diagrammed as follows:

[Diagram of a Distributed Denial of Service Attack]

Ping of Death

When we surf the Web, or send E-Mail, the communication between our computer and
the server takes place via the data packet. It is the data packet that contains the information, and the request for information, that is sent from our computer to other computers over the Internet. The communication protocol which is used to govern the flow of data packets is called Transmission Control Protocol/Internet Protocol, or TCP/IP for short. The TCP/IP protocol allows for data packets to be as large as 65,535 bytes. However, the data packet size that is typically transmitted across the Internet is about 1,500 bytes. With a Ping of Death Attack, a massive data packet is sent - 65,536 bytes. As a result, the memory buffers of the E-Commerce server are totally overloaded, thus causing it to crash.

SYN Flooding

When we open up a web browser and type in a web address, or click "Send" to transmit that E-Mail from our own computer (referred to in this section as the "client computer"), a set of messages is exchanged between the server and the client computer. This set of exchanges is what establishes the Internet connection from the client computer to the server, and vice versa. This is also known as a "handshake." To initiate this Internet connection, a SYN (or synchronization) message is sent from the client computer to the server, and the server replies back to the client computer with a SYN ACK (or synchronization acknowledgement) message. To complete the Internet connection, the client computer sends back an ACK (or acknowledgement) message to the server. While the E-Commerce server is waiting to receive the ACK message from the client computer, the connection is considered to be half-open. It is at this point that the E-Commerce server becomes vulnerable to attack. Phony messages (which appear to be legitimate) could be sent to the E-Commerce server, thus overloading its memory and processing power, and causing it to crash.

Threats to Your E-Commerce Customers

Phishing Attacks

One of the biggest threats to your E-Commerce customers is that of Phishing.
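Before the discussion of Phishing continues, here is an added example (not code from the original article) illustrating the Ping of Death section above: the bounds check a fragment-reassembly layer needs so that an oversized datagram is dropped instead of overrunning a fixed-size buffer. It assumes a minimal 20-byte IP header with no options; the fragments are constructed, not captured traffic.

```python
# Added example (not part of the original article). A reassembly-layer bounds
# check for the oversized-datagram condition described under Ping of Death.
# The IP Total Length field is 16 bits, so no datagram may legitimately exceed
# 65,535 bytes; the attack relies on fragments whose reassembled size passes
# that limit and overruns a fixed-size buffer. Assumes a minimal 20-byte header.

IP_MAX_DATAGRAM = 65_535   # largest value a 16-bit Total Length field can hold
IP_HEADER_LEN = 20         # assumed: no IP options
FRAG_UNIT = 8              # Fragment Offset counts 8-byte blocks
MAX_OFFSET_UNITS = 0x1FFF  # Fragment Offset is a 13-bit field


def reassembled_length(offset_units, payload_len):
    """Datagram length implied by a fragment: header plus the byte just past its data."""
    return IP_HEADER_LEN + offset_units * FRAG_UNIT + payload_len


def fragment_is_safe(offset_units, payload_len):
    """True only if the fragment could belong to a legitimately sized datagram."""
    if not 0 <= offset_units <= MAX_OFFSET_UNITS or payload_len < 0:
        return False
    return reassembled_length(offset_units, payload_len) <= IP_MAX_DATAGRAM


def reassemble(fragments):
    """Reassemble constructed (offset_units, payload) fragments into the data part.

    A naive reassembler copies each fragment to offset*8 without checking where it
    ends; this one refuses the whole datagram as soon as a fragment would land
    past the end of the buffer instead of overrunning it.
    """
    data = bytearray(IP_MAX_DATAGRAM - IP_HEADER_LEN)  # fixed-size buffer
    end = 0
    for offset_units, payload in fragments:
        if not fragment_is_safe(offset_units, len(payload)):
            raise ValueError(
                f"fragment at byte {offset_units * FRAG_UNIT} would make the datagram "
                f"{reassembled_length(offset_units, len(payload))} bytes; dropped"
            )
        start = offset_units * FRAG_UNIT
        data[start:start + len(payload)] = payload
        end = max(end, start + len(payload))
    return bytes(data[:end])


# Constructed fragments, not captured traffic. A 1,500-byte MTU carries 1,480
# data bytes per fragment, i.e. 185 eight-byte units.
NORMAL_FRAGMENTS = [(0, b"A" * 1480), (185, b"B" * 1480), (370, b"C" * 100)]
# Hostile tail: 8 bytes placed at byte 65,520, so header + data = 65,548 > 65,535.
OVERSIZED_FRAGMENTS = [(0, b"A" * 1480), (8190, b"X" * 8)]


def classify(fragments):
    """'ok' when the datagram reassembles, 'oversized' when the check rejects it."""
    try:
        reassemble(fragments)
        return "ok"
    except ValueError:
        return "oversized"
```

The check is evaluated per fragment as it arrives, so the verdict is reached before any copy into the buffer, which is what a kernel fix for this class of bug has to guarantee.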
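A second added example (again not from the original article) for the SYN Flooding section above: detection logic that counts half-open connections per listening port in a constructed snapshot laid out like Linux `netstat -tn` output. The state name SYN_RECV, the addresses and the threshold are assumptions of this example.

```python
# Added example (not part of the original article). Detection logic for the
# half-open-connection condition described under SYN Flooding, run over a
# constructed snapshot laid out like Linux `netstat -tn` output: each SYN_RECV
# row is a connection where the server sent SYN-ACK and still awaits the ACK.
import re

LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")
HALF_OPEN_STATE = "SYN_RECV"  # Linux's name for the server side of an unfinished handshake


def constructed_snapshot():
    """Two healthy sessions and one pending handshake on 443, then a burst of
    half-open connections on port 80 from many different (likely spoofed) sources."""
    rows = [
        "Active Internet connections (w/o servers)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
        "tcp        0      0 192.0.2.10:443          203.0.113.5:50212       ESTABLISHED",
        "tcp        0      0 192.0.2.10:443          203.0.113.9:61022       ESTABLISHED",
        "tcp        0      0 192.0.2.10:443          203.0.113.9:61023       SYN_RECV",
    ]
    for i in range(40):
        rows.append(f"tcp        0      0 192.0.2.10:80           198.51.100.{i + 1}:4{i:04d}     SYN_RECV")
    return "\n".join(rows)


def parse_netstat(text):
    """Yield (local_port, remote_host, state) per connection row; header lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def half_open_by_port(text):
    """Per local port: number of half-open and established connections, plus the
    distinct remote hosts behind the half-open ones."""
    stats = {}
    for port, remote, state in parse_netstat(text):
        s = stats.setdefault(port, {"half_open": 0, "established": 0, "sources": set()})
        if state == HALF_OPEN_STATE:
            s["half_open"] += 1
            s["sources"].add(remote)
        elif state == "ESTABLISHED":
            s["established"] += 1
    return stats


def flooded_ports(text, threshold=20):
    """Ports whose half-open backlog has reached the threshold. The signal is the
    count per port, not per source: in a flood the sources are usually spoofed,
    so each remote address tends to appear only once."""
    return sorted(port for port, s in half_open_by_port(text).items()
                  if s["half_open"] >= threshold)
```

On a Linux host the same condition is what the net.ipv4.tcp_syncookies setting mitigates, so a growing SYN_RECV count is also the place to confirm that it is enabled.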
Specifically, Phishing can be defined as "the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft." (Source: 9). So, for example, fraudulent e-mail could be sent to your customers claiming that their online account is about to expire, or that their username and password have been compromised in some fashion, or that there is a security upgrade that will take place affecting their online account. After they are tricked into believing the content of the Phishing e-mail, the customers then click on the link and submit all of their confidential information. All Phishing e-mail contains a link, or a web address, which the customer clicks on thinking that they are going to a secure and legitimate site (people who launch Phishing schemes [also known as "Phishers"] can copy the HTML code from your E-Commerce site, making it look authentic in the eyes of the customer). The truth is, all of the confidential information submitted is collected by the "Phisher", who is bent upon creating havoc and damage to your E-Commerce business. I have seen many examples of Phishing schemes. I routinely get Phishing e-mails from banks saying that my online bank account is going to receive a security upgrade, and that I need to submit my username and password after clicking on the link provided. The irony is that I don't even have an online bank account with the banks mentioned in the Phishing e-mail. The year 2004 will probably be known as the year of the explosion of Phishing scams. According to one group that monitors Phishing e-mails, it first picked up 250,000 Phishing e-mails per month at the start of 2004. Now it has gone up to five million. Phishing ". . . has firmly established itself as a threat to any organization or individual conducting business online." (Source: 10).

Other Threats To E-Commerce Servers

There are other threats posed
to E-Commerce servers; a few are listed here. These threats will be further discussed in subsequent articles.

Data Packet Sniffing

This refers to the use of data packet sniffers, also known simply as "sniffers." While a sniffer is an invaluable tool to the network administrator for troubleshooting and diagnosis, an attacker can also use a sniffer to intercept the data packet flow and analyze the individual data packets. Usernames, passwords, and other confidential customer data can then be hijacked from the E-Commerce server. This is a very serious problem, especially in wireless networks, as the data packets literally leave the confines of the network cabling and travel through the air. Ultimately, data packet sniffing can lead to session hijacking. This is when the attacker eventually takes control over the network connection, kicks legitimate users (such as your customers) off the E-Commerce server, and ultimately gains control of it.

IP Spoofing

The intent here is to change the source address of a data packet to give it the appearance that it originated from another computer. With IP Spoofing, it is difficult to identify the real attacker, since the E-Commerce server logs will show connections from what appears to be a legitimate source. IP Spoofing is typically used to start the launch of a Denial of Service Attack.

Port Scanning

This is listening to the network ports of the E-Commerce server. When conducting such a scan, an attacker can figure out what kind of services are running on the E-Commerce server, and from that point figure out the vulnerabilities of the system in order to cause the greatest damage possible.

Trapdoors/Backdoors

In developing the code for an E-Commerce site, developers often leave "trapdoors" or "backdoors" to monitor the code as it is developed. Instead of implementing a secure protocol through which to access the code, backdoors provide a quick way into the code. While it is convenient, trapdoors can lead to major security threats if they are not completely removed
prior to the launch of the E-Commerce site. Remember, an attacker is always looking first for vulnerabilities in the E-Commerce server. Trapdoors provide a very easy vulnerability for the attacker to get in through, and cause system-wide damage to the E-Commerce server.

Our next article, "Threats to E-Commerce Servers - Part II", will provide solutions to the threats detailed in this article. Remember, security is an issue which cannot be taken for granted anymore in today's business environment. It is a necessity to be proactive, and to avoid threats and risks before they really hurt you.