
A report on e-Security


Mr. Gaurav V. Choudhari

Mr. Nilesh N. Pethkar
Mr. Sameer S. Thombare

Under the Guidance of

Prof. M.H. Bade


Munshi Nagar, Andheri (W) 400 058.
1) About e-Security
2) Threats
   i) Hackers/Crackers
   ii) Virus
   iii) Worms
   iv) Trojan Horses
   v) Spyware
   vi) Adware
   vii) Denial of Service (DoS)
3) Solutions
   i) Firewall
   ii) Password Protection
   iii) Monitoring
   iv) Virus Protection
4) Case Studies
   i) Five million Visa and MasterCard accounts hacked
   ii) MS hacked once, twice, three, FOUR times

Internet Security Essentials: Top 10 Internet Security Tips


About e-Security

Few issues are more fundamental to the success of an online business than
knowing that those who access its information and other resources are who they
say they are, and that they can be trusted. Without such trust few companies, if
any, would be prepared to share their resources with others, undermining the
whole eCommerce concept.

Before understanding e-security, it is essential to know what the threats are! So
let's look at the threats to an e-Business.


Following are the main threats to a network:

- Hackers/Crackers
- Viruses
- Worms
- Trojan Horses
- Spyware/Adware
- Denial of Service (DoS)

Now let's look at them one by one.

Hackers/Crackers

A hacker or cracker is someone who breaks into someone else's computer
system, often over a network; bypasses passwords or licenses in computer
programs; or in other ways intentionally breaches computer security. But there is
a fundamental difference between a hacker and a cracker. A hacker could do this
for profit or out of malice, but typically does it because the challenge is there; a
cracker, on the other hand, does all of this for malicious purposes only.


Hackers, acting for some altruistic purpose or cause, generally break in to point
out weaknesses in a site's security system.

But what is at stake? Data! In this world of information technology, data of any
kind can be used or misused by other firms. A cracker can steal the data and sell
it to competitors, or even defame the firm by disclosing its dark secrets. There
have been millions of attacks by hackers on the websites and networks of
renowned firms. We will go through a case study later on.

Virus

A virus is a piece of programming code, usually disguised as something else,
that causes some unexpected and usually undesirable event. A virus is usually
designed so that it spreads automatically to other computer users. Viruses can be
transmitted as attachments to an e-mail, as downloads, or be present on a
diskette or CD. The source of the e-mail, downloaded file, or diskette you've
received is often unaware of the virus. Some viruses take effect as soon as their
code is executed; other viruses lie dormant until circumstances cause their code
to be executed by the computer. Some viruses are playful in intent and effect
(e.g. "Happy Birthday") and some can be devastating (e.g. "W32.Blackmal.E"),
erasing data or causing your hard disk to require reformatting. Generally, there
are three main classes of viruses:

1. File infectors: Some file infector viruses attach themselves to program files,
usually selected .COM or .EXE files. When the program is loaded, the virus is
loaded as well. Other file infector viruses arrive as wholly contained programs or
scripts sent as an attachment to an e-mail. e.g. W32.Blackmal.E

2. System or boot-record infectors: These viruses infect executable code found in
certain system areas on a hard disk called the boot sector. A typical scenario is
to receive a diskette from an innocent source that contains a boot-sector virus.
When your operating system is running, files on the diskette can be read without
triggering the boot-sector virus. However, if you leave the diskette in the drive
and then turn the computer off or reload the operating system, the computer will
look first in your A drive, find the diskette with its boot-sector virus, load it, and
make it temporarily impossible to use your hard disk. e.g. Exe_Bug.C, Kampana.

3. Macro viruses: These are among the most common viruses, and they tend to
do the least damage. Macro viruses infect your Microsoft Office applications and
typically insert unwanted words or phrases.

Worms

A 'worm' is a self-replicating virus that does not alter files but resides in active
memory and duplicates itself. Worms use parts of an operating system that are
automatic and usually invisible to the user. It is common for worms to be noticed
only when their uncontrolled replication consumes system resources, slowing or
halting other tasks. e.g. W32.Sober.X@mm

Trojan Horses

A 'Trojan horse' is a destructive program that masquerades as a benign
application. Unlike viruses, Trojan horses do not replicate themselves, but they
can be just as destructive. One of the most insidious types of Trojan horse is a
program that claims to rid your computer of viruses but instead introduces
viruses onto your computer.

The term comes from the Greek story of the Trojan War, in which the Greeks give
a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering.
But after the Trojans drag the horse inside their city walls, Greek soldiers sneak
out of the horse's hollow belly and open the city gates, allowing their compatriots
to pour in and capture Troy.

Trojan horses are classified according to how they breach systems and the
damage they cause. The six main types of Trojan horse are:

1. Remote Access Trojans
Abbreviated as RATs, a Remote Access Trojan is one of the six major types of
Trojan horse and is designed to provide the attacker with complete control of the
victim's system. Attackers usually hide these Trojan horses in games and other
small programs that unsuspecting users then execute on their PCs. e.g.

2. Data Sending Trojans
A type of Trojan horse designed to provide the attacker with sensitive data such
as passwords, credit card information, log files, e-mail addresses or IM contact
lists. These Trojans can look for specific pre-defined data (e.g. just credit card
information or passwords), or they could install a key logger and send all
recorded keystrokes back to the attacker. e.g.

3. Destructive Trojans
A type of Trojan horse designed to destroy and delete files; it is more like a virus
than any other Trojan. It can often go undetected by antivirus software. e.g.
Sadcase.Trojan

4. Proxy Trojans
A type of Trojan horse designed to use the victim's computer as a proxy server.
This gives the attacker the opportunity to do everything from your computer,
including the possibility of conducting credit card fraud and other illegal
activities, or even using your system to launch malicious attacks against other
networks. e.g. Backdoor.Migmaf

5. FTP Trojans
A type of Trojan horse designed to open port 21 (the port for FTP transfer) and
let the attacker connect to your computer using the File Transfer Protocol (FTP).
e.g. Trojan.Haradong

6. Security software disabler Trojans
A type of Trojan horse designed to stop or kill security programs such as an
antivirus program or firewall without the user knowing. This Trojan type is
normally combined with another type of Trojan as a payload. e.g. Trojan.Disabler

Spyware

Spyware is any software that covertly gathers user information through the user's
Internet connection without his or her knowledge, usually for advertising
purposes. Spyware applications are typically bundled as a hidden component of
freeware or shareware programs that can be downloaded from the Internet;
however, it should be noted that the majority of shareware and freeware
applications do not come with spyware. Once installed, the spyware monitors
user activity on the Internet and transmits that information in the background to
someone else. Spyware can also gather information about e-mail addresses and
even passwords and credit card numbers.

Spyware is similar to a Trojan horse in that users unwittingly install the product
when they install something else. A common way to become a victim of spyware
is to download certain peer-to-peer file-swapping products that are available
today.


Aside from the questions of ethics and privacy, spyware steals from the user by
using the computer's memory resources and by eating bandwidth as it sends
information back to the spyware's home base via the user's Internet connection.
Because spyware uses memory and system resources, the applications running in
the background can lead to system crashes or general system instability.

Because spyware exists as independent executable programs, it has the ability to
monitor keystrokes, scan files on the hard drive, snoop on other applications such
as chat programs or word processors, install other spyware programs, read
cookies, and change the default home page in the Web browser, consistently
relaying this information back to the spyware author, who will either use it for
advertising/marketing purposes or sell the information to another party.

Licensing agreements that accompany software downloads sometimes warn the
user that a spyware program will be installed along with the requested software,
but the licensing agreements may not always be read completely because the
notice of a spyware installation is often couched in obtuse, hard-to-read legal
disclaimers. e.g. Spyware.NiceSpy

Adware

Adware is a form of spyware that collects information about the user in order to
display advertisements in the Web browser based on the information it collects
from the user's browsing patterns. The term also covers software that is given to
the user with advertisements already embedded in the application. e.g.
Adware.Bonzi


Denial of Service (DoS)

There has been an increasing number of well-publicized attacks of this kind
recently. In February 2000 alone, Yahoo, CNN Interactive, eBay and other Internet
giants fell victim to distributed denial of service attacks. During a DoS attack a
company's network is flooded with so much network traffic that legitimate traffic
is prevented from traversing the network. Eventually the servers shut down under
the overload.

Distributed denial of service attack tools like 'Stacheldraht' are making it ever
easier for outsiders and insiders to mount attacks. Companies cannot afford to
have their systems shut down, given the impact that this has on customer loyalty.
Customers are increasingly spoilt for choice on the Internet, so a site that is not
available immediately will soon be abandoned in favor of an equivalent one. Not
having its site available can have a very lasting impact on a business.



Up till now we have discussed the security threats to a network. Now let's see the
security solutions.

Firewall

If you have been using the Internet for any length of time, you have probably
heard the term firewall used. For example, you often hear people in companies
say things like, "I can't use that site because they won't let it through the
firewall."

If you have a fast Internet connection into your home (either a DSL connection or
a cable modem), you may have found yourself hearing about firewalls for your
home network as well. It turns out that a small home network has many of the
same security issues that a large corporate network does. You can use a firewall
to protect your home network and family from offensive Web sites and potential
hackers.

Basically, a firewall is a barrier to keep destructive forces away from your
property. In fact, that's why it's called a firewall. Its job is similar to a physical
firewall that keeps a fire from spreading from one area to the next.


What It Does

A firewall is simply a program or hardware device that filters the information
coming through the Internet connection into your private network or computer
system. If an incoming packet of information is flagged by the filters, it is not
allowed through.

Let's say that you work at a company with 500 employees. The company will
therefore have hundreds of computers that all have network cards connecting
them together. In addition, the company will have one or more connections to
the Internet through something like T1 or T3 lines. Without a firewall in place, all
of those hundreds of computers are directly accessible to anyone on the Internet.
A person who knows what he or she is doing can probe those computers, try to
make FTP connections to them, try to make telnet connections to them and so
on. If one employee makes a mistake and leaves a security hole, hackers can get
to the machine and exploit the hole.

With a firewall in place, the landscape is much different. A company will place a
firewall at every connection to the Internet (for example, at every T1 line coming
into the company). The firewall can implement security rules. For example, one
of the security rules inside the company might be:

    Out of the 500 computers inside this company, only one of them is permitted
    to receive public FTP traffic. Allow FTP connections only to that one computer
    and prevent them on all others.

A company can set up rules like this for FTP servers, Web servers, Telnet servers
and so on. In addition, the company can control how employees connect to Web
sites, whether files are allowed to leave the company over the network and so
on. A firewall gives a company tremendous control over how people use the
network.


Firewalls use one or more of three methods to control traffic flowing in and out
of the network:

- Packet filtering: Packets (small chunks of data) are analyzed against a set of
filters. Packets that make it through the filters are sent to the requesting system
and all others are discarded.

- Proxy service: Information from the Internet is retrieved by the firewall and
then sent to the requesting system, and vice versa.

- Stateful inspection: A newer method that doesn't examine the contents of each
packet but instead compares certain key parts of the packet to a database of
trusted information. Information traveling from inside the firewall to the outside
is monitored for specific defining characteristics, and then incoming information
is compared to these characteristics. If the comparison yields a reasonable match,
the information is allowed through. Otherwise it is discarded.
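Packet filtering and stateful inspection, as an added example that is not part of the original report: a toy Python filter that enforces the rule given earlier (public FTP permitted to one designated host only, default deny for everything else) beside a stateful table that admits inbound packets only when they are replies to a connection opened from inside. All addresses, ports and the rule set are constructed for the example.

```python
"""Packet filtering and stateful inspection, modelled on the firewall rule in
the text (public FTP allowed to a single internal host only). Added example,
not from the report; all addresses, ports and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    sport: int      # source port
    dst: str        # destination address
    dport: int      # destination port
    inbound: bool   # True if arriving from the Internet, False if leaving the company


# Constructed topology: the one machine permitted to receive public FTP traffic
FTP_SERVER = "10.0.0.5"

# Allow-list for unsolicited inbound traffic: (destination host or "*", port).
# Anything not matched here is discarded (default deny).
RULES = [
    (FTP_SERVER, 21),   # FTP only to the designated server, never to other hosts
    ("*", 80),          # HTTP to any internal web server
]


def packet_filter(pkt):
    """Packet filtering: judge each packet on its own header fields alone."""
    return any((host == "*" or host == pkt.dst) and port == pkt.dport
               for host, port in RULES)


class StatefulFirewall:
    """Stateful inspection: remember connections opened from the inside so that
    their replies are admitted; unsolicited inbound packets must pass RULES."""

    def __init__(self):
        # (internal host, internal port, external host, external port)
        self.connections = set()

    def inspect(self, pkt):
        if not pkt.inbound:
            # Record the outbound flow; its reply will carry the reversed tuple.
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return True                 # reply to something we initiated
        return packet_filter(pkt)       # unsolicited: fall back to the static rules


if __name__ == "__main__":
    fw = StatefulFirewall()
    for p in [Packet("198.51.100.9", 40001, FTP_SERVER, 21, True),
              Packet("198.51.100.9", 40002, "10.0.0.7", 21, True),
              Packet("10.0.0.9", 50000, "203.0.113.8", 443, False),
              Packet("203.0.113.8", 443, "10.0.0.9", 50000, True)]:
        print(p, "ALLOW" if fw.inspect(p) else "DROP")
```

The stateless filter would have to open port 50000 to the world to let the HTTPS reply in; the stateful table lets it in only because the matching outbound packet was seen first, which is the difference the text describes.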

Password protection

Password protection is something that is relevant to everyone in an organization.
If these rules are set from the beginning, things will be much easier later on:

- A registration and enrollment process should be in place to ensure that only
authorized users get access at the start.
- All new accounts should be given initial passwords that are set by
administrators. These and any new passwords should expire at first use; the user
can then specify their own password.
- Passwords should be alphanumeric with at least 7 characters. Tell new users
that this is the rule and that there are no exceptions.
- The maximum length of time between setting a password and its expiry is 60
days.
- Invalid login attempts shall be limited to a maximum of 6.
- Session timeouts should be implemented. A session timeout allows users an
appropriate amount of time to perform their transactions and receive results
without compromising security. As a general guideline, a user session should
time out after approximately 15 minutes of inactivity.
- Default accounts, such as visitor access for contract workers, should be given a
good password and disabled when not in use.
- Passwords should not be sent over the net as plain text; they should be
encrypted before the form is sent to or from the server. They should also be
encrypted when stored in the database at the server site.

With the program implemented, you must ensure that security is made an
integral part of day-to-day activities. Security must be a considered element to
all system upgrades, such as when new software is installed or when more
computers are added to your network. All too often, new additions to systems
are not made secure.
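The password rules above, as an added example in Python that is not part of the original report: an in-memory account store that enforces the 7-character alphanumeric rule, the first-use expiry of administrator-set passwords, the 60-day maximum age, the lockout after 6 invalid attempts and the 15-minute session timeout. The user names, the test clock and the choice of a salted PBKDF2 hash for storage (the usual way to meet the "encrypted while storing" requirement) are assumptions of the example.

```python
"""Account handling that enforces the password rules listed above. Added
example, not from the report; the in-memory store, user names and the
test clock are constructed. Storage uses a salted PBKDF2 hash."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7                         # at least 7 characters
MAX_PASSWORD_AGE = timedelta(days=60)  # expiry at most 60 days after it was set
MAX_FAILED_ATTEMPTS = 6                # lock the account on the 6th invalid attempt
SESSION_TIMEOUT = timedelta(minutes=15)
PBKDF2_ROUNDS = 100_000


def password_meets_policy(pw):
    """Alphanumeric with at least 7 characters; read here as letters and digits
    only, with at least one of each."""
    return (len(pw) >= MIN_LENGTH and pw.isalnum()
            and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw))


def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class FakeClock:
    """Controllable clock so expiry and timeout rules can be exercised offline."""
    def __init__(self, start=datetime(2006, 1, 1, 9, 0)):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, minutes=0, days=0):
        self.now += timedelta(minutes=minutes, days=days)


class AccountStore:
    def __init__(self, clock):
        self.clock = clock      # any callable returning the current datetime
        self.accounts = {}
        self.sessions = {}      # user -> time of last activity

    def enroll(self, user, initial_password):
        """Administrator creates the account; the initial password is one-shot."""
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": _hash(initial_password, salt),
                               "set_at": self.clock(), "must_change": True,
                               "failed": 0, "locked": False}

    def set_password(self, user, new_password):
        if not password_meets_policy(new_password):
            return False
        acct = self.accounts[user]
        acct["salt"] = os.urandom(16)             # fresh salt on every change
        acct["hash"] = _hash(new_password, acct["salt"])
        acct["set_at"] = self.clock()
        acct["must_change"] = False
        return True

    def login(self, user, password):
        """Returns 'ok', 'locked', 'bad', 'change_required' or 'expired'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "bad"
        if acct["locked"]:
            return "locked"
        if not hmac.compare_digest(acct["hash"], _hash(password, acct["salt"])):
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED_ATTEMPTS:
                acct["locked"] = True
                return "locked"
            return "bad"
        acct["failed"] = 0
        if acct["must_change"]:
            return "change_required"
        if self.clock() - acct["set_at"] > MAX_PASSWORD_AGE:
            return "expired"
        self.sessions[user] = self.clock()
        return "ok"

    def session_valid(self, user):
        """A session ends after 15 minutes of inactivity; activity refreshes it."""
        last = self.sessions.get(user)
        if last is None or self.clock() - last > SESSION_TIMEOUT:
            self.sessions.pop(user, None)
            return False
        self.sessions[user] = self.clock()
        return True


if __name__ == "__main__":
    clk, store = FakeClock(), AccountStore(FakeClock())
    store.enroll("alice", "Temp1234")
    print(store.login("alice", "Temp1234"))     # change_required
    print(store.set_password("alice", "Secret42x"), store.login("alice", "Secret42x"))
```

A locked account stays locked until an administrator intervenes, which is the point of the rule; the unlock step is deliberately not automated here.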

Monitoring

'Monitoring' tries to identify potential and actual security problems before they
become issues that could cost your company time and money. When a security
issue is identified, you should have procedures in place to stop further intrusion,
limit disruption, save evidence and prevent the incident from happening again.
Believe it or not, the first thing you should NOT do is turn off the computer: by
doing so you may damage evidence.

- A periodic scan of databases for obsolete and/or sensitive data. If such data
exists, it should be deleted from the system to prevent a security
- A periodic security review of the web site and related servers.
- Systems should have the ability to generate Simple Network Management
Protocol (SNMP) alerts, i.e. tell you when something is wrong; examples include
warning notes and help options.
- Automated monitoring of network vulnerabilities should be researched and, if
appropriate, used.
- Keep logs of important systems, covering security alerts and system utilization,
to detect memory leaks or excessive usage.
- Keep logs to identify a standard usage baseline to determine user work habits,
such as how often and how long users or customers use your
- Conduct regular security system reviews, preferably using an independent third
party.

Virus Protection

The objective of an anti-virus policy is to address the risk of malicious code (e.g.
viruses, Trojan horses, spyware/adware, worms etc.) being introduced into the
company's networks. Nearly all companies use virus-scanning software. This
software does not make any computer network completely safe. New viruses are
constantly being developed. The only way to stay informed of new viruses and
anti-virus upgrades is to keep reading the security web sites, articles and
publications such as SANS, Microsoft ( and IBM ( If upgrades to virus scanning
software are released, do not waste time; upgrade your systems immediately!

Companies are now buying anti-virus software solutions that allow real-time
upgrading of systems with anti-virus patches. The anti-virus software is stored on
a network server and, periodically, the software automatically initiates a
connection via the Internet to the anti-virus software website. The software then
automatically downloads any new patches from the Internet and applies these
patches across the network. Obviously, this functionality may be limited by the
fact that the network might only have limited access to the Internet. But if
Internet access is 24x7, then anti-virus control may be 24x7 also. Examples of
this type of software are McAfee, Symantec, F-Secure and Trend.

Key policies should include the following:

- A virus scanning procedure that is documented and published to all users.
- All desktops and laptops in the system should run virus-scanning software.
- All Internet e-mail gateways and web proxies into the network should use
virus-scanning software.
- Documenting the process of what to do when an intrusion is detected or a
virus is identified.
- All source/destination addresses and high-level content information should be
logged for all Internet gateway devices.
- A log review procedure to be documented and followed for each Internet
gateway device.
- System administrators or users should immediately be alerted to viruses.
- Infected files should be deleted or quarantined.
- Anti-virus software on all installations should be updated at least monthly, or
better still should be updated automatically as mentioned above.
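The scanning, quarantine and monthly-update items above, as an added example that is not part of the original report and not the code of any anti-virus vendor: a Python scanner that hashes every file under a directory, moves matches into a quarantine folder instead of deleting them (preserving evidence, as the monitoring section advises), and flags a signature set older than 30 days. The signature database is built from harmless constructed strings; real products match on far more than whole-file hashes, so this shows the policy mechanics rather than detection quality.

```python
"""Signature-based scan with quarantine and a signature-age check, following
the policy items above. Added example, not from the report or from any
anti-virus vendor; the signature set is built from harmless constructed
strings, and real products match on far more than whole-file hashes."""
import hashlib
import os
import shutil
import tempfile
from datetime import date, timedelta


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed signature database: hash of file contents -> detection name.
SIGNATURE_DB = {
    "version_date": date(2006, 6, 1),
    "hashes": {
        sha256_hex(b"CONSTRUCTED-SAMPLE-1"): "Sample.Constructed.A",
        sha256_hex(b"CONSTRUCTED-SAMPLE-2"): "Sample.Constructed.B",
    },
}
MAX_SIGNATURE_AGE = timedelta(days=30)   # policy: update at least monthly


def signatures_stale(db, today):
    """True when the signature set is older than the policy allows."""
    return today - db["version_date"] > MAX_SIGNATURE_AGE


def scan_file(path, db):
    """Return the detection name if the file's hash is in the database, else None."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return db["hashes"].get(h.hexdigest())


def scan_tree(root, db, quarantine_dir):
    """Scan every file under root; move matches into quarantine_dir and log them."""
    os.makedirs(quarantine_dir, exist_ok=True)
    qabs = os.path.abspath(quarantine_dir)
    log = []
    for dirpath, _, files in os.walk(root):
        if os.path.abspath(dirpath).startswith(qabs):
            continue    # never rescan the quarantine itself
        for name in files:
            path = os.path.join(dirpath, name)
            hit = scan_file(path, db)
            if hit:
                dest = os.path.join(quarantine_dir, f"{hit}__{name}")
                shutil.move(path, dest)     # quarantine rather than delete: keeps evidence
                log.append(("quarantined", path, hit))
    return log


def demo_scan(today_iso="2006-06-12"):
    """Build a temporary tree of clean and matching files, scan it, report results."""
    root = tempfile.mkdtemp()
    samples = {"readme.txt": b"just a clean document",
               "setup.exe": b"CONSTRUCTED-SAMPLE-1",
               "sub/tool.com": b"CONSTRUCTED-SAMPLE-2"}
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    log = scan_tree(root, SIGNATURE_DB, os.path.join(root, "quarantine"))
    remaining = sorted(os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
                       for d, _, fs in os.walk(root) for f in fs)
    shutil.rmtree(root)
    return {"stale": signatures_stale(SIGNATURE_DB, date.fromisoformat(today_iso)),
            "log": log, "remaining": remaining}


if __name__ == "__main__":
    print(demo_scan())
```

Running with a later date (for instance `demo_scan("2006-08-01")`) reports the signature set as stale, which is the condition the "at least monthly" policy line is meant to catch before the scan result is trusted.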


Case studies

40 million Visa and MasterCard accounts

May 2005

Over forty million Visa and two million MasterCard accounts in the US have been
accessed by unauthorized individuals, after the computer system of a company
which processes credit card transactions on behalf of merchants was hacked into.

The data breach at CardSystems Solutions, the latest in a growing list of data
leaks involving scams and absent-minded workers, is believed to be the largest to
date. It happened when intruders exploited software security

Nearly 70,000 MasterCard account numbers were especially at risk because they
were kept in a file exported from CardSystems' database. MasterCard's security
team discovered abnormal usage patterns on certain cards after fraud monitoring
systems picked up on the clues.

The probe also found that the Atlanta-based payment processor did not meet
MasterCard's security regulations. CardSystems should not have held onto
MasterCard's records, and later compounded the problem by storing the
transaction data in unencrypted form.

This wouldn't have happened if CardSystems had been obeying the association
rules. It's not necessarily just CardSystems' problem. It's really Visa and
MasterCard's problem because they put out these rules but they don't enforce

This does not end here. This is a chain process. The hackers do not use the
information themselves; instead they sell the information on Undernet or some
IRCs.

(Shopadmins are hacked online merchants from which crooks can extract fresh
customer credit cards as new orders come in.)

The attacks are carried out as new demand for stolen card numbers arises. What's
happening is these guys will steal a credit-card number and then start compiling
any information about these individuals that's available. Most people aren't
aware that if your credit-card data is stolen from XYZ company, most likely the
thieves have also got your address, home phone number, e-mail address and
other data that can be used to turn around and get more data, or even open up
new lines of credit in your name.

Once adequate information is collected, they will check the card's validity by
donating a small amount, generally $1, to a charity. Once the amount is
processed they know for sure that this card owner has not yet detected the theft,
and now they are ready to use the card number.

So what are the firms doing?

As hackers improve their methodology, the firms also have to come up with newer
solutions. Both firms are funding a lot of new advancement around the world.
Following are different methods of authentication:

- Risk Based
- Secure Token
- SMS Text

Risk-based Authentication

Unlike the binary (right or wrong) decision involved in traditional username and
password authentication, risk-based authentication is based on a series of
observations. It works by analyzing a series of requested and observed customer
information, along with data supplied during Internet communications, to assess
the probability that a customer interaction is authentic.

Risk-based authentication typically uses a combination of techniques, including
Internet Protocol (IP) intelligence, device profiling (sometimes called PC
fingerprinting), and stored certificates to assess the authenticity of an online
Token-based Strong Authentication

The most common form of this solution is a small keychain fob (the "token") that
displays a six-character password that changes every 60 seconds. This one-time
password (OTP) is generated by a random number algorithm on a chip in the
token, which is synchronized with an OTP server at the bank or a third party. A
user must have the token and input the OTP to be authenticated to gain access to
the online account. The use of tokens for online consumer banking access seems
to be gaining popularity in Europe and in Japan and some other Asian nations.
The two most prominent providers of these devices are RSA Security and Vasco.

SMS Based Authentication

Another interesting approach uses Short Message Service (SMS) messaging for
authentication via a registered cellular phone. Typically, when a customer
attempts to gain access to an account at a bank that uses this method, the bank
sends the cell phone a one-time password in SMS format, which the user enters
on a personal computer. Entering the code proves that the device is present and
thus authenticates the user. This approach is gaining traction in Australia, France,
and Hong Kong and would likely work well in countries with high penetration
rates for cell phones.
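The token-based and SMS-based schemes above, as one added example in Python that is not part of the original report and not the code of RSA Security, Vasco or any bank: the fob's six-digit value is computed with the standard HMAC-based one-time password construction (RFC 4226), time-synchronised in 60-second steps as the text describes (RFC 6238), with the server accepting a small window for clock drift; the SMS flow issues a random code that is valid for a short time and for a single attempt. The shared secret is the RFC 4226 test key; the user, phone number and clock values are constructed.

```python
"""One-time passwords for the two schemes above: a time-synchronised token
(the keychain fob, changing every 60 seconds) and an SMS code sent to a
registered phone. Added example, not from the report or from RSA, Vasco or any
bank; the shared secret is the RFC 4226 test key and the phone, user and clock
values are constructed."""
import hashlib
import hmac
import secrets
import struct
from datetime import datetime, timedelta

STEP = 60        # the report's token changes its value every 60 seconds
DIGITS = 6
SECRET = b"12345678901234567890"   # RFC 4226 test vector key, shared by token and server


def hotp(secret, counter):
    """Counter-based OTP (RFC 4226): HMAC-SHA1 of the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** DIGITS
    return f"{code:0{DIGITS}d}"


def totp(secret, unix_time, step=STEP):
    """Time-based OTP (RFC 6238): the counter is the number of whole steps elapsed.
    The fob computes this from its own clock, the server from its clock."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret, candidate, unix_time, window=1):
    """Server side: accept the current step plus/minus `window` steps to absorb
    clock drift between fob and server; compare in constant time."""
    counter = int(unix_time) // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), candidate)
               for d in range(-window, window + 1))


class SmsOtpServer:
    """Issues a random code to the registered phone; valid briefly and only once."""
    TTL = timedelta(minutes=5)

    def __init__(self, send_sms, clock):
        self.send_sms = send_sms    # callable(phone, text): the SMS gateway
        self.clock = clock          # callable returning the current datetime
        self.pending = {}           # user -> (code, expiry)

    def challenge(self, user, phone):
        code = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        self.pending[user] = (code, self.clock() + self.TTL)
        self.send_sms(phone, f"Your one-time code is {code}")

    def verify(self, user, candidate):
        entry = self.pending.pop(user, None)   # one attempt per code, success or not
        if entry is None:
            return False
        code, expires = entry
        return self.clock() <= expires and hmac.compare_digest(code, candidate)


def demo_sms():
    """Drive the SMS flow with a captured outbox and a fake clock; return outcomes."""
    outbox, now = [], [datetime(2006, 6, 12, 9, 0)]
    srv = SmsOtpServer(lambda phone, text: outbox.append(text), lambda: now[0])
    srv.challenge("alice", "+00-000-0000")          # constructed phone number
    code = outbox[-1][-DIGITS:]
    first = srv.verify("alice", code)
    replay = srv.verify("alice", code)              # same code again: rejected
    srv.challenge("alice", "+00-000-0000")
    now[0] += timedelta(minutes=6)                  # code left unused past its TTL
    late = srv.verify("alice", outbox[-1][-DIGITS:])
    return first, replay, late


if __name__ == "__main__":
    print("token shows", totp(SECRET, 120), "server accepts:",
          verify_totp(SECRET, totp(SECRET, 120), 150))
    print("sms flow (first, replay, late):", demo_sms())
```

The window in `verify_totp` is what the text calls synchronisation between token and server: with `window=1` a fob whose clock has drifted by up to one step still works, while a code captured four minutes ago is rejected. The SMS code is discarded after one attempt so that guessing cannot continue against the same challenge.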


MS France Hacked!

June 2006

Part of Microsoft's French Web site has been taken offline by hackers, who
apparently took advantage of a misconfigured server at the software vendor's
Web hosting provider.

(Screenshot of hacked http:// homepage)

The Web site was defaced Sunday with the word "HACKED!" written across the
top, just above a note that attributed the job to a group of Turkish hackers. The
hacked sections were quickly taken down, and remained out of operation on
Monday morning.


The defacement led to rumors that the hackers may have used a new,
undisclosed vulnerability in Microsoft's Internet Information Services (IIS) 6.0 Web
server. Such an unpatched bug is called a 0day in the security industry. Microsoft
dismissed these rumors on Monday, saying that the hack was due to a
misconfigured Web server.

"We're not aware of any 0day in IIS in circulation," said Stephen Toulouse,
security program manager with Microsoft's security response center. "If we were,
we would be providing guidance on it."

Microsoft's public relations agency confirmed, however, that the Web site had
been hit by a "criminal" attack. "Microsoft's initial investigation points to a
mis-configuration of a web server at a third party hosting facility as the most
likely cause of the compromise," the company said in a statement.

The hack comes at an unfortunate time for Microsoft. Not only has the company
been promoting the security features of its upcoming Vista operating system, it
is also in the process of developing a new line of security software, called
Forefront.

Because Microsoft has paid so much attention to security of late, it is unusual to
hear of such hacks, said Rich Miller, an analyst with Internet research company
Netcraft Ltd. "People are noting it because it's a site that's related to Microsoft,"
he said.


Internet Security Essentials: Top 10 Internet Security Tips

1. Develop a 'culture of security'

Businesses need to have Internet security measures in place and make sure staff
are aware of, and follow, Internet security practices.

2. Install anti-virus software and keep it updated

Anti-virus software scans and removes known viruses your computer may
have contracted. It will help protect your computer against viruses, worms
and Trojans.

3. Install a firewall to stop unauthorized access to your computer

Firewalls work like a security guard to protect your computer from intruders.

4. Protect yourself from harmful emails

Be cautious about opening emails from unknown or questionable sources.

5. Minimize spam
While it is not possible to completely stop spam from entering your email box,
you can take steps to reduce the amount.

6. Back-up your data

Creating a back-up copy of your data is a sensible way to ensure that you can
recover all of your business information from your computer or website quickly
and easily.

7. Develop a system for secure passwords

Creating effective passwords can provide an additional means of protecting
the information on your computer.

8. Keep your software up-to-date

If your software is out of date, you are more vulnerable.

9. Make sure your online banking is secure

If you bank online you should follow security advice provided by your
financial institution.

10. Develop and maintain a security policy

You need to monitor and test security policies.