As taught by Prof. Tim Richardson School of Marketing & e-Business, Faculty of Business, Seneca College, Canada

last updated 2001 July 4
 

In SAN's web page, which includes the listing "How To Eliminate The Ten Most Critical Internet Security Threats" their introduction serves to provide some important points we should consider in beginning this section of the IEC 719 course, namely:

The majority of successful attacks on computer systems via the Internet can be traced to exploitation of one of a small number of security flaws.  Recent compromises of Windows NT-based web servers are typically traced to entry via a well-known vulnerability.  A few software vulnerabilities account for the majority of successful attacks because attackers are  opportunistic – taking the easiest and most convenient  route. They exploit the best-known flaws with the  most effective and widely available attack tools. They  count on organizations not fixing the problems, and  they often attack indiscriminately, by scanning the  Internet for vulnerable systems. System administrators report that they have not corrected these flaws because they simply do not know which of over 500 potential problems are the ones that are most dangerous, and they are too busy to correct them all

.
 

The SANS Institute http://www.sans.org Bethesda, Maryland, USA in their own words "The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they face. SANS was founded in 1989."

What products does SANS offer people interested in the most contemporary and reliable internet security information? SANS offers three different free electronic subscriptions:  Security Alert Consensus (SAC) - weekly One definitive weekly summary of new alerts and countermeasures week with announcements from: SANS, CERT, the Global Incident Analysis Center, the National Infrastructure Protection Center, the U.S.  Department of Defense, Security Portal, Sun, and several other vendors. SANS NewsBites - weekly  NewsBites keep up with everything going on in the computer security world. A dozen or two articles, each just one, two, or three sentences in length, elaborate a URL that points to the source of the  detailed information SANS Windows Security Newsletter - monthly  provides updates to NT Security: Step-by-Step and guidance on new Hotfixes and Service Packs that should and should not be implemented. It also summarizes new threats and bugs found in Windows and its services.

.

The ECRC Program is sponsored by the U.S. Department of Defense Joint Electronic Commerce Program Office (JECPO). The Bremerton ECRC is operated by Concurrent Technologies Corporation, EDC of Kitsap County and Olympic College for JECPO	Electronic Commerce Resource Center 'ECRC' Bremerton, WA  USA  The ECRC describes itself as a "clearinghouse and jumpstation for electronic commerce information and resources"
"The Security Resources page includes resources on a variety of security issues, including document transfers, financial transactions, firewalls, and virus information. The ECRC also offers a free Internet Security Issues seminar"	http://www.becrc.org/security.htm

. .
.

 

National Government Involvement in internet crime and e-business Security                                 National Government Involvement in internet crime and e-business Security

. In this section, which we may not have time to discuss in class, there will be provided some links to web sites from various security and police agencies of national governments. It is hoped that you will be able to read a couple of these articles to get some idea of the degree to which the FBI, CIA, RCMP, CSIS etc. may or may not, be understanding of, and contributing to, a more safe environment for business on the Web. WTGR .  It was announced in August 2000 that The Federal Bureau of Investigation (FBI) will head up this year's World E-Commerce  Forum, at which global Internet security will be an issue for the first time. The full story announcing this event, written by Jennifer Hampton, was in the E-commerce Times in August.  www.ecommercetimes.com/news/articles2000/000804-7.shtml The reason why you would read this article is because it mentions that Michael Vatis, director of the FBI's  computer crime investigation unit "the goal of the summit ... is to identify how a global Internet security agency can be established, and how international law can be utilized to develop and enforce penalties against hackers and virus-mongers" The FBI and "Carnivore" "Carnivore attaches a combination of hardware and software  applications to the network of an Internet Service Provider  (ISP) and scans all of the e-mail and other transmissions to  locate a "target" piece of e-mail or communication from a  specific person or suspect. Carnivore can analyze millions of  messages per second while it searches for the specific  messages that it wants.   The FBI is developing Carnivore to help the agency police  cyberspace. Law enforcement officials have expressed  increasing concern over how the Internet is used illegally for  those who would anonymously distribute child pornography,  steal confidential proprietary information or wreak havoc on  e-commerce giants by hacking into their systems".  by Dan Gebler  E-Commerce Times  August 3, 2000  full online article at  www.ecommercetimes.com/news/articles2000/000803-2.shtml The FBI's own statement on their web site about using "Carnivore"  www.fbi.gov/pressrm/congress/congress00/kerr072400.htm "The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity." Recommended by Mr. Sean Rooney  http://www.nipc.gov/warnings/advisories/2000/00-060.htm in this particular document "... the NIPC has observed that there has recently been an increase [December 2000]  in hacker activity specifically targeting U.S. systems associated with e-commerce and other internet-hosted sites. The majority of the intrusions have occurred on Microsoft Windows NT systems, although Unix based operating systems have been victimized as well. The hackers are exploiting at least three known system vulnerabilities to gain unauthorized access and download propriety information. Although these vulnerabilities are not new, this recent activity warrants additional attention by system administrators. In most cases, the hacker activity had been ongoing for several months before the victim became aware of the intrusion."

.
 

National Government Involvement in internet crime and e-business Security             National Government Involvement in internet crime and e-business Security

The RCMP's  Computer Crime Prevention webpage with sections on Steps to establish and maintain an adequate computer security program Common Methods to Commit Computer Related Crime Computer Virus  www.rcmp-grc.gc.ca/html/ccprev.htm This section of the RCMP web site is not very extensive but it does include a small section on the basics of PKI - Public Key Infrastructure "Emerging Internet-related crimes include piracy, copyright infringement, currency and document counterfeiting, smuggling, hate- and sex-related offences, stalking, extortion, mischief, conspiracy, theft, fraud, and gambling." from an article on the RCMP web site titled "Business in Internet-related crime is booming"  www.rcmp-grc.gc.ca/html/online000128a.htm Maclean's online magazine had a story June 12th, 2000,  "Canada's police are only starting to catch up with hackers and other criminals who target online computer users" The article mentions a number of well known internet security situations that have happened and says that "Canada's response has been relatively low-key"   written by Chris Wood with Brenda Ranswell in Montreal and Robert Scott in  Toronto RCMP involvement with e-businesses that have been hit by cyber crime. A recent example (Feb 2000) is what happened to the HMV website. Basically, it was a denial of service attack.  HMV's site went offline for an hour Feb. 7 after being flooded with bogus information.  Full story was available on the Toronto Star's web site

National Government Involvement in internet security

Echelon "Designed and coordinated by NSA, [America's National Security Agency] the ECHELON system is used to intercept ordinary e-mail, fax, telex, and telephone communications carried over the world's  telecommunications networks. Unlike many of the electronic spy systems developed during the Cold War, ECHELON is designed primarily for non-military targets:  governments, organizations, businesses, and individuals in virtually every country. It potentially affects every person communicating between (and sometimes within) countries anywhere in the world. "

National Government's involved in internet scams Nigeria Nigerian Flag             National Government's involved in internet scams Nigeria Nigerian Flag                     National Government's involved in internet scams Nigeria Nigerian Flag

. In discussing this scam, we are not making any value judgement on Nigerian people, rather we are referring to the geographic place where a popular scam format has originated for many years, and is now becoming very popular using internet communication means. WTGR .  For 10 years now, there have been many scams come out of Nigeria, and with the popularization of the internet, contact with target victims is facilitated more easily by email. In the screen capture to the left, you can see an example of an email that was sent to your professor, attempting to solicit contact. The best thing to do if you receive such contact, is pass the information to the RCMP. You should NOT reply to the person because then they will know they have a "live contact". You should understand that they contact thousands and thousands of potential targets and you are nothing "special" From the official web site of the RCMP Most letters are variations of the following:  You receive an "urgent" business proposal "in strictest confidence" from a Nigerian civil servant /businessman. The sender, often a member of the "contract review panel",  obtained your name and profile through the Chamber of Commerce or the International Trade Commission. The sender recently intercepted or has been named  beneficiary of the proceeds from real estate, oil products, over-invoiced contracts, cargo shipments, or other commodities, and needs a foreign partner to assist with  laundering the money.  Since their government/business position prohibits them from opening foreign bank accounts, senders ask you to deposit  the sum, usually somewhere between $25-50 million, into your personal account. For your assistance, you will receive between 15-30% of the total, which sits in the Central Bank of Nigeria awaiting   transfer. To complete the transaction, they ask you to provide your bank name and address, your telephone and fax numbers, the name of your beneficiary, and, of course, your bank account numbers. The sender promises to forward your share within ten to fourteen working days!  It is not true - it is a scam - DO NOT BECOME A VICTIM. Do not reply, make no contact.

Professional Security Service Companies

KPMG Investigation and Security Inc. part of the large KMPG accounting and consulting group of companies  http://www.kpmg.ca/english/services Norman Inkster is the President of KPMG ISI and is best known for being the former Commissioner for the RCMP Many of the large professional service firms such as KPMG, Price Waterhouse Coopers, Ernst & Young have publications on their web sites re: e-commerce KPMG has e.fr@ud.survey.2000   http://www.kpmg.ca/english/services/fas/publications/efraudsurvey2000.html