MGTC50

Building Internet
Commerce Ventures

A 3rd year undergraduate course in the
Division of Management, University of Toronto, Scarborough College, Canada

For the section(s) taught by Tim Richardson Monday evenings, 19:00 (7:00 pm) - 21:00 (9:00 pm)

SECTION E - December 2001
© by W. Tim G. Richardson This page last updated 2002 July 3rd
.

Security - whether it be credit card misuse or email messages being infected with a virus, - continues to be one of the most significant impediments to the successful spread of e-commerce. Therefore, in order to have a good grasp on "building Internet Commerce ventures", it is necessary to include a good discussion of security topics.
WTGR

Before we begin this section, it is perhaps wise to pause and reflect on whether the precautions we are about to discuss are necessary - that is to say "why deal with the trouble of security procedures if the threat, in actuality, is not very big?"

The answer to this question is a resounding YES - the threat is real and it is growing.

We searched for an authoritative voice on threat trends and found the article below - this article discusses a survey conducted by the Computer Security Institute (a legitimate and credible organization) and the FBI's Computer Intrusion squad based in San Francisco. The survey concludes that cyber crimes are rising substantially - therefore the threat is real and it needs to be dealt with.

"The results of the sixth annual [2001]"Computer Crime and Security Survey," conducted by the Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigations (FBI) Computer Intrusion squad, were released mid-March [2001] with some startling findings. "Based on responses from 538 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, the findings of the 2001 Computer Crime and Security Survey confirm that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting," the report states."
www.rsasecurity.com/newsletter/v2n2/cybercrime.html

.	After reading the story in the RSA page about the Survey concluding Cyber Crime is growing, you should pause and reflect if 1. Cyber Crime is growing, or is it also partly 2. Companies are simply getting better about detecting cyber crime.

Security
Considerations

Proper
Procedures

In addition to the SANS web site, Bruce Schneier's company, Counterpane, has a very extensive web site, within which is a lot of material, especially related to the topic of security procedures.

"Security is a process, not a product"

Bruce Schneier, CTO of Counterpane and
Author of the book Applied Cryptography

Counter
measures

Responding to a security risk, or a threat of a security risk

One of the things you can do is to be on mailing lists from different security related organizations

government security organizations
national industry associations
large security IT companies

that provide information on current threats, and remedies to deal with the threat.
The remedies sometimes involve obtaining the latest patches to use in software that has vulnerabilities..

Being on the SANS mailing list can be very useful. As this course was being prepared, the author of the course received an email from SANS about hackers extorting North American businesses.

Security
Considerations

Proper
Procedures

Aladdin Knowledge Systems
Internet Security Unit
is based in Seattle

From their main web site
http://www.eAladdin.com
you can also see a link to "Glossary of terms" on their main page

Shimon Gruper is the Chief Technology Officer of Aladdin's Internet Security Unit
Gruper has had a list of Top 10 Security Tips on Aladdin's web site for quite some time and the list is quite valuable to refer to.

The point form list of the 10 tips is to the right.

Was at
http://www.esafe.com/shimonsays/index.html#top10
but this link was not active November 2000

1. The Safe use of Email Attachments
2.Vandals in Word Documents?
3.Setting Browser Security Options
4.Buying Products over the Web
5.Protecting your Personal Information
6.What about Cookies?
7.Are Java and ActiveX Safe?
8.Are Plug-ins and Push Clients Safe?
9.What about Viruses?
10.How to handle Spam Mail

Security
Considerations

Proper
Procedures

Security Procedures: Weak Points

Matthew Friedman, writing in the Plesman publication e-Business, authored an article in April 2000 about Hackers in which he said that "Security Managers are confident in the security postures of their organizations.But a recent report suggests they might not be getting the whole picture"
http://www.plesman.com/eb/news.html
?CONTENT=news/eb020425a

Friedman explains that in Feb 2000 the publicized stories of hackers overloading some well known sites like Yahoo raised awareness of security issues but Friedman goes on to cite some experts who say not enough is being done, and more importantly, key people don't understand the implications of security vulnerabilities. Friedman notes Steven Ross, Deloitte & Touche's director of e-business technologies and security - quoting Ross "there's a feeling among the security people themselves that management doesn't understand the issues like they do."

Friedman's article is a very good report on the key issues and you are strongly encouraged to read it thoroughly.

Secrets & Lies: Digital Security in a Networked World
- information about this book can be obtained from
www.witiger.com/ecommerce/ecommercetextssecurity.htm
Schneier talking about the "relationship between prevention, detection and reaction.

"Good security encompasses all three"

prevention - facilities and systems to prevent people getting in and taking information
detection - to find out if anybody has gotten in, and compromised important information or processes
reaction - to allow the "bad guys" to be identified and their activity stopped

Schneier points out widely that "digital security tends to reply wholly on prevention: cryptography, firewalls and so forth. There's generally no detection, and there's almost never any response or auditing"

Schneier's statement about the relationship between prevention, detection and reaction is very important. The reason it is important is that most companies are focusing on e-commerce security by spending money to develop firewalls, filtering etc. - but if someone is successful in getting past that - very few organizations will know about it.

This is like putting steel bars on your patio sliding doors hoping your house will not be broken into - but not knowing whether or not someone has snuck in through a basement window.

Security doesn't work - if you cannot determine if it is working !!!

Chpt 5

"Electronic Commerce": Greenstein & Feinman, Chpt 5 The Risks of Insecure Systems
- information about this book can be obtained from
www.witiger.com/ecommerce/ecommercetextssecurity.htm

the powerpoints for Chpt 5 can be obtained from
http://homepages.cambrianc.on.ca/timrichardson/ecommerce/ECP1220/greensteinchap5.ppt

Before you begin - it would be a good idea to go to the website for the book and scan through the online list of "Key Terms"

clicking on the screen capture to the right will take you directly to this "glossary"

http://www.mhhe.com/business/accounting/greenstein/keyterms.mhtml#five

Page 133 Greenstein Text

"Until recently, most information security breaches were initiated by insiders. However a study by the CSI Computer Security Institute and FBI indicates that this trend is rapidly changing. The findings indicate that the number of external attacks is growing because if the increased use of the Internet"

Overview of Risks Associated with Internet Transactions
Greenstein page 135

Internet Associated Risks

Risks to Customers
Risks to Selling Agents and Vendors

Intranet Associated Risks

Sabotage by Employees
former employees
threats from current employees
social engineering

B2B Risks

risks associated with transactions between business partners

Data Interception

Archives

risks associated with confidentially-maintained archival, master file and reference data

Viruses

risks associated with viruses and malicious code overflows

trojan horses
hoaxes
buffer overflows
denial of service

Chpt 3

Types of
Attacks

Chpt 3

Types of
Attacks

Secrets & Lies: Digital Security in a Networked World
by Bruce Schneier

Chpt 3 Attacks

.	Schneier's third chapter in the book is an excellent overview of the different classes of attacks. You are strongly encouraged to read the entire chapter. The main themes, summarized in point form, are arranged below.

Criminal Attacks

fraud
scams
destructive attacks
intellectual property attacks

piracy
unauthorized copy of text and images from one site to another

identity theft
brand theft
prosecution

Privacy Violations

data harvesting
surveillance
databases
traffic analysis
massive electronic surveillance

Publicity Attacks

denial of service attacks
defacing web pages

Legal Attacks

http://www.witiger.com/ecommerce/hackers.htm

Chpt 3

Types of
Attacks

- Frauds

In addition to the resources of the National Consumers League, you can also access the web page of the National Fraud Information Center. The NFIC also has a special section on their web site dealing with Internet Fraud
www.fraud.org

In their own words "Internet Fraud Watch was launched in March of 1996 enabling the NFIC to expand its services to help consumers distinguish between legitimate and fraudulent promotions in cyberspace and route reports of suspected fraud to the appropriate law enforcement agencies. "

The NFIC web site is very extensive and you should time looking at the various links and read about some of the types of scams and frauds.

They also have an "Internet Tips" page which is simply worded, but useful.

You could earn some class contribution points by thoroughly reviewing this site and picking out some additional information which could be added in to this page.

Chpt 3

Types of
Attacks

- Scams

Scams
Schneier quotes the National Consumers League (Chpt 3, page 24)
"the five most common online scams are

sale of internet services

sale of general merchandise

auctions

pyramid and multi-level marketing schemes

business opportunities"

.
the National Consumers League (Chpt 3, page 24)

http://www.natlconsumersleague.org/essentials/index.html

It would be very worthwhile to spend some time on this site since
it has some links and tips that are helpful
.

Privacy Violations

In many countries, people do not own the information which is collected about them, that is to say, their personal data.

This information is considered the property of whatever credit card company, insurance firm, educational institution that collected the information.

As a consequence of some outrageous violations of collecting and disseminating personal information, Canada, New Zealand and other countries have enacted tough laws which are binding on the companies that collect and pass on personal profile information (which we noted in Section 1 of this course when we presented the federal and provincial legislation dealing with this).

Privacy violations are not, strictly speaking, criminal activity, but, depending on what is done with the information, it can be used for criminal purposes - such as assuming an identity for the purposes of obtaining credit, which could then be used to fraudulently buy products and services.

As a person studying e-commerce, it would be your responsibility to understand that protecting the private personal information of people that have data held within your firm's IT systems, is critical to conduct effectively and without risk.

Chpt 3

Types of
Attacks

- Privacy Violations

Privacy Violations

Schneier, page 29
"There are two types of privacy violations

Targeted Attacks, and
Data Harvesting"

Targeted Attacks
If the attacker wants to know everything about

a person, it is called stalking
a company, it is called industrial espionage and corporate intelligence
a country, it is called national intelligence gathering, or spying

http://www.witiger.com/ecommerce/DNSattacks.htm

Data Harvesting
As Schneier says, "this attack harnesses the power of correlation"

Data harvesting is only worthwhile doing if it can be automated, and computers allow the automation process to be done very effectively. Using good cryptography will thwart harvesters since they will not be easily able to identify if what they are looking for is in the target they are attacking.

Chpt 3

Types of
Attacks
- Traffic Analysis

Chpt 3

Types of
Attacks
- Traffic Analysis

Secrets & Lies: Digital Security in a Networked World
by Bruce Schneier
Chpt 3 Attacks

Privacy Violations

traffic analysis

"Traffic analysis is the study of communication patterns. Not the content of the messages themselves, but characteristics about them"

Explanation:

If Joe sends a long message to Bill, then Bill sends a short reply back to Joe, and additionally a long message to Sue, Kevin, Greg and Alice, then we can assume there is some degree of hiearchy in this structure and regardless of the content, there must be some directions coming from Big Joe, which need to be passed on. If you wanted to spend time hacking these messages, the most effective thing to do is hack the single message from Joe to Bill since the information in that would probably tell you what Sue, Kevin, Greg and Alice received from Bill.

The purpose of this explanation is to show that sometimes the patterns of communication are just as important to understanding as the actual text of the message sent.

.
Schneier gives an amusing example noting that in the hours leading up to the 1991 bombing of Iraq, pizza deliveries to the Pentagon increased one hundredfold - even if you did not know what the generals and admirals were talking about, it had to be something important from which there would be some serious time spent on decision making.

Although we have cautioned that it is wise to encrypt your communications, we also have to mention that sometimes people can figure out what you are doing anyway because even if the message is encrypted, people could know the volume of traffic and this might be an indicator of something important - depending on the context.

Therefore: not only do you prevent people knowing the content of your messages, you should endeavour to let people know the messages even exist !!!

http://www.witiger.com/ecommerce/privacyissues.htm

Internal
Threats

Internal Threats

"The threat that is most often overlooked, yet is most likely to occur, is the inside threat. Provding internal access to an organization's digital assets can be the Achille's heel of many security plans through either malicious intention or carelessness... Few modern systems can withstand attacks from users who are logged on to internal machines"
page 9, Chpt 1

Dr. Gnosh's book, E-Commerce Security, and other books and several on-line resources emphasize that good security requires a blend of computer security tools with policies that are judiciously applied - meaning if situation "x" requires the person only has a password to section"1", then do not give them a password for all sections just because it is too time consuming to block them off from thos they should not have access to.

Gnosh says "The principles of need-to-know and compartmented information can be useful in determining to whom privaleged accounts and paswords should be given".

Internal
Threats

Internal Threats, Logic Bombs

Examples
of how
internal
threats
are
carried out
by
disgruntled
employees

A true story.

"Lloyd built the Novell NetWare computer network at Omega South and then blew it up with a software time bomb after he fell from corporate grace and was ultimately fired for performance and behavioral problems....Ralph Michel, Omega's chief financial officer, testified that the software bomb destroyed all the programs and code generators that allowed the company to manufacture 25,000 different products"

CNN
www.cnn.com/2000/TECH/computing/06/27/omega.files.idg/

"On May 9, the U.S. District Court jury in Newark, N.J., found Tim Lloyd, 37, of Wilmington, Del., guilty of setting a software time bomb that crippled his former employer's manufacturing capabilities and cost the company more than U.S.$12 million.
www.rsasecurity.com/newsletter/v1n1/securitywatch.html

"Omega Engineering learned firsthand the dangers of the disgruntled employee after a timed virus, known as a logic bomb, wiped out all of its research, development, and production programs in one fell swoop. The tape backup also was destroyed."
www.computingsa.co.za/1998/04/27/ANALYSIS/NAN01.htm

.	The story of Tim Lloyd is well known and appears in several online news sites.

The disgruntled employee poses but one of many insider threats to information systems and the valuable data stored therein. Unauthorised access from insiders, rather than outside hackers, accounted for 44% of network security breaches last year, according to the March 2000 survey by Computer Security Institute (CSI) and the FBI.

"The greatest exposure to any organisation is what I call the knowledgeable insider - anybody from a janitor to a vendor or an active or ex-employee," says Steve Dougherty, director of information security at the Fulsom, California-based California Independent System Operator, which is taking over management of power grid transmissions for 27m Californians with the state’s recent industry deregulation.

American Society for Industrial Security’s (ASIS). 89% of respondents to the ASIS 1997/1998 Intellectual Property Loss Special Report indicated that their biggest concern regarding system security is retaliation from disgruntled employees..

University
College
computers
- a weak link

Several columnists and experts have spoken and written about one of the more distasteful sources of IT risk and that is namely the hackers from within colleges and universities.

The very nature of academic institutions fosters freedom and access together with learning. It is also at universities and colleges that people have access to massive computing power with very little human security measures.

Since some of the more spectacular security breaches require lots of computing power, it has happened in the past, and will happen again that people will use interconnected computers in campus labs to launch attacks, either for the thrill of the process, or to accomplish a criminal act.

You can earn some class participation / contribution points by finding an online news story about any recent attacks that originated from a college or university. It would be particularly useful if the story also included the "what happened later" information so that it can be known what was the consequence of the event being made public.

.
Risks with Business Partners

Risks
With
Business
Partners

they may
pass on
infections
to your clients

Risks
With
Business
Partners

they may
pass on
infections
to your clients

A SANS Institute email alert about a "fix" which itself contains a virus

Medium and large size companies make themselves vulnerable to risk when they outsource various services to intermediary parties.

Microsoft - which one would presume is very very careful about who they partner with, is often vulnerable when the partner makes a bad mistake.

Some of these mistakes happen when the intermediary is responsible for dispensing some service, such as making downloads available. In the screen capture below, you can see Prof. Richardson has received an email from SANS. This email details how Microsoft Hotfixes downloaded from the Premier Support and Gold Certified Partner web sites were infected with the Fun Love virus.

http://homepages.cambrianc.on.ca/timrichardson/ecommerce/SANalert1.htm

The original email has been uploaded to the ECP site and you can read the full text, including other warnings and info at
http://homepages.cambrianc.on.ca/timrichardson/ecommerce/SANalert1.htm

So the irony of the situation is almost funny if it weren't so dangerous - here is the world's most powerful softare company providing "fixes", through an intermediary, and the "fixes" themselves contain a virus !!

One of the ways you protect yourself from these situations is being very diligent and reading all the email from organizations like SAN, which provide news and info on these vulnerabilities..

It is not the intention of this part of the course to be able to adequately cover all the various types of viruses that may effect e-commerce since do not have the time nor resources to do that satisfactorly -
but,
it is important to have some understanding of the business risk at stake here and try to evaluate if it is a serious problem, because - if it is a serious problem, then every e-commerce professional needs to add to their portfolio of knowledge, some degree of understanding about viruses.

http://www.mcafee.com/anti-virus/virus_glossary.asp?

This web site is very helpful and you are encouraged to bookmark it and check it for terms you do not know.

Virus
Protection
and
business
risk

"The internal threat is clearly a danger, but most companies are concerned about the external threat - the extent of which is unknown"
page 10, Chpt 1

"IT's Battleground: The Quest for Virus Protection"
is the title of an August 4th, 2000 in Computing Canada
www.plesman.com/Archives/cc/2000/Aug/2616/cc261614a.html

In this August 4rth article it is noted that
"A recent survey estimated that viruses and other destructive acts will cost large businesses (over 1,000 employees) worldwide $US1.6 trillion this year and result in almost 40,000 person-years of lost productivity ...It's no wonder the anti-virus software market has hit almost $US70 million so far this year [2000]"

Is the problem getting worse? At this stage statistics on known virus attacks seem to indicate the problem is getting worse. For the most part, security experts believe the majority of virus attacks are made by unhappy employees and egotistical hackers and crackers - it does not appear to be something that companies are employing against each other to give themselves a competitive edge - but it may not be long before this happens since businesses large and small have been known to use very "illegal and immoral" tactics to gain advantage.

.
From the August 4rth article
"Symantec, publisher of the market-leading Norton Anti-Virus, has seen an average of 115 new viruses each month this year, up 30 per cent from 1999."

Viruses

"Virus Vigilance "
is the title of a December 11, 2000 article in Computerworld written by Deborah Radcliff
http://www.surfcontrol.com/news/articles/content/12_11_2000_cw.html

In this Dec 2000 article it is noted that

"The problem with today's viruses is twofold: Not only can they be easily rewritten to change their signatures and bypass antivirus tools, but they are also tempting attachment types for click-happy users who see nothing wrong with opening mail attachments from trusted sources. "

translated

1. viruses can change form so the anti-virus software you installed, and obediently updated, cannot recognize the new virus as a threat, and does not screen it out
2. too many people are indiscrimantly passing on viruses without following basic security procedures

So, what is the problem when people don't listen, andfollow proper procedures to protect against viruses?

Radcliff quotes Roland Cuny, chief technology officer at Webwasher.com, an Internet content filtering vendor
Cuny says
"Training is not enough. You also need a technical solution,"

It would seem obviously self-serving for Cuny to say the solution is technical since his company makes the solution marketed for this - but there seems to be more and more people saying that it is hopeless to get IT persons to do the right procedural thing - therefore we have to have software to protect us..

.
What is part of a technical solution to block viruses?

Radcliff quotes experts saying you can "...set up filters to block executable attachments before they get to desktops. Blocking file types known to carry viruses and Trojan horses (hidden programs) may sound extreme. Bruce Moulton, vice president of infrastructure risk management at Fidelity Investments in Boston said he first reviewed how his company uses these file types. Once he determined that these attachments weren't even used for business purposes, making the decision to block them was easy. "The business impact of shutting out these file types is zero because 99.9% of these attachments that come in are for personal viewing, like animated Christmas cards, movie clips, things like that,"

Worm
Viruses

Viruses

Worm
Viruses

.	There are many specific virus and DNS attacks that could be mentioned but for the sake of time, and for the sake of learning from focusing on just a few examples, we will look at the July / August 2001 case of the CODE RED worm virus that gathered much attention worldwide. WTGR

"Code Red is a time-linked worm that awakens on the first of the month and goes dormant on the 20th; computer security watchers noticed the first version of it in mid-July (2001), with the worst virulence appearing on July 19, when even the White House had to take evasive action to keep it from affecting its official Web site

It works by installing itself on server computers running Microsoft Corp.'s Windows NT and 2000 operating systems and IIS software. It then blitzes Web sites with data, in an attempt to knock them out of commission known as denial-of-service."

What does it do?

"Code Red, named for a caffeinated soft drink favored by computer programmers, scans the Internet for other computers to infect, and as more computers are infected the scanning gets more widespread and could slow Internet traffic to a crawl.

The worm can also defaces sites, though in two of the three known variants no vandalism is apparent to computer users. In last week's hits, some U.S. government sites showed the message ''Hacked by Chinese!'' but the Chinese government said the worm probably did not come from China."
from yahoo.com

"Government agencies in Canada and the United States, as well as academics and Web security experts, were monitoring the situation closely, but did not detect any slowdown right after the worm's expected arrival at 8 p.m. EDT., July 31, 2001"
National Post Aug 1, 2001

http://www.witiger.com/ecommerce/viruses.htm

Before we finish the section on viruses, it would be worthwhile to visit the Security Section on Netscape's site. There is a short Q&A about viruses and a helpful glossary.

http://home.netscape.com/security/basics/viruses.html

.

.

. While there are some news reports and insightful web sites we can reference which seem to indicate where things are going - there is not a lot of hard core knowledge about the future of the internet - why?

Too many entities are involved and many of these entities have conflicting purposes

government agencies and the regulatory reforms

industry associations

individual large corporations fighting for market dominance

Rapid changes in speed of connectivity to the internet in different countries around the world (eg. high speed access is common for thousands of people in Korean cities)

effects who can use the internet, which effects the number of new users

effects what features can be used on the WWW, based on connectivity speeds

Customers are confused and bewildered about everything from payment systems to transaction security to shipping of the product and in this confusion they drift from one site to another

In some situations the actions of customers seem to have big effects because of their mass adherence to some activity

in other situations the actions of customers are very difficult to understand and predict due to the anonymity with which people surf the WWWeb

WTGR

.