Thursday, May 10, 2007

Internet security and ways to decrease vulnerabilities

Rokeshia Robinson
Follow up Paper #2
Internet Security & Security Issues
May 9, 2006


Too often, some businesses just do not take security seriously. Common statements range from “We don’t have data of any value” to “Nothing will happen to us”. The problem seems to stem from a misunderstanding of how organizations’ resources could be violated and used. A common misconception is that hackers only go after the “big fish”. Not much thought is given to the idea that their resources may be used for things other than a DoS (denial of service) attack. Organizations cannot afford to lose time, money, or integrity due to security incidents. Businesses can suffer immeasurable losses from security incidents, such as a data center production outage caused by a worm or virus, or a hacker defacing a website.

To avoid becoming a victim of misguided pranksters or cyber-crime, organizations should take the time to examine the security of their customers and personal data. In our security presentation we talked about some devices and solutions that organizations use to decrease vulnerabilities within their organization. Listed below are a few tips that we use at Fiserv to protect ourselves from Internet threats.

Spyware protection: Viruses spread rapidly and can damage or destroy your computer. New ones appear almost daily. It's critical that you install and update anti-virus software regularly. Use the program to scan all the files on your system once a week, deleting the infected ones.

Email Attachments: Like I mentioned in class, some people will open suspicious email, and most of the time a virus is what hides in the attachment. Not to my surprise, opening it will unleash the virus. Don't open an attachment from anyone you don't know. Even if you do know the sender, an infected attachment may have been surreptitiously sent from an infected machine. The safest thing to do is to scan the attachment with anti-virus software before you open it.

Firewalls: (Chin discussed the use of firewalls and their benefits. However, if organizations don’t set additional rules, the firewall may cause more harm than good.) A firewall is a software program that blocks unauthorized access to your computer. This is particularly important if you have a broadband connection, such as DSL or a cable modem. Windows XP has a built-in firewall, so make sure it's activated if you use that operating system.

Password protection and management: Many online services, such as banking, brokerage and e-mail, require the use of passwords. A secure password is the first line of defense against cyber-snoops. Use a different password for each account, don't divulge them to anyone and change them periodically. (Dr. Sargent pointed out that users become less secure due to having so many passwords to remember, which forces users to write them down.)

Security Updates: Update security patches for your operating system and web browser. You've probably read about security "holes" that turn up periodically. Once they are discovered, you can download fixes. For Windows users, an easy way to update your system is to click on the Windows Update option under the Start menu or to point your web browser to this link: http://windowsupdate.microsoft.com/.

And last, but nowhere near least: log offline when you are done for the day. You are most vulnerable when connected to the Net. If there isn't a good reason to remain online, disconnect from the network. Here are some of the Internet attack trend highlights from Symantec's 2006 report. I just wanted to show the percentage of Internet attacks and who is affected, in addition to showing that no one is safe from Internet vulnerabilities.

Attack Trends Highlights

• The government sector accounted for 25 percent of all identity theft-related data breaches, more than any other sector.

• The United States was the top country of attack origin, accounting for 33 percent of worldwide attack activity.

• Symantec recorded an average of 5,213 denial of service (DoS) attacks per day, down from 6,110 in the first half of the year.

• The United States was the target of most DoS attacks, accounting for 52 percent of the worldwide total.

• Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers.

• Home users were the most highly targeted sector, accounting for 93 percent of all targeted attacks.

• China had 26 percent of the world’s bot-infected computers, more than any other country.

• Beijing was the city with the most bot-infected computers in the world, accounting for just over five percent of the worldwide total.

• Israel was the highest ranked country for malicious activity per Internet user, followed by Taiwan and Poland.

Tuesday, May 8, 2007

Internet: Secure Enough?

Chinnapong Somsueb
ID# 1671071
MCS 760
2nd Follow-up Paper

Nowadays, the Internet has been in use for years and has become part of our daily life. The number of users has also been increasing progressively. Many businesses have implemented Internet systems as one part of their businesses. According to Internet World Stats, the number of Internet users has grown dramatically from 8.6 percent in 2002 to 16.6 percent at the end of 2006, which is about double in only four years. As the number of users has been growing, the number of risks and threats has been increasing at a similar rate. Therefore, Internet security has become one of the major issues in today's business. There are several possible risks in current Internet society, such as viruses, spyware, adware, phishing, and other privacy issues.


First of all, computers have been involved in our daily life for decades. Computer viruses, computer programs that can copy themselves and infect a computer without the permission or knowledge of the user, have also been distributed steadily. In previous years, a computer would be infected through a removable medium, such as a floppy disk. Nowadays, many computers are connected in networks, so viruses can spread to other computers that are connected to the same network. By extension, if computers connect to the Internet, there is a greater chance of getting a virus than for closed-network computers. Several anti-virus packages have been created in order to prevent and eliminate viruses from computers and networks. Therefore, Internet users have to update their anti-virus software as soon as possible in order to be protected.

The next possible vulnerability from the Internet could be spyware and adware. This is computer software that usually collects personal information about users without their proper informed permission. Several different kinds of Internet users’ personal information could be searched, recorded, and sent out without any consent. The purposes of spyware are, for example, advertising while the user is on the Internet and stealing browsing history as well as personal information which many users want to be secured. If there is spyware on the computer, it would slow down its performance. Moreover, Internet users would be annoyed while using the computer. Most anti-virus and anti-spyware software can detect and remove software on a user's computer that is determined to be either adware or spyware. It also detects dialers, trojans, malware, data-mining, aggressive advertising, parasites, browser hijackers, and tracking components.

Phishing and other privacy issues such as pharming could be considered effects of social engineering, which is a collection of techniques used to manipulate people into performing actions or divulging confidential information. (1) Phishing frequently takes the form of email appearing to come from a legitimate business, such as a financial institution or credit card company. Such email requests verification of personal information and warns of some dire consequence if it is not done. Because phishing usually comes by email, Internet users have to be aware of it and refuse to reply to this type of email. According to the federal bank, thrift and credit union regulatory agencies’ information (2), we can protect ourselves from phishing in the following ways:

  1. Never provide personal information in response to an unsolicited request.
  2. If you believe the contact may be legitimate, contact the financial institution yourself.
  3. Never provide a password over the phone or in response to an unsolicited Internet request.
  4. Review account statements or transactions regularly to ensure all charges are correct.

Furthermore, pharming is a cracker's attack aiming to redirect a website's traffic to another (counterfeit) website. It can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. Significantly, anti-virus software and spyware removal software cannot defend against pharming. Even though the Anti-Phishing Act was introduced in 2005, Internet users have to make sure they are using secure Internet connections (HTTPS) to access privacy-sensitive sites such as banking or tax sites, and accept only valid public key certificates issued by trusted sources.

On the other hand, besides anti-virus, anti-spyware, and awareness of Internet users, there is computer hardware, such as firewalls and routers, that can help us be safe from several cyber crimes. Firewalls can block all traffic except through authorized ports on internal computers, thus only restricting unfettered access. In addition, routers, computer networking devices that buffer and forward data packets across an internetwork toward their destinations, direct messages to the proper target and are sometimes referred to as "gateways." Routers are often employed in conjunction with firewalls. Moreover, the implementation of security systems has several effects. For example, because of the high cost of software and hardware to protect the computer and privacy, users have to have enough knowledge and awareness in order to avoid sharing inappropriate information, and stay updated about computer threats.

The number of Internet users is still increasing, and this group would be considered a target group for business and unwanted advertisements. Several kinds of software and methods have to be used in order to prevent and protect users’ privacy. As a result, if both proper user behavior and network design are implemented together, it could help avoid problems with security, which have been increasing.

(1) Mitnick, Kevin; Kasperavičius, Alexis: "Certified Social Engineering Prevention Specialist Course Workbook.", page 4. Mitnick Security Publishing, 2004.
(2) The federal bank, thrift and credit union regulatory agencies, Avoiding Scams. Retrieved May 5, 2007, from Warning Internet Pirates Web site: http://www.wright-pattcu.coop/files/antiphishing.pdf
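
The pharming paragraph above names two routes: a changed hosts file on the victim's computer, or a DNS server vulnerability. The following is an added example, not part of the original paper, that audits hosts-file text for the first route only. The watched domains, the addresses, the sample file and all function names are constructed for illustration.

```python
import ipaddress

# Constructed watch list: sites whose name resolution should never be pinned locally.
WATCHED_DOMAINS = {"examplebank.test", "taxportal.test"}

# Constructed sample hosts file (documentation-range addresses, reserved .test names).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
fe80::1%lo0     localhost
203.0.113.45    www.examplebank.test examplebank.test   # pinned to a non-bank address
0.0.0.0         ads.tracker.test
198.51.100.7    login.TaxPortal.test.
127.0.0.1       notexamplebank.test
not-an-ip       examplebank.test
"""


def parse_hosts(text):
    """Yield (line_no, address_field, [hostnames]) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        # Hostnames are case-insensitive and may carry a trailing root dot.
        yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(hostname, watched):
    """True for a watched domain or any subdomain of it (label-boundary match)."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return findings as (line_no, address, hostname, reason) tuples."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            # Strip an IPv6 zone id such as "%lo0" before parsing.
            ip = ipaddress.ip_address(addr.split("%", 1)[0])
        except ValueError:
            findings.append((line_no, addr, None, "malformed-address"))
            continue
        for name in names:
            if not is_watched(name, watched):
                continue
            # A hosts entry overrides DNS, so any entry for a watched name is
            # suspicious; loopback/unspecified blocks the site, anything else
            # sends the browser to a different server.
            local = ip.is_loopback or ip.is_unspecified
            reason = "blocked-locally" if local else "redirected"
            findings.append((line_no, addr, name, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

A clean result here says nothing about the DNS-server route; for that case the HTTPS and certificate checks the paper recommends remain the user's safeguard.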

Symantec Internet Security Threat Report-interesting notes

Over the past two reporting periods, Symantec has observed a fundamental shift in Internet security activity. The current threat environment is characterized by an increase in data theft and data leakage, and the creation of malicious code that targets specific organizations for information that can be used for financial gain.

Instead of exploiting high-severity vulnerabilities in direct attacks, attackers are now discovering and exploiting medium-severity vulnerabilities in third-party applications, such as Web applications and Web browsers. Those vulnerabilities are often used in “gateway” attacks, in which an initial exploitation takes place not to breach data immediately, but to establish a foothold from which subsequent, more malicious attacks can be launched.

Symantec has observed high levels of malicious activity across the Internet, with increases in phishing, spam, bot networks, Trojans, and zero-day threats. However, whereas in the past these threats were often used separately, attackers are now refining their methods and consolidating their assets to create global networks that support coordinated criminal activity.
This has resulted in an increasing interoperability between diverse threats and methods. For example, targeted malicious code may take advantage of Web-enabled technologies and third-party applications to install a back door, which then downloads and installs bot software. These bots can, in turn, be used to distribute spam, host phishing sites, or launch attacks in such a way as to create a single coordinated network of malicious activity. Once entrenched, these networks can be used in concert as global networks of malicious activity that support their own continued growth.

4th Position paper

Rokeshia Robinson
Internet Security & Security Issues
May 4, 2007

What is Internet Security? I believe to understand this question we would first have to look at the history of the “Internet”. Now we all may have heard the rumor that the “Internet” was created by Al Gore. Well, in my quest to find the real creator of the Internet, I stumbled across some interesting information that would argue that Al Gore wasn’t the creator, but was a true activist for the concept that eventually turned into a reality.

According to Wikipedia, the history of the Internet goes all the way back to the fifties and early sixties, prior to the widespread inter-networking that led to the Internet. Most communication networks were limited by nature to only allow communications between the stations on the network. These networks only had bridges and gateways between them, and they were often limited or built solely for a single use. It wasn’t until the late 1980s that the Internet system was developed and ready, but it was held up due to the Cold War. J.C.R. Licklider, Larry Roberts, and Robert Taylor were the three who engaged in the interconnected networking systems that evolved into the core of what the Internet would become. So now that we have a brief overview of the “Internet”, I would like to talk about Internet vulnerabilities, threats, and security around the world.

Internet-based, real-world applications require appropriate security mechanisms because potentially millions of users and their agents (or participants) will access billions of objects of information content in complex workflow processes (e.g., commerce, learning, healthcare). Security is one of the strategic technologies that will increase the value and utility of the Internet and Internet-based applications. Traditional security issues deal with the authentication and authorization of users in network domains. Today there are numerous security issues concerning information content, users, and application systems in information domains.

Effective Internet security systems combine several methods of protecting data and systems. These are some of the most common Internet security measures:

Authentication: Authentication restricts access to designated systems or information until users "prove" their right of access by providing an authorized password or personal identification number (PIN). Password administration becomes vital to update the system frequently so only "authentic" passwords are active. In some systems, a digital signature can be used to verify that the message was sent by the authorized party and that it wasn't tampered with during transmission.

Antivirus software: Software can be loaded on an operating system to detect viruses and prevent them from entering the database where they can alter or delete data. Because new viruses are constantly being created, you should update your antivirus software on a regular basis.

Encryption: Data is encrypted--or translated into a code--to ensure that it can be read only by authorized users who have the software to decrypt the data. Encryption also protects material from unauthorized access or tampering while it's traveling on the Internet.

Firewalls: Firewalls provide a single point of entry for data, which allows the credit union or security service to screen out unauthorized users before they enter the internal computer system. You can usually dedicate a personal computer (PC) for firewall use. This PC is loaded with the appropriate software to filter all information passing to and from the in-house computer system.

Protocols: You use a set of rules, or "protocols," to determine how a network operates, including the cryptography that protects information. Intranet systems usually rely on transmission control protocol (TCP) or Internet protocol (IP).

One common protocol for Internet security is secure sockets layer (SSL), which helps secure data contained within networks. Secure electronic transaction (SET) is a protocol that's used to secure credit card transactions on the Web.

Routers: Routers, which connect two or more networks, are used to direct messages to the correct access point. A router may be either a computer or a software package. The router directs messages to the proper destination and is sometimes referred to as a "gateway." Routers are often employed in conjunction with firewalls.

According to Symantec’s Internet Security Threat Report, the high degree of malicious activity originating in the United States is likely driven by the expansive Internet infrastructure there. The United States accounts for 19 percent of the world’s Internet users. Furthermore, the number of broadband Internet users in that country grew by 14 percent between December 2005 and July 2006. Despite the relatively well developed security infrastructure in the United States, the high number of Internet-connected computers there presents more targets for attackers to compromise for malicious use. Symantec predicts that the United States will remain the highest ranked country for malicious activity until another country exceeds it in numbers of Internet users and broadband connectivity.

China was the second highest country for malicious activity during the six-month reporting period, accounting for 10 percent of all worldwide malicious activity. Germany was third, with seven percent. The prominence of both of these countries can likely be attributed to the high number of Internet users there, as well as the rapid growth in the country’s Internet infrastructure.

Monday, May 7, 2007

Internet trust and security issues

Fourth Position Paper
By Kamakshi Samala

Ubiquitous services and applications, when combined with computing business applications, form a challenging context for internet security and trust. It's not only important for the user to be concerned with the basic security requirements of the internet for controlled access, data integrity, confidentiality and accountability, it's also important to make sure that the users are using trusted computing devices. With the rapid change in technology, there has been rapid growth in e-commerce which makes our lives better, simpler and more productive. Electronic commerce basically uses electronic communications technology of the World Wide Web, even though electronic commerce frequently depends on computer technologies other than the World Wide Web, such as databases and e-mail, and on other non-computer technologies, such as transportation for physical goods sold via e-commerce. Today consumers are extremely comfortable with technology and the value of online retail shopping. Online shopping is a convenience both for the retailers and the customers. But as e-commerce and the World Wide Web have grown, so has the number of security threats. Identity theft is still at the top of the list of consumer complaints at the Federal Trade Commission, data security breaches are often reported, and phishing is also rising. All these factors undermine the trust and security of doing business through the internet and World Wide Web.

Vulnerabilities associated with the Internet have put government, business and individual users at risk. The security measures that were used with mainframe computers as well as the networks within the organization are no longer possible with the internet, as it’s a complex world of interconnected networks with no clear boundaries and control. Originally the internet was designed with an aim to put control and trust totally in the hands of users. Also, the internet is digital, not physical. This means it has no geographic location and no well-defined boundaries. Therefore, physical rules are impossible to apply. Instead, new knowledge is required to understand the issues related to the internet. For this reason, even though the lives of people are becoming simpler by using the internet, side by side the intruder community is also growing. Intruder tools are becoming more sophisticated and user friendly day by day. By using so-called distributed-system attack tools, intruders can hack into a large number of sites at the same time with a focus on attacking the victim hosts or networks. Nowadays developers of intruder tools package their tools in such a user-friendly way that even a person with the least knowledge of the technology can use them.

There are various reasons for the lack of internet trust and security. Some of the reasons are as follows:

• Due to fall in the prices of communication on the Internet, use of the Internet is replacing other forms of electronic communication. The internet sites have also become so interconnected and the intruder tools have become so sophisticated that it’s easy to hack all the interconnected sites.

• As distributed client-server and heterogeneous configurations are increasing, the management of the technology is also becoming distributed. In such cases, system administration and management fall upon people who do not have the training, skill, resources, or interest to operate their systems securely. Therefore, with the increase in untrained system administrators and security staff, the life of attackers is becoming easier.

• With lack of knowledge about the network and security, most sensitive data of an organization such as financial information, medical records, human resources files, and customer information files, etc. can be put to risk.

• Most often when the vendors release patches or upgrades to solve the security problems, organization systems are often not upgraded because the job is too time consuming and sometimes complicated. This job probably demands a skilled system administrator which may far exceed the supply.

• Today software products, workstations, and personal computers have become so easy to use that people with little technical knowledge can install and operate them on their personal computers. Unfortunately, it is difficult to configure and operate many of these products securely. This leads to the increase in the number of vulnerable systems.

• Even organizations that are security conscious, and have used solutions such as firewalls and encryption, can often fall into the trap of a false sense of security and become less vigilant. Also, single solutions that are applied once are neither foolproof nor adequate. Therefore, solutions must be combined and the security situation must be constantly monitored as technology changes and new exploitation techniques are discovered.

• Today the technology is evolving so rapidly that vendors most often concentrate on marketing their products while placing low priority on security features. Therefore, until the customers demand more secure products, the situation will not change.


The above reasons can lead to different types of abuses. Take Web sites, for example. Web sites gather information with or without the consumer’s knowledge. The most common method is by using clickstream data. This method tracks where the individual travels in a site and which advertisements and content he/she examines and uses. One of the common tools used is cookies. Cookies are small files that are transferred to our computer by some websites when we first log on to them. This file allows the Web server to track preferences and usage of information and target advertisements or specific content. Even though cookies allow a site to brand users, they do not disclose real names and addresses unless this information has previously been secured by other means. Some browsers allow the users to determine if they want cookie files located on their computer. Sometimes personal information like name, address, email, age, etc. is gathered from promotional "swebstakes," by allowing the user to enter a contest to win prizes in exchange for personal information. Matchlogic, a subsidiary of Excite, Inc, is an example of a firm that is involved in this kind of campaign; it posts advertisements and marketing campaigns on various Web sites for approximately 65 customers.

This can lead to transfer of inaccurate data, loss of identity, stolen credit card numbers and other possible problems that can be very difficult to resolve unless all the right tools find wide implementation.

Some of the possible solutions that can be used to ensure internet trust and security are:

1. Encryptions: For greater security the network must be encrypted and must have Firewalls. Firewalls deny or accept all messages and sites based on a list that is stored in the system. This is usually decided by a system administrator.

2. Secure Sockets Layer (SSL): This was developed by Netscape Communications Corporation and helps to reduce the chances of information sent through the Internet being intercepted. It provides security to all the parties involved in the transaction.

3. Platform for Privacy Principles: This is also known as P3 which is universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. This tries to define and describe limits on the use of user’s private information garnered from Web sites.

4. Tokens: These are small devices, which are usually the size of a credit card or calculator that the remote users physically carry with them. This is based on a challenge-response system. When the remote user tries to log on a given authentication server, a challenge is asked. The user keys the challenge into the device which then generates the correct reply. The user then sends this response to the remote server to gain access.

5. Secure Electronic Transaction (SET): It is an open, multi-party protocol that transmits bank card payments via open networks like the Internet. SET allows the parties performing the transaction, to confirm each other's identity. By employing digital certificates, SET allows a purchaser to confirm that the merchant is legitimate and also allows the merchant to verify that the credit card is being used by its owner. It also requires that each purchase request includes a digital signature, which further identifies the cardholder to the retailer. The digital signature and the merchant's digital certificate provide a certain level of trust. SET plays an important role as it offers protection from repudiation and unauthorized payments.

6. Digital Certificates: Purchasers and retailers generate these certificates through the use of secret keys that authenticate that each party to the transaction is legitimate.

7. Open Profiling Standard for Authorization and Single Sign-On (OPS): This makes it necessary for the customers to reenter information that identifies them more than once at a website.

Therefore, these are some of the solutions that can be used to have internet security and provide trust among the users.

Hence in my opinion, while doing business in the real world having and building trust among the customers is very important for the business. Merchants, consumers and financial institutions all need to be confident of the identity with whom they conduct business. Only when all of the above parties are truly able to trust who they are dealing with online, then only will the online business model be successful. Computer based crimes are increasing day by day. For example if we take the case of T.J. Maxx and Marshalls and other off-price retailers, hackers stole data of at least 45.7 million credit and debit cards of shoppers. This case is believed to be the largest breach of consumer information and is considered to be a major security concern.

Government and industries should work together towards better internet security. This way the industry can influence the type of safeguards that are put into practice. If there is resistance to cooperation with government agencies on internet fraud, crime and privacy, legislative and other political solutions will automatically become more involved. Therefore, the internet offers great potential for both consumers and businesses, but proper measures should be taken to protect internet trust and security. This way both the industry and consumers will benefit in the long run.
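
The token login described under "Tokens" in the list of solutions above (the server asks a challenge, the user keys it into the device, the device generates the reply, the user sends it back) can be modelled as follows. This is an added example, not part of the original paper. The paper does not say how the reply is computed, so the HMAC-SHA-256 shared secret, the 8-digit codes, the 60-second lifetime and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time


def _code(secret: bytes, challenge: str) -> str:
    """Reply both sides compute (assumed scheme: HMAC-SHA-256 cut to 8 digits)."""
    mac = hmac.new(secret, challenge.encode("utf-8"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Token:
    """The device the remote user carries; it holds a secret shared with the server."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: str) -> str:
        return _code(self._secret, challenge)


class AuthServer:
    def __init__(self, ttl_seconds: float = 60.0, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._secrets = {}   # user -> shared secret
        self._pending = {}   # user -> (challenge, expiry time)

    def enroll(self, user: str) -> Token:
        """Provision a token: generate the shared secret and hand out the device."""
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return Token(secret)

    def issue_challenge(self, user: str) -> str:
        # A fresh random challenge per login attempt is what makes a captured
        # reply useless later. Unknown users get one too, so the prompt does
        # not reveal which accounts exist.
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[user] = (challenge, self._clock() + self._ttl)
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # pop(): each challenge can be answered once, right or wrong.
        pending = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if pending is None or secret is None:
            return False
        challenge, expires = pending
        if self._clock() > expires:
            return False
        expected = _code(secret, challenge)
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(expected.encode("utf-8"), response.encode("utf-8"))


if __name__ == "__main__":
    server = AuthServer()
    token = server.enroll("alice")
    challenge = server.issue_challenge("alice")
    reply = token.respond(challenge)
    print("challenge:", challenge, "reply:", reply)
    print("first use accepted:", server.verify("alice", reply))
    print("replay accepted:", server.verify("alice", reply))
```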

Sunday, May 6, 2007

Internet Trust and Security

Joe Farrar

4th Position Paper

In the coming years, all companies conducting business via the internet will face security issues in one form or another. Security flaws and efforts on the part of hackers to gain access to sensitive data abound. Such attacks are increasing and continue to pose a serious threat to the integrity of sensitive personal and proprietary information held by unfortunate victims.

Attacks can come from a disgruntled employee inside an organization seeking to steal information from a company’s intranet or from outside an organization by hackers seeking to exploit any possible weakness a system has. As the volume of these attacks increases and the material stolen becomes more sensitive, businesses will be forced to pay a premium to ensure that their systems are secure. These threats will continue to produce sensational headlines each time a system is breached and its contents are opened up to unscrupulous individuals. If businesses cannot keep pace with the volume and variety of threats to their systems, they could stand to lose market share to scared consumers unwilling to risk doing business with a business that cannot protect their privacy.

The issue of internet security and trust also has some staggering dollar amounts attached to it. In a study conducted by the Ponemon Institute in 2005, companies lost an average of $14 million per breach when customer data losses happened. In some higher profile cases where significant data was compromised, the cost was as much as $50 million per incident because businesses opted to offer free credit reporting services to those affected by the breach. This figure does not even include the cost of denial of service attacks or factor in the cost of the disruption of business processes of internet-based businesses. In a study published in 2004, the Aberdeen Group found that the cost of disruptions to internet-based business is about $2 million per incident. These figures serve to illustrate the importance that these types of threats pose to a business's bottom line.

There are ways to prevent or minimize these types of attacks from being perpetrated. The hard truth is that the use of diligence by those involved in the handling of sensitive data could have prevented hackers from gaining access to private data. The watchful eye of security personnel and system administrators makes it much harder for such breaches to happen.

A sound security policy combined with compliance training for every employee should be a mandate that all businesses follow in the coming century. However, the truth is that employees and businesses alike choose to believe that their data won’t fall victim to the prying eyes of criminals. The naïve and misguided belief that one’s system is entirely secure will ultimately wind up costing companies and consumers billions of dollars.

In summation, risks associated with doing business online will continue to evolve in step with the technology that supports online commerce. Sensitive data about consumers and corporate proprietary information will always be a tempting target for criminals who understand how to circumvent security protocols in this age of interconnectivity. The security of information needs to be a top down mandate within corporations doing business over the internet. Aggressive and proactive measures must be implemented before an attack happens and contingency plans must be in place for quick and competent reactions not if, but when, attacks happen.

RFID

Joe Farrar

2nd Follow-up Presentation Paper

Our presentation focused primarily on the positive aspects and the underlying technology of RFID and only provided limited details on the concerns associated with this technology. For my follow up paper I will expand on the challenges RFID faces and the potential repercussions associated with its use. There are important considerations companies and the individuals in charge of RFID initiatives should weigh before making the transition to RFID.

RFID technology is presently too expensive, and the price of RFID tags has traditionally been a significant obstacle to its widespread deployment in small and medium-sized companies. A survey conducted by the consulting company Accenture found cost to be one barrier to the implementation of RFID. Current passive tag cost estimates range from $0.15 to $0.75, with the volume of tags purchased having a significant impact on the per tag cost. This indicates that the current cost of tags is too high to justify tagging all items. This is why most companies mandating the use of RFID, such as Wal-Mart and Target, are focusing on tagging pallets and cases of products, rather than each item.

Some experts suggest that per item tracking is approximately ten years away. However, I would argue that some organizations will never move to RFID technology because the cost will not justify the benefit. The integration of RFID into existing practices requires considerable investment from organizations. Reengineering a business and aligning systems takes time and, more importantly, money to complete. The process of implementing RFID technology will affect all facets of the organization and should be expected to cost millions of dollars.

Wal-Mart and the U.S. Department of Defense have come under fire from many of their suppliers, since the cost of complying with their mandates may reach over $9 million. The money required to implement RFID technology is likely to deter the cash-strapped airline industry from using the technology in their baggage processing systems. This is compounded by the fact that many airlines span a large number of airports, thus generating significant financial implications for implementing a cohesive system. As a result, some industry consultants have indicated that companies should allow a five-year transition period and a budget of $20 million to integrate RFID technology into current processes.

Additionally, there are concerns that there will soon be a shortage of skilled individuals in the RFID industry. This will become all too apparent when the number of companies integrating RFID technology begins to increase. While RFID technology has been around for decades, only recently has its efficiency in the area of supply chain management been touted. As a result, an apparent lack of standards is hindering the technology’s adoption and widespread use in supply chains.

Most RFID products are not interoperable, meaning that they cannot be easily integrated into the supply chain between partners, and as such they would not add value. The development of standards has progressed somewhat through the formation of the EPCglobal network. However, EPCglobal’s standard has yet to be backed by the International Organization for Standardization (ISO). There is still no standard supported by both organizations that meets everyone’s needs.

Incompatible systems exist across different industries making interoperability a foremost concern for the seamless use of RFID across supply chains. The EPC standard is of paramount importance to the success of RFID. Ongoing refinements and the backing of numerous multinational organizations mean that it will most likely become the adopted standard in supply chain management.

Another issue related to the difficulties of using RFID technology is radio spectrum allocation. Radio spectrum is a finite resource, and RFID suffers from the inherent range limitations associated with it. As RFID uses the radio spectrum to transmit its signals, it is susceptible to interference that hinders its ability to transmit clear and reliable information to RFID readers. While numerous institutions try to ensure that the spectrum is managed in a way that is beneficial to the end user, it is ultimately in the control of government agencies like the FCC to decide how it is allocated. This issue becomes one of international law due to the fact that different countries have already allocated different areas of their spectrum for the use of RFID. Clearly, private and public organizations alike lack the standards needed to integrate RFID into their daily practices.

Proper tagging is also a barrier to implementing RFID. Some tag readers are only able to read product tags that are facing a particular way, so items need to be packed accordingly. Another problem arises when a pallet containing different packaged items is read, as the reader needs to be aware it is reading multiple types of items. The ability of RFID to read through most packaging material such as plastic wraps and cardboard containers is one of its most valuable assets. However, metal and liquid can play havoc with RFID signals. Evidently, tagging is not simply a matter of attaching RFID tags to items.

Privacy issues associated with RFID continue to be the biggest threat to the success of RFID. Current RFID protocols are designed to offer optimal performance between readers and tags, but fail to address consumer privacy concerns. As these tags become more prevalent, RFID could be used by marketers to do research at such a specific level of detail that the threat of invading a consumer’s privacy becomes a very real one. Privacy advocates are worried that, if RFID tags are placed in common items, the product may continue to be tracked once purchased by consumers. One of the public’s biggest concerns with RFID in general is the lack of information on how to turn the tags off once an item has been purchased. Human rights organizations have already raised their concerns about the technology.

Privacy concerns have the potential to derail an RFID initiative before it gets off the ground. For example, clothing retailer Benetton came under fire for placing RFID tags in its clothes. Once the public was made aware of this, consumers called for a boycott against Benetton, causing the retailer to abandon its RFID plans. Companies implementing RFID without considering their customers’ privacy concerns could stand to lose goodwill by using RFID improperly.

In conclusion, the technology of RFID still has a long road to travel before it becomes a widely used technology. There are many wrinkles that need to be ironed out before a standard is adopted by all stakeholders. Steps that further address the protection of consumer privacy must be taken. RFID does hold the potential to change the way businesses operate for the better and should be seen as a way to supercharge existing processes. Time will tell as to how widely RFID is used in the future. The management of these challenges will play a big part in determining if RFID meets its potential.