
Electronic Commerce Security and Computer Forensics

David Dampier

Department of Computer Science & Engineering

Center for Computer Security Research

[email protected]

http://www.cse.msstate.edu/~security

Paradox of the Internet

• Pervasive
  – Inexpensive
  – Easy to use
• No one in charge
• Robust
• Used extensively today

• Intrinsically insecure
  – Expensive to secure
  – Hard to secure: an afterthought
• No one responsible
• Ill-defined boundaries
• Laws of use not clear

What is EC Security?

• A special case of network security
• A special case of client-server security
• An evolving area of computer science
  – Digital cash
  – Internet banking
  – Store fronts versus store reality
  – International marketplace …
• Still an area of immense temptation for the criminal element

What are the threats?

• First, the traditional threats apply
  – Confidentiality, integrity, availability, accountability
  – Malicious code
  – Network vulnerabilities
  – Others ???
• Second, additional privacy concerns surface (… and ethics concerns)
  – Cookies
  – Buying habits and profiling
  – Shared databases (???)
  – Short-term and long-term storage of sensitive data
  – Others ...

More threats ...

• Authentication takes on a new role
  – Who is the buyer?
  – Who is the seller?
  – Is the seller real?
  – Where is the seller?
  – Non-repudiation is important
  – Accountability for seller and buyer actions
• Availability: loss of access equals loss of revenue
  – Recovery procedures are very important
  – The greatest threat to E-Commerce today (arguable perhaps …)

A Simple View

(Diagram: a Client and a Server connected over an open network)

E-Commerce protection must include data in transit, data in processing, and data in storage
• over an open network
• in a client-server environment

Security Requirements include

• Transaction integrity
• Confidentiality of the transaction
• Mutual authentication of all parties (customer, store, bank)
• Non-repudiation
• Timely service
• Record keeping
• Protection of the systems against intrusion

Client Side Security

• Essentially “web browser” security
• Two main risks have emerged
  – Vulnerabilities in the web browser software
  – Risk of active content
• Active content (mobile code)
  – Java and Java applets
  – ActiveX controls
  – Push technology
  – MS macros
  – Plug-ins

Secure Transport

• Secure channels
  – Secure Sockets Layer (SSL)
  – Secure HTTP (S-HTTP)
• Smart cards carrying a private key for encryption
• E-Cash protocols

Web Server Side

• Typically a front-end web server, a back-end database, and interface software (e.g., CGI scripts).
• Firewalls are most useful here, but they come in varying degrees of strength and responsiveness.
• Operating system security is an issue (for both the network OS and the server OS).

Solution Sets ...

• Encryption plays a very big role
  – SSL, S-HTTP
  – Digital signatures
  – Certificates (X.509 - PKI)
  – PGP
• Firewalls
• Trusted OS and products
• Disaster recovery plans
• Education and awareness
• Law

Public Key Infrastructure

• Enables the use of public key technology
• Parts
  – Certificate maintenance: issuance, reissuance, revocation
  – Certificate availability
  – Interoperations

Answer: Public Key Infrastructure

• Getting public-key materials
  – where they are needed
  – when they are needed

(Diagram: an ID-card style certificate for Jane Doe, Acme, showing the public key, alongside the matching private key)

Doing Business With Keys

(Diagram: a customer buys “PKI for Dummies” from amazon.com over the Internet. The card number 4417 5712 1238 51961 is encrypted with the public key into “Xyl?wk$”, decrypted at amazon.com with the private key, and the order is marked Sold.)

But where did the key come from?

Certificate: ID? Or ATM Card?

• Identity card
  – Something you have
  – Something you are
• ATM card
  – Something you have
  – Something you know

A Certificate is Three Things

• An ID card (diagram: Jane Doe, Acme, public key)
• A notarized signature (diagram: Mississippi, Jane Doe, 105 Lee Street, Anywhere, MS 39759)
• A scrambling device (diagram: plaintext → X&8uj*l.)

Doing Business With Certificates

(Diagram: the same purchase of “PKI for Dummies” from amazon.com over the Internet, with the card number 4417 5712 1238 51961 encrypted to “Xyl?wk$” using a public key that now comes from a certificate (shown as the Jane Doe, Acme ID card), decrypted with the private key, and the order marked Sold!)

But where did the certificate come from?

Certifying Authorities

• Public key technology is powerful, but you can’t keep everyone’s public key on your hard drive
  – hundreds of thousands of users globally
  – expiration and maintenance issues
• More practical to rely on trusted “third parties”: certifying authorities

Certifying Authorities

• A commercial enterprise that vouches for the identities of individuals and organizations.
• Browsers have public keys of well-known CAs built in.
• Certificates are (for most practical purposes) viewed as “untamperable” and “unforgeable”.
• VeriSign, AT&T, BBN, CeriSign, and others (check your browser).

A Process for Secure EC

• Assess your risks
• Secure the infrastructure
• Secure your Internet connections
• Secure electronic commerce
• Disaster recovery

- David Cullinane, “Electronic Commerce Security”, 1999

Assessing Risk

• Conduct a threat and vulnerability analysis
  – What are the threats to your information assets?
  – How vulnerable are you to each of those threats?
  – What would be the business impact if each of the threats were to occur?
  – What controls are available/needed to mitigate the threats?
• Identify and prioritize (... and build a plan)
  – address the threats and vulnerabilities
  – ensure the plan is consistent with business objectives and cost
  – does the plan fit with the organizational culture?

Secure the Infrastructure

• Concerned with OS security, external connectivity, & network security ...
• Develop an information security architecture
  – “… a structure for implementing security across an enterprise”
  – defines the organization of the information security program
  – the foundation of a solid information security program

Secure Internet Connection

• Based primarily on firewall protection
• Recall: firewalls vary in trust and capability
• Defense in depth is suggested
• The tradeoff between security and ease of access is a business and risk decision
• There is no cookbook solution

Disaster Recovery

• Continuity of operation plans
  – Written down, practiced, realistic and implementable
• Backups
• Hot/cold sites
• Usually overlooked
• Finding out what happened.

Basics of Computer Forensics

Mississippi State University, Dept. of Computer Science and Engineering

What is Forensics?

• Forensics is the application of scientific techniques of investigation to the problem of finding, preserving and exploiting evidence to establish an evidentiary basis for arguing about facts in court cases.

What is Computer Forensics?

• Computer forensics is forensics applied to information stored or transported on computers.
• It “involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis”.
• Procedures are followed, but flexibility is expected and encouraged, because the unusual will be encountered.

Categories of Computer Crime

• Computer used to conduct the crime
  – Child pornography/exploitation
  – Threatening letters
  – Fraud
  – Embezzlement
  – Theft of intellectual property
• Computer is the target of the crime
  – Incident response
  – Security breach

What is the evidence?

• Bytes
• Files
  – Present
  – Deleted
  – Encrypted
• Fragments of files
  – Words
  – Sentences
  – Paragraphs

Where do we find it?

• Storage media
  – Hard disks
  – Floppy disks
  – CDs, Zip disks, tapes, etc.
  – Thumb drives
• RAM
• Log files

What do we do with it?

• Acquire the evidence without altering or damaging the original.
• Authenticate that your recovered evidence is the same as the originally seized data.
• Analyze the data without modifying it.
• Be prepared to testify about it in a court of law.

Acquire the evidence

• How do we seize the computer?
• How do we handle computer evidence?
  – What is chain of custody?
  – Evidence collection
  – Evidence identification
  – Transportation
  – Storage
• Documenting the investigation

Authenticate the Evidence

• Prove that the evidence is indeed what the criminal left behind.
  – Readable text or pictures don’t magically appear at random.
  – Calculate a hash value for the data
    • CRC
    • MD5

Analysis

• Always work from an image of the evidence and never from the original.
  – Prevent damage to the evidence
  – Make two backups of the evidence in most cases.
• Analyze everything; you may need clues from something seemingly unrelated.
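The acquire / authenticate / image-and-backup steps of the last two slides, as an added Python sketch (not code from the slides). A constructed byte string stands in for the seized media and the hash values are recorded at seizure time; in real work the source is a write-blocked device. SHA-256 is included beside the CRC and MD5 named on the slide because MD5 alone is no longer collision-resistant.

```python
import hashlib
import zlib

SECTOR = 512  # sector size as given on the slides

# Constructed stand-in for the seized media: three 512-byte sectors.
ORIGINAL_MEDIA = (b"boot sector" + b"\x00" * 501
                  + b"order 4417 5712 1238 51961 Sold!" + b"\x00" * 480
                  + b"old mail fragment" + b"\x00" * 495)


def acquire(source):
    """Read the source sector by sector into an image; the source is only ever read."""
    image = bytearray()
    for offset in range(0, len(source), SECTOR):
        image += source[offset:offset + SECTOR]
    return bytes(image)


def fingerprints(data):
    """CRC and MD5 as named on the slide, plus SHA-256 for a collision-resistant check."""
    return {
        "crc32": f"{zlib.crc32(data):08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def authenticate(image, expected):
    """True only if every fingerprint recorded for the original matches the image."""
    return fingerprints(image) == expected


def working_copies(image, expected, count=2):
    """Make the backup copies the slides call for, re-verifying each before it is used."""
    copies = [bytes(image) for _ in range(count)]
    if not all(authenticate(copy, expected) for copy in copies):
        raise RuntimeError("a backup copy does not match the recorded hashes")
    return copies


if __name__ == "__main__":
    recorded = fingerprints(ORIGINAL_MEDIA)        # taken at seizure time
    image = acquire(ORIGINAL_MEDIA)
    print("image authentic:", authenticate(image, recorded))               # True
    tampered = bytearray(image)
    tampered[600] ^= 0x01                          # one flipped bit in sector 1
    print("tampered authentic:", authenticate(bytes(tampered), recorded))  # False
```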

Analysis (cont.)

• Existing files
  – mislabelled
• Deleted files
  – Show up in the directory listing with the first letter replaced: “Dave.txt” appears as “ ave.txt”
• Free space
• Slack space
• Swap space

Storage Media Basics

• Sector: 512 bytes
• Cluster (block): 2 or more sectors (up to 64)

(Diagram: a sector as bytes 0, 1, 2, 3, 4, 5 … 511; a cluster as consecutive sectors laid end to end.)

Slack Space

• RAM slack: that portion of a sector that is not overwritten in memory.
• Disk slack: those sectors of the cluster that are not needed to store the file.

(Diagram: a single sector, bytes 0 … 511, with EOF partway through; the bytes after EOF are RAM slack. A cluster of sectors with EOF in an early sector; the remaining whole sectors are disk slack.)

Slack Space

• File slack: the last cluster of a file isn’t filled up completely, so data from the last use of that cluster isn’t overwritten.
• File slack = disk slack + RAM slack

(Diagram: a cluster of sectors with EOF in the first sector; the rest of that sector is RAM slack, the following sectors are disk slack, and together they form the file slack.)
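The slack arithmetic of the last three slides, and the survival of a previous file's bytes in disk slack, as an added Python simulation (not from the slides). It assumes the 512-byte sector from the deck, a file that fits in one cluster, and a constructed cluster of old data; the tail of the EOF sector is padded with a marker byte to stand in for the memory contents that produce RAM slack.

```python
import math

SECTOR = 512  # bytes per sector, as on the slides


def slack_layout(file_size, sectors_per_cluster):
    """Split the space allocated to a file into data, RAM slack and disk slack."""
    cluster = SECTOR * sectors_per_cluster
    allocated = math.ceil(file_size / cluster) * cluster
    ram_slack = (-file_size) % SECTOR                # rest of the sector holding EOF
    disk_slack = allocated - file_size - ram_slack   # whole sectors never written
    return {"allocated": allocated, "ram_slack": ram_slack,
            "disk_slack": disk_slack, "file_slack": ram_slack + disk_slack}


def write_file_over_cluster(old_cluster, new_data, ram_filler=b"\xaa"):
    """Simulate reusing a cluster: sectors that receive file data are written whole
    (the tail of the EOF sector padded from memory); sectors past EOF are untouched."""
    assert len(new_data) <= len(old_cluster), "file must fit in one cluster here"
    cluster = bytearray(old_cluster)
    written = len(new_data) + (-len(new_data)) % SECTOR   # round up to a sector boundary
    cluster[:written] = new_data + ram_filler * (written - len(new_data))
    return bytes(cluster)


def recover_disk_slack(cluster_bytes, file_size):
    """Carve the sectors after the file's last written sector: the disk slack."""
    written = file_size + (-file_size) % SECTOR
    return cluster_bytes[written:]


# Constructed previous occupant of a 4-sector cluster (16-byte pattern x 128 = 2048 bytes).
OLD_CLUSTER = b"OLD SECRET DATA " * 128
NEW_FILE = b"A" * 1000

if __name__ == "__main__":
    print(slack_layout(len(NEW_FILE), 4))
    # {'allocated': 2048, 'ram_slack': 24, 'disk_slack': 1024, 'file_slack': 1048}
    reused = write_file_over_cluster(OLD_CLUSTER, NEW_FILE)
    print(recover_disk_slack(reused, len(NEW_FILE))[:32])  # b'OLD SECRET DATA OLD SECRET DATA '
```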

Free Space

• That portion of the media that is not currently in use.
• Could have been used before, but not overwritten.
  – Especially true today with very large disks
• Can we really erase a hard drive?
  – Even if formatted, the data is not lost.

Data Hiding

• Obfuscating data
  – Encrypted
  – Compressed
• Hiding data
  – In plain sight: innocent-looking data has an alternate meaning
  – Within the file system

Data Hiding in File System

• In a file
  – Steganography
  – Invisible names
  – Misleading names
  – Obscurity
  – No names
• Not in a file
  – Slack, swap, free space
• Removable media

Tools

• Password crackers
• Hard drive tools
  – fdisk on Linux
• Viewers
  – QVP
  – Diskview
• Thumbsplus
• Unerase tools
• CD-R utilities
• Text search tools
• Drive imaging
  – Safeback
  – Linux dd
• Disk wiping
• Forensic toolkits
• Forensic computers

QUESTIONS???


Contact Information

Dr. David Dampier

Department of Computer Science and Engineering

Box 9637, 300 Butler Hall

Mississippi State, MS 39762-9637

(011)(662)325-2756

[email protected]