
Computer security's primary mission is to ensure that systems and their contents remain the same!

At the end of the day, when you leave the office, you turn on the alarms and lock the doors to secure your workplace and its equipment. You lock the file cupboard to secure confidential company papers. Our computers require the same kind of protection. When computer applications were developed to handle financial, private and personal data, the real need for information and network security was felt. Network security technologies protect the network against the theft and misuse of confidential business information and guard against malicious attacks from Internet-borne trapdoors and viruses. Without network security mechanisms in place, critical data risks unauthorized access from intruders, network downtime, service disruption, regulatory noncompliance and even legal action.

Goal of Network Security

The basic goal of implementing security mechanisms on the network is to control network access to various hosts and their services, rather than individual host security. Generally, the aim of applying security on a network is attained by following a series of steps, each step focused on explaining the relationship between the attacks and the measures taken to protect against them.

1. Asset Identification: Identify the assets which you are trying to protect.
2. Threat assessment: Determine the vulnerabilities and threats you are trying to protect them from.
3. Risk assessment: Determine the probability of the threat and the occurrence of the attacks.
4. Defining security policies and their implementation: Design the security policies and implement measures that protect your assets in a cost-effective manner.
5. Review and update: Review the process continuously, and make improvements each time you find a weakness.

Principles of Security

Security rests on four chief principles:

1. Confidentiality: the concealment (hiding) of information or resources. Confidentiality implies keeping data and resources private. This privacy could entail physically or logically restricting access to sensitive data and resources, or encrypting traffic traversing a network. A network that provides confidentiality would do the following, as a few examples:

- Use network security mechanisms (for example, firewalls and access control lists [ACLs]) to prevent unauthorized access to network resources.
- Require appropriate credentials (for example, usernames and passwords) to access specific network resources.
- Encrypt traffic such that an attacker could not decipher any traffic he captured from the network.

2. Integrity: the reliability of data or resources, usually expressed in terms of preventing improper or unauthorized change. Integrity ensures that data has not been modified in transit. A data integrity solution might also perform origin authentication to verify that traffic is originating from the source that should be sending it. Examples of integrity violations include:

- Modifying the appearance of a corporate website
- Intercepting and altering an e-commerce transaction
- Modifying financial records that are stored electronically

3. Availability: the ability to use the information or resource desired. The availability of data and resources is a measure of their accessibility. For example, if a server were down only five minutes per year, it would have an availability of 99.999 percent (that is, "five nines" of availability). Here are a couple of examples of how an attacker could attempt to compromise the availability of a network:

- He could send improperly formatted data to a networked device, resulting in an unhandled exception error.
- He could flood a network system with an excessive amount of traffic or requests. This would consume the system's processing resources and prevent the system from responding to many legitimate requests. This type of attack is called a denial-of-service (DoS) attack.

4. Authentication: identifying the user accessing information or resources. It is the act of validating and verifying a claim of identity. It is essential to guarantee that information, transactions, users or documents are authentic and valid. Authenticity also requires confirming that all parties concerned are real and reliable. There are three different types of information that can be used for authentication:

- Something you know: a password or PIN.
- Something you have: a driver's license or an electronic swipe card.
- Something you are: biometric identification.

Some of the other security principles are:

5. Access Control: Access to important and protected data and resources must be restricted to users who are authorized to access them. This requires methods to be in place to manage and control access to private and protected resources. The establishment of access control mechanisms starts with identification and authentication.

6. Non-Repudiation: The parties involved in a transaction cannot deny their participation. The receiving party cannot deny having received the transaction, nor can the sending party deny having sent it.

History of Computer Security

Since the beginning of networked computers, security has been a major concern. Before the 90s, networks were relatively uncommon and the general public was not made up of heavy Internet users. During these times security was not as critical; however, with more and more sensitive information being placed on networks, it would grow in importance. Nowadays public networks are relied upon to deliver financial and personal information. As the information made available through the Internet evolves, network security is also required to evolve. The Internet was born in 1969 when the Advanced Research Projects Agency Network (ARPANET) was created by the Department of Defense (DoD) for research in networking. The first automated worm appeared on the ARPANET in 1988. The "Morris Worm", developed by a student at Cornell, exploited the lack of intrusion prevention systems: it could connect to another computer, use vulnerabilities to copy itself, and send itself to a new location. The self-replicating Morris Worm did much to expose the vulnerabilities of networked computers, using so many resources that infected computers were rendered inoperable and spreading quickly throughout the network. At this point, influential leaders in the network community decided to begin developing countermeasures against network threats.

Vulnerability and Threat

BASIC TERMINOLOGY:

1. BACKDOOR

Definition: A backdoor is a secret or undocumented means of getting into a computer system. Many programs have backdoors placed by the programmer to allow them to gain access to troubleshoot or change the program. Some backdoors are placed by hackers once they gain access, to allow themselves an easier way in next time or in case their original entrance is discovered. A backdoor is a means of access to a computer program that bypasses security mechanisms. A programmer may sometimes install a backdoor so that the program can be accessed for troubleshooting or other purposes. However, attackers often use backdoors that they detect or install themselves as part of an exploit. In some cases, a worm is designed to take advantage of a backdoor created by an earlier attack. Whether installed as an administrative tool or a means of attack, a backdoor is a security risk, because there are always crackers out there looking for any vulnerability to exploit. A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing illegal remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice) or may subvert the system through a rootkit. A backdoor in a login system might take the form of a hard-coded username and password combination which gives access to the system.

2. ADWARE

Adware, or advertising-supported software, is any software package which automatically renders advertisements in order to generate revenue for its author. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process. The functions may be designed to analyze which Internet sites the user visits and to present advertising pertinent to the types of goods or services featured there. In legitimate software, the advertising functions are integrated into or bundled with the program. Adware is usually seen by the developer as a way to recover development costs, and in some cases it may allow the software to be provided to the user free of charge or at a reduced price. The income derived from presenting advertisements to the user may allow or motivate the developer to continue to develop, maintain and upgrade the software product. Some software is offered in both an advertising-supported mode and a paid, advertisement-free mode. The latter is usually available by an online purchase of a license or registration code for the software that unlocks the mode, or the purchase and download of a separate version of the software.

Examples of advertising-supported software include the Windows version of the Internet telephony application Skype, and the Amazon Kindle 3 family of e-book readers, which has versions called "Kindle with Special Offers" that display advertisements on the home page and in sleep mode in exchange for substantially lower pricing. The term adware is frequently used to describe a form of malware (malicious software), usually that which presents unwanted advertisements to the user of a computer. The advertisements produced by adware are sometimes in the form of a pop-up. When the term is used in this way, the severity of its implication varies. While some sources rate adware only as an "irritant", others classify it as an "online threat" or even rate it as seriously as computer viruses and trojans. The precise definition of the term in this context also varies. Adware that observes the computer user's activities without their consent and reports them to the software's author is called spyware.

3. HACKER

In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge. The term hacker is reclaimed by computer programmers who argue that someone breaking into computers is better called a cracker, not making a difference between computer criminals (black hats) and computer security experts (white hats). Some white hat hackers claim that they also deserve the title hacker, and that only black hats should be called crackers.

Classifications

According to (Clifford R.D. 2006), a cracker or cracking is to "gain unauthorized access to a computer in order to commit another crime such as destroying information contained in that system".

White hat

A white hat hacker breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company which makes security software. The term "white hat" in Internet slang refers to an ethical hacker. This classification also includes individuals who perform penetration tests and vulnerability assessments within a contractual agreement. The EC-Council,[8] also known as the International Council of Electronic Commerce Consultants, is one of those organizations that have developed certifications, courseware, classes, and online training covering the diverse arena of ethical hacking.

Black hat

A "black hat" hacker is a hacker who "violates computer security for little reason beyond maliciousness or for personal gain". Black hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture, and are "the epitome of all that the public fears in a computer criminal". Black hat hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use the network.

4. Botnet

A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks such as keeping control of an IRC channel, sending spam email or participating in DDoS attacks. The word botnet stems from the two words robot and network.

Legal botnets: The term botnet is widely used when several IRC bots have been linked and may possibly set channel modes on other bots and users while keeping IRC channels free from unwanted users. This is where the term originally comes from, since the first illegal botnets were similar to legal botnets. A common bot used to set up botnets on IRC is eggdrop.

Illegal botnets: Botnets sometimes compromise computers whose security defenses have been breached and control conceded to a third party. Each such compromised device, known as a "bot", is created when a computer is penetrated by software from a malware (malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as IRC (Internet Relay Chat) and HTTP (Hypertext Transfer Protocol).

Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet's operator. Depending on how it is written, a Trojan may then delete itself, or may remain present to update and maintain the modules. This example illustrates how a botnet is created and used to send email spam:

1. A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application, the bot.
2. The bot on the infected PC logs into a particular C&C server.
3. A spammer purchases the services of the botnet from the operator.
4. The spammer provides the spam messages to the operator, who instructs the compromised machines via the control panel on the web server, causing them to send out spam messages.

Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, mining bitcoins, spamdexing, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.

5. Cracker

6. Phishing

Protect yourself from phishing scams

- Never respond to emails that ask you for any username or password.
- Never share your Elon username and password with anyone, not even your spouse or children. They may be responding to phishing scams and could be putting your personal information and Elon at risk.
- Never respond to emails that ask you to verify, update, or validate information the organization should already have.
- Before you share any personal information, confirm that you are dealing with a legitimate organization.
- Don't reply, click on links, or call phone numbers provided in the emails. Even if it is a link to unsubscribe, do not click it. Doing so will likely increase the amount of phishing email you receive, because now the scammer knows there is a person reading the emails.
- If you are ever unsure whether an email is legitimate, DO NOT RESPOND to it. Instead, contact the Technology Help Desk at 336.278.5200 and ask for advice.

How to spot a phishing scam

Phishing emails often pretend to be from an organization you trust, like Elon University, your bank, an airline, the IRS and others. Or they pretend to be from a stranger informing you of an unusually lucrative opportunity, like the Nigerian prince who wants to give you money. Both are fake and are an attempt to take your personal information like your password, social security number, account information, etc. A phishing email will ask you to perform an action in order to get your personal information. That action can be to reply to an email, click on a link to a web page or complete an online form. The good news is, a phishing scam will only work if you let it. If you perform the action the scam asks for, they will have your personal information. However, if you know what to look for and spot the scam, their phishing attempt will fail. Phishing emails have become more sophisticated, but they have common warning signs that should make you suspicious.

What is phishing?

Phishing is an email that tries to obtain your personal information to steal your identity or to hijack your Elon email account. It's called phishing because scammers email large groups of random people and hope someone bites.
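The warning signs listed above (requests for a username or password, requests to verify, update or validate information, links and phone numbers you are told to use, and a sender who is not who they claim to be) can be turned into a simple mail-filter heuristic. The following is an added example written for this page, not code from the original notes or from Elon University; the trusted domain, the thresholds and both sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical trusted organisation (assumed; the advice above is written for
# Elon University users, so an elon.edu domain is used as the example).
TRUSTED_DOMAIN = "elon.edu"

# Warning signs from the advice above, expressed as patterns.
CREDENTIAL_REQUEST = re.compile(r"\b(username|user name|password|passcode|pin)\b", re.I)
VERIFY_REQUEST = re.compile(
    r"\b(verify|update|validate|confirm)\b.{0,40}\b(account|information|details|identity)\b",
    re.I | re.S)
URGENCY = re.compile(
    r"\b(within 24 hours|immediately|suspended|will be (closed|locked|terminated))\b", re.I)
PHONE = re.compile(r"\b\d{3}[.\-]\d{3}[.\-]\d{4}\b")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)


def registered_domain(host):
    """Naively reduce 'mail.elon.edu' to 'elon.edu' (keeps the last two labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(sender, subject, html_body):
    """Return the list of warning signs found in one message (empty if none)."""
    reasons = []
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    text = subject + " " + re.sub(r"<[^>]+>", " ", html_body)  # strip HTML tags
    if CREDENTIAL_REQUEST.search(text):
        reasons.append("asks for a username or password")
    if VERIFY_REQUEST.search(text):
        reasons.append("asks you to verify, update or validate information")
    if URGENCY.search(text):
        reasons.append("pressures you to act quickly")
    if PHONE.search(text):
        reasons.append("asks you to call a phone number given in the email")
    org = TRUSTED_DOMAIN.split(".")[0]
    if sender_domain != TRUSTED_DOMAIN and org in text.lower():
        reasons.append(f"mentions {org} but was sent from {sender_domain}")
    # Links: the visible text may show one domain while the href goes elsewhere.
    for href, anchor_text in ANCHOR.findall(html_body):
        href_domain = registered_domain(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT.search(anchor_text)
        if shown and registered_domain(shown.group(0)) != href_domain:
            reasons.append(f"link text shows {shown.group(0)} but points to {href_domain}")
        elif href_domain != TRUSTED_DOMAIN:
            reasons.append(f"link leads away from {TRUSTED_DOMAIN} to {href_domain}")
    return reasons


def is_suspicious(sender, subject, html_body, threshold=2):
    """Treat a message with at least `threshold` warning signs as phishing."""
    return len(phishing_indicators(sender, subject, html_body)) >= threshold


# Two constructed messages: one phishing attempt and one legitimate notice.
PHISH = (
    "helpdesk@elon-support-mail.com",
    "Action required: validate your Elon account",
    '<p>Your mailbox will be suspended within 24 hours. Please visit '
    '<a href="http://login.elon-support-mail.com/verify">http://my.elon.edu/verify</a> '
    'and enter your username and password to validate your account information, '
    'or call 800-555-0199.</p>',
)
LEGIT = (
    "helpdesk@elon.edu",
    "Scheduled email maintenance on Saturday",
    '<p>Email will be unavailable from 2 to 4 a.m. No action is needed. '
    'Details: <a href="https://it.elon.edu/maintenance">it.elon.edu/maintenance</a></p>',
)

if __name__ == "__main__":
    for msg in (PHISH, LEGIT):
        print(msg[1], "->", phishing_indicators(*msg))
```

The heuristic is deliberately conservative: a single sign (a legitimate newsletter linking off-domain, say) does not trip it, while the constructed phishing sample trips all six checks.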

7. Polymorphic Virus

8. Spam

9. Spoofing

- Caller ID spoofing
- E-mail spoofing
- IP address spoofing
- Protocol spoofing, a technique to increase performance in data communications
- Referrer spoofing, a type of spoofing attack
- SMS spoofing
- Spoofing attack, falsifying data on a telecommunications network
- Spoofing (anti-piracy measure), a technique to curb unlawful online downloading
- Website spoofing

10. Zombie / Zombie Drone

In computer science, a zombie is a computer connected to the Internet that has been compromised by a hacker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.

Zombies have been used extensively to send e-mail spam; as of 2005, an estimated 50 to 80% of all spam worldwide was sent by zombie computers. This allows spammers to avoid detection and presumably reduces their bandwidth costs, since the owners of zombies pay for their own bandwidth. This spam also greatly furthers the spread of Trojan horses, as Trojans are not self-replicating. They rely on the movement of e-mails or spam to grow, whereas worms can spread by other means. For similar reasons zombies are also used to commit click fraud against sites displaying pay-per-click advertising. Others can host phishing or money mule recruiting websites. Zombies can be used to conduct distributed denial-of-service attacks, a term which refers to the orchestrated flooding of target websites by large numbers of computers at once. The large number of Internet users making simultaneous requests of a website's server is intended to result in crashing and the prevention of legitimate users from accessing the site. A variant of this type of flooding is known as distributed degradation-of-service. Committed by "pulsing" zombies, distributed degradation-of-service is the moderated and periodic flooding of websites, done with the intent of slowing down rather than crashing a victim site. The effectiveness of this tactic springs from the fact that intense flooding can be quickly detected and remedied, but pulsing zombie attacks and the resulting slow-down in website access can go unnoticed for months and even years.

11. DOS

Denial-of-service attack

(Figure: DDoS Stacheldraht attack diagram.)

In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. This technique has also seen extensive use in online games, by server owners or disgruntled competitors. Increasingly, DoS attacks have also been used as a form of resistance. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, consuming its resources so that it can no longer provide its intended service, or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. Denial-of-service attacks are considered violations of the Internet Architecture Board's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.

Symptoms and manifestations

The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of denial-of-service attacks to include:

1. Unusually slow network performance (opening files or accessing web sites)
2. Unavailability of a particular web site
3. Inability to access any web site
4. Dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb)[3]
5. Disconnection of a wireless or wired Internet connection

Denial-of-service attacks can also lead to problems in the network 'branches' around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by an attack, compromising not only the intended computer, but also the entire network or other computers on the LAN.[4] If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be compromised without the attacker's knowledge or intent by incorrectly configured or flimsy network infrastructure equipment.

Methods of attack

A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DoS attacks: those that crash services and those that flood services. A DoS attack can be perpetrated in a number of ways. The five basic types of attack are:

1. Consumption of computational resources, such as bandwidth, disk space, or processor time.
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP sessions.
4. Disruption of physical network components.
5. Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

A DoS attack may include execution of malware intended to:

1. Max out the processor's usage, preventing any work from occurring.
2. Trigger errors in the microcode of the machine.
3. Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up.
4. Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. using up all available facilities so that no real work can be accomplished, or crashing the system itself.
5. Crash the operating system itself.

In most cases DoS attacks involve forging of IP sender addresses (IP address spoofing) so that the location of the attacking machines cannot easily be identified and to prevent filtering of the packets based on the source address.

Methods of attack

1. Internet Control Message Protocol (ICMP) flood
2. (S)SYN flood
3. Teardrop attacks
4. Low-rate denial-of-service attacks
5. Peer-to-peer attacks
6. Asymmetry of resource utilization in starvation attacks
7. Permanent denial-of-service attacks
8. Application-level floods
9. Nuke
10. OWASP HTTP Post Denial of Service Tool
11. R-U-Dead-Yet? (RUDY)
12. Slow Read attack
13. Distributed attack
14. Reflected / spoofed attack
15. Telephony denial of service
16. Unintentional denial of service
17. Denial-of-Service Level II

Handling

Defensive responses to denial-of-service attacks typically involve the use of a combination of attack detection, traffic classification and response tools, aiming to block traffic that they identify as illegitimate and allow traffic that they identify as legitimate.[25] A list of prevention and response tools is provided below:

1. Firewalls
2. Switches
3. Routers
4. Application front end hardware
5. IPS based prevention
6. DDS based defense
7. Blackholing and sinkholing
8. Clean pipes

Firewalls

Firewalls can be set up to have simple rules to allow or deny protocols, ports or IP addresses. In the case of a simple attack coming from a small number of unusual IP addresses, for instance, one could put up a simple rule to drop all incoming traffic from those attackers. More complex attacks will however be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port because doing so will prevent the server from serving legitimate traffic. Additionally, firewalls may be too deep in the network hierarchy. Routers may be affected before the traffic gets to the firewall. Nonetheless, firewalls can effectively prevent users from launching simple flooding-type attacks from machines behind the firewall.

Some stateful firewalls, like OpenBSD's pf(4) packet filter, can act as a proxy for connections: the handshake is validated (with the client) instead of simply forwarding the packet to the destination. It is available for other BSDs as well. In that context, it is called "synproxy".

Switches

Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and bogon filtering (bogus IP filtering) to detect and remediate denial-of-service attacks through automatic rate filtering and WAN link failover and balancing.

Routers

Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack. Cisco IOS has features that help prevent flooding.

Application front end hardware

Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous.

IPS based prevention

Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks. An ASIC-based IPS may detect and block denial-of-service attacks because it has the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern to determine if there is a traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.

DDS based defense

More focused on the problem than an IPS, a DoS Defense System (DDS) is able to block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of death) and rate-based attacks (such as ICMP floods and SYN floods).

Blackholing and sinkholing

With blackholing, all the traffic to the attacked DNS name or IP address is sent to a "black hole" (null interface or a non-existent server). To be more efficient and avoid affecting network connectivity, it can be managed by the ISP.

Sinkholing routes traffic to a valid IP address which analyzes traffic and rejects bad packets. Sinkholing is not efficient for the most severe attacks.

Clean pipes

All traffic is passed through a "cleaning center" or a "scrubbing center" via various methods such as proxies, tunnels or even direct circuits, which separates "bad" traffic (DDoS and also other common Internet attacks) and only sends good traffic beyond to the server. The provider needs central connectivity to the Internet to manage this kind of service unless they happen to be located within the same facility as the "cleaning center" or "scrubbing center". Prolexic, Tata Communications, AT&T and Verisign are examples of providers of this service.
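The rate-based detection described under IPS based prevention, and the "simple rule to drop all incoming traffic from those attackers" described under Firewalls, can be shown end to end on a small flow log. The following is an added example written for this page, not code from the original notes or from any IPS product: it counts SYN-only packets per source over a short window (to catch a flood) and over a longer window (to catch the periodic "pulsing" pattern described earlier under Zombie), and renders a pf-style block rule for each flagged source. The thresholds, the log format and the three simulated sources are constructed assumptions.

```python
from collections import defaultdict, deque

# Detection thresholds are illustrative assumptions, not values from the page.
BURST_WINDOW = 1.0        # seconds
BURST_LIMIT = 50          # SYN-only packets from one source inside BURST_WINDOW
SUSTAINED_WINDOW = 60.0   # seconds
SUSTAINED_LIMIT = 200     # SYN-only packets from one source inside SUSTAINED_WINDOW


def build_sample_log():
    """Construct flow-log lines of the form '<seconds> <src-ip> <dst-port> <tcp-flags>'.

    Three sources are simulated: a normal client, a flooding source, and a
    "pulsing" source whose bursts each stay below the burst threshold.
    """
    lines = []
    for i in range(5):                       # normal client: 5 SYNs over 40 s
        lines.append(f"{i * 10.0:.3f} 198.51.100.7 80 S")
    for i in range(200):                     # flood: 200 SYNs inside one second
        lines.append(f"{20.0 + i * 0.005:.3f} 203.0.113.9 80 S")
    for burst in range(12):                  # pulsing: 30 SYNs every 5 s for a minute
        for i in range(30):
            lines.append(f"{burst * 5.0 + i * 0.01:.3f} 192.0.2.44 80 S")
    lines.append("21.000 198.51.100.7 80 A")  # a plain ACK: not counted at all
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


def detect(lines, burst_window=BURST_WINDOW, burst_limit=BURST_LIMIT,
           sustained_window=SUSTAINED_WINDOW, sustained_limit=SUSTAINED_LIMIT):
    """Flag sources whose SYN-only rate crosses either sliding-window limit.

    Returns {source_ip: ["burst"], ["sustained"] or both}. Sources that never
    cross a limit are absent, so legitimate traffic keeps flowing untouched.
    """
    recent = defaultdict(deque)      # per source: timestamps inside the burst window
    longer = defaultdict(deque)      # per source: timestamps inside the sustained window
    verdicts = defaultdict(set)
    for line in lines:
        ts, src, _dport, flags = line.split()
        if flags != "S":             # only half-open (SYN-only) packets are rate-checked
            continue
        ts = float(ts)
        for queue, window, limit, label in (
            (recent[src], burst_window, burst_limit, "burst"),
            (longer[src], sustained_window, sustained_limit, "sustained"),
        ):
            queue.append(ts)
            while ts - queue[0] > window:   # expire timestamps outside the window
                queue.popleft()
            if len(queue) >= limit:
                verdicts[src].add(label)
    return {src: sorted(labels) for src, labels in verdicts.items()}


def drop_rules(verdicts):
    """Render one pf(4)-style rule per flagged source, the text's 'simple rule'."""
    return [f"block drop in quick from {src}" for src in sorted(verdicts)]


if __name__ == "__main__":
    flagged = detect(build_sample_log())
    for src, labels in flagged.items():
        print(src, ", ".join(labels))
    print("\n".join(drop_rules(flagged)))
```

The pulsing source never exceeds 30 SYNs in any one-second window, so only the 60-second counter catches it; this is the detection gap the earlier Zombie section describes, and why a single short-window threshold is not enough.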
12. Trojan Horse

Information Security Services

Types of Cyber Attacks

E-commerce Security

What is e-Commerce?

e-Commerce refers to the exchange of goods and services over the Internet. All major retail brands have an online presence, and many brands have no associated bricks-and-mortar presence. However, e-Commerce also applies to business-to-business transactions, for example, between manufacturers and suppliers or distributors. In the online retail space, there are a number of models that retailers can adopt. Traditionally, the Web presence has been kept distinct from the bricks-and-mortar presence, so transactions were limited to buying online and delivering the goods or services. The online presence is also important for researching a product that a customer can purchase later in the store. Recently, there has been a trend towards multi-channel retail, allowing new models such as purchasing online and picking up in store. e-Commerce systems are also relevant for the services industry. For example, online banking and brokerage services allow customers to retrieve bank statements online, transfer funds, pay credit card bills, apply for and receive approval for a new mortgage, buy and sell securities, and get financial guidance and information.

Security overview

A secure system accomplishes its task with no unintended side effects. Using the analogy of a house to represent the system, suppose you decide to carve out a piece of your front door to give your pets easy access to the outdoors. However, the hole is too large, giving access to burglars. You have created an unintended side effect and, therefore, an insecure system. In the software industry, security has two different perspectives. In the software development community, it describes the security features of a system. Common security features are ensuring passwords that are at least six characters long and encryption of sensitive data. For software consumers, it is protection against attacks rather than specific features of the system. Your house may have the latest alarm system and windows with bars, but if you leave your doors unlocked, despite the number of security features your system has, it is still insecure. Hence, security is not a number of features, but a system process. The weakest link in the chain determines the security of the system. In this article, we focus on possible attack scenarios in an e-Commerce system and provide preventive strategies, including security features, that you can implement.

Security has three main concepts: confidentiality, integrity, and availability. Confidentiality allows only authorized parties to read protected information. For example, if the postman reads your mail, this is a breach of your privacy. Integrity ensures data remains as is from the sender to the receiver. If someone added an extra bill to the envelope which contained your credit card bill, he has violated the integrity of the mail. Availability ensures you have access and are authorized to use resources. If the post office destroys your mail or the postman takes one year to deliver your mail, he has impacted the availability of your mail.

The players

In a typical e-Commerce experience, a shopper proceeds to a Web site to browse a catalog and make a purchase. This simple activity illustrates the four major players in e-Commerce security. One player is the shopper who uses his browser to locate the site. The site is usually operated by a merchant, also a player, whose business is to sell merchandise to make a profit. As the merchant's business is selling goods and services, not building software, he usually purchases most of the software to run his site from third-party software vendors. The software vendor is the last of the three legitimate players. The attacker is the player whose goal is to exploit the other three players for illegitimate gains. Figure 2 illustrates the players in a shopping experience.

Figure 2. The players

The attacker can besiege the players and their resources with various damaging or benign schemes that result in system exploitation. Threats and vulnerabilities are classified under confidentiality, integrity, and availability. A threat is a possible attack against a system. It does not necessarily mean that the system is vulnerable to the attack. An attacker can threaten to throw eggs against your brick house, but it is harmless. A vulnerability is a weakness in the system, but it is not necessarily known by the attacker. For example, only you know that you have left your front door unlocked. Vulnerabilities exist at entry and exit points in the system. In a house, the vulnerable points are the doors and windows. When the burglar who threatens to break into your house finds the unlocked door, he exploits that vulnerability to get at the assets inside.

Security features

While security features do not guarantee a secure system, they are necessary to build a secure system. Security features fall into four categories:
1. Authentication: Verifies that you are who you say you are. It ensures that you are the only one allowed to log on to your Internet banking account.
2. Authorization: Allows only you to manipulate your resources, and only in specific ways. This prevents you from increasing the balance of your account or deleting a bill.
3. Encryption: Deals with information hiding. It ensures that others cannot spy on your Internet banking transactions.
4. Auditing: Keeps a record of operations. Merchants use auditing to prove that you bought a specific item.

The criminal incentive

Attacks against e-Commerce Web sites are so alarming that they follow right after violent crimes in the news. Practically every month, there is an announcement of an attack on a major Web site in which sensitive information is obtained. Why is e-Commerce vulnerable? Is e-Commerce software more insecure than other software? Did the number of criminals in the world increase? The developers producing e-Commerce software are pulled from the same pool of developers as those who work on other software. In fact, this relatively new field attracts top talent. Therefore, the quality of the software being produced is roughly the same as that of other products. The criminal population did not undergo a sudden explosion, but the incentives of an e-Commerce exploit are a bargain compared to other illegal opportunities. Compared to robbing a bank, the tools necessary to perform an attack on the Internet are fairly cheap. The criminal only needs access to a computer and an Internet connection. On the other hand, a bank robbery may require firearms, a getaway car, and tools to crack a safe, and these may still not be enough. Hence, the low cost of entry attracts the broader criminal population to e-Commerce sites. The payoff of a successful attack is enormous. If you were to take a penny from every account at any one of the major banks, it would easily amount to several million dollars. The local bank robber optimistically expects a windfall in the tens of thousands of dollars, since bank branches do not keep a lot of cash on hand. The majority of the money is represented in bits and bytes sitting on a hard disk or zipping through a network.

While the local bank robber is restricted to the several branches in his region, his online counterpart can choose from the thousands of banks with an online operation. The online bank robber can rob a bank in another country, taking advantage of the absence of extradition agreements between the country where the attack originates and the country where it is aimed. An attack on a bank branch requires careful planning and precautions to ensure that the criminal does not leave a trail. He ensures the getaway car is not easily identifiable after the robbery. He cannot leave fingerprints or have his face captured on the surveillance cameras. If he performs his actions on the Internet, he can easily make himself anonymous and the source of the attack hard to trace. The local bank robber obtains detailed building maps and city maps of his target. His online counterpart easily and freely finds information on hacking and cracking. He uses different sets of tools and techniques every day to target an online bank.

Points the attacker can target

As mentioned, the vulnerabilities of a system exist at its entry and exit points. Figure 3 shows an e-Commerce system with several points that the attacker can target:
1. Shopper
2. Shopper's computer
3. Network connection between shopper and Web site's server
4. Web site's server
5. Software vendor

Figure 3. Points the attacker can target

These target points and their exploits are explored later in this article.

Attacks

This section describes potential attack methods used by an attacker or hacker.

Tricking the shopper

Some of the easiest and most profitable attacks are based on tricking the shopper, also known as social engineering. These attacks involve surveillance of the shopper's behavior, gathering information to use against the shopper. For example, a mother's maiden name is a common challenge question used by numerous sites. If one of these sites is tricked into giving away a password once the challenge question is answered, then not only has this site been compromised, but it is also likely that the shopper used the same logon ID and password on other sites. A common scenario is that the attacker calls the shopper, pretending to be a representative from a site the shopper has visited, and extracts information. The attacker then calls a customer service representative at the site, posing as the shopper and providing the personal information, and asks for the password to be reset to a specific value. Another common form of social engineering attack is the phishing scheme. Typosquatters ("typo pirates") play on the names of famous sites to collect authentication and registration information. For example, http://www.ibm.com/shop is registered by the attacker as www.ibn.com/shop. A shopper mistypes the address, enters the illegitimate site, and provides confidential information. Alternatively, the attacker sends emails spoofed to look like they came from legitimate sites. The link inside the email leads to a rogue site that collects the information.

Snooping the shopper's computer

Millions of computers are added to the Internet every month. Most users' knowledge of the security vulnerabilities of their systems is vague at best. Additionally, software and hardware vendors, in their quest to ensure that their products are easy to install, ship products with security features disabled. In most cases, enabling security features requires a non-technical user to read manuals written for the technologist. The confused user does not attempt to enable the security features.
This creates a treasure trove for attackers. A popular technique for gaining entry into the shopper's system is to use a tool, such as SATAN, to perform port scans that detect entry points into the machine. Based on the open ports found, the attacker can use various techniques to gain entry into the user's system. Upon entry, they scan the file system for personal information, such as passwords. While the software and hardware security solutions available do protect the public's systems, they are not silver bullets. A user who purchases firewall software to protect his computer may find that it conflicts with other software on his system. To resolve the conflict, the user disables enough capabilities to render the firewall useless.

Sniffing the network

In this scheme, the attacker monitors the data between the shopper's computer and the server. He collects data about the shopper or steals personal information, such as credit card numbers. There are points in the network where this attack is more practical than others. For an attacker sitting in the middle of the Internet, the attack is comparatively impractical. A request from the client to the server is broken up into small pieces, known as packets, as it leaves the client's computer and is reconstructed at the server. The packets of a request may be sent over different routes, so an attacker on a single core link is not guaranteed to see every packet, and cannot reassemble the message if he does not. (In practice the packets of one connection usually do follow the same path, so the real obstacle is that transit links are far harder for an attacker to gain access to than the links at either end.)

Take the example of a shopper in Toronto purchasing goods from a store in Los Angeles. Some packets for a request are routed through New York, while others are routed through Chicago. A more practical location for this attack is near the shopper's computer or near the server. Wireless access points make the shopper's end the better choice, because most were shipped with security features disabled, which lets an attacker easily capture the unencrypted traffic from the user's computer.

Figure 4. Attacker sniffing the network between client and server

Guessing passwords

Another common attack is to guess a user's password. This style of attack is manual or automated. Manual attacks are laborious, and only successful if the attacker knows something about the shopper, for example, that the shopper uses their child's name as the password. Automated attacks have a higher likelihood of success, because the probability of guessing a user ID/password becomes more significant as the number of tries increases. Tools exist that try every word in the dictionary as a password, or that try popular user ID/password combinations. The attacker can automate the attack to go against multiple sites at one time.

Using denial of service attacks

The denial of service (DoS) attack is one of the best examples of an attack on site availability. It involves getting the server to perform a large number of mundane tasks, exceeding the capacity of the server to cope with any other task. For example, if everyone in a large meeting asks you your name all at once, and every time you answer they ask you again, you have experienced a personal denial of service attack. To ask a computer whether it is reachable, you use ping, and ping can be used to build an effective DoS attack. The smart attacker gets the server to use more computational resources in processing each request than the attacker spends generating it. Distributed DoS (DDoS) is a type of attack used on popular sites, such as Yahoo!. In this type of attack, the hacker infects computers on the Internet via a virus or other means. The infected computers become slaves of the hacker. At a predetermined time, the hacker directs them to bombard the target server with useless but resource-intensive requests. This attack not only causes the target site to experience problems, but also affects the rest of the Internet as the flood of packets is routed via many different paths to the target.

Figure 5. Denial of service attacks

Using known server bugs

The attacker analyzes the site to find what types of software are used on it. He then proceeds to find what patches were issued for the software. Additionally, he searches for ways to exploit a system without the patch. He proceeds to try each of the exploits. The sophisticated attacker finds a weakness in a similar type of software, and tries to use that to exploit the system. This is a simple but effective attack. With millions of servers online, what is the probability that a system administrator forgot to apply a patch?

Using server root exploits

Root exploits refer to techniques that gain super user access to the server. This is the most coveted type of exploit because the possibilities are limitless. When you attack a shopper or his computer, you can only affect one individual. With a root exploit, you gain control of the merchant's and all the shoppers' information on the site. There are two main types of root exploits: buffer overflow attacks and executing scripts against a server. In a buffer overflow attack, the hacker takes advantage of a specific type of program bug involving the allocation of storage during program execution. The technique involves tricking the server into executing code written by the attacker. The other technique uses knowledge of the scripts that are executed by the server, which is easily and freely found in the programming guides for the server. The attacker constructs script or query fragments in the URL of his browser to retrieve information from the server. This technique is frequently used when the attacker is trying to retrieve data from the server's database; injection of SQL through a URL parameter is the classic case.

Defenses

Despite the existence of hackers and crackers, e-Commerce remains a safe and secure activity. The resources available to large companies involved in e-Commerce are enormous. These companies will pursue every legal route to protect their customers. Figure 6 shows a high-level illustration of the defenses available against attacks.

Figure 6. Attacks and their defenses
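The database attack described under "Using server root exploits" (query fragments placed in a URL parameter) is, in today's terms, SQL injection, and its defense belongs in the picture above. What follows is an added example written for this page, not code from the original article or from WebSphere Commerce. It uses Python's built-in sqlite3 module with a constructed orders table to show the vulnerable query beside its parameterized fix; the table, its rows and the attacker's payload are all made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the merchant's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1111"), (3, "carol", "9876")],
    )
    return conn


def orders_vulnerable(conn, customer):
    """The 'customer' value comes straight from a URL parameter such as
    /orders?customer=alice and is glued into the SQL text, so whatever the
    shopper (or attacker) typed becomes part of the query itself."""
    sql = ("SELECT id, customer, card_last4 FROM orders "
           "WHERE customer = '" + customer + "'")
    return conn.execute(sql).fetchall()


def orders_safe(conn, customer):
    """Same lookup with a bound parameter: the driver passes the value
    separately from the statement, so it can never alter the query's
    structure, however many quotes or keywords it contains."""
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# What an attacker would put in the URL: closes the quoted string and
# appends a condition that is always true, so the WHERE clause matches
# every row and returns every shopper's record.
PAYLOAD = "alice' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", orders_vulnerable(db, PAYLOAD))   # all three rows
    print("safe:      ", orders_safe(db, PAYLOAD))         # no such customer: []
```

The fix is the parameter marker, not input filtering: stripping quotes is bypassable (hex literals, comments, second-order payloads) and breaks legitimate names such as O'Brien. Limiting the database account used by the Web tier to the tables it needs bounds what a missed injection can reach.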

At the end of the day, your system is only as secure as the people who use it. Education is the best way to ensure that your customers take appropriate precautions:
1. Install personal firewalls on the client machines.
2. Store confidential information in encrypted form.
3. Encrypt the stream using the Secure Socket Layer (SSL) protocol to protect information flowing between the client and the e-Commerce Web site.
4. Use appropriate password policies, firewalls, and routine external security audits.
5. Use threat model analysis, strict development policies, and external security audits to protect the ISV software running the Web site.

Education

Your system is only as secure as the people who use it. If a shopper chooses a weak password, or does not keep their password confidential, then an attacker can pose as that user. This is especially significant if the compromised password belongs to an administrator of the system. In this case, there is likely physical security involved as well, because the administrator client may not be exposed outside the firewall. Users need to use good judgement when giving out information, and be educated about possible phishing schemes and other social engineering attacks.

Personal firewalls

When you connect your computer to a network, it becomes vulnerable to attack. A personal firewall helps protect your computer by limiting the types of traffic initiated by and directed to your computer. Without one, an intruder who gains entry can also scan the hard drive to find any stored passwords.

Secure Socket Layer (SSL)

Secure Socket Layer (SSL) is a protocol that encrypts data between the shopper's computer and the site's server. (SSL has since been superseded by its successor, Transport Layer Security (TLS); the mechanism described here is the same.) When an SSL-protected page is requested, the browser verifies the server's identity and performs a handshake that establishes the session keys. Now, on subsequent requests to the server, the information flowing back and forth is encrypted so that a hacker sniffing the network cannot read the contents. The SSL certificate is issued to the server by a certificate authority (CA). The browser ships with a list of CAs that its vendor has decided to trust; no government licence is involved. When a request is made from the shopper's browser to the site's server using https://..., the shopper's browser checks whether the site presents a certificate it can validate. If the certificate does not chain to a trusted certificate authority, then the browser issues a warning as shown in Figure 7.

Figure 7. Warning to user

As an end-user, you can determine whether you are using SSL by checking your browser. For example, in Mozilla Firefox, the secure icon is at the top, in the URL entry field, as shown in Figure 8.

Figure 8. Secure icon in Mozilla Firefox

In Microsoft Internet Explorer, the secure icon is at the bottom right of the browser, as shown in Figure 9.

Figure 9. Secure icon in Microsoft Internet Explorer

Server firewalls

A firewall is like the moat surrounding a castle. It ensures that requests can only enter the system through specified ports, and in some cases, ensures that all accesses come only from certain physical machines. A common technique is to set up a demilitarized zone (DMZ) using two firewalls. The outer firewall has ports open that allow inbound and outbound HTTP requests. This allows the client browser to communicate with the server. A second firewall sits behind the e-Commerce servers. This firewall is heavily fortified, and only requests from trusted servers on specific ports are allowed through. Both firewalls use intrusion detection software to detect any unauthorized access attempts. Another common technique used in conjunction with a DMZ is a honey pot server. A honey pot is a resource (for example, a fake payment server) placed in the DMZ to fool the hacker into thinking he has penetrated the inner wall. These servers are closely monitored, and any access by an attacker is detected.

Figure 10. Firewalls and honey pots

Password policies

Ensure that password policies are enforced for shoppers and internal users. A sample password policy, defined as part of the Federal Information Processing Standard (FIPS), is shown in the table below.

Policy                                          Value
Account lockout threshold                       6 attempts
Consecutive unsuccessful login delay            10 seconds
Matching user ID and password                   N (no, they cannot match)
Maximum occurrence of consecutive characters    3 characters
Maximum instances of any character              4 instances
Maximum lifetime of passwords                   180 days
Minimum number of alphabetic characters         1 alphabetic character
Minimum number of numeric characters            1 numeric character
Minimum length of password                      6 characters
Reuse user's previous password                  N (no, cannot be reused)

You may choose to have different policies for shoppers versus your internal users. For example, you may choose to lock out an administrator after 3 failed login attempts instead of 6. These password policies protect against attacks that attempt to guess the user's password. They ensure that passwords are sufficiently strong that they cannot be easily guessed. (The 6-character minimum in the sample policy reflects its age; current guidance such as NIST SP 800-63B calls for at least 8 characters and drops forced periodic expiry in favour of screening new passwords against lists of known-breached ones.) The account lockout capability ensures that an automated scheme cannot make more than a few guesses before the account is locked.

Intrusion detection and audits of security logs

One of the cornerstones of an effective security strategy is to prevent attacks and to detect potential attackers. Detection helps you understand the nature of the system's traffic, and serves as a starting point for litigation against the attackers. Suppose that you have implemented a password policy, such as the FIPS policy described in the section above. If a shopper makes 6 failed logon attempts, then his account is locked out. In this scenario, the company sends an email to the customer, informing him that his account is locked. This event should also be logged in the system, either by sending an email to the administrator, writing the event to a security log, or both. You should also log any attempted unauthorized access to the system. If a user logs on and attempts to access resources that he is not entitled to see, or performs actions that he is not entitled to perform, this may indicate that the account has been co-opted and should be locked out. Analysis of the security logs can detect patterns of suspicious behavior, allowing the administrator to take action. In addition to security logs, use business auditing to monitor activities such as payment processing. You can monitor and review these logs to detect patterns of inappropriate interaction at the business process level. The infrastructure for business auditing and security logging is complex, and will most likely come as part of any middleware platform selected to host your site.
WebSphere Commerce, for example, has extensive capabilities in this area.

Site development best practices

This section describes best practices you can implement to help secure your site.

Security policies and standards

There are many established policies and standards for avoiding security issues. However, they are not required by law. Some basic rules include:
Never store a user's password in plain text or in reversibly encrypted form on the system. Instead, store the output of a one-way hash function, computed with a per-user salt and a deliberately slow algorithm, so that passwords cannot be extracted even if the store is stolen.
Employ external security consultants (ethical hackers) to analyze your system.
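The rule on password storage above, the sample password policy table, and the lockout and retry-delay behaviour described under "Intrusion detection and audits of security logs" fit naturally into one registration-and-login routine. The following is an added example written for this page, not code from the article or from WebSphere Commerce. It uses only Python's standard library, keeps the user table in memory, and chooses PBKDF2-HMAC-SHA256 with 200,000 iterations as its slow hash (an assumption; the page names no algorithm). The login takes an explicit clock value so the 10-second delay can be exercised without waiting.

```python
import hashlib
import hmac
import os
import re
import time

# Values taken from the sample FIPS-style policy table above.
LOCKOUT_THRESHOLD = 6      # failed attempts before the account is locked
LOGIN_DELAY = 10.0         # seconds between consecutive unsuccessful attempts
MIN_LENGTH = 6
MIN_ALPHA = 1
MIN_DIGITS = 1
MAX_CONSECUTIVE = 3        # "aaa1" is allowed, "aaaa1" is not
MAX_INSTANCES = 4          # no single character more than 4 times in total

PBKDF2_ROUNDS = 200_000    # assumption: slow enough to blunt offline guessing


def check_policy(user_id, password):
    """Return the policy rules the password violates (empty list means ok)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(c.isalpha() for c in password) < MIN_ALPHA:
        problems.append("needs an alphabetic character")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append("needs a numeric character")
    if password.lower() == user_id.lower():
        problems.append("must not match user ID")
    # a character followed by MAX_CONSECUTIVE more copies of itself
    if re.search(r"(.)\1{%d,}" % MAX_CONSECUTIVE, password):
        problems.append("too many consecutive repeats")
    if any(password.count(c) > MAX_INSTANCES for c in set(password)):
        problems.append("a character appears too often")
    return problems


def hash_password(password, salt=None):
    """Salted, slow one-way hash; returns (salt, digest). A fresh random salt
    per user means two users with the same password store different values."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    """In-memory user table: only salt and hash are kept, never the password."""

    def __init__(self):
        self.users = {}

    def register(self, user_id, password):
        problems = check_policy(user_id, password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt, digest = hash_password(password)
        self.users[user_id] = {"salt": salt, "hash": digest, "failures": 0,
                               "locked": False, "retry_after": 0.0}

    def login(self, user_id, password, now=None):
        """Returns 'ok', 'bad credentials', 'delayed' or 'locked'."""
        now = time.monotonic() if now is None else now
        rec = self.users.get(user_id)
        if rec is None:
            return "bad credentials"       # same answer as a wrong password
        if rec["locked"]:
            return "locked"
        if now < rec["retry_after"]:
            return "delayed"               # policy: 10 s between failed tries
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]):   # constant-time compare
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        rec["retry_after"] = now + LOGIN_DELAY
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked"] = True           # here: email the shopper, log the event
            return "locked"
        return "bad credentials"
```

Two details matter in practice. The unknown-user branch returns the same message as a wrong password so the login form does not confirm which IDs exist (a production version would also run the hash on a dummy record so the two paths take the same time). And the lockout counter is per account, which is exactly what the page's policy asks for, but it also means an attacker can lock out a victim on purpose; pairing it with per-source rate limiting is the usual compromise.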

Standards, such as the Federal Information Processing Standard (FIPS), describe guidelines for implementing features. For example, FIPS makes recommendations on password policies.
Ensure that a sufficiently robust encryption algorithm, such as triple DES or AES, is used to encrypt all confidential information stored on the system. (Of the two, AES is the current choice; triple DES has since been deprecated for new designs.)
When developing third-party software for e-Commerce applications, use external auditors to verify that appropriate processes and techniques are being followed.
Recently, there has been an effort to consolidate these best practices as the Common Criteria for IT Security Evaluation (CC). CC seems to be gaining traction. It is directly applicable to the development of specific e-Commerce sites and to the development of third-party software used as infrastructure in e-Commerce sites. Security best practices remain largely an art rather than a science, but there are some good guidelines and standards that all developers of e-Commerce software should follow.

Using cookies

One of the issues faced by Web site designers is maintaining a secure session with a client over subsequent requests. Because HTTP is stateless, unless some kind of session token is passed back and forth on every request, the server has no way to link together requests made by the same person. Cookies are a popular mechanism for this. An identifier for the user or session is stored in a cookie and read on every request. You can also use cookies to store user preference information, such as language and currency. This simplifies Web page development because you do not have to be concerned about passing this information back to the server. The primary use of cookies is to store authentication and session information, along with your information and your preferences. A secondary and controversial use of cookies is to track the activities of users.
The different types of cookies are:
Temporary cookies: These are valid only for the lifetime of your current session, and are deleted when you close your browser. These are usually the good type. They are mostly used to keep your session information.
Permanent cookies: These remain on the shopper's computer for a time period specified by the site. They recall your previous session information.
Server-only cookies: These are usually harmless, and are only used by the server that issued them.
Third-party cookies: These are usually used for tracking purposes by a site other than the one you are visiting. Your browser or a P3P policy can filter these cookies.
If you do not want to use cookies, here are the alternatives:
Send user ID/password on every request: This was popular 5-10 years ago, but is now recognized as an insecure technique. The user ID/password flowing under non-SSL is susceptible to attack. This alternative is not practical for a high volume site, because pages that run under SSL would slow down site performance.
SSL client side authentication: This is the most secure, but it is cumbersome for shoppers to install on their browsers. You have to pay a company to verify who you are and to issue a certificate. The popularity of this technique for client-side authentication has decreased in recent years. Certificates remain universal on the server side.
URL rewriting: This is a popular alternative to cookies. Each HTTP link on the page is specially encoded, but it is expensive for the site to implement. It interferes with the performance of the site because the pages cannot be cached and reused for different users. This alternative is susceptible to attack if it is not used under SSL, and session identifiers embedded in URLs also leak through browser history, bookmarks and Referer headers.
Cookies marked Secure (sent by the browser only over SSL connections) and HttpOnly (not readable by scripts in the page), carrying an unguessable session identifier or a signed token rather than the user's data in the clear, remain the most popular method of providing a secure online experience.

Using threat models to prevent exploits

When architecting and developing a system, it is important to use threat models to identify all possible security threats to the server. Think of the server like your house. It has doors and windows to allow for entry and exit. These are the points that a burglar will attack. A threat model seeks to identify these points in the server and to develop possible attacks. Threat models are particularly important when relying on a third-party vendor for all or part of the site's infrastructure. This ensures that the suite of threat models is complete and up-to-date.

Figure 11. Threat models
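A session cookie of the kind the cookie section recommends, as an added example written for this page (not the article's own code, nor WebSphere Commerce's): the cookie value is a signed token carrying the user and an expiry, so a shopper who edits it is detected before anything is trusted, and it is issued with the Secure, HttpOnly and SameSite attributes. The server key, the 30-minute lifetime, the cookie name and the user names are assumptions for the demonstration; the signing key would normally live in configuration, not in the source.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumption: server-side secret, never sent to clients
SESSION_TTL = 30 * 60                  # assumption: 30-minute sessions


def _sign(payload):
    """HMAC-SHA256 over the payload, hex encoded. Without a valid tag a
    forged or edited cookie is rejected before its contents are used."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def create_session(user_id, now=None):
    """Return the Set-Cookie header value for a freshly logged-in user."""
    if "|" in user_id:
        raise ValueError("user id must not contain the field separator")
    now = time.time() if now is None else now
    # user | absolute expiry | random nonce, so two logins never share a token
    payload = "%s|%d|%s" % (user_id, int(now) + SESSION_TTL, secrets.token_hex(16))
    value = payload + "." + _sign(payload)
    # Secure: sent only over SSL/TLS.  HttpOnly: invisible to page scripts.
    # SameSite=Lax: not attached to cross-site POSTs.  No Max-Age/Expires
    # makes this a temporary cookie that dies with the browser session.
    return "session=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % value


def parse_cookie_header(header):
    """Turn a request's Cookie header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name] = val
    return cookies


def authenticate(cookie_header, now=None):
    """Return the user id behind a valid session cookie, or None."""
    now = time.time() if now is None else now
    value = parse_cookie_header(cookie_header).get("session")
    if not value or "." not in value:
        return None
    payload, tag = value.rsplit(".", 1)
    if not hmac.compare_digest(tag, _sign(payload)):
        return None                        # tampered with, or never ours
    user_id, expires, _nonce = payload.split("|")
    if now > int(expires):
        return None                        # stale token: force a new login
    return user_id


def logout():
    """Set-Cookie value that makes the browser discard the session cookie."""
    return "session=; Max-Age=0; Secure; HttpOnly; SameSite=Lax; Path=/"
```

The trade-off in this stateless design is revocation: the server cannot cancel a token before its expiry, and logout only asks the browser to drop it. Where forced logout matters (a stolen token, an administrator account), keep a random session id in a server-side table instead, or alongside the signed token, so the entry can be deleted.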

Responding to security issues

An effective overall security strategy is to be prepared when vulnerabilities are detected. This also means ensuring that the software vendors selected for all or part of the site's infrastructure have proactive and reactive policies for handling security issues. In the case of WebSphere Commerce, we can quickly form a SWAT team with key developers, testers, and support personnel. This becomes the highest priority for all involved parties. An assessment is made immediately, usually within the first few hours, to determine the vulnerability of the merchants' sites. A workaround or permanent solution is developed for the affected sites within a day. Then a "flash" is issued to all customers to notify them of the problem, the solution, and how to check whether they have been exploited. For critical issues, no one leaves until there is a solution.

Using an online security checklist

Use this security checklist to protect yourself as a shopper:
Whenever you log on, register, or enter private information, such as credit card data, ensure your browser is communicating with the server using SSL.
Do not shop at a site when the browser does not recognize the server's SSL certificate. This check is done by your browser the first time your URL becomes HTTPS for the site. If the certificate is not recognized, then your browser presents a pop-up message to inform you.
Use a password of at least 6 characters (longer is better), and ensure that it contains some numeric and special characters (for example, c0113g3).
Avoid reusing the same user ID and password at multiple Web sites.
If you are authenticated (logged on) to a site, always log off after you finish.

Use a credit card for online purchases. Most credit card companies will help you with non-existent or damaged products.
A bricks and mortar store with an online brand is most likely a legitimate site. However, the site may still have vulnerabilities.

Security Technologies and Infrastructures for Electronic Commerce Systems

The Role of Security for E-commerce

E-commerce has many standardized security services. These services deal with the control and flow of information so that the information's integrity remains as its originator intended. These services protect E-commerce transactions by providing:

Authentication: Identities such as users, computers, and files can be uniquely identified.
Control of Access: Controlling unwanted access to realms of the internetwork.
Data Confidentiality: Protection of privacy.
Data Integrity Assurance: Protection of data from modification.
Transaction Non-Repudiation: Reliability of transactions; a party cannot later deny having taken part in one.

These security services are provided to ensure basic E-commerce requirements. Security services provide a way for safe, authentic, and reliable communications between two or more parties. Security not only requires that the information stays within the communicating parties but also that it can be verified and noted as authentic. Signing of contracts, registration of mail, disclosures, anonymity, and authorization schemes of the real world must be replicable in the electronic world.

Basic Principles of Network Security

Encryption is generally done with secret key cryptography. Several schemes exist, and they are only as strong as the ciphers they use and the keys they generate. However, providing a secret key by itself is not enough; a strong backbone system must be in place to offset the weaknesses of individual encryption/decryption efforts. The system involves:
Public Key Cryptography: Providing two keys, an encryption key and a decryption key. One is kept private while the other is used publicly.
Public Key Servers: Must provide a safe place where public keys can be shared but not tampered with.
Certification Authority: Provides the guarantee of authentic keys. A hierarchy can be used to certify keys within the system. You are only as safe as the authority above you that you trust to provide the certification. This is generally a safe mechanism for providing security.

The Concept of Security Platform and Infrastructure

The security platform should allow for heterogeneous platform use. As the networking world grows it encompasses many types of systems that must be hosted. Allowing for all systems ensures that the security mechanism will last. As the E-commerce environment expands, it becomes an even bigger concern for security systems to be installed. An expert reports that only about 3% of credit card use is on the Internet today, and that of this 3%, half is fraudulent usage. As the usage of credit cards increases over time it becomes vastly important to discourage fraudulent use. Installation of a security infrastructure can be used to ensure safety. This infrastructure is a hierarchical approach to security. A role above each grouping of users provides security measures. This continues up a chain until it resolves to a single point of authorization.

Security Requirements for E-commerce Environments

Again, to ensure safety within the E-commerce environment, a structured hierarchy must be used. Such systems exist, for example X.500/Smart Card Registration. A smart card is a device that allows security and personal identification techniques to be carried by a person. This allows personalization and answers the question "who are you?". X.500 is the international (ITU-T) directory standard; its hierarchical naming, together with the X.509 certificates defined alongside it, provides the hierarchical registration of uniquely identified smart cards. Certification in such a system occurs on two levels, local and global. Locally, users are assured safety by certification authorization from the head of their department, group, or system. They are guaranteed security amongst their peers. To provide a worldwide and further-reaching security, a global registration is put into place. The providers of local security are then secured themselves in the same manner. This continues up a tree to a global certification scheme. For this type of system to work efficiently and without disjoint groups, standards must emerge.
Situations involving payments, document exchange, and sensitive information sharing are then highly secured within a standard, very strong security system. The same system may be used for secure financial transactions, supporting business transactions, and personal safety.

Security Solutions

Today many in-place and emerging solutions are providing for a safe Internet world. Some of the more interesting ones rely on cryptographic keys and personalized smart card type technologies. They provide for user authentication and privacy protection. Here are a few systems:

E-Commerce Infrastructure: Providing ways to access credit card information, and transaction control.
E-Commerce Specialized Components, Wallets: Provide safekeeping of customer transactions.
E-Commerce Specialized Components, Merchant Servers: Payments and inquiries.
E-Commerce Specialized Components, Bank Server: Provides for access to all security clearances, registrations, payments, etc.
E-Commerce Specialized Components, Certification Servers: Registration and certifications.
Smart Card Systems: According to one expert, probably the best solution for security and personalization of the Internet. Smart card systems provide a good protection scheme as they take the security issues away from the Internet/PC domain and put them into the person's real-world wallet.

Computer Forensics

Forensics is the process of using scientific knowledge for collecting, analysing, and presenting evidence to the courts. (The word forensic means "pertaining to the court".) Going by this definition, cyber forensics means bringing admissible digital evidence before the court.

Cyber Forensics v. E-Discovery

Despite popular belief, cyber forensics is different from e-discovery, digital recovery or other synonymous terms. Cyber forensics primarily caters to legal requirements, whereas e-discovery meets the requirements of private individuals and organizations. Take the example of a security breach, such as hacking, in an organisation. The management of the organisation decides to trace the origin of this breach. After proper analysis they come to know the source of that breach. Up to this stage it is only e-discovery. The management can take whatever preventive or remedial measures it deems fit. If the management decides to take legal action against the offender, it has to prove the acquired digital evidence before a court of law. Mere e-discovery may not be enough to prove the guilt of the accused, as legal requirements regarding evidence and procedural law must also be complied with. When the e-discovery is law compliant it becomes cyber forensics. Similarly, there are certain laws that require individuals and organisations to exercise cyber law due diligence and statutory cyber law compliance. These requirements may fall either in the category of e-discovery or cyber forensics, depending on the facts and circumstances of each case.

Live v. Dead Forensics

Cyber forensics may be live or dead. Traditionally, cyber forensics investigations were performed after pulling the plug and then imaging the media under investigation. The contemporary practice is to perform live analysis first, to capture useful volatile data (running processes, network connections, memory contents, mounted encrypted volumes) that is lost the moment the computer is turned off or the plug is pulled.
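The "dead" path above (pull the plug, image the media) only yields admissible evidence if the examiner can show later that the image was not altered between acquisition and the courtroom. As an added example written for this page (not from the text it accompanies), the following hashes an image in fixed-size chunks, records the hashes in a manifest alongside case details, and re-verifies the image against that manifest; the single-byte write at the end stands in for an accidental modification of the evidence. The image file, the case and examiner identifiers and the manifest layout are all constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK_SIZE = 1 << 20   # read 1 MiB at a time so multi-gigabyte images stream through


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash one file in a single pass, feeding every chunk to each algorithm.
    Two hashes are customary: sha256 for strength, md5 because older tools
    and existing reports still quote it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path, examiner, case_id):
    """Record what was acquired, by whom, when, and its hashes."""
    manifest = {
        "case": case_id,
        "examiner": examiner,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(image_path, manifest_path):
    """Return (ok, names of algorithms whose hash no longer matches)."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    current = hash_file(image_path, tuple(manifest["hashes"]))
    mismatched = [name for name, value in manifest["hashes"].items()
                  if current[name] != value]
    size_ok = os.path.getsize(image_path) == manifest["size"]
    return (size_ok and not mismatched), mismatched


def demo():
    """Acquire a constructed image, verify it, corrupt one byte, verify again."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")
    manifest = os.path.join(workdir, "evidence.dd.manifest.json")
    with open(image, "wb") as f:                  # constructed stand-in for a disk image
        f.write(b"\x33\xc0\x8e\xd0" + bytes(range(256)) * 16 + b"\x55\xaa")
    write_manifest(image, manifest, examiner="examiner-01", case_id="CASE-0001")
    ok_before, _ = verify_manifest(image, manifest)
    with open(image, "r+b") as f:                 # a single stray write to the evidence
        f.seek(100)
        f.write(b"X")
    ok_after, mismatched = verify_manifest(image, manifest)
    return ok_before, ok_after, mismatched


if __name__ == "__main__":
    print(demo())   # (True, False, ['md5', 'sha256'])
```

In practice the source drive is hashed through a hardware write-blocker before imaging and the image is hashed immediately afterwards; a match between the two is what makes the image a faithful copy, and the manifest is only as credible as the acquisition it records. Keep the manifest itself on write-once or signed media, since a tampered image with a re-generated manifest would still verify.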

Cyber Forensics

"The simple definition of computer forensics ... is the art and science of applying computer science to aid the legal process. With the rapid advance in technology it quickly became more than just an art though, and nowadays you can even get a cyber forensics specialization degree on the subject. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and a skill for solving puzzles, which is where the art comes in." - Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006

Thus, it is more than the technological, systematic inspection of the computer system and its contents for evidence or supportive evidence of a civil wrong or a criminal act. Computer forensics requires specialized expertise and tools that go above and beyond the normal data collection and preservation techniques available to end-users or system support personnel. One definition is analogous to "Electronic Evidentiary Recovery, known also as e-discovery, requires the proper tools and knowledge to meet the Court's criteria, whereas Computer Forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence." Another is "a process to answer questions about digital states and events". This process often involves the investigation and examination of computer system(s), including, but not limited to, the acquisition of the data that resides on the media within the computer. The forensic examiner renders an opinion, based upon the examination of the material that has been recovered, and after rendering an opinion and report it can be determined whether the systems are or have been used for criminal, civil or unauthorized activities. Mostly, computer forensics experts investigate data storage devices; these include but are not limited to hard drives and portable data devices (USB drives, external drives, micro drives and many more).
Computer forensics experts:
- Identify sources of documentary or other digital evidence.
- Preserve the evidence.
- Analyze the evidence.
- Present the findings.

Computer forensics is done in a fashion that adheres to the standards of evidence that are admissible in a court of law. Thus, computer forensics must be techno-legal in nature rather than purely technical or purely legal.

Understand the suspects

It is absolutely vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If insufficient information is available to form this opinion, the suspects must be considered to be experts, and should be presumed to have installed countermeasures against forensic techniques. Because of this, it is critical that you appear to the equipment to be as indistinguishable as possible from its normal users until you have shut it down completely, either in a manner which probably prohibits the machine modifying the drives, or in exactly the same way they would. If the equipment contains only a small amount of critical data on the hard drive, for example, software exists to wipe it permanently and quickly if a given action occurs. It is straightforward to link this to the Microsoft Windows "Shutdown" command, for example. However, simply "pulling the plug" isn't always a great idea, either: information stored solely in RAM, or on special peripherals, may be permanently lost. Losing an encryption key stored solely in Random Access Memory, and possibly unknown even to the suspects themselves by virtue of having been automatically generated, may render a great deal of data on the hard drive(s) unusable, or at least extremely expensive and time-consuming to recover.

Electronic evidence considerations

Electronic evidence can be collected from a variety of sources. Within a company's network, evidence will be found in any form of technology that can be used to transmit or store data. Evidence should be collected through three parts of an offender's network: at the workstation of the offender, on the server accessed by the offender, and on the network that connects the two. Investigators can therefore use three different sources to confirm the data's origin. Like any other piece of evidence used in a case, the information generated as the result of a computer forensics investigation must follow the standards of admissible evidence. Special care must be taken when handling a suspect's files; dangers to the evidence include viruses, electromagnetic or mechanical damage, and even booby traps. There are a handful of cardinal rules that are used to ensure that the evidence is not destroyed or compromised:
- Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability. In order to verify that a tool is forensically sound, it should be tested in a mock forensic examination to verify its performance. There are government agencies, such as the Defense Cyber Crime Institute, that accept requests to test specific digital forensic tools and methods for governmental agencies, law enforcement organizations, or vendors of digital forensic products at no cost to the requestor.
- Handle the original evidence as little as possible to avoid changing the data.
- Establish and maintain the chain of custody.
- Document everything done.
- Never exceed personal knowledge.

If such steps are not followed the original data may be changed, ruined or become tainted, and so any results generated will be challenged and may not hold up in a court of law. Other things to take into consideration are:
- The time that business operations are inconvenienced.
- How sensitive information which is unintentionally discovered will be handled.

In any investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in most criminal cases), special care must be taken to ensure that you as the forensic specialist have legal authority to seize, image, and examine each device.

Besides having the case thrown out of court, the examiner may find him or herself on the wrong end of a hefty civil lawsuit. As a general rule, if you aren't sure about a specific piece of media, do not examine it. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation. Some of the most valuable information obtained in the course of a forensic examination will come from the computer user themselves. In accordance with applicable laws, statutes, organizational policies, and other applicable regulations, an interview of the computer user can often yield invaluable information regarding the system configuration, applications, and most importantly, the software or hardware encryption methodology and keys utilized with the computer. Forensic analysis can become exponentially easier when analysts have the passphrase(s) used by the user to open encrypted files or containers on the local computer system, or on systems mapped to the local computer through a local network or the Internet.

Secure the machine and the data

Unless completely unavoidable, data should never be analyzed using the same machine it is collected from. Instead, forensically sound copies of all data storage devices, primarily hard drives, must be made. Exceptions to this practice are detailed below regarding live system considerations.

To ensure that the machine can be analyzed as completely as possible, the following sequence of steps must be followed:

Examine the machine's surroundings

[Figure: a USB key drive, an xD Picture Card and a Secure Digital card]

The collection phase starts off with the computer forensic team analyzing its surroundings. Similar to police investigating a crime in any other case, all printouts, disks, notes, and other physical evidence must be collected to take back to the laboratory for analysis. Furthermore, an investigating team must take digital photographs of the surrounding environment before any of the hardware is dealt with. This initial collection phase sets the tone for the rest of the investigation and therefore the evidence must be locked away securely, with limited access granted to authorized team members only. Look for notes, concealed or in plain view, that may contain passwords or security instructions. Secure any recordable media, including music mixes. Also look for removable storage devices such as key drives, MP3 players or security tokens.

Examine the live system and record open applications

If the machine is still active, any intelligence which can be gained by examining the applications currently open should be recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down it may be lost, so acquiring the data while the RAM is still powered is a priority. For most practical purposes, it is not possible to completely scan the contents of RAM modules in a running computer. Though specialized hardware could do this, the computer may have been modified to detect chassis intrusion (some Dell machines, for example, can do this stock; software need only monitor for it) and removing the cover could cause the system to dump the contents. Ideally, prior intelligence or surveillance will indicate what action should be taken to avoid losing this information. Several open source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and, of significant importance, open or mounted encrypted files (containers) on the live computer system. Additionally, through Microsoft's implementation of the Encrypting File System (EFS), once a system is powered down the difficulty of examining previously mounted EFS files and directory structures is substantially increased. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. For Windows-based systems, these open source tools include Knoppix and Helix. Commercial imaging tools include AccessData's Forensic Toolkit and Guidance Software's EnCase application. Both companies make their imaging tools available for free; however, in order to analyze the data imaged using these tools you will need to purchase a fully licensed version of the application. The aforementioned open source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally, these tools can also yield login/password combinations for recently accessed local email applications, including MS Outlook. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), the importance of developing procedures for examining and imaging live (mounted, unencrypted) systems is anticipated to increase significantly.

It is possible that in utilizing tools to analyze and document a live computer system, changes can be made to the content of the hard drive. During each phase of system analysis, the forensic examiner must document what they did and why they did it. Specifically, the examiner should detail the potentially perishable information that can/will be lost during a system power down process. The examiner must balance the need to potentially change data on the hard drive against the evidentiary value of such perishable data.

RAM can be analyzed for prior content after power loss, although as production methods become cleaner the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. Data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increase. Holding unpowered RAM below -60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, the practicality of utilizing such a method in a field examination environment severely limits this approach.

As expeditious destruction of chronic residual stress within the module can really only be achieved by impractical exposure to high energies, applications written with data security in mind will periodically bit-flip critical data, such as encryption keys, to eliminate 'imprinting' of this data on the RAM, thus preventing the need to actively destroy it in the first place.[1]

It is important to note that when performing a live analysis, the order of volatility should be followed. The data that is most likely to be modified or damaged first should be captured first. The order of volatility is:
1. Network connections: Network connections can close quickly and often leave no evidence of where they were connected to or the data being transferred.
2. Running processes: It is important to note which programs are running on a computer before further analysis is conducted.
3. RAM: The system's Random Access Memory contains information on all running programs as well as recently run programs. The information that can be gained from the system RAM includes passwords, encryption keys, personal information, and system and program settings.
4. System settings: The operating system settings can now be extracted. This includes user lists, currently logged in users, system date and time, currently accessed files and current security policies.
5. Hard disk: The hard disk can then be imaged. It is important to note that it is not forensically sound to image a hard drive while it is running live unless there are extenuating circumstances.

Power down carefully

If the computer is running when seized, it should be powered down in a way that is least damaging to data currently in memory and to that which is on the hard disk. The method that should be used depends on many differing factors, such as the operating system in use and the role of the computer to be seized. Performing a proper shutdown may cause malicious scripts to be run, or volatile data to be lost. On the other hand, removing the power plug may cause corruption of the filesystem or loss of crucial data. Be aware of the fact that computers may feature an internal uninterruptible power supply (UPS). With such devices the computer may stay running long after the power cable has been removed.

Inspect for traps

Fully document hardware configuration

Completely photograph and diagram the entire configuration of the system. Note serial numbers and other markings. Pay special attention to the order in which the hard drives are wired, since this will indicate boot order, as well as being necessary to reconstruct a RAID array. A little time being thorough here will save you more later.

Duplicate the electronic media (evidence)

The process of creating an exact duplicate of the original evidentiary media is often called imaging. Using a standalone hard-drive duplicator or software imaging tools such as DCFLdd or IXimager, completely duplicate the entire hard drive. This should be done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. Be sure to note which physical drive each image corresponds to. The original drives should then be moved to secure storage to prevent tampering. Usually some kind of hardware write protection is used to ensure no writes will be made to the original drive. Even though operating systems like Linux can be configured to prevent this, a hardware write blocker is usually the best practice. The Defense Cyber Crime Institute warns that if a hardware write blocker is used, the examiner should take into consideration the fact that write blockers can introduce extra benign data when being used to image damaged media (bad sectors).[3] Special consideration is also given to hard drives with Host Protected Areas (HPAs) and Device Configuration Overlays (DCOs). These small areas of a hard drive, normally reserved for hard drive device and diagnostic utilities and hidden from the operating system, can be enlarged up to the entire capacity of the hard drive and used to store information (potential evidence) that many imaging applications and devices fail to image.

You can image to another hard disk drive, a tape, or other media. Tape is a preferred format for archive images, since it is less vulnerable to damage and can be stored for a longer time.

There are two goals when making an image:
- Completeness (imaging all of the information)
- Accuracy (copying it all correctly)

The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still viable algorithms. To make a forensically sound image, you need to make two reads that result in the same output from the message digest algorithm. Generally, a drive should be hashed with at least two algorithms to help ensure its authenticity against modification in the event one of the algorithms is cracked. This can be accomplished by first imaging to one tape labeled as the Master and then making an image labeled Working. If onsite and time is critical, the second read can be made to null.
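The two-read, two-algorithm verification described above, as an added example that is not part of the original text: a constructed "drive" file is imaged block by block while SHA-1 and SHA-256 are computed, then both the source and the image are re-read and the digests compared. The file names and the tamper switch are assumptions for the demonstration.

```python
"""Bit-stream imaging with dual-hash verification (added example, not from the page)."""
import hashlib
import os
import tempfile

SECTOR = 512  # classic sector size; the block size only affects read efficiency


def hash_stream(path, algorithms=("sha1", "sha256"), block_size=SECTOR * 128):
    """One read pass over *path*; returns {algorithm: hexdigest} for the raw bytes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_device(source, image_path, algorithms=("sha1", "sha256"),
                 block_size=SECTOR * 128):
    """First read: copy *source* to *image_path* byte for byte, hashing as we go.

    Hashing during the copy avoids a separate pass over the original media,
    which keeps handling of the evidence to a minimum.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source, image_path, algorithms=("sha1", "sha256")):
    """Second read: hash source and image independently and compare every algorithm.

    Returns (ok, report) where report maps algorithm -> (source_digest, image_digest).
    The image is trusted only if all algorithms agree.
    """
    src_digests = hash_stream(source, algorithms)
    img_digests = hash_stream(image_path, algorithms)
    report = {name: (src_digests[name], img_digests[name]) for name in algorithms}
    return all(s == i for s, i in report.values()), report


def demo(tamper=False):
    """Constructed scenario: a 512 KiB fake drive of random bytes, imaged then verified.

    With tamper=True one byte of the image is flipped after imaging; the second
    read must then report a mismatch. Returns (ok, first_read_digests, report).
    """
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "suspect_drive.bin")   # assumed name
        image = os.path.join(tmp, "suspect_drive.dd")    # assumed name
        with open(drive, "wb") as fh:
            fh.write(os.urandom(SECTOR * 1024))
        first_read = image_device(drive, image)
        if tamper:
            with open(image, "r+b") as fh:
                fh.seek(SECTOR * 3)
                original = fh.read(1)
                fh.seek(SECTOR * 3)
                fh.write(bytes([original[0] ^ 0x01]))
        ok, report = verify_image(drive, image)
        return ok, first_read, report


if __name__ == "__main__":
    ok, first, report = demo()
    print("image verified:", ok)
    for name, (src, img) in report.items():
        print(f"{name}: source={src} image={img}")
```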

Note: Ultimately the methodology used by computer forensic investigators in capturing potential evidence on a system (such as imaging hard drives) will be dictated by the proportionality of the likely importance of that evidence in the matter for which these services are engaged. Additional influences such as claims of privilege and potential damages sought for business interruption create potential headaches for corporate investigations, where forensic soundness is often sacrificed for practicality. Law enforcement personnel moving into the corporate environment tend to be overly strict in their application of computer forensic principles in litigations where the burden of proof does not require it. There is an increasing need to capture servers live and to capture less than whole disks' worth of data in an effort to work within a time and cost framework. Even an unsolved murder investigation must be wound up at some point where there are diminishing gains to be had in progressing the investigation; so too with computer forensic investigations in both the corporate and criminal arenas, where the sheer quantity of digital evidence can become overwhelming and threaten to overburden investigators. Also, it must be remembered that any computer evidence is potentially admissible regardless of the methodology by which it came to the attention of the court. If an examiner fails to create a SHA or MD5 hash of the original hard drive, the data is not necessarily worthless or inadmissible. Traditional discovery has been happening for at least a decade (often without hashes). Application of proper forensic principles will however improve its overall credibility and diminish admissibility challenges. Reasonable attempts should therefore be made to ensure that the most complete and accurate image possible is obtained.
E-mail review

E-mail has become one of the primary mediums of communication in the digital age, and vast amounts of evidence may be contained therein, whether in the body or enclosed in an attachment. Because users may access email in a variety of ways, it's important to look for different kinds of emails. The user may have used a dedicated program, or Mail User Agent (MUA), a web browser, or some other program to read and write email. Additionally, files for each of these programs may be stored on a local hard drive, a network device, or a removable device. A good examiner will search all of these locations for email data. Be aware that many email clients will save a copy of outgoing messages, so both the sender and the recipient may have a copy of each message. Finally, mail may also be stored on a dedicated mail server, either awaiting delivery or as permanent storage.

E-mail headers

All email programs generate headers that attach to the messages. The study of these headers is complex. Some investigators favor reading the headers from the bottom up, others from the top down. Under normal circumstances, when headers are created by the mail user agent and then prepended by mail servers, the bottom-up method should work. But a malicious mail server or forger may make this difficult. The headers added by an MUA are different from those added by mail servers. For example, here is the format for headers generated by Mozilla Thunderbird 1.0 running on Microsoft Windows:

    Message-ID: <41b5f981.5040504@example.net>
    Date: Tue, 07 Dec 2004 13:42:09 -0500
    From: User Name
    User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: recipient@example.com
    Subject: Testing
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit

Extensions such as Enigmail may add extra headers. The Message-ID field has three parts:
- The time the message was sent, in seconds past the epoch, in hexadecimal (a Unix 32-bit big-endian hex value).
- A random value called a salt. The salt is of the format #0#0#0#, where # is a random digit. Because Thunderbird treats the salt like a number, it may be shorter if the leading digits are zeros. For example, a salt of "0030509" would display as "30509".
- The fully qualified domain name of the sender.

    Message-ID: [time].[salt]@[domain-name]

Information on the Message-ID header was derived from the source code in mozilla/mailnews/compose/src/nsMsgCompUtils.cpp in the function msg_generate_message_id() and therefore applies only to mail sent by this application. Generally the format of the Message-ID is arbitrary, and you should refer to the applicable RFCs.

Sorting through the masses

While it is theoretically possible to review all e-mails, the sheer volume that may be subject to review can make this a daunting task; large-scale e-mail reviews cannot look at each and every e-mail due to the sheer impracticality and cost. Forensics experts use review tools to make copies of and search through e-mails and their attachments, looking for incriminating evidence using keyword searches. Some programs have been advanced to the point that they can recognize general threads in e-mails by looking at word groupings on either side of the search word in question. Thanks to this technology, vast amounts of time can be saved by eliminating groups of e-mails that are not relevant to the case at hand. Also, emails may contain In-Reply-To: headers that allow threads to be reconstructed. Good email clients can do this.
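Decoding the Thunderbird Message-ID layout above and cross-checking it against the Date header, as an added example that is not part of the original text. The sample headers are constructed from the page's example; the five-minute skew tolerance and the function names are assumptions, and the parser applies only to IDs in this one client's format.

```python
"""Consistency check between a Thunderbird 1.0 Message-ID and the Date header.

Added example: the layout [hex-time].[salt]@[domain] is the one documented above
for this client only; any other Message-ID format is rejected rather than guessed.
"""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# hex seconds since the epoch (up to 32 bits), a numeric salt, and a domain
MESSAGE_ID_RE = re.compile(r"^<?([0-9a-fA-F]{1,8})\.(\d{1,7})@([^>\s]+)>?$")
# the #0#0#0# pattern, checked after restoring any dropped leading zeros
SALT_RE = re.compile(r"^\d0\d0\d0\d$")

# constructed from the header sample on the page (only the fields needed here)
SAMPLE_HEADERS = """\
Message-ID: <41b5f981.5040504@example.net>
Date: Tue, 07 Dec 2004 13:42:09 -0500
From: User Name
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
To: recipient@example.com
Subject: Testing

"""


def parse_thunderbird_message_id(value):
    """Split a Thunderbird-style Message-ID into (send_time_utc, salt, domain).

    Raises ValueError when the value does not follow the documented layout, so a
    caller never silently treats a foreign or forged ID as a Thunderbird one.
    """
    m = MESSAGE_ID_RE.match(value.strip())
    if not m:
        raise ValueError("Message-ID does not match [hex-time].[salt]@[domain]")
    hex_time, salt, domain = m.groups()
    salt = salt.zfill(7)  # Thunderbird drops leading zeros of the salt
    if not SALT_RE.match(salt):
        raise ValueError("salt does not follow the #0#0#0# pattern")
    send_time = datetime.fromtimestamp(int(hex_time, 16), tz=timezone.utc)
    return send_time, salt, domain


def check_headers(raw_headers, tolerance_seconds=300):
    """Compare the time embedded in the Message-ID with the Date header.

    Returns a dict with both times (UTC), the skew in seconds, the decoded salt
    and domain, and a 'consistent' flag. A large skew means one of the two
    headers was edited or produced by something other than the claimed client.
    """
    msg = message_from_string(raw_headers)
    mid_time, salt, domain = parse_thunderbird_message_id(msg["Message-ID"])
    date_time = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    skew = int((date_time - mid_time).total_seconds())
    return {
        "message_id_time": mid_time,
        "date_header_time": date_time,
        "skew_seconds": skew,
        "salt": salt,
        "domain": domain,
        "consistent": abs(skew) <= tolerance_seconds,
    }


if __name__ == "__main__":
    for key, val in check_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```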
Computer forensic examples

Forensics can be defined as the use of technology and science for investigation and fact recovery when dealing with criminal matters. Computer forensics is the technological aspect of retrieving evidence to use within criminal or civil courts of law. Investigators are able to recover damaged and deleted files. Some cases in particular used the art of computer forensics as their lead evidence to indict a criminal offender or find the location of a missing person.

Example

Chandra Levy, who went missing on April 30, 2001, was a Washington, D.C. intern whose disappearance was widely publicized. While her location was unknown, she had used the Internet as well as e-mail to make travel arrangements and to communicate with her parents. The use of this technology helped a computer criminalist trace her whereabouts. The information found on her computer led police to her location, even though she had been missing for one year.

Example two

There have been a number of cases at private schools where authority figures have been charged with possession of child pornography. These discoveries were made using computer forensics. By tracking the buying and selling of pornography online, computer forensic investigators have been able to locate people involved in these crimes. They are able to use information found on the computers as circumstantial evidence in court, allowing prosecution to occur.

Example three

A final example of how computer forensics is affecting the current workplace is the aspect of security. Employees' work computers are now being monitored to ensure no illegal actions are taking place in the office. Companies also have heightened security so outsiders cannot access a company's confidential files. If this security is broken, a company is then able to use computer forensics to trace back to which computer was being tampered with and what information was extracted from it, possibly leading to the guilty parties and other potential parties involved.

Comparison to Physical Forensics

There are many core differences between computer forensics and "physical forensics." At the highest level, the physical forensic sciences focus on identification and individualization. Both of these processes compare an item from a crime scene with other substances to identify the class of the item (i.e. is the red liquid fruit juice or blood?) or the source of the item (i.e. did this blood come from person X?). Computer forensics, on the other hand, focuses on finding the evidence and analyzing it. Therefore, it is more analogous to a physical crime scene investigation than to the physical forensic processes.
