
Most Common Security Threats in the E-commerce Environment
• Malicious Code (malware): software which is specifically designed to
disrupt or damage a computer system. It includes a variety of threats such
as:
Viruses
Worms
Trojan Horses
Bots
Virus
• A computer program that can replicate, or make copies of itself, and
spread by attaching to other files, which it infects.
• A logic bomb is malicious code whose payload is triggered by some event,
such as a particular date on the computer’s system clock.
Worm
• Unlike a virus, which spreads from file to file, a worm is designed to
spread from computer to computer over the network, usually by exploiting a
vulnerability in a listening service. A worm does not need to be activated
by the user.
• Example: the Slammer worm (2003) exploited a buffer overflow in Microsoft
SQL Server 2000 and reached more than 90% of vulnerable hosts within about
ten minutes; the traffic it generated disrupted services that depended on
those databases, including bank ATM networks.
Trojan horse
• A Trojan horse appears to be something attractive or useful, but does
something other than expected. It is often the way viruses or other
malicious code are introduced into a computer system.
• A Trojan horse may masquerade as a game but actually hide a program that
steals your passwords and e-mails them to another person.
• Difference: a virus needs a host file and a user action to spread, a worm
spreads on its own across the network, and a Trojan horse does not
replicate at all but relies on the victim being tricked into running it.
Bots and Botnets
• Bots are a type of malicious code that can be secretly installed on a
computer while it is connected to the Internet. Once installed, the bot
responds to external commands sent by the attacker.
• Botnets are collections of compromised bot computers used for sending
spam, DDoS attacks, stealing information from computers, and storing
network traffic for later analysis.
Potentially unwanted programs (PUPs)
• In addition to malicious code, the e-commerce security environment is
further challenged by unwanted programs such as:
Adware
Browser parasite
Spyware
Adware
• Adware is typically used to call up pop-up ads that are displayed when
the user visits certain sites.
Browser parasite
• A browser parasite is a program that can monitor and change the settings
of a user’s browser, for instance, changing the browser’s home page, or
sending information about the sites visited to a remote computer.
Spyware
• Spyware can be used to obtain information such as a user’s keystrokes,
copies of e-mail and instant messages, and even take screenshots.
Phishing
• Phishing is any deceptive online attempt by a third party to obtain
confidential information for financial gain.
• Phishing does not involve malicious code but instead relies on
misrepresentation and fraud. The most common phishing attack is the e-mail
scam letter, which typically directs the victim to a counterfeit login or
payment page.
Sniffing
• A sniffer is a type of eavesdropping program that monitors information
traveling over a network.
• Sniffers enable hackers to steal proprietary information from anywhere on
a network, including e-mail messages, company files, and confidential
reports. A sniffer can only recover what is sent in plain text, which is
why encrypting the channel, as described below, matters.
Protecting Internet
Communications
Encryption
• Encryption is the process of transforming plain text or data into cipher
text that cannot be read by anyone other than the sender and the intended
receiver.
• A cipher is the method for transforming plain text into cipher text; a
key is the secret value that selects which transformation the cipher
applies. The method can be public as long as the key stays secret.
Symmetric Key Encryption
• In symmetric key encryption, both the sender and the receiver use the
same key to encrypt and decrypt the message.
• Modern encryption systems are digital. A computer stores data in binary
form (0, 1); for example, the binary representation of “A” is 01000001.
One way a digital string can be transformed into cipher text is by
combining each character with a key using exclusive-or (XOR), say an
eight-bit key 01010101: 01000001 XOR 01010101 = 00010100.
• If we XOR every character of our text message with this eight-bit key
and send the encrypted message to a receiver who already holds the secret
eight-bit key, the receiver can decode the message simply by XORing again.
The weakness is that the key itself must first reach the receiver over a
secure path (the key distribution problem), and such a short repeating key
is recovered by anyone who can guess a single character of the plaintext.
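The XOR scheme above, written out in Go, as an added example that is not part of the original slides. It encrypts and decrypts with the slide's eight-bit key 01010101 (0x55) and then demonstrates the caveat: a single guessed plaintext byte recovers the whole key. The message text is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
)

// xorCipher applies a repeating one-byte key to every byte of data.
// XOR is its own inverse, so the same call both encrypts and decrypts:
// 0x41 ('A') XOR 0x55 = 0x14, and 0x14 XOR 0x55 = 0x41 again.
func xorCipher(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// recoverKey shows why a one-byte repeating key is no protection: an
// eavesdropper who knows (or guesses) one plaintext byte at any position
// XORs it with the ciphertext byte at that position and obtains the key.
func recoverKey(ciphertext []byte, knownPlain byte, pos int) (byte, error) {
	if pos < 0 || pos >= len(ciphertext) {
		return 0, errors.New("position outside ciphertext")
	}
	return ciphertext[pos] ^ knownPlain, nil
}

func main() {
	const key byte = 0x55 // the slide's eight-bit key 01010101
	msg := []byte("Card number 4111 1111 1111 1111") // constructed sample plaintext

	ct := xorCipher(msg, key)
	fmt.Printf("plaintext  %q\n", msg)
	fmt.Printf("ciphertext % x\n", ct)
	fmt.Printf("decrypted  %q\n", xorCipher(ct, key))

	// An eavesdropper who guesses the message begins with "Card" gets the key.
	k, _ := recoverKey(ct, 'C', 0)
	fmt.Printf("recovered key %08b\n", k)
}
```

Real symmetric ciphers such as AES use 128- or 256-bit keys and a construction that does not leak the key from known plaintext, but the key distribution problem stays the same, which is what the public key material below addresses.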
Public Key Encryption
• In this method, two mathematically related digital keys are used: a public
key and a private key. The private key is kept secret by the owner, and the
public key is widely disseminated. Either key can be used to encrypt a
message, but a message encrypted with one key can only be decrypted with
the other: what the public key encrypts, only the private key can decrypt,
and the public key cannot undo its own encryption.

Encryption
Public Key Cryptography: A Simple Case
Digital Envelopes
• A technique that uses symmetric encryption for large documents, but
public key encryption to encrypt and send the symmetric key. So we have
a “key within a key” (a digital envelope).
• The recipient first uses the private key to decrypt the symmetric key, and
then uses the symmetric key to decrypt the report. This method saves time
because both encryption and decryption are much faster with symmetric
keys; public key encryption is also limited to messages shorter than the
key, so it is suited to wrapping a key rather than a whole document.
Figure: Creating a Digital Envelope
Securing Channels of Communication
• The concepts of public key encryption are used routinely for securing
channels of communication.
• Secure Socket Layer (SSL), now replaced by its successor, Transport Layer
Security (TLS)
• The most common form of securing channels is using SSL/TLS to establish
a secure negotiated session.
• A secure negotiated session is a client-server session in which the URL
of the requested document, along with the content and the cookies
exchanged, are encrypted. For instance, the credit card number you enter
would be encrypted in transit.
• Before any secret is sent, the client verifies the server’s certificate
against the certificate authorities it trusts; without that check an
attacker could present their own public key and read everything.
• In the classic SSL key exchange, the client generates a session key, uses
the server’s public key to create a digital envelope containing it, and
sends it to the server, which decrypts it using its private key. A session
key is a unique symmetric encryption key used only for that session.
Modern TLS versions instead derive the session key from an ephemeral
Diffie-Hellman exchange, so that a server private key stolen later cannot
decrypt recorded sessions.
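The negotiated session above, run end to end with Go's standard `crypto/tls` package, as an added example that is not code from the original slides. The server presents a self-signed certificate for the constructed hostname `shop.example`, the client trusts only that certificate, both sides complete the handshake over an in-memory connection, and the client sends a constructed card number that the server reads in the clear on its side. `ServerTrusted` is the certificate check the client performs before sending anything; the function and type names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const serverName = "shop.example" // constructed hostname for the example

// selfSignedCert creates a throwaway server certificate and a trust store that
// contains only that certificate. A real shop presents a certificate issued
// by a CA the browser already trusts.
func selfSignedCert() (tls.Certificate, *x509.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, leaf, pool, nil
}

// ServerTrusted is the check a client performs on the server's certificate
// before sending a secret: chain to a trusted root and match the hostname.
func ServerTrusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// SecureSession runs one negotiated session over an in-memory connection and
// returns what the server received plus the TLS version that was negotiated.
func SecureSession(secret string) (received string, version uint16, err error) {
	cert, _, pool, err := selfSignedCert()
	if err != nil {
		return "", 0, err
	}
	clientSide, serverSide := net.Pipe()

	type result struct {
		data []byte
		err  error
	}
	done := make(chan result, 1)
	go func() {
		srv := tls.Server(serverSide, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			SessionTicketsDisabled: true, // no post-handshake writes on the unbuffered pipe
		})
		defer srv.Close()
		data, err := io.ReadAll(srv) // first Read runs the server side of the handshake
		done <- result{data, err}
	}()

	cli := tls.Client(clientSide, &tls.Config{
		ServerName: serverName, // hostname the certificate must match
		RootCAs:    pool,       // the only issuer this client trusts
		MinVersion: tls.VersionTLS12,
	})
	if err := cli.Handshake(); err != nil {
		clientSide.Close()
		return "", 0, err
	}
	if _, err := cli.Write([]byte(secret)); err != nil {
		return "", 0, err
	}
	cli.Close() // sends close_notify, which the server reads as end of stream
	r := <-done
	if r.err != nil {
		return "", 0, r.err
	}
	return string(r.data), cli.ConnectionState().Version, nil
}

func main() {
	got, ver, err := SecureSession("4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("server received %q over TLS version 0x%04x\n", got, ver)
}
```

With a current Go toolchain the negotiated version is TLS 1.3, whose key exchange is ephemeral Diffie-Hellman rather than the RSA envelope of the slides; the certificate check, the session key and the encrypted application data are the parts that have not changed.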
Protecting Networks
• A firewall is hardware or software that filters communication packets
and prevents some packets from entering (or leaving) the network, based on
a security policy. Packets that no rule explicitly allows should be
dropped (default deny).
• When a user on an internal network requests a Web page, the request is
routed first to the firewall. The firewall validates the user and the
nature of the request, and then sends the request on to the Internet. The
same check is applied to the page that comes back.
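A first-match packet filter with a default-deny policy, as an added example that is not part of the original slides. The addresses (203.0.113.10 for the public web server, 10.0.0.5 for the internal database server), the rule names and the sample packets are constructed; the Slammer-style packet is an inbound UDP datagram to port 1434, the SQL Server port that worm used.

```go
package main

import "fmt"

// Packet is the subset of header fields a simple packet filter inspects.
type Packet struct {
	Proto   string // "tcp" or "udp"
	SrcIP   string
	DstIP   string
	DstPort int
	Inbound bool // true when the packet arrives from the Internet
}

// Rule pairs a match predicate with a verdict; the first matching rule wins.
type Rule struct {
	Name  string
	Allow bool
	Match func(p Packet) bool
}

// Filter evaluates the policy first-match and drops anything unmatched, so a
// service nobody explicitly exposed is never reachable (default deny).
func Filter(policy []Rule, p Packet) (allowed bool, rule string) {
	for _, r := range policy {
		if r.Match(p) {
			return r.Allow, r.Name
		}
	}
	return false, "default-deny"
}

// ShopPolicy is a constructed policy: customers may reach the web server on
// HTTPS, staff may browse out, and the database server is never reachable
// from the Internet. Everything else falls through to default deny.
func ShopPolicy() []Rule {
	return []Rule{
		{"allow-https-to-web", true, func(p Packet) bool {
			return p.Inbound && p.Proto == "tcp" && p.DstIP == "203.0.113.10" && p.DstPort == 443
		}},
		{"allow-internal-browsing", true, func(p Packet) bool {
			return !p.Inbound && p.Proto == "tcp" && (p.DstPort == 80 || p.DstPort == 443)
		}},
		{"block-database-from-internet", false, func(p Packet) bool {
			return p.Inbound && p.DstIP == "10.0.0.5"
		}},
	}
}

func main() {
	samples := []Packet{ // constructed traffic
		{"tcp", "198.51.100.7", "203.0.113.10", 443, true},  // customer checkout
		{"udp", "198.51.100.9", "10.0.0.5", 1434, true},     // Slammer-style probe
		{"tcp", "198.51.100.9", "203.0.113.10", 3389, true}, // remote desktop from outside
		{"tcp", "10.0.0.42", "93.184.216.34", 443, false},   // staff browsing out
	}
	for _, p := range samples {
		ok, rule := Filter(ShopPolicy(), p)
		fmt.Printf("%-4s %s -> %s:%d allowed=%-5v (%s)\n", p.Proto, p.SrcIP, p.DstIP, p.DstPort, ok, rule)
	}
}
```

A real firewall additionally tracks connection state so that reply packets for an allowed outbound request are admitted without a separate inbound rule; the filter above is stateless to keep the policy evaluation visible.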
Protecting Servers and Clients
• Operating system features and anti-virus software can help further protect
servers and clients from certain types of attack.
• Operating System Security Enhancements
• Companies like Microsoft and Apple continuously upgrade their server and
client operating systems to patch vulnerabilities discovered by researchers
and attackers.
• The most common known worms and viruses can be prevented simply by
keeping your operating system up to date; the Slammer worm, for example,
exploited a flaw for which Microsoft had published a patch six months
earlier.
Anti-Virus Software
• The easiest way to prevent threats to system integrity is to install
anti-virus software. Anti-virus programs can be set up so that e-mail
attachments are inspected before you open them, and attachments are
quarantined or deleted if they contain a known virus or worm.
• Since new viruses are developed and released every day, daily signature
updates are needed in order to detect new threats: a scanner can only
recognise what its signature database already describes.
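A minimal signature scanner of the kind the two points above describe, as an added example that is not code from the original slides. It matches attachments against a database of file hashes and byte patterns, using the real EICAR test string (a harmless industry test file, not malware); the "yesterday" and "today" databases and the `NewSample` marker string are constructed to show why the database must be refreshed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// EICAR is the industry-standard, harmless anti-virus test string; every
// scanner is expected to flag a file that contains it.
const EICAR = `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`

// Signatures is a toy signature database: exact-file hashes and byte patterns.
type Signatures struct {
	Hashes   map[string]string // sha256 hex -> signature name
	Patterns map[string][]byte // signature name -> byte sequence
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ScanAttachment returns the name of the matching signature, or "" when the
// attachment matches nothing in the database (which is not the same as clean).
func ScanAttachment(db Signatures, content []byte) string {
	if name, ok := db.Hashes[sha256Hex(content)]; ok {
		return name
	}
	for name, pat := range db.Patterns {
		if bytes.Contains(content, pat) {
			return name
		}
	}
	return ""
}

// YesterdaysSignatures knows only the EICAR test file, by hash and by pattern.
func YesterdaysSignatures() Signatures {
	return Signatures{
		Hashes:   map[string]string{sha256Hex([]byte(EICAR)): "EICAR-Test-File (hash)"},
		Patterns: map[string][]byte{"EICAR-Test-File (pattern)": []byte("EICAR-STANDARD-ANTIVIRUS-TEST-FILE")},
	}
}

// NewSample is a constructed stand-in for a worm released today; it is just a
// marker string, not malicious code.
var NewSample = []byte("MZ-header constructed-sample-worm-2 payload")

// TodaysSignatures adds the pattern the vendor published after analysing NewSample.
func TodaysSignatures() Signatures {
	db := YesterdaysSignatures()
	db.Patterns["Constructed.Worm.2"] = []byte("constructed-sample-worm-2")
	return db
}

func main() {
	old, updated := YesterdaysSignatures(), TodaysSignatures()
	exact := []byte(EICAR)
	padded := append([]byte(EICAR), '\n') // one extra byte defeats the hash, not the pattern
	fmt.Printf("exact EICAR:    %q\n", ScanAttachment(old, exact))
	fmt.Printf("modified EICAR: %q\n", ScanAttachment(old, padded))
	fmt.Printf("new worm, yesterday's DB: %q\n", ScanAttachment(old, NewSample))
	fmt.Printf("new worm, today's DB:     %q\n", ScanAttachment(updated, NewSample))
}
```

The hash signature fails as soon as a single byte changes, which is why real products layer pattern, heuristic and behavioural detection on top; even so, a sample the vendor has not yet analysed produces no match at all, which is the point behind daily updates.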
