Ex-16

May 26, 2009

1. Visit an e-commerce website and survey the mode of payment allowed. Would you trust the site with your business?

I visited www.ebay.com, which is one of the most famous auction and selling sites in the world for buying products.

Payment methods:

1. Credit card payments are given first priority for purchasing and are processed through the secured PayPal system.

2. Personal / Bank cheques

3. Money Orders and Bank Deposit

are used as payment methods. I trust this website, and so far I have never encountered any fraud or other issues with it when purchasing items.

2. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?

  • Comprehensive security and privacy policies to safeguard the security and privacy of customer data;
  • Implement security measures to protect the systems, servers and networks. Measures include installing a firewall, using SSL on pages that collect customer information, and running virus-scanning software with scheduled online updates of its virus signatures;
  • Strict policies regarding the collection, storage, modification and subsequent destruction of customer data. These policies should be strictly followed and made known to the customers;
  • All customers should be pre-registered with a unique username and password. The password should be forced to be renewed at a pre-set interval.

Securing the web site with an SSL certificate issued by a trusted third-party Certificate Authority such as VeriSign or Entrust is a measure the customers can verify themselves: through the web browser, a customer can view the certificate details, such as the issuer and the expiry date.

3. Visit the Verisign web site – what solutions does it offer for e-commerce?

VeriSign offers security advice and services to various sectors, including Consumer Products and Retail, Media and Entertainment, Financial Services, Public Sector, Health Care and Life Sciences, and Telecommunications, by providing enterprise security services, identity and authentication services, and more.

VeriSign provides a wide range of solutions across various industries, from healthcare to financial services, and for companies of different sizes, from SMBs to large enterprises. Its solutions for e-commerce include issuing SSL certificates and digital IDs, security risk management, security consultancy, fraud detection, and even mobile and wireless solutions.

Reference:

http://www.verisign.com/

http://www.verisign.com/ssl/ssl-information-center/ecommerce-trust-ssl/

4. Visit the TRUSTe web site. Describe what services and solutions are offered.

· Web privacy seal – concerns measures to protect customers’ privacy;
· E-mail privacy seal – concerns measures for handling e-mails sent to customers;
· EU Safe Harbor seal – concerns compliance with international privacy laws for US and European parties;
· International services – services for certifying foreign-language privacy policies and administering dispute resolution at the international level;
· Children’s privacy seal – concerns compliance with the Children’s Online Privacy Protection Act (COPPA); and
· Trusted Download program – a program for certifying that downloadable software does not exhibit surreptitious activity and is distributed in a responsible manner.

Reference:

TRUSTe. Retrieved 29th May 2009 from

http://en.wikipedia.org/wiki/TRUSTe

6. The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?

Other than digital certificates and passports, there are smart cards containing both the private and public keys, and the use of biometric data, for validating legitimate users and avoiding identity theft.

Ex-15

May 26, 2009

1.  What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?

Yes, a firewall is a good security investment because it is

A firewall helps to screen out many kinds of malicious Internet traffic before it reaches your computer. Some firewalls can also help to prevent other people from using your computer to attack other computers without your knowledge.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. This, more than anything, helps prevent vandals from logging into machines on your network.

Nowadays a hardware firewall always exists together with a router, which is a convenient and efficient way of protecting the internal network from public access via the Internet. On the other hand, software firewalls are now included in operating systems and anti-virus suites.

Cisco and Juniper are the main vendors; both manufacture hardware firewalls with built-in firewall software.

2. Find out if your university or workplace has a backup policy in place. Is it followed and enforced?

My workplace has a strong backup policy, enforced according to the nature of each department's work. The finance division has a real-time backup system using high-capacity storage servers, and the other departments' database servers are scheduled to start the backup process at midnight every day.

3. Most of the anti virus software perform an active scanning of the user activity on the Internet, detecting downloads and attachments in e-mails. Hackers have readily available resources to create new viruses. How easy is it to find a virus writing kit? Search the Internet and find such a tool. For example, see what you can find at http://vx.netlux.org/dat/vct.shtml.

It seems very easy to find a virus writing kit on the Internet. I searched for “Virus Writing Kit” using Google and there were approximately 3,510,000 websites matching the above search.

When I visited http://vx.netlux.org/dat/vct.shtml, there were many virus writing kits available from the website. It is amazing to note how easy it is to obtain a virus writing kit from the Internet, and how important it is that appropriate security measures are in place to protect our computer systems.

References:

Firewall,
http://personalfirewall.comodo.com/download_firewall.html

Juniper Networks
http://www.juniper.net/us/en/products-services/security/netscreen/

Cisco

http://www.cisco.com/en/US/products/ps5708/Products_Sub_Category_Home.html

Ex-14

May 26, 2009

1. What are cookies and how are they used to improve security?

When a client requests a web page from a web server, the server sends the requested HTTP object to the client together with a piece of state information, which is stored on the client computer. A range of valid URLs is stored in the state object. When the client later requests an HTTP object whose URL falls within that valid range, the current values of the state object are transmitted from the client back to the server. This state object is the cookie.

Cookies can be used to improve security. For example, the client's authentication code can be stored in two parts: the first part is stored in a cookie that is accessible to the server, while the second part is not accessible to the server.

The transmission of the first part of the authentication code is carried out at the back end, with minimal chance of being observed by others close to the client machine. Thus the security of accessing the site is improved.

Reference :

Netscape (n.d.). Persistent client state HTTP cookies. Retrieved May 29th, 2009 from http://wp.netscape.com/newsref/std/cookie_spec.html.

2. Can the use of cookies be a security risk?

Yes, the use of cookies can be a security risk. Some servers use cookies to store users’ login names and passwords in order to save the time of logging in to the server every time. In that situation, an eavesdropper armed with a packet sniffer could simply intercept the cookie as it passes from your browser to the server and gain access to the site.
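The cookie scoping described in question 1 (the “range of valid URLs”) and the sniffing risk in question 2 can both be seen in one short script. The following is an added example, not code from the original post: it builds a Set-Cookie header with Python's standard http.cookies module, parses it back the way a client would, and decides whether the stored cookie is attached to a given request. The cookie names, values and URLs are constructed for the example. A cookie issued without the Secure attribute is sent over plain http, which is exactly what a packet sniffer can intercept; the same cookie with Secure (and HttpOnly, which keeps it away from page scripts) is only ever sent over https.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def build_set_cookie(name, value, path="/", domain=None, secure=True,
                     httponly=True, max_age=None):
    """Server side: render the Set-Cookie header value that ships the state object."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path               # the URL range the cookie is valid for
    if domain:
        morsel["domain"] = domain
    if secure:
        morsel["secure"] = True         # only ever sent back over https
    if httponly:
        morsel["httponly"] = True       # not readable by page scripts
    if max_age is not None:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def parse_set_cookie(header_value):
    """Client side: store a received Set-Cookie as a Morsel (name plus attributes)."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    return name, morsel


def cookie_is_sent(morsel, url):
    """Client side: would this stored cookie be attached to a request for url?"""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    # Secure cookies never travel over plain http, so a sniffer on the wire never sees them.
    if morsel["secure"] and parts.scheme != "https":
        return False
    domain = morsel["domain"].lstrip(".").lower()
    if domain and host != domain and not host.endswith("." + domain):
        return False
    path = morsel["path"] or "/"
    req_path = parts.path or "/"
    # Path scoping: "/account" covers "/account" and "/account/..." but not "/accounts".
    return req_path == path or req_path.startswith(path.rstrip("/") + "/")


if __name__ == "__main__":
    # Constructed values: a session identifier for a made-up shop.
    weak = build_set_cookie("session", "abc123", secure=False, httponly=False)
    hardened = build_set_cookie("session", "abc123", path="/account")
    print("weak:    ", weak)
    print("hardened:", hardened)
    for header in (weak, hardened):
        _, m = parse_set_cookie(header)
        print("sent over http:", cookie_is_sent(m, "http://shop.example.com/account/orders"),
              "| over https:", cookie_is_sent(m, "https://shop.example.com/account/orders"))
```

Marking the cookie Secure does not stop an attacker who can read the client's disk or the page's scripts; it only closes the network-sniffing path the answer above describes. HttpOnly closes the script path, and a short Max-Age limits how long a stolen cookie stays useful.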

Ex-13

May 26, 2009

1. List and describe your experience with a secure site.

I always keep in touch with www.cisco.com for learning purposes, to keep myself updated on the latest technologies and techniques that are useful for my work, and to get a lot of vital information related to the field.

I have noticed that when I try to log in to the site using my user ID and password, or when I try to track my certification with the Cisco certification tracking system, the URL changes from “http” to “https”, which means the page is secured.

Also, when I looked further in my Mozilla web browser, I noticed a yellow “lock” sign in the bottom right corner which said “verified by VeriSign Trust Network”.

Further, when I investigated by double-clicking the sign, I noticed that the site is encrypted with high-grade encryption (AES 128-bit), along with a few other login details.
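Both the customer check in Ex-16 question 2 (viewing the issuer and expiry date of the SSL certificate) and the lock-icon inspection above come down to a few verifiable facts about the server certificate. The following added example, not part of the original post, performs those checks in Python on a certificate dictionary in the shape that ssl.SSLSocket.getpeercert() returns; the certificate contents, the trusted-issuer list and the hostnames are constructed for the example. fetch_peer_cert shows how the same dictionary is obtained from a live server, but the offline checks do not need the network.

```python
import socket
import ssl
import time

# Constructed example of the dictionary ssl.SSLSocket.getpeercert() returns for a
# server certificate. The names and dates are made up; this is not a real certificate.
EXAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "VeriSign Trust Network"),),
               (("commonName", "Example Secure Server CA"),)),
    "notBefore": "May 12 00:00:00 2009 GMT",
    "notAfter": "May 12 23:59:59 2010 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Issuer organisations this toy checker trusts; a browser consults its CA store instead.
TRUSTED_ISSUER_ORGS = {"VeriSign Trust Network", "Entrust"}


def _name_values(name, key):
    """Collect every value for attribute `key` in a getpeercert()-style name tuple."""
    return [value for rdn in name for (k, value) in rdn if k == key]


def hostname_matches(cert, hostname):
    """Does the certificate name the host the customer actually connected to?"""
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:                        # older certificates only carry a CN
        names = _name_values(cert.get("subject", ()), "commonName")
    host = hostname.lower()
    for pattern in names:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            # A wildcard covers exactly one label: *.example.com matches
            # shop.example.com but not a.b.example.com or example.com.
            if host.endswith(pattern[1:]) and host.count(".") == pattern.count("."):
                return True
        elif pattern == host:
            return True
    return False


def check_certificate(cert, hostname, now=None):
    """Return the problems a browser would flag; an empty list means all checks pass."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    issuer_orgs = _name_values(cert["issuer"], "organizationName")
    if not any(org in TRUSTED_ISSUER_ORGS for org in issuer_orgs):
        problems.append("untrusted issuer")
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    return problems


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Network helper (not used by the offline checks): fetch a live server's certificate
    in the same dictionary form. The default context has already validated the chain
    and hostname by the time getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("issuer:", _name_values(EXAMPLE_CERT["issuer"], "organizationName"))
    print("expires:", EXAMPLE_CERT["notAfter"])
    print("problems now:", check_certificate(EXAMPLE_CERT, "www.example.com"))
```

Run today, the example certificate reports “expired”, which is the point of the expiry check: a lock icon alone says nothing about whether the certificate is still within its validity period or was issued by an authority the customer recognises.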

2. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?

SET has the following advantages over SSL:
a. Higher privacy, via cryptography that makes intercepted messages unreadable.

b. Higher integrity, via hashing and signing, assuring that messages sent are not modified.

c. Authentication via digital certificates, which also prevents the parties involved in the transaction from denying their participation in it.

d. Customers’ credit card information is not accessible to merchants.

However, SET has the following drawbacks compared with SSL:

a. more complex and slower transactions.
b. requires client software installation.
c. high processing cost.
d. lack of a standard specification, causing interoperability problems between SET applications.
e. problems in systems integration with merchants’ front-end and back-end applications.

Nowadays, SET is still not in common use because of the issues mentioned above, chiefly its slowness and high processing cost. In addition, it requires a client-side agent, while SSL does not.

Reference:
Ahsan, M.S. (2002). SET vs SSL. Retrieved on 29th May 2009 from
http://islab.oregonstate.edu/koc/ece478/02Report/CA.pdf.

Ex-12

May 26, 2009

1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.

SET (Secure Electronic Transaction) is an open protocol for securing electronic transactions, developed jointly by Visa, MasterCard and IBM. SET relies on cryptography and employs both symmetric and asymmetric encryption. Transaction details are encrypted with a 56-bit session key using the Data Encryption Standard (DES), and the session key itself is transmitted using the asymmetric mechanism, public-key encryption.

RSA was first described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman at MIT. RSA encryption is important to e-commerce; it is the industry standard for securing applications.

RSA 128-bit encryption is considered unbreakable and is adopted as a standard feature by BusinessObjects XI, which is regarded as the most flexible and scalable business intelligence (BI) platform.
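The hybrid construction the SET paragraph describes, a symmetric session key protecting the transaction data while public-key encryption protects only the session key, is worth seeing end to end. The following is an added example and not SET's actual message format or anyone's production code: it uses textbook RSA without padding, two Mersenne primes as a deliberately small modulus, and a SHA-256 keystream standing in for DES (all of these are assumptions made for illustration, and none of them is secure for real traffic). The HMAC tag covers the “hashing” integrity property mentioned in the SET-vs-SSL comparison in Ex-13.

```python
import hashlib
import hmac
import os
from math import gcd

# Toy key material: the Mersenne primes 2^61-1 and 2^89-1 give a ~150-bit
# modulus, big enough to hold a 56-bit session key and far too small to be secure.
P = 2 ** 61 - 1
Q = 2 ** 89 - 1
E = 65537


def rsa_keypair(p=P, q=Q, e=E):
    """Textbook RSA: public (e, n), private (d, n). No padding, demo only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse; needs Python 3.8+
    return (e, n), (d, n)


def rsa_encrypt_int(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message integer out of range for this modulus")
    return pow(m, e, n)


def rsa_decrypt_int(c, private_key):
    d, n = private_key
    return pow(c, d, n)


def keystream_xor(key, data):
    """Stand-in for the DES step: XOR the data with a SHA-256 keystream (CTR style).
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(plaintext, public_key):
    """Sender: envelope = (RSA-wrapped session key, ciphertext, integrity tag)."""
    session_key = os.urandom(7)                       # 56 bits, as in SET's DES usage
    ciphertext = keystream_xor(session_key, plaintext)
    tag = hmac.new(session_key, ciphertext, hashlib.sha256).digest()
    wrapped_key = rsa_encrypt_int(int.from_bytes(session_key, "big"), public_key)
    return wrapped_key, ciphertext, tag


def open_envelope(envelope, private_key):
    """Receiver: recover the session key with the private key, verify, then decrypt."""
    wrapped_key, ciphertext, tag = envelope
    session_key = rsa_decrypt_int(wrapped_key, private_key).to_bytes(7, "big")
    expected = hmac.new(session_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: envelope was modified in transit")
    return keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    public, private = rsa_keypair()
    # Constructed transaction record; the card number is a placeholder, not a real PAN.
    record = b"card=0000-0000-0000-0000 amount=12.50 merchant=shop"
    envelope = seal(record, public)
    print("wrapped key (int):", envelope[0])
    print("recovered:", open_envelope(envelope, private))
```

Only the 7-byte session key goes through the slow public-key operation; the transaction record, however long, is handled by the fast symmetric step. That division of labour is why the protocol mixes both mechanisms instead of encrypting everything with RSA.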

References:
http://en.wikipedia.org/wiki/Secure_electronic_transaction

2. What can you find out about network and host-based intrusion detection systems?

Network Based Intrusion Detection

Network-based intrusion detection systems use raw network packets as the data source. A network-based IDS typically utilizes a network adapter running in promiscuous mode to monitor and analyze all traffic in real-time as it travels across the network. Its attack recognition module uses four common techniques to recognize an attack signature:
· Pattern, expression or bytecode matching
· Frequency or threshold crossing
· Correlation of lesser events
· Statistical anomaly detection

Host Based Intrusion Detection

Host-based intrusion detection began as the common practice of reviewing audit logs for suspicious activity. Host-based intrusion detection systems are powerful tools for understanding previous attacks and determining the proper methods to defeat their future application.

Host-based IDSs still use audit logs, but they are much more automated, having evolved sophisticated and responsive detection techniques.

A host-based IDS typically monitors the system, event and security logs. When any of these files changes, the IDS compares the new log entry with attack signatures to see if there is a match. If so, the system responds with administrator alerts and other calls to action.
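The four recognition techniques listed under network-based IDS, and the host-based loop of comparing each new log entry with attack signatures, can be shown with a small analyser. The following added example is not code from the cited ISS paper: it runs over a constructed block of SSH authentication log lines (hostnames, addresses and timestamps are made up, using documentation address ranges) and implements signature matching, threshold crossing, correlation of lesser events and a simple anomaly check against a baseline of known sources.

```python
import re
from collections import Counter

# Constructed auth-log sample, not from any real host. 203.0.113.0/24 and
# 192.0.2.0/24 are documentation address ranges.
SAMPLE_LOG = """\
May 26 10:00:01 host1 sshd[201]: Failed password for root from 203.0.113.5 port 5001 ssh2
May 26 10:00:02 host1 sshd[201]: Failed password for root from 203.0.113.5 port 5002 ssh2
May 26 10:00:03 host1 sshd[201]: Failed password for admin from 203.0.113.5 port 5003 ssh2
May 26 10:00:04 host1 sshd[201]: Failed password for root from 203.0.113.5 port 5004 ssh2
May 26 10:00:05 host1 sshd[201]: Failed password for root from 203.0.113.5 port 5005 ssh2
May 26 10:00:09 host1 sshd[201]: Accepted password for root from 203.0.113.5 port 5006 ssh2
May 26 10:01:00 host1 sshd[230]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
May 26 10:02:00 host1 cron[240]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Pattern matching: the "signatures" are regular expressions over the log text.
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")


def analyse(log_text, threshold=5, known_sources=frozenset({"192.0.2.10"})):
    """Return a list of (technique, source_address, detail) alerts for the log text."""
    alerts = []
    failures = Counter()          # failed logins seen per source address
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            _user, src = m.groups()
            failures[src] += 1
            # Threshold crossing: fire once, when the count reaches the limit.
            if failures[src] == threshold:
                alerts.append(("threshold", src, f"{threshold} failed logins"))
            continue
        m = ACCEPTED.search(line)
        if not m:
            continue              # lines matching no signature are ignored
        user, src = m.groups()
        # Signature match: an interactive root login is reportable on its own.
        if user == "root":
            alerts.append(("signature", src, "interactive root login"))
        # Correlation of lesser events: a success right after a burst of failures.
        if failures[src] >= threshold:
            alerts.append(("correlation", src, f"success after {failures[src]} failures"))
        # Anomaly: a successful login from a source outside the baseline.
        if src not in known_sources:
            alerts.append(("anomaly", src, "login from source outside baseline"))
    return alerts


if __name__ == "__main__":
    for technique, src, detail in analyse(SAMPLE_LOG):
        print(f"{technique:<11} {src:<15} {detail}")
```

The same loop works whether the lines arrive from a tail of the host's own auth log (host-based) or from a sensor reassembling sessions off the wire (network-based); what differs is the data source, not the recognition logic.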

References:

Internet Security Systems (1998). Network- vs. Host-based Intrusion Detection. Retrieved April 14, 2008 from http://documents.iss.net/whitepapers/nvh_ids.pdf.

3. What is “phishing”?

“Phishing” is a form of Internet fraud that aims to steal valuable information such as credit card numbers, social security numbers, user IDs and passwords by masquerading as a trustworthy source in an electronic communication.

References:

Wikipedia. (2008). Phishing. Retrieved May 29th, 2009 from http://en.wikipedia.org/wiki/Phishing.

Introduction!

May 26, 2009

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!
