1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.SET which stands for Secure Electronic Transaction jointly developed by Microsoft, Mastercard, VISA international and others, is an open protocol for securing credit card transaction over insecure networks like protecting the privacy and ensuring the authenticity. Its working mechanism is encoding the message to be transferred and decoding the received message which is also known as cryptography. SET protocol relies on two different encryption mechanism and authentication mechanism. SET uses 56 bits session keys which are transmitted asymmetrically and the remainder transaction uses symmetric encryption in the form of Data Encryption Standard (DES).
RSA was previously described by Ron Rivest, Adi Shamir and Leonard Adleman which was named after the initials of their surname. It is an algorithm for public key cryptography used for both signing and encryption. RSA derives its security from factoring large integers that are the product of two large primes of roughly equal size. The RSA algorithm contains three basic steps which are key generation, encryption and decryption.
Reference:
RSA. Wikipedia. 2010.Wikimedia Foundation, Inc. Retreived on May 3, 2010 from
http://en.wikipedia.org/wiki/RSASecure Electronic Transaction. Wikipedia. 2010.Wikimedia Foundation, Inc. Retreived on May 2, 2010 from
http://en.wikipedia.org/wiki/Secure_Electronic_TransactionSecure Electronic Transaction: An Overview. Retrieved on May 3, 2010 from
http://www.davidreilly.com/topics/electronic_commerce/essays/secure_electronic_transactions.htmlSSH: The Secure Shell. Retrieved on May 3, 2010 from
http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch03_09.htm2. What can you find out about network and host-based intrusion detection systems?Network Based Intrusion Detection System(IDS) is the system that detects and reads all the incoming packects and finds the suspicious patterns known as signatures or rules. The IDS's attack recognition module uses four to recognize signature: 1. pattern, expression or byte code matching, 2. Frequency or threshold crossing, 3. Correlation of lesser events 4. Statistical anomaly detection. If an attack has been detected then the IDS continues with option such as administrator notification, connection termination or session recording for collecting evidence.
A Host-Based Intrusion Detection System monitors the threat present in the computer itself rather than analysing the network packets. It detects which program uses what resources and any possible threat present in the computer. Host-Based IDS uses an object database of the system objects which it should monitor. It records all of the events in logs like whether the attack was successfull or not making Host-Based IDS more accurate. It detects the threats that even the Network-Based IDS missed and also donot require additional hardware to implement it.
Reference:
Network Intrusion Detection System. Wikipedia. 2010.Wikimedia Foundation, Inc. Retreived on May 3, 2010 from
http://en.wikipedia.org/wiki/Network_intrusion_detection_systemNetwork vs Host-Based Intrusion Detection. Retrieved on May 3, 2010 from
http://documents.iss.net/whitepapers/nvh_ids.pdfHost-Based Intrusion Detection System. Wikipedia. 2010.Wikimedia Foundation, Inc. Retreived on May 3, 2010 from
http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system3. What is 'Phishing'?
Phising is an act of sending a false email to users claiming to be an legitimate enterprise or authorized person in an attempt to acquire user's private and sensitive information such as passwords or credit card details. This emails directs people to website which asks the user to enter or update private information
and ends up stealing the information to damage the users well-being. The other techniques of phishing are such as Link manupulation, Filter evasion, Website forgery, Phone phishing etc. The most effective anti-phishing technique can be making public aware about the level of phising atempts being made and how to recognize it. People should be a little extra precautious while browsing sensitive material over the Internet.
Reference :
Phishing. Wikipedia. 2010.Wikimedia Foundation, Inc. Retreived on May 4, 2010 from
http://en.wikipedia.org/wiki/PhishingWhat is Phishing?. Retrieved on May 4, 2010 from
http://www.webopedia.com/TERM/P/phishing.html4. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?Secure Electronic Transaction(SET) is system that ensures the security of financial transaction via the internet. During a financial transaction, purchaser, merchants and purchaser's bank are verified and the transaction is conducted after the user has recieved a digital certificate (digital wallet). This process makes the transaction secure and confidential.
Secure Socket Layer(SSL) on the other is a standard that encrypts the data between Web Server and a Web Browser. It helps improve the communication in the Internet. SSL is built in over the all of the major browsers and webservers which turns on the SSL capabilities by simply installing the digital certificate.
SET and SSL are both similar in a way that they both uses public key encryption but SET is more secure and ensures safe internet transaction then SSL because the process in SET double checks all the transaction at least three times but SET is more complex and costly in relation to SSL which could be called its drawback.
Therefore, SET is less common is use than SSL because of its high cost as well as its Network effect caused by a need to install client software.
Reference:
Secure Electronic Transaction. Wikipedia. 2010.Wikimedia Foundation, Inc. Retreived on May 4, 2010 from
http://en.wikipedia.org/wiki/Secure_Electronic_TransactionSSL versus SET, Clough G. (n.d), retrieved on May 5, 2010 from
http://www.savagerun.com/SSLSET.htmWhat is secure electronic transaction?, retrieved on May 5, 2010 from
http://searchfinancialsecurity.techtarget.com/sDefinition/0,,sid185_gci214194,00.html5. What are cookies and how are they used to improve security?Can the use of cookies be a security risk?Cookies is a small text file stored by the browser which stores bits of information like Unique ID tag in an encrypted format for the purpose of privacy. There are two types of cookies stored in the computer system, which are temporary cookies also known as session which remains on the computer's memory only till the browser is open and another cookies which is permanent cookie stored in the computer's drive and will be recreated even if it is deleted when the website is opened again.
A cookie can be used for the purpose of authenticating the user and tracking the session for the shopping cart purpose. Hence it can enhance security of the user.
However, there has also been a security concerns while using cookies. Cookies Hijacking is the most common among those risk, where unauthorized party hijacks all the sensitive information from the cookies such as usernames from the network causing damage to the user. Such an act can be manipulated by packet sniffing. Another security risks could be Cookies Poisoning, the act of changing the values of the cookies by an attacker and Cookies Theft, the act of directing the cookies to an arbitary server using different means from the 'cookies header'.
Reference:
HTTP cookie. Wikipedia. 2010.Wikimedia Foundation, Inc. Retreived on May 5, 2010 from
http://en.wikipedia.org/wiki/HTTP_cookieWhat are Computer Cookies?, Kayne R. (2010), Retrieved on May 5, 2010 from
http://www.wisegeek.com/what-are-computer-cookies.htm6. What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?Firewall is a barrier in computer system built to stop unauthorized access to the system, based on a certain set of rules. Firewalls are specially used to prevent unwanted network from internet
and extranet into the system. Its main function is to monitor the network that is seeking access and then give permit or denies the network based on the set of rules. Hence, firewalls can also provide good security from unauthorized network access.
The firewall vendors that we found on internet were
- Zone Alarm PRO firewall 2010: it provides firewall and anti-spy protection software only.
- Prisma Firewall : provides firewall software only.
- WatchGuard FireBox X6500e : the vendor provides both hardware and software for the firewall
Reference:
Best Firewall Software - Editors choice. Retreived on May 7, 2010 from
7. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?
To create trust among the potential customers on the e-commerce, they can use certain level of encryption while the file is being transferred. Antivirus and firewall can also used in the server side to prevent damage from unknown viruses and attacks.
Cusomer can be educated about the dangers and threat present in the internet while doing financial transaction and measures to prevent themselves like making passwords that are difficult to trace and unpredicatable, Not leaving their computers for others to use and use of antivirus software for deeper protection.
Reference:
Internet Security. Retreived on May 7, 2010 from
8. Get the latest PGP information from http://en.wikipedia.org/wiki/Pretty_Good_Privacy.
The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?
The latest information on PGP was on April 29 2010, that Symantec Corp will be aquiring PGP for 300 million with the intent of integrating it into its Enterprise Security Group.
Other examples for avoiding identity theft other than digital certificate and passports are Ephemeral Key, Federated identity, Secure Socket Layer (SSL), Biometric Verification etc.
Reference:
Identity and Access Management, Milgate R. (2010), Retreived on May 8, 2010 from