
PHP and MySQL Web Development - P62


277
Security Threats
It is possible that crackers will break into your system and format your hard drive. It is fairly likely that a careless programmer or administrator will delete something by accident, and it is almost certain that you will occasionally lose a hard disk drive. Hard disk drives rotate thousands of times per minute, and, occasionally, they fail. Murphy's Law would tell you that the one that fails will be the most important one, long after you last made a backup.
You can take various measures to reduce the chance of data loss. Secure your servers against crackers. Keep the number of staff with access to your machine to a minimum. Hire only competent, careful people. Buy good quality drives. Use RAID in a redundant configuration (mirroring or parity, rather than plain striping) so that multiple drives can act like one faster, more reliable drive that survives the failure of a single disk.
Regardless of the cause, there is only one real protection against data loss—backups. Backing up data is not rocket science. On the contrary, it is tedious, dull, and hopefully useless, but it is vital. Make sure that your data is regularly backed up, and make sure that you have tested your backup procedure to be certain that you can recover. Make sure that your backups are stored away from your computers. Although it is unlikely that your premises will burn down or suffer some other catastrophic fate, storing a backup offsite is a fairly cheap insurance policy. Remember that an offsite backup is a complete copy of your data, so it needs the same protection against theft and unauthorized reading as the live system.
Modification of Data
Although the loss of data could be damaging, modification could be worse. What if somebody obtained access to your system and modified files? Although wholesale deletion will probably be noticed and can be remedied from your backup, how long will it take you to notice modification?
Modifications to files could include changes to data files or executable files. A cracker's motivation for altering a data file might be to graffiti your site or to obtain fraudulent benefits. Replacing executable files with sabotaged versions might give a cracker who has gained access once a secret backdoor for future visits.
You can protect data from modification as it travels over the network by computing a signature (or, between parties who share a secret key, a message authentication code). This does not stop somebody from modifying the data, but if the recipient checks that the signature still matches when the file arrives, they will know whether the file has been modified. Note that encrypting the data to protect it from unauthorized viewing does not by itself protect it from modification: with many cipher modes an attacker can flip bits in the ciphertext without the change being detected, so encrypted data should also carry a signature or MAC, or be sent using an authenticated-encryption mode.
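As an added example, not from the book, here is the check the paragraph describes, written in Python rather than the book's PHP. It uses an HMAC (a keyed hash from the standard library) rather than a public-key signature, so it detects modification between two parties who share a key; the key, the `<tag>.<message>` wire format and the sample order record are all assumptions made for the example.

```python
import hashlib
import hmac

# Assumed shared secret for the example. In a real deployment generate it once
# with secrets.token_bytes(32), exchange it out of band and never commit it.
KEY = b"example-shared-key-not-for-production"

TAG_LEN = 64  # hex characters in a SHA-256 HMAC


def sign(message: bytes, key: bytes = KEY) -> bytes:
    """Hex-encoded HMAC-SHA256 over message under key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest().encode("ascii")


def package(message: bytes, key: bytes = KEY) -> bytes:
    """Wire format assumed here: <tag>.<message>. The tag is hex, so the first
    '.' is always the separator even if the message itself contains dots."""
    return sign(message, key) + b"." + message


def verify(packet: bytes, key: bytes = KEY):
    """Return (True, message) if the tag matches the body, else (False, None)."""
    tag, sep, message = packet.partition(b".")
    if not sep or len(tag) != TAG_LEN:
        return False, None
    expected = sign(message, key)
    # compare_digest takes the same time whether the first or last byte differs,
    # so response timing leaks nothing about the correct tag.
    if not hmac.compare_digest(tag, expected):
        return False, None
    return True, message


def tamper(packet: bytes) -> bytes:
    """Simulate an en-route edit to the body that leaves the tag untouched."""
    return packet.replace(b"amount=10.00", b"amount=10000.00")


# Constructed sample message: an order record as a merchant might send it.
ORDER = b"order=1234;customer=55;amount=10.00"

if __name__ == "__main__":
    packet = package(ORDER)
    print("clean   :", verify(packet))
    print("tampered:", verify(tamper(packet)))
    print("bad key :", verify(packet, key=b"wrong"))
```

Because both ends hold the same key, either of them could have produced the tag; that is enough to detect tampering in transit, but not to prove to a third party who sent the message. For that (the non-repudiation discussed later in this chapter) the sender needs a digital signature made with a private key that only it holds.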
Protecting files stored on your server from modification requires that you use the file permission facilities your operating system provides and protect the system from unauthorized access. Using file permissions, users can be authorized to use the system, but not be given free rein to modify system files and other users' files. In particular, the account the Web server runs as should not be able to write to the scripts it executes. The lack of a proper permissions system is one of the reasons that Windows 95 and 98 are not suitable as server operating systems.
Detecting modification can be difficult. If at some point you realize that your system's security has been breached, how will you know whether important files have been modified? Some files, such as the data files that store your databases, are intended to change over time. Many others are intended to stay the same from the time you install them, unless you deliberately upgrade them. Modification of both programs and data can be insidious, but although programs can be reinstalled if you suspect modification, you cannot know which version of your data was "clean."
17 525x ch13 1/24/03 3:37 PM Page 277
278
Chapter 13 E-commerce Security Issues
File integrity assessment software, such as Tripwire, records information about important files in a known safe state, probably immediately after installation, and can be used at a later time to verify that files are unchanged. For this to mean anything, the recorded baseline must be kept where an intruder cannot rewrite it, for example on read-only media or on a separate machine. You can download commercial or conditionally free versions from Tripwire's Web site.
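The following is an added illustration of what a tool like Tripwire does, written in Python for this edition; it is not Tripwire's code and records far less than Tripwire does (a digest, size and permission bits per file, nothing about ownership or inodes). The site layout, file contents and the intruder's changes are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Record digest, size and permission bits of every regular file under root."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def check(root: Path, baseline: dict) -> dict:
    """Compare the tree under root with a saved baseline."""
    current = take_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for name, rec in baseline.items():
        if name not in current:
            report["removed"].append(name)
        elif current[name] != rec:
            report["modified"].append(name)
    report["added"] = [name for name in current if name not in baseline]
    return report


def demo() -> dict:
    """Constructed scenario in a temporary directory: take a baseline of a small
    site, make the kind of changes an intruder might make, then run the check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "checkout.php").write_text("<?php /* original checkout */ ?>")
        (root / "index.html").write_text("<html>welcome</html>")

        # The baseline would be written to read-only or offline storage; here it
        # is kept in memory as the JSON text that would have been written.
        saved = json.dumps(take_baseline(root))

        # Changes a cracker might make: alter a script, add a file, delete one.
        (root / "cgi-bin" / "checkout.php").write_text("<?php /* original checkout, plus an addition */ ?>")
        (root / "cgi-bin" / "extra.php").write_text("<?php /* not installed by us */ ?>")
        (root / "index.html").unlink()

        return check(root, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is only as trustworthy as the baseline's storage and the checker itself: keep the JSON (or a signature over it) where the intruder cannot reach it, and run the check from a binary you trust, since a cracker who can replace the checker can make it report anything.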

Denial of Service
One of the most difficult threats to guard against is denial of service. Denial of Service (DoS) occurs when somebody's actions make it difficult or impossible for users to access a service, or delay their access to a time-critical service.
Early in the year 2000, there was a famous spate of Distributed Denial of Service (DDoS) attacks against high profile Web sites. Targets included Yahoo!, eBay, Amazon, E-Trade, and Buy.com. Sites such as these are accustomed to traffic levels that most of us can only dream of, but are still vulnerable to being shut down for hours by a DoS attack. Although crackers generally have little to gain from shutting down a Web site, the proprietor might be losing money, time, and reputation.
One of the reasons that these attacks are so difficult to guard against is that there are a huge number of ways of carrying them out. Methods could include installing a program on a target machine that uses most of the system's processor time, reverse spamming, or using one of the automated tools. A reverse spam involves somebody sending out fake spam with the target listed as the sender. This way, the target will have thousands of angry replies to deal with.
Automated tools exist to launch distributed DoS attacks on a target. Without needing much knowledge, somebody can scan a large number of machines for known vulnerabilities, compromise a machine, and install the tool. Because the process is automated, an attacker can install the tool on a single host in under five seconds. When enough machines have been co-opted, all are instructed to flood the target with network traffic.
Guarding against DoS attacks is difficult in general. With a little research, you can find the default ports used by the common DDoS tools and close them, although this only stops attackers who have not bothered to reconfigure the tool. Your router might provide mechanisms such as limiting the percentage of traffic that uses particular protocols such as ICMP. Detecting hosts on your network being used to attack others is easier than protecting your machines from attack. If every network administrator could be relied on to vigilantly monitor his own network, DDoS would not be such a problem.
Because there are so many possible methods of attack, the only really effective defense is to monitor normal traffic behavior and have a pool of experts available to take countermeasures when abnormal things occur.
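As an added example of the "monitor normal traffic behavior" advice above (not from the book), this Python script reads Web server log lines in the common combined format, counts requests per client per minute and flags clients whose rate is far above the normal level. The log lines, the client addresses and the thresholds are constructed for the example.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/NCSA combined-format request line; only the client and timestamp matter.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')


def parse(line: str):
    """Return (client_ip, datetime) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts


def count_per_window(lines, window_seconds=60):
    """Map window start (epoch seconds) -> Counter of requests per client."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        counts[bucket][ip] += 1
    return counts


def analyse(lines, factor=10, floor=30):
    """Flag clients whose per-window request count is far above normal.
    'Normal' is the median of every (window, client) count; the median is used
    because a flood from a few hosts barely moves it, whereas it would drag a
    mean upwards and so help to hide itself."""
    counts = count_per_window(lines)
    samples = [n for c in counts.values() for n in c.values()]
    baseline = statistics.median(samples) if samples else 0
    threshold = max(floor, factor * baseline)
    flagged = sorted({ip for c in counts.values() for ip, n in c.items() if n > threshold})
    return {"baseline": baseline, "threshold": threshold, "flagged": flagged}


def make_sample_log():
    """Constructed log: five ordinary visitors over five minutes, plus three
    co-opted hosts (documentation addresses) flooding during minute three."""
    start = datetime(2003, 1, 24, 15, 0, 0, tzinfo=timezone.utc)
    lines = []

    def line(ip, when):
        stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET /index.php HTTP/1.0" 200 1234'

    for minute in range(5):
        for i in range(5):
            for k in range(i % 4 + 2):
                lines.append(line(f"192.0.2.{i + 1}", start + timedelta(minutes=minute, seconds=k * 7)))
    for j in range(3):
        for k in range(200):
            lines.append(line(f"198.51.100.{j + 7}", start + timedelta(minutes=3, microseconds=k)))
    lines.append("this line is not a request and is skipped")
    return lines


if __name__ == "__main__":
    print(analyse(make_sample_log()))
```

A real flood usually comes from far more sources, each staying below any per-client threshold, so in practice the same counting is applied to the aggregate request rate, the new-connection rate and the protocol mix as well; this block shows the shape of the detection, not a complete defense.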
Errors in Software
It is possible that the software you have bought, obtained, or written has serious errors in it. Given the short development times normally allowed to Web projects, it is highly likely that this software has some errors. Any business that is highly reliant on computerized processes is vulnerable to buggy software.
Errors in software can lead to all sorts of unpredictable behavior including service unavailability, security breaches, financial losses, and poor service to customers. Common causes of errors that you can look for include poor specifications, faulty assumptions made by developers, and inadequate testing.
Poor Specifications
The more sparse or ambiguous your design documentation is, the more likely you are to end up with errors in the final product. Although it might seem superfluous to you to specify that when a customer's credit card is declined, the order should not be sent to the customer, at least one big-budget site had this bug. The less experience your developers have with the type of system they are working on, the more precise your specification needs to be.
Assumptions Made by Developers
The designers and programmers of a system need to make many assumptions. Hopefully, they will document their assumptions and usually be right. Sometimes though, people make poor assumptions. These might include assumptions that input data will be valid, will not include unusual characters, or will be less than a particular size. It could also include assumptions about timing such as the likelihood of two conflicting actions occurring at the same time or that a complex processing task will always take more time than a simple task.
Assumptions like these can slip through because they are usually true. A cracker could take advantage of a buffer overrun because a programmer assumed a maximum length for input data, or a legitimate user could get confusing error messages and leave because it did not occur to your developers that a person's name might have an apostrophe in it. These sorts of errors can be found and fixed with a combination of good testing and detailed code review.
Historically, the operating system or application level weaknesses exploited by crackers have usually related either to buffer overflows or race conditions. In Web applications, the same assumption about input, that it will contain nothing unexpected, shows up as data passed unchecked into SQL statements or shell commands, where an apostrophe is not merely confusing but lets the input change what the statement does.
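An added example, in Python with the SQLite driver rather than the book's PHP and MySQL, of the apostrophe problem just described: a name like O'Brien breaks a statement built by string concatenation, while binding the value as a parameter handles it, and an explicit length check replaces the unstated maximum-length assumption. The table and the limit are constructed for the example.

```python
import sqlite3

MAX_NAME_LEN = 100  # assumed limit for this example


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_naive(conn: sqlite3.Connection, name: str) -> None:
    """Assumes the name contains nothing special to SQL and builds the statement
    by concatenation. An apostrophe ends the string literal early."""
    conn.execute("INSERT INTO customers (name) VALUES ('" + name + "')")


def insert_safe(conn: sqlite3.Connection, name: str) -> None:
    """Checks the assumed size limit explicitly and binds the value as a
    parameter, so the database driver never interprets it as SQL."""
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError(f"name must be 1 to {MAX_NAME_LEN} characters")
    conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))


def try_insert(insert, name: str):
    """Run one insert on a fresh database. Returns ('ok', stored_name) or
    ('error', message); the message is what a user would otherwise see."""
    conn = make_db()
    try:
        insert(conn, name)
    except (sqlite3.Error, ValueError) as exc:
        return "error", f"{type(exc).__name__}: {exc}"
    row = conn.execute("SELECT name FROM customers").fetchone()
    return "ok", row[0]


if __name__ == "__main__":
    for name in ("Smith", "O'Brien", "x" * 101):
        print(f"{name[:12]!r:16} naive={try_insert(insert_naive, name)}")
        print(f"{'':16} safe ={try_insert(insert_safe, name)}")
```

The naive version's error string is the "confusing error message" a customer would see. The deeper problem is that the same concatenation lets input change the statement's meaning (the SQL injection class of attack), which is why the fix is to bind parameters rather than to hunt for apostrophes.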
Poor Testing
It is rarely possible to test for all possible input conditions, on all possible types of hardware, running all possible operating systems with all possible user settings. This is even more true than usual with Web-based systems.
What is needed is a well-designed test plan that tests all the functions of your software on a representative sample of common machine types. A well-planned set of tests should aim to test every line of code in your project at least once. Ideally, this test suite should be automated so that it can be run on your selected test machines with little effort.
The greatest problem with testing is that it is unglamorous and repetitive. Although some people enjoy breaking things, few people enjoy breaking the same thing over and over again. It is important that people other than the original developers are involved in testing. One of the major goals of testing is to uncover faulty assumptions made by the developers. A fresh person is much more likely to have different assumptions. In addition to this, professionals are rarely keen to find flaws in their own work.
Repudiation
The final risk we will consider is repudiation. Repudiation occurs when a party involved in a transaction denies having taken part. E-commerce examples might include a person ordering goods off a Web site and then denying having authorized the charge on his credit card, or a person agreeing to something in email and then claiming that somebody else forged the email.
Ideally, financial transactions should provide the peace of mind of nonrepudiation to both parties. Neither party could deny their part in a transaction, or, more precisely, both parties could conclusively prove the actions of the other to a third party, such as a court. In practice, this rarely happens.
Authentication provides some surety about whom you are dealing with. If issued by a trusted organization, digital certificates of authentication can provide greater confidence.
Messages sent by each party also need to be tamperproof. There is not much value in being able to demonstrate that Corp Pty Ltd sent you a message if you cannot also demonstrate that what you received was exactly what they sent. As mentioned previously, signing messages makes them difficult to surreptitiously alter. For repudiation the kind of signature matters: a message authentication code computed with a key both parties share proves only that one of them produced the message, so either could have forged it, whereas a digital signature made with a private key that only the sender holds can be shown to a third party.
For transactions between parties with an ongoing relationship, digital certificates together with signed (and, where confidentiality matters, encrypted) communications are an effective way of limiting repudiation. For one-off transactions, such as the initial contact between an e-commerce Web site and a stranger bearing a credit card, they are not so practical.
An e-commerce company should be willing to hand over proof of its identity and a few hundred dollars to a certifying authority such as VeriSign or Thawte in order to assure visitors of the company's bona fides. Would that same company be willing to turn away every customer who was not willing to do the same in order to prove his identity? For small transactions, merchants are generally willing to accept a certain level of fraud or repudiation risk rather than turn away business.
An alliance between VISA, a number of financial organizations, and software companies has been promoting a standard called Secure Electronic Transaction (SET) since 1997. One component of the SET system is that cardholders can obtain digital certificates from their card issuers. If SET takes off, it could reduce the risk of repudiation and other credit card fraud in Internet transactions.
Unfortunately, although the specification has existed for many years, there seems to be little push from banks to issue SET-compliant certificates to their cardholders. No retailers seem willing to reject all customers without SET software, and there is little enthusiasm from consumers to adopt the software. There is very little reason for consumers to queue up at their local bank and spend time installing digital wallet software on their machines unless retailers are going to reject their customers without such software. In the event, SET never achieved wide deployment.
Balancing Usability, Performance, Cost, and Security
By its very nature, the Web is risky. It is designed to allow numerous anonymous users to request services from your machines. Most of those requests will be perfectly legitimate requests for Web pages, but connecting your machines to the Internet will allow people to attempt other types of connections.
Although it can be tempting to assume that the highest possible level of security is appropriate, this is rarely the case. If you wanted to be really secure, you would keep all your computers turned off, disconnected from all networks, in a locked safe. In order to make your computers available and usable, some relaxation of security is required.
There is a trade-off to be made between security, usability, cost, and performance. Making a service more secure can reduce usability by, for instance, limiting what people can do or requiring them to identify themselves. Increasing security can also reduce the level of performance of your machines. Running software to make your system more secure—such as encryption, intrusion detection systems, virus scanners, and extensive logging—uses resources. It takes more processing power to provide an encrypted session, such as an SSL/TLS connection to a Web site, than to provide a plain one, although on current processors with hardware cipher support the difference is far smaller than it was when SSL was new. These performance losses can be countered by spending more money on faster machines or hardware specifically designed for encryption.
You can view performance, usability, cost, and security as competing goals. You need to examine the trade-offs required and make sensible decisions to come up with a compromise. Depending on the value of your information, your budget, how many visitors you expect to serve, and what obstacles you think legitimate users will be willing to put up with, you can come up with a compromise position.
Creating a Security Policy
A security policy is a document that describes
• The general philosophy towards security in your organization
• What is to be protected—software, hardware, data
• Who is responsible for protecting these items
• Standards for security and metrics, which measure how well those standards are being met