Introduction
The Internet is a huge place that hosts several millions of people. As all the people are not honest, illegal activity’ is inevitable. Statistics show that only 10% of computer client is reported and only 2% of the reported client results in with convictions. There are two basic types of criminal activities:
The person who tries to understand and learn the various systems and capabilities of any private network. In this case the person has no intentions to do any damage or to steal any resources but tries to observe the system functionality. For example teenagers who tries to enter into a network out of curiosity till they are caught or deducted.
The persons who uses the Internet and the Web to benefit themselves by doing illegal activities such as, stealing software’s, information and causing damage to resources. This type of criminal activity raises the concern for network security.
A large system like Internet has many holes and crevices in which a determined person can easily find the way to get into any private network. There are many terms used to signify the computer criminals.
Type of Computer Criminals
1. Hacker-is a person who has good knowledge about computers and tries to open the data packets and steal the information transmitted through the Internet.
2. Cracker-is someone who specifically breaks into computer systems by bypassing or by guessing login passwords. These persons enter into the network as authenticated users and can cause any harm to the system.
3. Phreaks-are persons who hack phone systems. These people specifically try to scam long distance phone-time for them to control phone switch capability or to hack company automated EBX systems to get free voice-mail accounts or to raid companies existing voice-mail messages.
4. Phracker-is the combination of freak and cracker. A phracker breaks into phone systems and computer systems and specializes in total network destruction.
Security Issues
Another major issue in the Internet security is misrepresentation and fraud. One of the reasons of misrepresentation is that on the net it is easy to appear as anyone or anything without the actual presence.
In case (of doing commercial transactions everybody seems to fear having their credit card information stolen when they type it into the Web sites. This has developed the use of Secure servers. Secure servers I attempt to protect information when it is submitted in the forms by encrypting the information as it to twelve’s between the user browser and the server. Here the protection is only between the two points of transmission. But the information is not protected at the browser or at the server.
In reality there are three places where data can be intercepted
• In the browser
• Between the browser and the server
• In the server
1. In the browser the users often type sensitive data into a form field and continue their Web session. If the user leaves the computer tuned on and unattended, anyone can access that computer and view the last users personal data.
When the crucial information (credit card) is sent to a server even by using a secure method it is often encrypted and stored or sent as e-mail. During this process it could be intercepted.
For example, a hacker can access to the e-mail system and the crucial data sent by the e-mail.
There is currently huge cry for secure commerce server that will make credit card transactions fairly safe. Although such servers might protect consumers from having their credit card information stolen, they do nothing to protect the store owner from criminals who use fraudulent credit card numbers or false identities to purchase the products. Unfortunately storeowners have less protection from these kinds of frauds.
One of the simplest ways to safeguard against illegal transactions is to have your order entry system check the credit numbers against the credit card check sum standard. One can run this algorithm on any credit card number to determine whether it belongs to valid sequence of numbers.
This is the big joke with the secure server discussion that everyone claims security for the secure server transaction on net but actually they protect only one-half of the picture.
Secure servers attempt to encrypt the data between the browser and the server. Pirates are many ways in which they can intercept the data. However, this requires that the pirates operate within a trusted look and have significant technical expertise.
Sometimes during the shopping cycle, after the data reaches the secure server the system decrypts the data. Even if the data is decrypted for a time specific time period the information would still be intercepted. Most sophisticated software handles this decryption using the quickest and most uncrackable mechanism possible. However, creating a system in which information remains encrypted through out the cycle is practically impossible.
Products that try to address this problem are beginning to appear, such as Netscape Communications I-Store. This product tries to make the system 100% secure by connecting the store owner to a commercial bank that clears the credit card information. The system sends the credit card information directly to the bank in an encrypted format. The data is then decrypted in the bank secure system.
On the other hand systems like First Virtual (www.firstvirtua1.com) offer online cash transactions without credit card number or secure serving by creating a secure bank style pin members for users. So no credit card numbers are ever entered online and because of this no possibility exist for them to be stolen.
Whether the system routes information to the shop owner or to the bank, the credit card information can actually remain encrypted until the last possible moment. However, at some point the system must convert the information so that shop
owner can read it. At that point of time the information can be cracked.
The most secure setup is one that transmits the information to the shop owner in encrypted format, then moves the information to a computer that is not on the net, and then decrypt the information.
Many professional mathematicians and expert claims that model encryption technology is totally unbreakable. In encryption technologies many recent break-through have been achieved. At the same time decryption technology also advanced at the same pace.
Encryption
Encryption is a technique for hiding data. The encrypted data can be read only by those users for whom it is intended.
Nowadays various encryption techniques are available. One of the available techniques commonly used for encryption is Public Key. In Public Key encryption system, RSA Data Security of Redwood City offers the most popular and commercially available algorithm.
In a Public Key encryption system each user has two keys-public key and private key. The encryption and decryption algorithms are designed in a way so that only the private key can decrypt data that is encrypted by the public key. And the public key can decrypt data, encrypted by the private key. Therefore, one can broadcast the public key to all users.
For example, Kelvin has a private key known him only. Another user, Carlo has a private key that known to her only. Both users have public keys that every other user knows. Kelvin wants to send a secure message to Carlo. But he wants that only Carlo should read the message and she should know that Kelvin has sent the message to her. For this, Kelvin encrypts his message using the Carlo’s public key that is known to all other users.
However, once the message is encrypted using the Carlo’s public key only Carlo’s private key can decrypt the message that is known only to Carlo.
When Carlo receives the message from Kelvin, she decrypts with her private key and is able to read the message. In case Carlo replies Kelvin back then she should encrypt the message with Kelvin’s public key that can only be decrypted by Kelvin’s private key.
Secure Servers and Browsers Use the Following Public Key Technique.
A user fills out on order form and submits it. The user’s browser contacts the remote server. The server sends back server’s public encryption key to the user’s browser. The user browser uses server’s public key to encrypt the order form and sends the order form to the server. The server decrypts the order form using server’s private key. This technique is otherwise known as digital signature.
In case a pirate catches any information transmitted between browser and server, the information cannot be decrypted because the pirate does not have the server’s private key. Since all users know the public key, the pirate may also have the public key of the server. The only way that a pirate can crack the code is by guessing the private key. Most systems use large private keys that make it difficult to crack the private key.
A shop owner who receives secure information in the encrypted order should know how to maintain security. Depending on the type of communication (secure or non-secure)’ while ordering the goods, the owner has to see the order form either in an encrypted form or decrypted form. If the order form is decrypted instantly by the owner then any hacker can access the encrypted order form. To avoid this, the owner should make sure that the connection to the network is disconnected before decrypting the order form.
This means that if you are on a network and you receive your orders, you need to archive them in their encrypted state. When you are ready to view the order forms you can transmit them to a secure system and disconnect the link. With the secure system completely off the way you can than decrypt the information without worrying about pirates invading your information system.
When one receive an order from a secure mechanism, the receiver should keep in mind that sender is not necessarily honest because one cannot guarantee that such senders are who they say they are.
This is particularly a problem if you use secure server to accept login information for a subscription or a membership system.
In a login system the pirate can also do the following:
• Record the login sequence and then repeat it later. This enables the pirate to gain access.
• Misrepresent him as another user.
Most encrypting servers and browsers have special capabilities that enable them to overcome this type of problem. The solution for pirates recording login sequence is to record the time of day for each transaction. This totally eliminates the possibility of recording and then claim them a login session.
Encryption servers also use a technique known as certificate to verify the user. Certificate acts as a mechanism to stop pirates from using false IDs (using other user name with a different key). Certificates work by having a third party that keep track of public keys and their owners. The third party must be a trusted party similar InterNIC. The certificates that third party issues are encrypted with private keys.
Under this scenario when a browser contacts to a server, the server prompts for the certification document that the sender provides along with the sender’s private key.
One can examine the certification (which only the third party can encrypt) and compare the name and public key to the person who submitted the message. If they match the message sender’s authenticity is proved.
As you can see the issues related to receive secure information are complex. It is not possible to plug every security hole but most of them can be plugged. One hole that cannot be plugged is the one that enables a pirate to intercept your message to trace the key. In a world of super computers and corporate secrets plugging this hole is not impossible but it requires an investment of both time and resources.
Storing Secure Information
The most insure part of the Internet is not the Net itself but the source and destination of users and computers on the net.
As the user of the system, you should know the place and the method to store your data. When you are connected to the network your personal system is vulnerable. Because of the nature slip type connectivity and TCP/IP networks, someone else could be probing (interesting) your system while you are working.
Decrypted data residing on your hard disk may be available to outside for snooping. As server and browser security increases almost pirates will be driven to breaking into the system at the source or at the destination. This information of-course applies equally to the both the user and the storeowner. Storeowners must ensure that product information database is secure. Again store owners should ensure that they encrypt archived transactions, as well as transactions in the process of being fulfilled.
If a business can afford only lesser security then the best you can do is keep permissions of files hidden from pirates.
One of the best security measures that you can take for physically stored data is to have hardware password protection. Many commercial products provide this facility and often work well to keep the data secure.
Another security measure is to delete the not required data or information. Simply deleting the information is not enough. Pirates can easily undelete previously deleted information. They can even unformatted a formatted disk. After securely deleting file defrayment your drive using any popular disk utility. Such program ensures that the original structure of the disk is recognized leaving no recoverable data.
The best solution is to use programs like the Defense Departments recommended secure delete program. Such programs are available in software archives throughout the Internet. Before marking the file as deleted such programs first write repeating sequences of bits to each bit within the file. This ensures that magnetic particles are mixed several times so that traces of data are not readable.
Another type of pirating is also done by using, the electromagnetic emissions that come from the monitors. In the early age of computing, programmers could debug programs by turning on a radio and placing it near the computer. The internal clock speed of the computer would oscillate like the radio stations.
So they could hear the programming sequence running on the computer.
The programmers soon learn how to interpret the different sound frequencies to determine what was happening in their program. A type of technology and research called TEMPEST is available that can reverse this electromagnetic radiation into a reasonable reproduction of the original information.
The degree of security for computer connected Into Internet, depends upon the requirements and cost. Every one should take the basic measures of creating secure passwords, not leaving printouts laying around, and keeping hard” Yare secure.
One should encrypt sensitive data that sent over the Internet. The basic measures should be enough to cover the average security standards for the company. But monitor the system in, regular intervals. If security breaches are encounter, more sophisticated security measures should be implemented. Particularly, the companies are vulnerable those are involved in national security or those that have such companies as clients.
The Internet is a huge place that hosts several millions of people. As all the people are not honest, illegal activity’ is inevitable. Statistics show that only 10% of computer client is reported and only 2% of the reported client results in with convictions. There are two basic types of criminal activities:
The person who tries to understand and learn the various systems and capabilities of any private network. In this case the person has no intentions to do any damage or to steal any resources but tries to observe the system functionality. For example teenagers who tries to enter into a network out of curiosity till they are caught or deducted.
The persons who uses the Internet and the Web to benefit themselves by doing illegal activities such as, stealing software’s, information and causing damage to resources. This type of criminal activity raises the concern for network security.
A large system like Internet has many holes and crevices in which a determined person can easily find the way to get into any private network. There are many terms used to signify the computer criminals.
Type of Computer Criminals
1. Hacker-is a person who has good knowledge about computers and tries to open the data packets and steal the information transmitted through the Internet.
2. Cracker-is someone who specifically breaks into computer systems by bypassing or by guessing login passwords. These persons enter into the network as authenticated users and can cause any harm to the system.
3. Phreaks-are persons who hack phone systems. These people specifically try to scam long distance phone-time for them to control phone switch capability or to hack company automated EBX systems to get free voice-mail accounts or to raid companies existing voice-mail messages.
4. Phracker-is the combination of freak and cracker. A phracker breaks into phone systems and computer systems and specializes in total network destruction.
Security Issues
Another major issue in the Internet security is misrepresentation and fraud. One of the reasons of misrepresentation is that on the net it is easy to appear as anyone or anything without the actual presence.
In case (of doing commercial transactions everybody seems to fear having their credit card information stolen when they type it into the Web sites. This has developed the use of Secure servers. Secure servers I attempt to protect information when it is submitted in the forms by encrypting the information as it to twelve’s between the user browser and the server. Here the protection is only between the two points of transmission. But the information is not protected at the browser or at the server.
In reality there are three places where data can be intercepted
• In the browser
• Between the browser and the server
• In the server
1. In the browser the users often type sensitive data into a form field and continue their Web session. If the user leaves the computer tuned on and unattended, anyone can access that computer and view the last users personal data.
When the crucial information (credit card) is sent to a server even by using a secure method it is often encrypted and stored or sent as e-mail. During this process it could be intercepted.
For example, a hacker can access to the e-mail system and the crucial data sent by the e-mail.
There is currently huge cry for secure commerce server that will make credit card transactions fairly safe. Although such servers might protect consumers from having their credit card information stolen, they do nothing to protect the store owner from criminals who use fraudulent credit card numbers or false identities to purchase the products. Unfortunately storeowners have less protection from these kinds of frauds.
One of the simplest ways to safeguard against illegal transactions is to have your order entry system check the credit numbers against the credit card check sum standard. One can run this algorithm on any credit card number to determine whether it belongs to valid sequence of numbers.
This is the big joke with the secure server discussion that everyone claims security for the secure server transaction on net but actually they protect only one-half of the picture.
Secure servers attempt to encrypt the data between the browser and the server. Pirates are many ways in which they can intercept the data. However, this requires that the pirates operate within a trusted look and have significant technical expertise.
Sometimes during the shopping cycle, after the data reaches the secure server the system decrypts the data. Even if the data is decrypted for a time specific time period the information would still be intercepted. Most sophisticated software handles this decryption using the quickest and most uncrackable mechanism possible. However, creating a system in which information remains encrypted through out the cycle is practically impossible.
Products that try to address this problem are beginning to appear, such as Netscape Communications I-Store. This product tries to make the system 100% secure by connecting the store owner to a commercial bank that clears the credit card information. The system sends the credit card information directly to the bank in an encrypted format. The data is then decrypted in the bank secure system.
On the other hand systems like First Virtual (www.firstvirtua1.com) offer online cash transactions without credit card number or secure serving by creating a secure bank style pin members for users. So no credit card numbers are ever entered online and because of this no possibility exist for them to be stolen.
Whether the system routes information to the shop owner or to the bank, the credit card information can actually remain encrypted until the last possible moment. However, at some point the system must convert the information so that shop
owner can read it. At that point of time the information can be cracked.
The most secure setup is one that transmits the information to the shop owner in encrypted format, then moves the information to a computer that is not on the net, and then decrypt the information.
Many professional mathematicians and expert claims that model encryption technology is totally unbreakable. In encryption technologies many recent break-through have been achieved. At the same time decryption technology also advanced at the same pace.
Encryption
Encryption is a technique for hiding data. The encrypted data can be read only by those users for whom it is intended.
Nowadays various encryption techniques are available. One of the available techniques commonly used for encryption is Public Key. In Public Key encryption system, RSA Data Security of Redwood City offers the most popular and commercially available algorithm.
In a Public Key encryption system each user has two keys-public key and private key. The encryption and decryption algorithms are designed in a way so that only the private key can decrypt data that is encrypted by the public key. And the public key can decrypt data, encrypted by the private key. Therefore, one can broadcast the public key to all users.
For example, Kelvin has a private key known him only. Another user, Carlo has a private key that known to her only. Both users have public keys that every other user knows. Kelvin wants to send a secure message to Carlo. But he wants that only Carlo should read the message and she should know that Kelvin has sent the message to her. For this, Kelvin encrypts his message using the Carlo’s public key that is known to all other users.
However, once the message is encrypted using the Carlo’s public key only Carlo’s private key can decrypt the message that is known only to Carlo.
When Carlo receives the message from Kelvin, she decrypts with her private key and is able to read the message. In case Carlo replies Kelvin back then she should encrypt the message with Kelvin’s public key that can only be decrypted by Kelvin’s private key.
Secure Servers and Browsers Use the Following Public Key Technique.
A user fills out on order form and submits it. The user’s browser contacts the remote server. The server sends back server’s public encryption key to the user’s browser. The user browser uses server’s public key to encrypt the order form and sends the order form to the server. The server decrypts the order form using server’s private key. This technique is otherwise known as digital signature.
In case a pirate catches any information transmitted between browser and server, the information cannot be decrypted because the pirate does not have the server’s private key. Since all users know the public key, the pirate may also have the public key of the server. The only way that a pirate can crack the code is by guessing the private key. Most systems use large private keys that make it difficult to crack the private key.
A shop owner who receives secure information in the encrypted order should know how to maintain security. Depending on the type of communication (secure or non-secure)’ while ordering the goods, the owner has to see the order form either in an encrypted form or decrypted form. If the order form is decrypted instantly by the owner then any hacker can access the encrypted order form. To avoid this, the owner should make sure that the connection to the network is disconnected before decrypting the order form.
This means that if you are on a network and you receive your orders, you need to archive them in their encrypted state. When you are ready to view the order forms you can transmit them to a secure system and disconnect the link. With the secure system completely off the way you can than decrypt the information without worrying about pirates invading your information system.
When one receive an order from a secure mechanism, the receiver should keep in mind that sender is not necessarily honest because one cannot guarantee that such senders are who they say they are.
This is particularly a problem if you use secure server to accept login information for a subscription or a membership system.
In a login system the pirate can also do the following:
• Record the login sequence and then repeat it later. This enables the pirate to gain access.
• Misrepresent him as another user.
Most encrypting servers and browsers have special capabilities that enable them to overcome this type of problem. The solution for pirates recording login sequence is to record the time of day for each transaction. This totally eliminates the possibility of recording and then claim them a login session.
Encryption servers also use a technique known as certificate to verify the user. Certificate acts as a mechanism to stop pirates from using false IDs (using other user name with a different key). Certificates work by having a third party that keep track of public keys and their owners. The third party must be a trusted party similar InterNIC. The certificates that third party issues are encrypted with private keys.
Under this scenario when a browser contacts to a server, the server prompts for the certification document that the sender provides along with the sender’s private key.
One can examine the certification (which only the third party can encrypt) and compare the name and public key to the person who submitted the message. If they match the message sender’s authenticity is proved.
As you can see the issues related to receive secure information are complex. It is not possible to plug every security hole but most of them can be plugged. One hole that cannot be plugged is the one that enables a pirate to intercept your message to trace the key. In a world of super computers and corporate secrets plugging this hole is not impossible but it requires an investment of both time and resources.
Storing Secure Information
The most insure part of the Internet is not the Net itself but the source and destination of users and computers on the net.
As the user of the system, you should know the place and the method to store your data. When you are connected to the network your personal system is vulnerable. Because of the nature slip type connectivity and TCP/IP networks, someone else could be probing (interesting) your system while you are working.
Decrypted data residing on your hard disk may be available to outside for snooping. As server and browser security increases almost pirates will be driven to breaking into the system at the source or at the destination. This information of-course applies equally to the both the user and the storeowner. Storeowners must ensure that product information database is secure. Again store owners should ensure that they encrypt archived transactions, as well as transactions in the process of being fulfilled.
If a business can afford only lesser security then the best you can do is keep permissions of files hidden from pirates.
One of the best security measures that you can take for physically stored data is to have hardware password protection. Many commercial products provide this facility and often work well to keep the data secure.
Another security measure is to delete the not required data or information. Simply deleting the information is not enough. Pirates can easily undelete previously deleted information. They can even unformatted a formatted disk. After securely deleting file defrayment your drive using any popular disk utility. Such program ensures that the original structure of the disk is recognized leaving no recoverable data.
The best solution is to use programs like the Defense Departments recommended secure delete program. Such programs are available in software archives throughout the Internet. Before marking the file as deleted such programs first write repeating sequences of bits to each bit within the file. This ensures that magnetic particles are mixed several times so that traces of data are not readable.
Another type of pirating is also done by using, the electromagnetic emissions that come from the monitors. In the early age of computing, programmers could debug programs by turning on a radio and placing it near the computer. The internal clock speed of the computer would oscillate like the radio stations.
So they could hear the programming sequence running on the computer.
The programmers soon learn how to interpret the different sound frequencies to determine what was happening in their program. A type of technology and research called TEMPEST is available that can reverse this electromagnetic radiation into a reasonable reproduction of the original information.
The degree of security for computer connected Into Internet, depends upon the requirements and cost. Every one should take the basic measures of creating secure passwords, not leaving printouts laying around, and keeping hard” Yare secure.
One should encrypt sensitive data that sent over the Internet. The basic measures should be enough to cover the average security standards for the company. But monitor the system in, regular intervals. If security breaches are encounter, more sophisticated security measures should be implemented. Particularly, the companies are vulnerable those are involved in national security or those that have such companies as clients.
Comments
Post a Comment