eCommerce


With the onslaught of eCommerce and eBusiness solutions appearing all over the web, we decided to look into the issue a bit deeper. Do these providers really understand how simple it is to exploit most servers? Are they justified in claiming they are secure? Do customers really understand what happens when their credit cards are sent online? We decided to ask some of the top people in the security industry for their opinions, which we hope will be a valuable resource both for those interested in running a "secure site" and for those interested in purchasing online.
We will post replies as they come in. If you feel something important is missing, feel free to send an email to webmaster@<thisdomain>.com. Note that all submissions are posted unedited.
The first reply came from tftp, someone I find an irreplaceable resource. One of his most popular pieces of software is tkPGP.

Date: Mon, 19 Jun 2000 02:55:43 -0700 (PDT)
From: tftp <tftp(at)yahoo.com>
To: Yasholomew Yashinski <yashy(at)yashy.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 1) How do you feel about e-commerce?

e-commerce is a good and valuable tool, if used correctly. It allows
to buy things from far away (such as other provinces, states, countries).
It offers very wide assortment of goods and easy price comparison.
Finally, I don't need to go outside - it might be raining, slippery or
awfully cold (not here, but up North it's not uncommon). You are saving
on transportation, even maybe shopping at night (or at work). E-commerce
sites work 24/7.

> 2) Do you feel that e-commerce solutions (ie: SSL) are secure enough that the
> public should trust them?

Transport protocols are secure enough. They are infinitely more secure
than people who operate servers and clients :) The applications are probably
less secure. Any server is insecure. Nothing protects from hackers or thieves
short of encrypting everything in RAM, swap and filesystems - and even
that might be not enough. Good security is hard to achieve, and most
e-tailers don't pay enough attention to it, until someone hacks them bad.

> 3) Do you feel that the e-commerce machines are secure enough that the public
> should trust them?

No, servers aren't secure enough - few are properly trained and educated.
Security of the system does not stop at SSL; it starts at physical security
and then goes up. What cables are connected, how they can be abused, what
services are running, what if they are compromised, what passwords are chosen
and how often they are replaced - there are so many aspects of security that
it is virtually guaranteed that every e-commerce site violates some.

So public should not trust e-commerce servers. Instead they should be
handled as specifically untrusted systems - with knowledge that most of
what you do might be stolen. There is nothing new here. Our credit cards
can be stolen too - this doesn't prevent us from using them everywhere.

> 4) Should we be waiting until machines become more secure before trusting
> e-commerce?

No, we shouldn't wait. First of all, the waiting period will be pretty
long - until all servers are operated by AI, not less :) Secondly, there
are many dangers in our lives, and this one is far from serious. Credit
companies always cancel fraudulent charges because they don't care; the
merchant pays for everything.

> 5) Any security measures one should take when using e-commerce solutions?

Yes. The measures are interestingly familiar. Use your head, not just
emotions. Select partner sites carefully. Evaluate them before starting
a financial relationship. Do not tell them more than they need to know.
It is safer to have few good commercial partners than many bad ones.
Protect your personal data. Make sure that protection methods are valid
and not expired (check SSL certificate). If a problem nevertheless occurs
take corrective actions immediately. Most people know the drill :)

> 6) Do you feel the public is aware of the security hazards involving
> e-commerce?

No, not at all. Public will NEVER be fully aware of anything. Only
specialists (in any area) have a chance to be reasonably knowledgeable
in their area. Even if you take 100 Nobel laureates together, they will
not score much on average because genius chemist has no clue why this
butterfly spends winters on that island.

Thanks,
Dmitri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Gnome PGP version 0.4

iD8DBQE5Te0WTBNuAuzeIlARAgDZAJ93IIe7Dwrh370Iz5BXY4pEVWPZiACffxWD
edJjTKKEzHg9FKad1iDXPdA=
=7z++
-----END PGP SIGNATURE-----




The next submission comes from the infamous rain forest puppy.

Date: Mon, 19 Jun 2000 15:05:44 -0500 (CDT)
From: rain forest puppy <rfp(at)wiretrip.net>
To: Yasholomew Yashinski <yashy(at)yashy.com>

E-commerce...what a nice, small topic. :)

In a nutshell, I feel that most of today's implementations are flawed,
security-wise.  Let's consider first the mom-and-pop, 'get rich selling
stuff on the Internet' shops.  Some have set up some nice storefronts,
invested in SSL certificates (to be 'secure'), etc.  And yet, when it
comes time to place your order, you make an SSL connection to....formmail.
Yep.  They pipe your credit card order back into email.  So much for
secure.  But I can't blame them...besides some kinda kludgy public-key
email solutions, what available pre-packaged mechanisms are there for
these types of people to use?

And then there's the 'big businesses', which can afford more sophisticated
setups.  They pipe orders into a database.  Well, then I have to wonder:

1. Where is the database, and how does the travel (securely) between the
web server and the database server?

2. Do they store sensitive data in the database?  If so, is it encrypted?
If it's encrypted, is it with a public key algorithm?  Private keys mean
the application has to have access to them, meaning if the database server
and/or the application server are compromised, they can get *all* the
data...

3. Are they using a credit card fulfillment house?  If so, who, and how do
they communicate orders to them?  Some use proprietary encryption (joy)
over HTTP, others may batch process via email.

So, to me, eCommerce is just like anything else: lots of people claiming
it's secure, but in reality, you really don't know if they're lying or
not.  Or perhaps they're not lying--they just don't understand it enough
to know it's not secure, in which case, they shouldn't be doing eCommerce
in the first place.

- rfp
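
rfp's second question turns on which key the web tier holds. As an added example (not part of rfp's message or of this site), the script below uses the `openssl` command line with constructed file names and a constructed test card record: the web tier is given only a public key, so it can write sealed records but cannot read them back.

```shell
#!/bin/sh
# Added illustration: the web tier seals card records with a PUBLIC key only.
# File names and the card record below are constructed for this example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Back office, offline: create the pair. Only web_pub.pem goes to the web tier.
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/backoffice_priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/backoffice_priv.pem" -pubout -out "$WORK/web_pub.pem"
}

# Web tier: RSA-OAEP encrypt one short record ($1) into file $2.
seal_record() {
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin \
        -inkey "$WORK/web_pub.pem" -pkeyopt rsa_padding_mode:oaep -out "$2"
}

# Try to decrypt file $2 with key file $1; fails unless $1 is the private key.
open_record() {
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" 2>/dev/null
}

make_keys
seal_record '4111111111111111|12/02' "$WORK/order1.bin"   # constructed test record
seal_record '4111111111111111|12/02' "$WORK/order2.bin"   # same record again

printf 'back office reads: %s\n' \
    "$(open_record "$WORK/backoffice_priv.pem" "$WORK/order1.bin")"

# What a compromised web or database server holds: ciphertext plus the public key.
if ! open_record "$WORK/web_pub.pem" "$WORK/order1.bin" >/dev/null; then
    echo "web tier key cannot decrypt stored orders"
fi

# OAEP padding is randomized, so re-encrypting a guessed card number
# does not reproduce a stored ciphertext.
if ! cmp -s "$WORK/order1.bin" "$WORK/order2.bin"; then
    echo "identical records produce different ciphertexts"
fi
```

With a symmetric key the second check would succeed, which is the situation rfp describes: whoever compromises the application server gets all the data.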


This comes from jposel, one of the oldest [yh] members, and one of Germany's most feared:
-----BEGIN PGP SIGNED MESSAGE-----

Hello Yash,

On 07.07.2000 at around 04:07 you wrote:

> 1) How do you feel about e-commerce?

Fine. It'll bring back our jobs ;) Never had any problems with it, all
went fine 2 date.

> 2) Do you feel that e-commerce solutions (ie: SSL) are secure
> enough that the public should trust them?  

Yes, especially TLS v1 and SSL128

> 3) Do you feel that the e-commerce machines are secure enough that
> the public should trust them?  

What do you mean by machines? The servers that host the website?

> 6) Do you feel the public is aware of the security hazards
> involving e-commerce?

Not really. Sure, you see, Internet, that's just a bunch of nazis,
terrorists and pr0n dealers. That's public opinion. Now you see, there
they can also buy their favourite make-up *g* Having worked for the
startup e-commerce company Beautynet (http://www.beautynet.de), I know
that the customers don't really care and thus are not really
knowledgeable.

Cheers,
 Johannes                           
mailto:jposel@this.lsd.is.tainted.org
- --
Never forget that on the other side, too, it is only a computer that
crashes

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i
Comment: Freiheit stirbt in kleinen Stücken

-----END PGP SIGNATURE-----


What is a security discussion without Terje?
Feeling as always I have something to contribute, and because while replying I
look so busy no one will bother me here at work... ;)

* Yasholomew Yashinski (yashy@yashy.com) [000707 04:22]:
> 1) How do you feel about e-commerce?

A very interesting concept, in part because of the way it radically changed
just about every aspect of how one goes about purchasing goods. Also, it's a
shame it's currently in such a hype state, with everyone trying to get on the
.com train, without knowing anything about it. E-Commerce has a very big
potential, but that requires people to be willing to study the effects of
various moves, before making them.

> 2) Do you feel that e-commerce solutions (ie: SSL) are secure enough that the public should trust them?

No.

Quite simply because neither the people running the servers, which are in
charge of security, nor the general public knows enough about their systems to
secure them to such a level that it's no longer trivial to break the security.

The sad part is that that can also be said against nearly every other
financial transaction solution in use today.

Secure enough? Not by a long shot, but I am starting to think it might be the
lesser evil.

> 3) Do you feel that the e-commerce machines are secure enough that the public should trust them?

I think the general public is now facing a new problem compared to good old
hard cash for example. They now have to look at the vendor they're pondering
making a purchase from, and not only doubt his intentions, which are almost
always good, but also doubt his competence to take all the steps needed to
make a secure environment to protect the customer's information.

Again I would think twice about thinking of ecommerce as bad because there is
a security risk involved. If you go to a restaurant, have a fine meal, and pay
with your VISA, there's nothing stopping the crew at the restaurant from using
your VISA number in online scams. In fact, recent studies show that the bigger
part of the VISA accounts ripped off online belong to people who have never
sent their account number over the net.

With ecommerce you also get the ability for a company to outsource the
transaction services to a mutually trusted 3rd party, thus you can give your
account information to a company you consider to be secure, yet purchase goods
from a vendor you're not quite so sure about. This ends up giving the end user
a lot more freedom.

> 4) Should we be waiting until machines become more secure before trusting e-commerce?

Depends on which risks you're willing to face. If you own a VISA card, and use
it frequently, you should consider online purchases to be a small risk. This
in part because most banks will refund any expenses should you be ripped off.

That said, you should still exercise the same security precautions you do
when you shop in real life. Be careful about who you give your VISA account
number to, try to keep your own workstation at least fairly secure, and so on.

> 5) Any security measures one should take when using e-commerce solutions?

One of the easiest points of attack is the customer's own computer. For this
reason, the customer should always be careful about opening attachments,
installing software from unknown vendors and in general just try not to get
backdoored. This isn't really an ecommerce issue though. If someone cracks into
your computer, you have a big problem no matter if you're purchasing goods on
the net or not.

> 6) Do you feel the public is aware of the security hazards involving e-commerce

They are aware that there are security hazards. They're not aware of which,
and they have a totally wrong understanding of where the risks are. It seems
the general public is thinking if you put your VISA number on the net, no
matter how you do it, it's out there for the world to see. That's one of the
biggest problems with today's ecommerce situation.

The internet is the place people exploit the VISA numbers, it's not the only
place where they harvest them.

>  Also, as euphoria is co-located, I'm contemplating deleting anything I
> don't use, including xfree. How safe am I deleting xf86? As SuSE is rpm
> based, I can just delete the rpm, I'm just afraid of breaking
> dependencies. Anything else that is only xfree related that I can safely
> remove?

Should you even be asking this question?

>  Finally, is there something like a realtime netstat? I'd like a
> combination of netstat with a top like interface.

trafshow might help some...

Terje


In summary, we hope this page has perhaps helped you understand or learn a bit more about the security aspect of using eCommerce. Again, we welcome any questions/comments.
Copyright YashNet 1996-2005   ·   Last modified: March 04 2001 23:33:52.