4/24/2009

Exercise 16-1

1. Visit an e-commerce website and survey the mode of payment allowed. Would you trust the site with your business?

I visited an e-commerce website named EasyLife (http://www.esdlife.com/), which is a well-known online shopping website in Hong Kong.

From its website, I find that they allow two kinds of payment: online payment and offline payment. For online payment, it accepts payment by Visa and MasterCard. For offline payment, it accepts payment by bank transfer and cheque.

Yes, I trust that site, because it is a very secure site. For example, it:

a.) Uses a double firewall.
b.) Uses an anti-hacking device.
c.) Uses a token-based login system.
d.) Uses PKI.
e.) Uses a data warehouse which has two loading monitors and a crisis management service.
f.) Uses a precise anti-virus device.

2. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by customer?

Figure 1 below (McKnight 2002) depicts the subconstructs of, and linkages among, the trust constructs. Disposition to trust should influence trusting beliefs because it tends to color interpretations of the interpersonal relationship at hand. Gefen (2000) found that disposition to trust influences trust in vendors. Similarly, disposition to trust should positively influence perceptions of the institutional setting. Figure 1 also shows disposition to trust impacting trusting intentions directly, but this relation should be weak because it is largely mediated by trusting beliefs. The direct effect of disposition to trust on trusting beliefs is likely to be strongest when both the institutional context and the specific trustee are unfamiliar to the truster (Bigley and Pierce 1998, Rotter 1971). If one has sizeable experience with an institutional context (but not with a specific trustee), that experience will directly influence institution-based trust, and the impact of disposition to trust on trusting beliefs will be largely mediated by institution-based trust. If a Web user gains experience with a specific vendor, the experience may be the dominant influence on trusting beliefs, instead of dispositional or institution-based trust.

Institution-based trust is proposed to relate positively to both trusting beliefs and trusting intentions. When a situation feels safe, we tend to believe that those in the situation have trustworthy attributes (McKnight et al. 1998). Thus, a consumer who is comfortable with the Web situation and the security of its structures is likely to have high trusting beliefs in a specific vendor. Similarly, feelings of contextual security entice us to have trusting intentions. Trusting beliefs will relate positively to trusting intentions because a consumer with high trusting beliefs perceives the Internet vendor to have attributes that enable the consumer to hold a secure willingness to depend on the vendor. Perceptions that the vendor is honest, for example, encourage the consumer to provide personal information. TRA research also supports this link, in that beliefs strongly predict corresponding intentions (Davis et al. 1989).

Figure 1. The trust constructs and their linkages (McKnight 2002); the figure itself is not reproduced here.

The items used to operationalize the constructs came from a number of sources. Because negatively worded trust items tend to factor separately into distrust (Wrightsman 1991), which is conceptually separate from trust (Lewicki et al. 1998, McKnight and Chervany 2001), we used all positively worded items. We did not measure trusting behaviors, a limitation future research should address. For trusting intentions-willingness to depend, we adapted a scale that we had previously developed and tested (with Cronbach's alpha 0.90) for use in organizations, with items largely from Dobing (1993). For trusting intentions-subjective probability of depending, new items were developed to measure three common trust-related Internet behaviors: provide personal information, buy from the vendor, and follow vendor advice. We felt respondents would perceive these intentions to embody vulnerability, as the definition of trusting intentions suggests (Mayer et al. 1995).

The trusting beliefs items were adapted from scales reviewed and summarized in Wrightsman (1991), especially Johnson-George and Swap (1982) and Rempel et al. (1985). In selecting items, we tried to capture the aspects of the belief that were most relevant to the Web context. Thus, for competence, we measured perceptions of how well the vendor did its job or how knowledgeable the vendor was (expertness/competence). We excluded dynamism (as a speaker), because it is not relevant to the Internet. The integrity items captured perceptions of vendor honesty, truthfulness, sincerity, and keeping commitments (reliability/dependability). Finally, the benevolence items focused on the vendor acting in the customer's best interest, trying to help, and being genuinely concerned.

No specific structural assurance or situational normality items were located. Typically, sociologists have either observed this kind of trust or, in Garfinkel's (1963) case, experimentally created it. We developed situational normality items to capture the same three dimensions—competence, benevolence, and integrity—by adapting the trusting beliefs items to reflect perceptions about Web vendors in general (instead of a specific Web vendor). For structural assurance, we utilized terms like “safeguards,” “protect,” “robust,” and “encryption” to refer to the structures making the Web safe. As with trusting beliefs, we dimensionalized faith in humanity into competence, benevolence, and integrity. Existing items were adapted from scales compiled in Wrightsman (1991). The items refer to attributes of people in general, distinguishing them from beliefs about a specific Web-based vendor. No items corresponding to the definition of trusting stance were found, so we created a new scale for this subconstruct with three items. Nontrust items were adapted from existing scales: Agarwal and Prasad (1998) for personal innovativeness and Cheskin (1999) for perceived site quality. Web experience was operationalized as the frequency of use of Web newspapers, news groups, information on products, and shopping, based on Georgia Institute of Technology's Graphics, Visualization, and Usability surveys of Web usage (www.cc.gatech.edu/gvu/user_surveys/).

Measures that can be verified by the customer: the customer can complete a questionnaire that includes measures of disposition to trust, institution-based trust, Web experience, and personal innovativeness.

3. Visit the VeriSign web site - what solutions does it offer for e-commerce?

VeriSign, Inc. (Nasdaq: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, its SSL, identity and authentication, and domain name services allow companies and consumers all over the world to engage in trusted communications and commerce. For details, see their commerce solutions introduction page at http://www.verisign.com/verisign-business-solutions/commerce-enablement-solutions/index.html, which introduces the e-commerce security services they can provide.

4. Visit the TRUSTe web site. Describe what services and solutions are offered.

I have visited the TRUSTe web site (http://truste.org/) and have studied all of its services and solutions, which are listed in the following:


Service:
TRUSTe's services support online business growth by allowing companies to communicate their commitment to privacy, and letting consumers know which businesses they can trust.

Solution:
a.) Develop standards and a certification program for downloadable consumer desktop applications.
b.) Offer a “Roadmap to Trust” starter package.
c.) Protect the customer's brand with back-end solutions: maintain a good reputation with TRUSTe's automated compliance scanning and breach alerts.
d.) Support growing international business with the TRUSTe EU Safe Harbor Seal. Use TRUSTe International Services to certify your privacy policies, resolve disputes, and communicate your privacy leadership in multiple languages.


References:
McKnight (2002). "Developing and Validating Trust Measures for e-Commerce: An Integrative Typology". Retrieved 24th April, 2009 from URL -
https://www.msu.edu/~mcknig26/Measures.pdf

Exercise 15

1. What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?

Wikipedia (2009) states that a firewall is a part of a computer system or network that is designed to block unauthorized access while permitting outward communication. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.

Bidgoli (2004) tells me that security is a critical aspect of extranet development, which extends to both the organization and its partners. Security issues must be considered throughout the design, implementation, and management of any extranet application. Developing a security plan for an extranet application should begin with a risk assessment to identify the potential sources of threat to the network, how likely these threats are to occur, and the investment (cost) in security that will be required. The level of security investment will vary depending on the nature of the extranet application, the threats of intrusion, and the sensitivity of the information shared on the extranet. Extranet security should consider authentication and access control, privacy and data integrity.

Because a firewall implements access control, it makes a good security investment.
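To make the "set of rules" in the definition above concrete, here is an added Python example of a minimal first-match packet filter. It is constructed for this page and is not code from Wikipedia, Bidgoli or any firewall vendor; the addresses, the policy and the `evaluate` function are assumptions chosen for illustration: HTTP and HTTPS to an assumed web server are open to everyone, SSH to it is allowed only from an assumed administrators' subnet, and everything else is denied.

```python
import ipaddress
from typing import List, Optional, Tuple

# A rule: (action, source network, destination network, protocol, destination port).
# Protocol "any" and port None act as wildcards. All values are constructed examples.
Rule = Tuple[str, str, str, str, Optional[int]]

WEB_SERVER = "192.0.2.10/32"   # assumed public web server (documentation address range)
ADMIN_NET = "10.0.1.0/24"      # assumed administrators' subnet

RULES: List[Rule] = [
    ("permit", ADMIN_NET, WEB_SERVER, "tcp", 22),     # SSH only from administrators
    ("permit", "0.0.0.0/0", WEB_SERVER, "tcp", 80),   # HTTP from anywhere
    ("permit", "0.0.0.0/0", WEB_SERVER, "tcp", 443),  # HTTPS from anywhere
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),  # explicit default deny
]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, int]:
    """First-match evaluation: return (action, index of the rule that decided).
    Index -1 means no rule matched and the implicit default (deny) applied."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for index, (action, src_net, dst_net, r_proto, r_port) in enumerate(rules):
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and r_proto in ("any", proto)
                and r_port in (None, dport)):
            return action, index
    return "deny", -1  # nothing permitted it, so it is blocked


if __name__ == "__main__":
    # Constructed sample connections: admin SSH, outsider SSH, outsider HTTPS.
    for pkt in [("10.0.1.7", "192.0.2.10", "tcp", 22),
                ("203.0.113.5", "192.0.2.10", "tcp", 22),
                ("203.0.113.5", "192.0.2.10", "tcp", 443)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Because evaluation stops at the first matching rule, order matters: a broad permit placed above a narrower deny would silently override it, which is why the narrow SSH rule comes first here. The explicit deny at the end is redundant with the implicit default, but returning its index makes the decision visible for logging and audit.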

I have found that Cisco is a hardware firewall vendor and ZoneAlarm is a software firewall vendor. Please see the following links, which introduce their best-known products:

For Cisco, please go to
http://www.cisco.com/en/US/products/ps5708/Products_Sub_Category_Home.html

For ZoneAlarm, please go to
http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm

2. Find out if your university or workplace has a backup policy in place. Is it followed and enforced?

I could not find any backup policy at my university or my workplace.


3. Most antivirus software performs active scanning of user activity on the Internet, detecting downloads and attachments in e-mails. Hackers have readily available resources to create new viruses. How easy is it to find a virus writing kit? Search the Internet and find such a tool. For example, see what you can find at http://vx.netlux.org/dat/vat.shtml.

I used the search engine Google and entered search terms such as "virus writing kit", "virus creation kit" or "virus construction kit", and I found that there are a lot of tools of that type available for download.


For example, the netlux web site (http://vx.netlux.org) contains a massive, continuously updated collection of magazines, virus samples, virus sources, polymorphic engines, virus generators, virus writing tutorials, articles, books, news archives, etc.

References:

Wikipedia (2009). “Firewall”. Retrieved 20th April, 2009 from URL - http://en.wikipedia.org/wiki/Firewall

Bidgoli (2004). "The Internet Encyclopedia", "Security of Internet", p. 278. John Wiley and Sons.

Exercise 14

1. What are cookies and how are they used to improve security?

A cookie is information that a Web site puts on your hard disk so that it can remember something about you at a later time. (More technically, it is information for future use that is stored by the server on the client side of a client/server communication.) Typically, a cookie records your preferences when using a particular site. Using the Web's Hypertext Transfer Protocol (HTTP), each request for a Web page is independent of all other requests. For this reason, the Web page server has no memory of what pages it has sent to a user previously or anything about your previous visits. A cookie is a mechanism that allows the server to store its own information about a user on the user's own computer. You can view the cookies that have been stored on your hard disk (although the content stored in each cookie may not make much sense to you). The location of the cookies depends on the browser. Internet Explorer stores each cookie as a separate file under a Windows subdirectory. Netscape stores all cookies in a single cookies.txt file. Opera stores them in a single cookies.dat file. (Techtarget, 2009)

Cookies are used to improve security. For example, a cookie can contain a random string (a session identifier) which is unique, difficult to decipher, and valid only for a given period of time. Only the server should be able to associate the user's preferences with the session identifier. Thus, when the session cookie expires, it becomes useless, and it should not contain any information relating to the user. (Kioskea, 2009)

2. Can the use of cookies be a security risk?

Yes, they can. For example, a cookie is a risk if it contains direct user information, or if its lifespan is not kept as close as possible to the duration of the user's session. On the other hand, the data stored in the cookie is sent back to the server, and from there to the database where the user entered his data.
Thus, a cookie can be a potential security risk when it contains user information.
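To make the two answers above concrete, here is an added Python example, written for this page and not taken from Techtarget or Kioskea, that contrasts the risky cookie carrying user information with a session cookie carrying only a random identifier that the server maps back to the user for a limited time. The in-memory `SESSIONS` store, the 15-minute lifetime and the cookie attributes are assumptions chosen for illustration.

```python
import secrets
import time
from typing import Dict, Optional

# Assumed in-memory session store; a real server would use a database or cache.
SESSIONS: Dict[str, dict] = {}

# Assumed lifetime: close to the length of one user session, not days.
SESSION_TTL_SECONDS = 15 * 60


def insecure_cookie(username: str, role: str) -> str:
    """Anti-pattern from the text: direct user information in the cookie."""
    return f"user={username}; role={role}"


def parse_insecure_cookie(value: str) -> Dict[str, str]:
    """The server cannot tell whether the client edited these fields."""
    return dict(part.strip().split("=", 1) for part in value.split(";"))


def create_session(username: str, now: Optional[float] = None) -> str:
    """Issue a random session identifier; the user data stays server-side."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    return sid


def lookup_session(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Map a presented session id back to a user, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del SESSIONS[sid]  # expired: the identifier is useless from now on
        return None
    return entry["user"]


def set_cookie_header(sid: str) -> str:
    """Set-Cookie line carrying only the identifier, with a bounded lifetime,
    hidden from page scripts (HttpOnly) and sent only over HTTPS (Secure)."""
    return (f"Set-Cookie: session={sid}; Max-Age={SESSION_TTL_SECONDS}; "
            "Path=/; HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    print("insecure:", insecure_cookie("alice", "user"))
    sid = create_session("alice")
    print(set_cookie_header(sid))
    print("lookup ->", lookup_session(sid))
```

The insecure form lets whoever holds the cookie read and rewrite the user's own role, and the server has no way to notice. The session form gives the client nothing but an opaque identifier; the user data never leaves the server, and once the entry expires the identifier stops meaning anything. The HttpOnly and Secure attributes are added here as standard hardening and are not mentioned by the page's sources.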

References:


Techtarget (2009). “Cookie”. Retrieved 20th April, 2009 from URL -
http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci211838,00.html

Kioskea (2009). “Cookies”. Retrieved 20th April, 2009 from URL -
http://en.kioskea.net/contents/securite/cookies.php3

Exercise 13

1. List and describe your experiences with a secure Web site. Some examples may be:

* University enrolment;
* Online banking, auctions, real estate;
* booking a cheap air ticket or concert ticket;
* shopping online for a book, software or a CD.

I have experience using an online banking service for checking deposits and buying stocks. I checked that the bank's web site uses 128-bit SSL encryption, a unique user name and password to log on, a security device, and automatic time-out to protect personal data. Therefore, it is very secure for us to do online e-banking.

2. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?

SET (Secure Electronic Transaction) protocol is an open industry standard developed for the secure transmission of payment information over the Internet and other electronic networks. SET has the strong support of two major league credit card companies: Visa and MasterCard. It is apparent that SET is the more secure protocol, but with this added security comes added complexity and cost. From the nature of the transactions, one can see that SET possesses a rather intricate nature that double checks the transaction at least three times. This is in addition to the initial safeguard protection: the issuance of a “certificate” that enables a party to place orders in a highly secure and, if needed, anonymous environment. (Clough, 2006)

SSL is built into all major browsers and web servers; therefore simply installing a digital certificate turns on their SSL capabilities. This of course makes SSL easier for a business to use at the outset. These are the sorts of market advantages that perhaps develop when a protocol like SSL has been invented by and has the support of the major computer players like Microsoft and Netscape rather than “conventional” credit extending companies such as Visa and MasterCard. In the end what we have is a comparison between an old standby that performs adequately, is relatively easy to use and is widely accepted (SSL) and a possibly up and coming protocol that offers more protections for sure but at what cost (SET). (Clough, 2006)

Yes, SET is very common because it is an open industry standard developed for the secure transmission of payment information over the Internet and other electronic networks.

In SET, a certificate is a public key that has been digitally signed by a trusted authority (usually the cardholder's financial institution) to identify the user of the public key. SET defines the following certificate types: signature, key encipherment, certificate signature, and CRL signature. See: http://www.setco.org/glossary.html (Clough, 2006)

References:
Webopedia (2009). “SET”. Retrieved 20th April, 2009 from URL -
http://e-momm.webopedia.com/TERM/S/SET.html

Clough (2006). "Comparing and Contrasting SSL and SET". Retrieved 20th April, 2009 from URL - http://www.savagerun.com/SSLSET.htm

Exercise 12

1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.

Webopedia (2009) states that SET, short for Secure Electronic Transaction, is a standard that will enable secure credit card transactions on the Internet. SET has been endorsed by virtually all the major players in the electronic commerce arena, including Microsoft, Netscape, Visa, and Mastercard. By employing digital signatures, SET will enable merchants to verify that buyers are who they claim to be. And it will protect buyers by providing a mechanism for their credit card number to be transferred directly to the credit card issuer for verification and billing without the merchant being able to see the number.

RSA stands for Rivest, Shamir, Adleman. Keen (1997) states that it is a cryptographic system based on public keys for both encryption and authentication. Advantages of RSA over other public key cryptosystems include the fact that it can be used for both encryption and authentication. In the RSA public key cryptosystem used for securing electronic cash transactions, both encryption and decryption are done by raising the digital representation of a message to a power that is the appropriate key.
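As an added example of the "raising the message to a power that is the key" description above, the Python below runs textbook RSA for both uses Keen names, encryption and authentication (signing). It is constructed for this page, not code from Keen or Webopedia; the tiny primes, the public exponent 17 and the character-by-character text encoding are assumptions for illustration only.

```python
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def generate_toy_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Textbook RSA key generation from two assumed tiny primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key: Key, m: int) -> int:
    """c = m^e mod n: the message raised to the public exponent."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key: Key, c: int) -> int:
    """m = c^d mod n: the ciphertext raised to the private exponent."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key: Key, m: int) -> int:
    """Authentication: the same operation, but with the private exponent."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key: Key, m: int, signature: int) -> bool:
    """Anyone with the public key can check that the signer held the private key."""
    n, e = public_key
    return pow(signature, e, n) == m


def encrypt_text(public_key: Key, text: str) -> List[int]:
    """Character-by-character textbook encryption (illustration only)."""
    return [encrypt(public_key, ord(ch)) for ch in text]


def decrypt_text(private_key: Key, blocks: List[int]) -> str:
    return "".join(chr(decrypt(private_key, c)) for c in blocks)


if __name__ == "__main__":
    pub, priv = generate_toy_keypair(61, 53)  # assumed toy primes
    print("public", pub, "private", priv)
    print("65 ->", encrypt(pub, 65), "->", decrypt(priv, encrypt(pub, 65)))
    print("signature valid:", verify(pub, 123, sign(priv, 123)))
```

Three caveats a practitioner would add: real RSA moduli are 2048 bits or more, not two small primes; the "128-bit" figure in the question refers to the symmetric session cipher negotiated inside SSL, not to the RSA key that protects the handshake; and textbook RSA is deterministic (the same character always produces the same ciphertext, which the `encrypt_text` helper makes visible), so deployed systems apply randomized padding such as OAEP before exponentiation.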

2. What can you find out about network and host-based intrusion detection system?

ISS (2007) explains that most traditional intrusion detection systems (IDS) take either a network or a host-based approach to recognizing and deflecting attacks. In either case, these products look for attack signatures, specific patterns that usually indicate malicious or suspicious intent. When an IDS looks for these patterns in network traffic, it's network-based. When an IDS looks for attack signatures in log files, it's host-based.

A next-generation IDS, therefore, must include tightly integrated host and network components. Combining these two technologies will greatly improve network resistance to attacks and misuse, enhance the enforcement of security policy and introduce greater flexibility in deployment options.

The graphic below illustrates how network- and host-based intrusion detection techniques interact to create a more powerful network defense. Some events are detectable by network means only. Others are detectable only at the host. Several require both types of intrusion detection to function properly.

(Graphic from ISS (2007) showing how network- and host-based detection interact; not reproduced here.)

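As an added illustration of the three cases in the paragraph above (constructed for this page, not taken from the ISS paper), the Python below runs one network signature over packet payloads and one host signature over auth-log lines, then correlates the two by source address. The sample packets, the log lines, the signature names and the failed-login threshold are all assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample data: three captured packets and an SSH server's auth log.
PACKETS: List[Dict[str, object]] = [
    {"src": "10.0.0.5", "dport": 80, "payload": "GET /index.html HTTP/1.1"},
    {"src": "10.0.0.7", "dport": 80, "payload": "GET /cgi-bin/../../etc/passwd HTTP/1.1"},
    {"src": "10.0.0.7", "dport": 22, "payload": "<encrypted>"},  # SSH: opaque on the wire
]
AUTH_LOG: List[str] = [
    "Apr 20 10:01:02 web sshd[412]: Failed password for root from 10.0.0.7 port 5100 ssh2",
    "Apr 20 10:01:03 web sshd[412]: Failed password for root from 10.0.0.7 port 5101 ssh2",
    "Apr 20 10:01:04 web sshd[412]: Failed password for root from 10.0.0.7 port 5102 ssh2",
    "Apr 20 10:01:05 web sshd[412]: Accepted password for root from 10.0.0.7 port 5103 ssh2",
    "Apr 20 10:02:00 web sshd[500]: Accepted publickey for alice from 10.0.0.5 port 6000 ssh2",
]

# Network signature: a pattern matched against plaintext packet payloads.
NETWORK_SIGNATURES = [
    ("http-path-traversal", re.compile(r"(\.\./)+")),
]
# Host signatures: patterns matched against log lines the network sensor cannot see
# because the SSH session is encrypted.
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")


def network_alerts(packets: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Network-based detection: (signature name, source address) per payload hit."""
    alerts = []
    for pkt in packets:
        for name, pattern in NETWORK_SIGNATURES:
            if pattern.search(str(pkt["payload"])):
                alerts.append((name, str(pkt["src"])))
    return alerts


def host_alerts(lines: List[str], threshold: int = 3) -> List[Tuple[str, str]]:
    """Host-based detection: repeated failures per source, and a success after them."""
    failures: Counter = Counter()
    accepted = set()
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.add(m.group(2))
    alerts = []
    for src, count in failures.items():
        if count >= threshold:
            alerts.append(("ssh-brute-force", src))
            if src in accepted:
                alerts.append(("ssh-login-after-brute-force", src))
    return alerts


def correlate(net: List[Tuple[str, str]], host: List[Tuple[str, str]]) -> List[str]:
    """Sources that triggered both a network and a host signature: the case that
    needs both kinds of IDS to be seen at all."""
    return sorted({src for _, src in net} & {src for _, src in host})


if __name__ == "__main__":
    net = network_alerts(PACKETS)
    host = host_alerts(AUTH_LOG)
    print("network:", net)
    print("host:", host)
    print("both:", correlate(net, host))
```

The path-traversal request is visible only on the wire (the web server may never log the rejected URL), the failed-login burst is visible only in the host's auth log (the SSH traffic is encrypted), and concluding that the same source did both is only possible when the two alert streams are joined, which is the integration the paragraph above argues for.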
3. What is 'phishing'?

In the field of computer security, Wikipedia (2009) states that phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

References:

Webopedia (2009). “SET”. Retrieved 20th April, 2009 from URL -
http://e-momm.webopedia.com/TERM/S/SET.html

Keen (1997). “On-line Profits”, RSA Encryption, pp. 234-235. Harvard Business Press.

ISS (2007). “Network- vs. Host-based Intrusion Detection”. Retrieved 20th April, 2009 from URL - http://documents.iss.net/whitepapers/nvh_ids.pdf

Wikipedia (2009). “Phishing”. Retrieved 20th April, 2009 from URL -
http://en.wikipedia.org/wiki/Phishing