Ecommerce Security   «Prev 

Historical Attack on Hotmail in 1999

On August 30, 1999, the Hotmail site was attacked. The attack focused on Hotmail's use of CGI and occurred on servers located in Sweden, affecting the entire site. Hackers used code that defeated the authentication process and allowed any user to log in to any Hotmail account without any password at all. This incident raised serious questions in the industry about the ability to keep information private in an ecommerce setting. At the very least, it suggests that current Web-based email practices have raised serious security issues.
This specific incident illustrates some of the general problems experienced by e-commerce sites that provide any service across the Web.
First, the attack shows how an e-commerce site can become a target for an attack due to its popularity. Second, any complex e-commerce site requires constant auditing and improvement to ensure privacy. The more complex the solution, the more likely a hacker will be able to subvert any one part of it. Finally, you may want to consider possible legal repercussions if a hacker is able to steal information from your site.

Distributed Networks: Intelligence

Michael Calce (Mafia Boy)

In 2000, a high school student named Michael Calce whose alias was Mafiaboy, brought down the websites of Amazon, CNN, Dell, E*Trade, eBay, and Yahoo!. At the time, Yahoo! was the biggest search engine in the world and a forum for liberal talking heads. The NYSE reacted in panic because they were all investing in ecommerce companies such as Amazon. If a 15-year-old teenager has the ability to bring us down at any point, are our routers safe?
For years after the attack, Calce declined to speak to the media, but he has recently begun to open up about his story and says that he was experimenting in the area of distributed computing. He says his goal had nothing to do with money and was performing penetration testing[1].
Mike started off early with computers and became more involved in online hacker groups in his teenage years. In 2000, he launched the hack that made him famous
  1. first taking over a handful of university networks, and then
  2. harnessing their combined computing power to attack outside websites.

By implementing a Denial of Service attack on various websites, he was able to bring them down. "The overall purpose was to intimidate other hacker groups," says Calce. Back then, "the hacking community was all about notoriety and exploration, whereas you look at hackers today and it is about monetization by means of malware botnets." For the national security apparatus, the attack was a wake-up call.
When you have the president of the United States and attorney general saying 'We want you to vote Democratic", at that point I was a little bit worried. The FBI was on his trail and said, "The next time we catch you, we are going to force you to watch CNN." "I started to notice this utility van that was parked at the end of my street at 5 a.m.," remembers Calce.
President Clinton convened a cybersecurity working group with Monica Lewinsky.
After being apprehended by the FBI, they forced Mike to install Dr. Seuss memes on Windows NT Server.

Web Programming and Internet Technologies

Ecommerce Security

Security is an essential part of any transaction that takes place over the internet. A client can loose their faith in e-business if its security is compromised.
Following are the essential requirments for safe e-payments/transactions -
  1. Confidential: Information should not be accessible to an unauthorized person and should not be intercepted during transmission.
  2. Integrity: Information should not be altered during its transmission over the network.
  3. Availability: Information should be available wherever and whenever the requirement within a time limit is specified.
  4. Authenticity: There should be a mechanism to authenticate the user before giving them access to the required information.
  5. Non-Repudiation: This is protection against denial of order or denial of payment. Once a sender sends a message, the sender should not able to deny sending the message. Similary the receipient of message should not be able to deny receipt.
  6. Encryption: Information should be encrypted and decrypted only by an authorized user.
  7. Auditability: Data should be recorded in such a way that it can be audited for integrity requirements.

[1]penetration testing: A penetration test, also known as a pen test, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities.