Cryptographic Solutions for Secure Online Banking and Commerce - Advances in Information Security, Privacy, and Ethics
Latest Publications

Total documents: 17 (five years: 0)
H-index: 1 (five years: 0)

Published by IGI Global
ISBN 9781522502739, 9781522502746

Author(s):  
Kannan Balasubramanian

The wireless metropolitan area networks (WMANs) based on the 802.16 technology have recently gained a lot of interest among vendors and ISPs as the possible next development in wireless IP offerings and a possible solution for the last-mile access problem. With a theoretical speed of up to 75 Mbps and a range of several miles, 802.16 broadband wireless offers an alternative to cable modem and DSL, possibly displacing these technologies in the future. We discuss implementing security in wireless MANs with the PKM protocol that 802.16 uses for key management and security association management. Since device certificates are defined by the IEEE 802.16 standard, we briefly cover the issue of certificates and certificate hierarchies.


Author(s):  
Kannan Balasubramanian

Securing payment information on the Internet is challenging work. With proper care, attention to detail, and selection and use of the right tools, e-commerce site administrators can indeed ensure privacy and integrity of data for both their employers and customers alike. Remember that any security solution requires constant attention or it risks becoming a problem in and of itself. Secure payment processing environments rely on careful separation of activities where a “defense in depth” approach can help to shield you from threats coming from the Internet.


Author(s):  
Kannan Balasubramanian

Most merchant Web servers are contacted by completely unknown, often even anonymous, users. Thus they cannot generally protect themselves by demanding client authentication, but rather by employing carefully configured access control mechanisms. These range from firewall mechanisms and operating system security to secured execution environments for mobile code. Generally, all types of mechanisms that allow a client to execute a command on the server should be either completely disabled or provided only to a limited extent. Denial-of-service attacks have much more serious consequences for Web servers than for Web clients, because for servers, losing availability means losing revenue. Web publishing issues include anonymous publishing and copyright protection. Web servers must take special care to protect their most valuable asset, information, which is usually stored in databases and in some cases requires copyright protection.


Author(s):  
Kannan Balasubramanian

With the arrival of the internet, cell phones, e-mail, instant messaging and social networking sites, we can now do many wonderful things electronically that make our lives easier and more productive. We should get used to the idea that a good part of our social life can happen in cyberspace. You can keep up with your friends and meet new ones through a keyboard, microphone and a webcam. You can send a detailed e-mail, send a quick message or alert your circle of friends and followers about the latest details of what's happening around you. At the same time, we should come to terms with the fact that cyberspace is flooded with attacks from people who are unscrupulous in their intent to damage others in cyberspace. The attacks date back to the time when the telephone was invented, when attackers found ways to invade people's privacy. For most users, the web is just part of a well-rounded life that includes both a cyber world and a real world. The internet can be helpful, educational and fun. But it can also become an obsession leading to a waste of time and money. Just because cyberspace is virtual, that does not mean that there are no real dangers out there. The same sort of bad people who cause problems in the "real" world are also lurking on the internet. They spend their time looking for ways to steal your money, ruin your name or even cause you harm.


Author(s):  
Fakhraddin Maroofi, Khodadad Kalhori

The purpose of this paper is to examine the functional relationships between three types of risk (performance, financial and psychological) and the benefits and sacrifices components of value; these relationships are tested within a broader nomological network that includes e-service quality and satisfaction, word-of-mouth and intention to switch. The hypothesized relationships are tested, using Partial Least Squares, on data collected through a postal survey from 167 Iran-based SME organizations. The results confirm the significant but differential impact of the three types of risk on the two value components. Specifically, performance risk and financial risk are found to be significant determinants of benefits, while psychological risk impacts perceptions of sacrifices. We also provide evidence of the differential impact of the benefits and sacrifices components of value on satisfaction, and of the existence of both direct and indirect impacts of these components on word-of-mouth and intention to switch.


Author(s):  
Kannan Balasubramanian

Applications that operate on the Web often interact with a database to persistently store data. For example, if an e-commerce application needs to store a user's credit card number, it typically retrieves the data from a Web form (filled out by the customer) and passes that data to some application or script running on the company's server. The dominant language in which these database queries are written is SQL, the Structured Query Language. Web applications can be vulnerable to a malicious user crafting input that gets executed on the server. One instance of this is an attacker entering SQL commands into input fields, and the Web application then using this data directly on the server to construct a database query. The result could be the attacker gaining control over the database and possibly the server. Care should be taken to validate user input on the server side before user data is used.


Author(s):  
Kannan Balasubramanian

Many XML uses today need security, particularly in terms of authentication and confidentiality. Consider commercial transactions. It should be clear why purchase orders, payments, delivery receipts, contracts, and the like need authentication. In many cases, particularly when the transaction involves multiple parties, different parts of a message need different kinds of authentication for different recipients. For example, the payment portion of an order from a customer to a merchant could be extracted and sent to a payment clearing system and then to the customer's bank. Likewise, court filings, press releases, and even personal messages need authentication as a protection against forgery. XML Digital Signature, which provides authentication, is a full Recommendation in the W3C and a Draft Standard in the IETF. XML Encryption, which provides confidentiality, and Exclusive XML Canonicalization are W3C Candidate Recommendations.


Author(s):  
Kannan Balasubramanian

The obvious risks of a security breach are that unauthorized individuals: 1) can gain access to restricted information and 2) may be able to escalate their privileges in order to compromise the application and the entire application environment. The areas that can be compromised include user and system administration accounts. In this chapter we identify the major classes of web application vulnerabilities, give some examples of actual vulnerabilities found in real-life web application audits, and describe some countermeasures for those vulnerabilities. The classes are: 1) authentication, 2) session management, 3) access control, 4) input validation, 5) redirects and forwards, 6) injection flaws, 7) unauthorized view of data, 8) error handling, 9) cross-site scripting, 10) security misconfigurations and 11) denial of service.


Author(s):  
Kannan Balasubramanian

The design of a secure e-commerce website involves grouping your systems together in common areas as defined by their requirements for security. These groupings, or security zones, will be regulated by the control systems (such as firewalls and routers) that you deploy in your site. They will also be monitored for attack by intrusion detection systems (IDSs) and other tools deployed within your environment. The main steps in securing the e-commerce Web site are: (1) implementing security zones, (2) deploying firewalls, (3) deciding where to place the components, (4) implementing intrusion detection, and (5) managing and monitoring the systems.


Author(s):  
Kannan Balasubramanian

This chapter discusses in detail some of the most devastating attacks against Web applications and the common tools in the attacker's arsenal. There are many ways of categorizing and classifying attacks: based on the complexity of mounting them, the effect they have on the target system, the type of vulnerability that they exploit, the assets that they expose, the difficulty of detecting and fixing them, and so on. There are different methodologies for Vulnerability Assessment and Threat Analysis (VATA) and many sources to consult for assessing the risk of each attack. Among other sources, in this chapter we pay special attention to the methodology of the Open Web Application Security Project (OWASP), because OWASP is one of the most active security communities on the Web. Other good resources for following attack and vulnerability trends are Common Vulnerabilities and Exposures (CVE), the National Vulnerability Database (NVD), United States CERT Bulletins (US-CERT), and SANS.

