Sunday, July 23, 2006

Searching for Confidential Data and Files


In the previous section we described how some of the most common Search Engines are a real threat to those systems which allow access to their pages. Their indexing policies, and a lack of efficient mechanisms implemented by the Engines, leave our machines completely unprotected from attackers.
The case is much worse when we deal with File Search Engines. File Search Engines such as Lycos have thousands of entries referring to unsecured machines which leak confidential information all around the web. Even when the information contained in a file is encoded, we still don’t want it to be available to every user around the Internet. But, unbelievably, that is what is happening with files containing passwords for every machine in a whole system. Such files are indexed in File Search Engines all around the Web.

Next, we quote a few examples:

Using Lycos to search for files as confidential as /etc/passwd and /etc/shadow we can get hundreds of different and very interesting outcomes. But it is not only those files that are a great source of confidential information about a system. Files such as .htaccess and .htpasswd are used to control access to specific content within a server and they also store information about passwords and users. Well, these files are extremely easy to find with the useful help from the Lycos Engine.

In many cases the information found in any of these files is quick and easy to decode. Usually the algorithms used to encode the data are not very strong and are easy to crack. This allows the hacker to recover a password almost immediately and very frequently to guess other users’ passwords, even the root password of a system. A clear example of a very unsophisticated algorithm used to encode passwords in files is the one used by cuteFTP to store passwords in the file SMDATA.DAT; another is the one used by Netscape Enterprise Server to store passwords in the file admpw. A search on any of the files above will provide very sensitive information that can be used to gain access to the system.
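As an added example (not part of the original post), the following defender-side audit walks a local web document root and flags the file names this section lists, plus any file whose content looks like `user:hash` records. The regular expression, the 80% threshold and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# File names the article lists as routinely indexed (compared case-insensitively).
SENSITIVE_NAMES = {"passwd", "shadow", ".htaccess", ".htpasswd", "smdata.dat", "admpw"}
# Heuristic for passwd/shadow/.htpasswd records: login name, then a non-empty field.
CRED_LINE = re.compile(r"^[A-Za-z_][\w.-]{0,31}:[^:\s]+(:.*)?$")

def looks_like_credentials(path, max_lines=50):
    """True if at least 80% of the leading non-comment lines are user:field records."""
    try:
        with open(path, "r", errors="replace") as fh:
            lines = [line.strip() for _, line in zip(range(max_lines), fh)]
    except OSError:
        return False
    lines = [l for l in lines if l and not l.startswith("#")]
    hits = sum(1 for l in lines if CRED_LINE.match(l))
    return bool(lines) and hits / len(lines) >= 0.8

def audit_docroot(docroot):
    """Walk a web document root; return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if name.lower() in SENSITIVE_NAMES:
                findings.append((rel, "sensitive file name"))
            elif looks_like_credentials(full):
                findings.append((rel, "credential-like content"))
    return sorted(findings)

def demo():
    """Build a constructed document root in a temp dir and audit it."""
    samples = {  # constructed sample data, not real accounts or hashes
        ".htpasswd": "alice:$apr1$EXAMPLE$constructedhash0000000\n",
        "old/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "backup/users.txt": "bob:$1$EXAMPLE$constructed1\ncarol:$1$EXAMPLE$constructed2\n",
        "index.html": "<html><body>hello</body></html>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        return audit_docroot(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Anything the audit reports under a served directory should be moved outside the document root or denied by the server configuration before a crawler can reach it.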

Tuesday, June 20, 2006

Securing Web Transactions through Smartcards


Smart cards play an important role as part of the project since they are used for user identification and authentication, and they provide support for electronic transactions based on e-Purses.
The Web and smart cards create the need for analysing the security architecture provided by the most used Web browsers: Netscape Communicator and Microsoft Internet Explorer. Regarding Netscape Communicator, we adapted a previous work, which was developed in the SSL Project of the Universidad de Murcia [9]. As part of this project, a complete implementation of a PKCS#11 [14] cryptographic module was developed. In relation to Microsoft Internet Explorer, the analysis and design of a cryptographic module in compliance with the security architecture of this browser, and therefore with the Microsoft Windows operating system, was one of the tasks where more technical and human resources were used.

The Security Architecture of Microsoft Windows
In order to add the smart card technology to Microsoft Internet Explorer in particular, and into Microsoft Windows in general, we used the PC/SC standard [13] since it provides the necessary interoperability between this kind of device and the most widely-used operating systems.
The PC/SC architecture is based on several levels defined by the physical features of smart cards and readers and the specific details of the API, Application Program Interface, providing the smart card services (CryptoAPI) [11]. This API is a fundamental component of the security architecture of Microsoft Windows. It provides a complete cryptographic interface (digital signature, cipher, digital envelope, etc.) which is completely independent from the final service provider, its specific implementation, and the existence, or not, of a hardware device with cryptographic support. In this way, the developer can make use of cryptographic capabilities without the need to know the details of the cryptographic engine or hardware/software implementation.

Development of the CSP Cryptographic Module
Two components of the application environment defined by the PISCIS Project make use of smart cards by means of the CryptoAPI: the PKI and the SPEED protocol.

In relation to the PKI, we use our CSP, Cryptographic Service Provider, through the Certificate Enrolment Control library in order to generate the key pairs related to the users, and to store in the smartcard the private key, the user certificate and the CA certificate. On the other hand, the SPEED protocol uses the private keys and certificates for authenticating and validating the messages being sent by the participants in an e-Commerce transaction.

Taking those requirements into account we have implemented a CSP according to the Microsoft specification and using the smart cards of the PISCIS Project. Moreover, in order to check the proper functionality of our CSP, we have tested it with several Windows applications (logon, Windows 2000 PKI, etc.) and other CSPs (for example, Microsoft Base Cryptographic Provider). Currently, the CSP developed in PISCIS has obtained the official signature of Microsoft, which enables its distribution as a valid component for Windows systems.

Friday, May 26, 2006

Security in e-Commerce

One of the most hindering factors for e-Commerce has been the fact that most of the services related to e-Commerce have not been implemented with security in mind. If security is applied as an add-on or a patch to existing e-Commerce solutions, it provides a degraded service because existing e-Commerce functional requirements cannot easily be altered a posteriori. Even if this is not the case, e-Commerce users do not usually trust such an e-Commerce service and frequently opt out of it, being afraid of possible risks they might have to take while using the service. Security for e-Commerce must be thought of as a primary functional requirement and must be designed and implemented a priori. Thus, security will not constitute a hindering factor, but an enabler. This paper first considers security requirements for e-Commerce applications, then discusses the workings of the Public Key Infrastructure, PKI, and, finally, highlights its role in developing secure, hence trustworthy, e-Commerce applications.


The Internet is changing every aspect of our lives, but no area is undergoing as rapid and significant a change as the way businesses operate. Today, companies large, medium and small are using the Internet to communicate with their customers, suppliers and partners, to facilitate the communication among their employees and among their branches, to connect with their back-end data systems, and to transact commerce, i.e. they do e-business. In this environment, where almost every organization is increasing its reliance on information and computer-processing facilities, e-Commerce is bringing with it new dependencies and new risks. An industry survey discovered that “organizations engaged in Web commerce, electronic supply chains, and enterprise resource planning experience three times the incidents of information loss and theft of trade secrets than everybody else” [1].

The Information Security Breaches Survey of the British Department of Trade and Industry [2] indicates that 60% of the organizations surveyed (a total of 1000) have suffered a security breach in the last 2 years.


Public Key Infrastructure

A PKI consists of five types of components [10]:
1. Certification Authorities, CAs, that issue and revoke PKCs;
2. Organizational Registration Authorities, ORAs, that vouch for the binding between public keys and certificate holder identities and other attributes;
3. Certificate holders that are issued certificates and can sign digital documents and encrypt documents;
4. Clients that validate digital signatures and their certification paths from a known public key of a trusted CA;
5. Repositories that store and make available certificates and Certificate Revocation Lists, CRLs.

Additionally, a Time Stamping Authority, TSA, may be considered as part of the PKI. Entities that collectively operate as CAs, RAs, Repositories and TSAs have been commonly referred to as Trusted Third Parties, TTPs, or, more recently, as Certification Service Providers, CSPs.


Conclusion
The vast majority of businesses are competing with each other nowadays in the e-Commerce arena. Incentives most commonly used to attract customers in e-Commerce include the fact that the customer transacts directly with the service or product provider, reduced prices (stemming mostly from the lack of business intermediaries) and ease of locating a service or a product.

What the business world seems to be neglecting is the use of a model for e-Commerce transactions, a model that would clarify the functional requirements that have to be met in order to jump on the e-Commerce wagon. In this paper we provide such a model. Our business conclusion, based on that model, is that the best customer incentive for e-Commerce is probably the integrated security services. This can lead a customer into trusting e-Commerce and engaging in electronic transactions. We show what PKI services businesses need to use in order to enable e-Commerce. Information security technology is there; all businesses have to do is use it in a proper way. What is needed is a careful examination of the risks involved in the process, a comprehensive plan for managing them and the acceptance or mitigation of the remaining ones.

Information security –if used in a correct manner– is once more shown to be an enabler rather than a hindering factor for business.