
Article information

  • Title: Put on a hacker-proof vest
  • Author: Tehrani, Rich
  • Journal: Call Center Solutions
  • Print ISSN: 1521-0774
  • Year: 1999
  • Issue: Sep 1999
  • Publisher: Technology Marketing Corp.

Put on a hacker-proof vest

Tehrani, Rich

For decades, parents the world over have been asking their children, "Don't you have anything better to do than watch TV?" You've no doubt heard (or made) references to the "boob tube" or "idiot box," condemning this much-maligned appliance for keeping children from using their brains and reading books.

Enter the late 1990s and the new world of cyberspace. Internet access on the personal computer is often a parent's dream as it is the gateway to mass amounts of information and educational topics for children around the globe. Children love the medium because they control the information they receive more than they can on TV. Parents like the idea that their kids are using the computer, which most perceive as a more productive way to spend time than watching "the box," as TV was referred to in my home as I grew up.

As a result, we now have millions of children watching less TV and spending their time surfing the Web instead. Most of these kids enjoy a challenge and understand computers better than their parents. However, the scenario is less idyllic than it sounds. Take, for example, a roguish, computer-savvy teenager and mix in eight hours of free time per day, sprinkle in a high-speed DSL or cable modem connection and add a dash of hacker newsgroup - you have the perfect recipe for e-commerce heartburn. By the way, the heartburn I am referring to is yours - that is, if your company has implemented or is about to implement an e-commerce solution. Your site is not safe from hackers. No site is. This is your wake-up call. Please read the following column carefully and cc it to your colleagues. And please do take this column and e-commerce security very seriously. I would much rather write positive stories about e-commerce success than about how your customer list was stolen off your Web site and sold to your competitors.

Lest you think I have anything against children, I don't. I simply think it's worthwhile to point out that if a child can break into your e-commerce site, anyone can. Take anyone literally, as in your competitor, your customer, your enemies or just some random, malicious person who found a hole in your system.

Since IBM has been making a huge e-business splash of late, I thought the company would be a great resource to tap into on the topic of e-commerce security. Recently I had a chance to ask IBM's program director of S/390 Security, Linda Distel, some questions about e-commerce security. The S/390 G6 Server is IBM's most powerful commercial enterprise server.

Here is the dialog that ensued:

Q: What is the first step in building a secure e-commerce site?

A: The first step to building a secure site is to know that the entire business system - from the network level to the system level to the transaction level has to have security features and functions. Next, a business needs to develop a security policy and an action plan to implement the policy.

Q: What are all the possible holes that need to be plugged before attempting to set up such a site and protect it from hackers?

A: Unfortunately, there are many ways hackers can get into systems. They can get in through the outside, which is why firewall technology, which includes data encryption, packet filters, etc., can protect businesses from unwanted outsiders. Access to applications should be limited to those needed to conduct the transaction. For added security, businesses that often conduct transactions together over the Internet can also set up virtual private networks, which allow private communications over public networks.

Hacking can also occur within the company by its own employees. It is important to enforce strong password rules or other strong authentication methods such as using digital certificates in conjunction with a resource control manager.

Q: How do you ensure the privacy of your customer's confidential information, such as credit card numbers and unlisted phone numbers?

A: IBM and other technology companies, working in collaboration with VISA and MasterCard, helped establish the Secure Electronic Transaction (SET) standard for Internet bank card security, and developed the first merchant server based on SET. Using this standard, buyers and sellers authenticate their identities, helping to ensure that those involved are who they claim to be, and that sensitive data remain confidential and are revealed only to the parties who need to know this information.

There is also the Secure Sockets Layer (SSL), a de facto standard developed by Netscape. It provides a private channel between client and server, which helps ensure privacy of data, authentication of the session participants and message integrity. This technology is generally available as part of Web browsers and Web servers.

Q: What are some of the security standards that must be known inside and out by someone looking to build a secure e-commerce site?

A: Businesses building e-commerce Web sites should know about the Secure Sockets Layer (SSL), which provides a private channel between client and server and helps ensure privacy of data, authentication of the session participants and message integrity.

They should also know about the Secure Electronic Transaction (SET) for conducting secure bank card payments over the Internet.
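The two answers above describe SSL by its three properties but not where they come from. The following Go program is an added example by the editor, not part of the interview and not IBM's or Netscape's code; it uses Go's crypto/tls, the successor to SSL (SSL 2.0 and 3.0 themselves are prohibited today by RFC 6176 and RFC 7568), to run a handshake between an in-process server and client. It shows what "authentication of the session participants" means in practice: the client trusts only the issuer it has been given and refuses to proceed when the server's certificate comes from anyone else or is issued for a different name. The host name shop.example, the self-signed certificate and the in-memory connection are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway certificate for host, plus a pool that
// trusts it. (Constructed for this example; a real merchant buys a certificate
// from a CA the customers' browsers already trust.)
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // what the client will match against
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// handshake runs one TLS handshake between an in-process server presenting
// cert and a client that trusts only roots (nil means the host's trust store)
// and expects to reach serverName. It returns the negotiated protocol version
// or the error that aborted the handshake. The link is an in-memory net.Pipe,
// which is synchronous: session tickets are disabled (in TLS 1.3 they trail
// the server's Finished in the same write and the client's handshake never
// reads them) and a deadline bounds the wait when one side aborts mid-flight.
func handshake(cert tls.Certificate, roots *x509.CertPool, serverName string) (uint16, error) {
	cliConn, srvConn := net.Pipe()
	defer cliConn.Close()
	defer srvConn.Close()
	deadline := time.Now().Add(2 * time.Second)
	cliConn.SetDeadline(deadline)
	srvConn.SetDeadline(deadline)

	srvErr := make(chan error, 1)
	go func() {
		srv := tls.Server(srvConn, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			MinVersion:             tls.VersionTLS12,
			SessionTicketsDisabled: true,
		})
		srvErr <- srv.Handshake()
	}()

	cli := tls.Client(cliConn, &tls.Config{
		RootCAs:    roots,      // the only issuers this client believes
		ServerName: serverName, // the name the certificate must be issued for
		MinVersion: tls.VersionTLS12,
	})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := selfSignedCert("shop.example")
	if err != nil {
		panic(err)
	}
	// Trusted issuer, matching name: the private channel is established.
	v, err := handshake(cert, roots, "shop.example")
	fmt.Printf("trusted issuer, right name: version=%#x err=%v\n", v, err)
	// Nobody the client trusts vouches for this server: refused before any
	// application data flows. This is what authenticating the server means.
	_, err = handshake(cert, x509.NewCertPool(), "shop.example")
	fmt.Println("unknown issuer:", err)
	// A perfectly valid certificate, but issued for some other site.
	_, err = handshake(cert, roots, "bank.example")
	fmt.Println("name mismatch:", err)
}
```

The two refusals are the whole point of the certificate: without them a session is private only with whoever answered, which may be the attacker, and "privacy of data" protects nothing. A client configured with InsecureSkipVerify, or a user who clicks through a certificate warning, gives exactly that up.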

Q: What kind of security/encryption is provided for Web-based calls on an e-commerce site?

A: SSL, SET and Public Key Infrastructures use a set of standard encryption calls. They use RSA algorithms and DES and Triple DES. S/390 H1W crypto supports all of these algorithms. The set of standards that RSA supports includes the following:

(If some of these acronyms are foreign to you, I found a few references that may be helpful: www.rsa.com and www.whatis.com.)

Security function                 Highlights

Data privacy                      Data Encryption Standard (DES) [56 bits]; Triple DES (TDES) [168 bits];
                                  Commercial Data Masking Facility (CDMF) [40 bits]
Data integrity                    Secure hash functions (MDC, MD5, SHA-1)
Authentication                    PIN algorithms; Message Authentication Code (single-key MAC, double-key MAC)
Non-repudiation                   Digital signature (RSA/DSS); public-key algorithms (RSA/DSS/Diffie-Hellman)
Optional Trusted Key Entry (TKE)  Uses public-key cryptography and TDES to enforce multiple-authority control
                                  and loading of master keys
Security                          FIPS 140-1 Level 4 (certification); LPAR
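The table lists primitives by the security function each serves but does not show why the four functions are distinct. The following Go program is an added example by the editor, not from the article, the interview or IBM's products; it is worked through with the algorithms the table names (Triple DES in CBC mode, SHA-1, a SHA-1 HMAC and RSA signatures) so the distinctions are visible in code: encryption alone hides an order but does not stop an attacker from flipping bits in it; an unkeyed hash catches accidents but not an attacker who recomputes it; a MAC stops that attacker but anyone who can check a MAC can also forge one; only a signature lets a third party verify who produced the message. The order record, keys and card number are constructed. Single DES (56-bit), CDMF (40-bit), MD5 and SHA-1 are the 1999 choices in the table and are not acceptable today; the distinctions shown do not depend on the algorithm.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Data privacy: Triple DES in CBC mode with a 168-bit key (24 bytes, three
// 56-bit DES keys), PKCS#7-padded to the 8-byte block. Output is iv||ciphertext.
func tdesEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	n := des.BlockSize - len(plaintext)%des.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, des.BlockSize+len(padded))
	iv := out[:des.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[des.BlockSize:], padded)
	return out, nil
}

func tdesDecrypt(key, data []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*des.BlockSize || len(data)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	pt := make([]byte, len(data)-des.BlockSize)
	cipher.NewCBCDecrypter(block, data[:des.BlockSize]).CryptBlocks(pt, data[des.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding") // a padding oracle if the peer can tell this error apart
	}
	return pt[:len(pt)-n], nil
}

// Data integrity (unkeyed hash): detects accidental corruption only, since
// anyone who alters the message can recompute the digest.
func digest(msg []byte) []byte { h := sha1.Sum(msg); return h[:] }

// Authentication (MAC): a valid tag needs the shared key, so an outsider cannot
// alter the message and repair the tag.
func mac(key, msg []byte) []byte { m := hmac.New(sha1.New, key); m.Write(msg); return m.Sum(nil) }

func macValid(key, msg, tag []byte) bool { return hmac.Equal(mac(key, msg), tag) }

// Non-repudiation (digital signature): made with the private key, checked with
// the public key, so a third party can verify it without being able to forge
// it. A MAC cannot offer this: whoever can verify one can also create one.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest(msg))
}

func sigValid(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest(msg), sig) == nil
}

// tamperDemo plays an attacker in the middle: it changes the amount on a
// constructed order, ships a freshly computed digest (no key needed) and leaves
// the MAC tag and signature as they were. It reports which receiver checks pass.
func tamperDemo(macKey []byte) (hashOK, macOK, sigOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	order := []byte("card=4111111111111111;amount=10.00") // constructed sample
	tag := mac(macKey, order)
	sig, err := sign(priv, order)
	if err != nil {
		return false, false, false, err
	}
	forged := bytes.Replace(order, []byte("10.00"), []byte("99.99"), 1)
	shipped := digest(forged) // the attacker replaces the digest along with the order
	return bytes.Equal(digest(forged), shipped), macValid(macKey, forged, tag), sigValid(&priv.PublicKey, forged, sig), nil
}

func main() {
	tdesKey, macKey := make([]byte, 24), make([]byte, 20)
	rand.Read(tdesKey)
	rand.Read(macKey)
	ct, _ := tdesEncrypt(tdesKey, []byte("4111111111111111"))
	pt, _ := tdesDecrypt(tdesKey, ct)
	fmt.Printf("TDES round trip: %q (%d ciphertext bytes)\n", pt, len(ct))
	ct[0] ^= 0x01 // privacy without integrity: one IV bit flipped, decryption reports no error
	pt, _ = tdesDecrypt(tdesKey, ct)
	fmt.Printf("after flipping an IV bit: %q\n", pt)
	h, m, s, err := tamperDemo(macKey)
	fmt.Printf("after tampering: hash passes=%v MAC passes=%v signature passes=%v err=%v\n", h, m, s, err)
}
```

The IV bit flip is why "data privacy" and "data integrity" are separate rows: CBC decrypts the altered ciphertext without complaint and the first digit of the card number silently changes. The MAC row is what closes that gap, and the signature row is what lets a merchant prove to the bank, or a court, who placed the order.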

E-commerce is crucial to the future of all businesses, and as more and more sensitive corporate information is connected to the Internet, it becomes vital that we take the necessary precautions to ensure our e-commerce solutions are secure from hackers and others. Please consider this brief interview and the article in this issue entitled "E-Commerce Security" by Kevin Grumball of Actinic Software as a starting point into the realm of securing your Web site. In the world of e-commerce security, as in life, there are few sure things. By taking the first steps in securing your site and continually keeping up to date with the latest security concepts, you will be assured at least a comfort level analogous to donning a hacker-proof vest.

BY RICH TEHRANI, GROUP PUBLISHER, TECHNOLOGY MARKETING CORPORATION

Sincerely,

Rich Tehrani Group Publisher rtehrani@tmcnet.com

For information and subscriptions:

call TMC(TM) at 203-852-6800; or fax to 203-853-2845 or 203-838-4070.

Copyright Technology Marketing Corporation Sep 1999
Provided by ProQuest Information and Learning Company. All rights Reserved
