Web Security, Privacy & Commerce, 2nd Edition

Simson Garfinkel
Gene Spafford
Publisher: O'Reilly
Second Edition November 2001
ISBN: 0-596-00045-6, 786 pages


This much expanded new edition explores web security risks and how to minimize them. Aimed at web users, administrators, and content providers, Web Security, Privacy & Commerce covers cryptography, SSL, the Public Key Infrastructure, digital signatures, digital certificates, privacy threats (cookies, log files, web logs, web bugs), hostile mobile code, and web publishing (intellectual property, P3P, digital payments, client-side digital signatures, code signing, PICS).

only for RuBoard - do not distribute or recompile

Web Security, Privacy & Commerce, 2nd Edition

Copyright © 2001 O'Reilly & Associates, Inc. All rights reserved.

Printed in the United States of America.

Published by O'Reilly & Associates, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly & Associates books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safari.oreilly.com). For more information contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly & Associates, Inc. was contributed by Lorrie Cranor of AT&T Labs-Research. It is copyright AT&T and reprinted with permission. The section entitled "Brad Biddle on Digital Signatures and E-SIGN" () was contributed by Brad Biddle. It is copyright Brad Biddle and reprinted with permission.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly & Associates, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. The association between the image of a whale shark and the topic of web security, privacy, and commerce is a trademark of O'Reilly & Associates, Inc.

While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.


Preface

The World Wide Web has changed our world. More than half the people in the United States now use the Web on a regular basis. We use it to read today's news, to check tomorrow's weather, and to search for events that have happened in the distant past. And increasingly, the Web is the focus of the 21st century economy. Whether it's the purchase of a $50 radio or the consummation of a $5 million business-to-business transaction, the Web is where the action is.

But the Web is not without its risks. Hand-in-hand with stories of the Internet's gold rush are constant reminders that the 21st century Internet has all the safety and security of the U.S. Wild West of the 1860s. Consider:

  • In February 2000, web sites belonging to Yahoo, Buy.com, Amazon.com, CNN, E*Trade, and others were shut down for hours, the result of a massive coordinated attack launched simultaneously from thousands of different computers. Although most of the sites were back up within hours, the attacks were quite costly. Yahoo, for instance, claimed to have lost more than a million dollars per minute in advertising revenue during the attack.

  • In December 1999, an attacker identifying himself as a 19-year-old Russian named "Maxim" broke into the CDUniverse web store operated by eUniverse Inc. and copied more than 300,000 credit card numbers. Maxim then sent a fax to eUniverse threatening to post the stolen credit cards on the Internet if the store didn't pay him $100,000.[1] On December 25, when the company refused to bow to the blackmail attack, Maxim posted more than 25,000 of the numbers on the hacker web site "Maxus Credit Card Pipeline."[2] This led to instances of credit card fraud and abuse. Many of those credit card numbers were then canceled by the issuing banks, causing inconvenience to the legitimate holders of those cards.[3] Similar break-ins and credit card thefts that year affected RealNames,[4] CreditCards.com, EggHead.Com, and many other corporations.

    [1] http://www.wired.com/news/technology/0,1282,33539,00.html

    [2] http://www.cnn.com/2000/TECH/computing/01/10/credit.card.crack.2/

    [3] Including one of the authors of this book.

    [4] http://www.thestandard.com/article/display/0,1151,9743,00.html

  • In October 2000, a student at Harvard University discovered that he could view the names, addresses, and phone numbers of thousands of Buy.com's customers by simply modifying a URL that the company sent to customers seeking to return merchandise. "This blatant disregard for security seems pretty inexcusable," the student, Ben Edelman, told Wired News.[5]

    [5] http://www.wired.com/news/technology/0,1282,39438,00.html

  • Attacks on the Internet aren't only limited to e-commerce sites. A significant number of high-profile web sites have had their pages rewritten during attacks. Those attacked include the U.S. Department of Justice, the U.S. Central Intelligence Agency (see Figure P-1), the U.S. Air Force, UNICEF, and the New York Times. An archive of more than 325 hacked home pages is online at http://www.antionline.com/.

Figure P-1. On September 18, 1996, a group of Swedish hackers broke into the Central Intelligence Agency's web site (http://www.odci.gov/) and altered the home page, proclaiming that the Agency was the Central Stupidity Agency.

Attacks on web servers are not the only risks we face on the electronic frontier:

  • On August 25, 2000, a fraudulent press release was uploaded to the computer of Internet Wire, an Internet news agency. The press release claimed to be from Emulex Corporation, a maker of computer hardware, and claimed that the company's chief executive officer had resigned and that the company would have to adjust its most recent quarterly earnings to reflect a loss, instead of a profit. The next morning, Emulex's share price plunged by more than 60%: within a few hours, the multi-billion-dollar company had lost roughly half its value. A few days later, authorities announced the Emulex caper had been pulled off by a single person—an ex-employee of the online news service, who had made a profit of nearly $250,000 by selling Emulex stock short before the release was issued.

  • Within hours of its release on May 4, 2000, a fast-moving computer worm called the "Love Bug" touched tens of millions of computers throughout the Internet and caused untold damage. Written in Microsoft Visual Basic Scripting Language (VBS), the worm was spread by people running the Microsoft Outlook email program. When executed, the worm would mail copies of itself to every email address in the victim's address book, then destroy every MP3 and JPEG file that it could locate on the victim's machine.

  • A growing number of computer "worms" scan the victim's hard disk for Microsoft Word and Excel files. These files are infected and then sent by email to recipients in the victim's address book. Not only are infections potentially started more often, but confidential documents may be sent to inappropriate recipients.

The Web doesn't merely represent a threat for corporations. There are cyberstalkers, who use the Web to learn personal information and harass their victims. There are pedophiles, who start relationships with children and lure them away from home. Even users of apparently anonymous chat services aren't safe: In February 1999, the defense contracting giant Raytheon filed suit against 21 unnamed individuals who made disparaging comments about the company on one of Yahoo's online chat boards. Raytheon insisted that the 21 were current employees who had leaked confidential information; the company demanded that the Yahoo company reveal the identities behind the email addresses. Yahoo complied in May 1999. A few days later, Raytheon announced that four of the identified employees had "resigned," and the lawsuit was dropped.[6]

[6] http://www.netlitigation.com/netlitigation/cases/raytheon.html

Even using apparently "anonymous" services on the Web may jeopardize your privacy and personal information. A study of the 21 most visited health-related web sites on the Internet (prepared for the California HealthCare Foundation) discovered that personal information provided at many of the sites was being inadvertently leaked to third-parties, including advertisers. In many cases, these data transfers were in violation of the web sites' own stated privacy policies.[7] A similar information leak, which sent the results of home mortgage calculations to the Internet advertising firm DoubleClick, was discovered on Intuit's Quicken.com personal finance site.[8]

[7] http://admin.chcf.org/documents/ehealth/privacywebreport.pdf

[8] http://news.cnet.com/news/0-1007-200-1562341.html
