ISIN 312 Applications of Information Security
Instructor: Jerry Emerick
Christopher Smith
2/19/2016
EXECUTIVE SUMMARY
This is a report on an authorized penetration test against the site located at http://192.168.0.1/isihack/shop.aspx. The testing occurred at my testing facility in Grand Ledge, MI. The testing occurred between the dates of 2/16/2016 and 2/20/2016 after written authorization was received from Jerry Emerick. The scope of the test was discussed on 2/15/2016 with Jerry Emerick. The following areas were the focus of the assessment:
1. Testing of shopping site security
2. Testing whether price could be manipulated
3. Testing whether quantities could be manipulated
As documented in this report, many vulnerabilities were identified
…show more content…
VULNERABILITY
The following is a list of the vulnerabilities found during the attack:
1. Using proxy software Burp Suite it was discovered that the shopping site contained a hidden form field that could be manipulated.
2. The hidden form field offered no security in regards to the item quantity and an attacker could select and item and enter a negative quantity which would subtract from the total dollar amount in the shopping cart.
REMEDIATION
The following are a list of recommendations that should be considered to resolve the vulnerabilities
1. Remove the hidden form fields from the shopping website and move all sensitive items to the server side.
2. Use validation to ensure the information is correct.
CONCLUSION AND RECOMMENDATIONS As mentioned earlier in the report. The vulnerabilities present on the e-commerce site allow a malicious user to intercept the web traffic and locate the hidden form fields and alter the item prices and quantities. These vulnerabilities allow the user to adversely affect the financial stability of the company. As show in the below diagram the user has the ability to user proxy software such as Burp Suite and intercept the traffic and send back manipulated data to the web server and paying reduced prices on all
* Perform a vulnerability assessment scan on the targeted IP subnet to discover what the weakest link in the system.
Despite the presence of network security devices such as firewalls and other security appliances, today's corporate networks are still vulnerable to both internal and external attacks by hackers intent on creating havoc. By proactively
When you use our online purchasing services, you may be asked for personally identifiable information such as your name, address, date of birth, email address, telephone number.
List the name and number of the critical Microsoft® vulnerabilities identified. What is vulnerability “MS08-067”?
On September 24, 2010, a laptop was stolen from an unlocked Urology office at the Henry Ford Health Systems hospital. The laptop did contain password protection software; however, it may not have been enough to permit access if the thief had advanced knowledge in computers. Additionally, the information stored on the laptop did not include social security or health insurance information, but instead held “patient names, medical record numbers, dates of birth, telephone numbers, e-mail addresses, and treatment and doctor visits” (Moscaritolo, 2010, p. 1). It is unknown how many records were contained on the laptop, but all records were related to prostate services that were provided during an eleven year span.
The bulleted list can be corrected mostly by updating antivirus and anti-malware software definitions and scanning regularly. Monitoring of logs and then hardening the network to anything we have
Global Information Assurance Certification (GIAC) is an information security certification entity that specialises in technical and practical certification as well as new research in the form of its GIAC Gold program. SANS Institute founded the certification entity in 1999 and the term GIAC is trademarked by The Escal Institute of Advanced Technologies.
In this era of globalization and cut-throat world of competition, it is virtually impossible to do business without using the internet and web applications. Internet gets used for processing the credit card or debit card sale and even for using to save the data of customers to the merchant’s database for future reference and to send promotional offers to the previous and patron customers. And on the other hand, hackers are trying their best to get the data stored on the merchant’s server by spoofing
Security of transactions is critical in building the confidence of customers in a specified e-commerce site. This security depends heavily on an organization 's ability to ensure authenticity, availability, privacy, integrity and disruption of unwanted intrusions. Malicious program known as sniffer programs often disrupt the privacy transactions especially when one uses unauthorized networks. They are found at network connection end points. When transactions are carried out, confidentiality is necessary thus it requires removing of any data showing transaction paths. This has become a common problem in the e-commerce sites.
Each year online auction fraud is one of the most commonly reported cases of Internet fraud reported to the Federal Trade Commission. Advances in information technologies enable the creation and success of business models such as Internet auctions. There are a variety of auction frauds, the five most common methods of Internet Auction fraud include bid shilling, bid shielding, non-delivery of merchandise, non-delivery of payment, and product authenticity. This paper will expound on the five most common Internet auction frauds along with examining and performing a literature review of prior empirical studies on Internet auction fraud.
Faults are a precise interaction of hardware and software that can be fixed given enough time.
Day by day E-commerce and Mcommerce playing very good role in online retail marketing and peoples using this technology day by day increasing all over the world. E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction. Dimensions of e-commerce security; Integrity: prevention against unauthorized data modification.
That can prevent the child and elderly inadvertently to buy some things in online store by them self.
Their operations are very slick and swift such that stolen data is quickly exploited within seconds of being submitted by unsuspecting victims. Since 2005, over 400,000 databases have been compromised since 2005, and thousands more have gone unnoticed or reported. About 40 percent of those involved in IT security have no fixed figure on the number of hackings their companies have experienced. One of the rapidly increasing areas of ecommerce is in the use of web-based applications to replace traditional over-the counter transactions. Hackers have expectedly, latched on. According to a study by Gartner, over 75 percent of Internet security breaches are due to flaws and loop holes in software. The reason for this is that, applications are normally designed and put together quickly to get the system running, and no time is spend analyzing and assessing security implications. As computer hackers continue to step up their operations in line with technology advancements, the securities and future industry recorded a 150 percent increase in the number of suspicious activities detected by their systems. During the same time, research carried out at the University of Maryland indicated that a computer connected to the Internet was subject to an attempted hack every 40 seconds. The battle between ecommerce websites and consumers wages on, according to an independent analyst, ‘consumers are losing a tug of war.’ Simon Smelt, an economist who runs a survey company
In today’s highly connected digital ecosystem, our lives, businesses, communications, and a lot of activities depend on the websites and web applications. All websites contain sensitive data and deliver business-critical information services to the targeted audience. Due to the rapidly increasing use of websites and web applications, vulnerabilities have become quite rampant. Even the smallest security loophole can give cybercriminals a chance to destroy the web-based business, damage customer confidence, and brand reputation in a short time span.