Electronic commerce on the internet — Part 1


Network Security, July 1998

most good auditors have far more experience than the defenders and it takes a lot less in the way of finances to find a few holes than to block all of them. This is one of the reasons you hear the defenders moan whenever the auditor starts to write something down. Here’s a near quote from a recent audit: “Oh no, look at that, he’s writing it down, I shouldn’t have said anything.” Defeated again by his own honesty, the defender acted as if he had lost some sort of battle. I consoled him by telling him that he was helping his company find out why more time, money and effort are required to support his efforts. It didn’t seem to cheer him up very much.

He was being a little bit humorous, and we were on fairly jovial terms, but ultimately, it’s not a very good idea for an auditor to become too friendly with the client’s personnel. This is another important point about IT auditing that many people seem to largely miss. While it is always important to be on a reasonably friendly basis with your clients, becoming too friendly in an audit situation is never good. It clouds the judgement. This may be one reason that people dread the auditors.

Summary and conclusion

I think that point and counterpoint, question and answer, relate back to the Socratic method that lies at the core of much of our modern social views on the value of the loyal opposition in bettering all of our lives. I also think that IT audit is a helpful tool in doing a better job of protecting information assets. While I hope I have clarified some muddy waters, I fear I may have muddied some clear ones today. I hope that any insight I have brought you about the hows and whys of IT audit is helpful. But perhaps, more importantly, I hope that you see some value in the purpose and methods of IT audits and that it helps to encourage you to do regular IT audits, both internally and externally.

Electronic Commerce on the Internet - Part 1

Jane Rawlings

Electronic commerce is in one sense nothing new. In the UK for many years, electronic document interchange (EDI) has been used in logistics management. EDI relies upon three things: a managed data network; an electronic document interchange agreement between the supplier and those who seek to contract with them; and a protocol for exchange of messages. The point about electronic document interchange is that it happens automatically. The sort of systems we’re talking about are an inventory system saying “I’ve run out of widgets, better order some more”, which places an electronic order with the widget supplier, and the widget supplier’s computer instructs its human trainers and handlers to pick out the widgets and send them on to the person who is placing the order. All of this happens automatically, so you can see that there are issues about the form of the messages, where the message is sent, when it is validly received by the receiving computer, what happens if the message is corrupted in transit, and what happens if a message is fraudulently sent.

© 1998 Elsevier Science Ltd

The Internet, being the somewhat anarchic place that it is, has developed quite a different model of electronic commerce. This model seems to be mail order, rather as if you rang up a travel agent and booked your flights over the phone or you send off a form in the newspaper with your credit card details. This seems to be the way that most people have chosen to interact with those providing electronic commerce services on the Internet. EDI will still have a role with respect to the Internet on virtual private networks, but it will be business to business supply and logistics where businesses are prepared to enter into electronic document interchange agreements and to agree between themselves the types of document formats.

Creating the contract

So, how do you go about creating an enforceable contract on the Internet? Let’s take a contract for sale. Let’s say that I’m running Amazon.com, the Internet book shop, and you’re a user who wants to place an order with me. Actually, legally there’s surprisingly little difficulty. Assuming that E-mail happens instantaneously or without further human intervention, creating the contract is almost like the classic face-to-face offer and acceptance. I stand in front of you and say I want to buy your books. You say, “Yes, I’ll sell you my books.” “How much do you want for them?” “This much.” “Fine, I’ll pay it.” Rather like the cases that deal with creation of contracts by fax or telex, the contract is created at the time and place where acceptance of the offer is communicated to the offeror. There are some contract law issues about whether or not a Web site represents an invitation to treat, in other words whether it is like an electronic shop where you pick out the goods and then go to the person organizing the shop and offer to pay for them and they accept your offer to buy the goods, or, alternatively, whether the Web site itself is like an offer to the world which is accepted by sending the E-mail and the credit card details. This has some technical relevance in terms of when the contract is created and also potentially in terms of whose law applies.

However, there is a more serious problem. A Web site itself is displayed on a computer screen. There is only so much text that somebody can absorb on screen. It’s not so much a question of having a Web site look pretty by keeping it simple; it’s a question of literally the person’s ability to absorb what’s on the screen. If mail order is the model for most online transactions, then you face the problem of bringing your terms of supply to the attention of the customer. Basically, terms that are not brought to the customer’s attention before the contract is formed do not form part of the contract. Now this is of particular significance when you are seeking to exclude or limit liability for breach of contract or negligence in the supply of services, or where you are seeking to exclude terms that are implied into the contract by statute, such as, for example, the Sale of Goods Act terms. Inclusion of contractual terms is an important point, but the problem here, of course, is a marketing and commercial problem. Do you really want people reading through screens of legal stuff, which many people find boring, and quite rightly so, before they actually sign up? Will they just go away in boredom? This has been solved on Web sites in various ways: by getting the person placing the E-mail order to, in effect, prove that they’ve read the terms and conditions of supply or that they agree to be bound; or, alternatively, by the Web site receiving the E-mail and then sending back an acknowledgement of the E-mail together with the terms and conditions of supply, which the purchaser can then assess. The latter, of course, is far more cumbersome. Better to have some little button on the site that brings up the terms and conditions of supply and to have some sort of acknowledgement on the E-mail order form that the person placing the order has actually read the terms and agrees to be bound by them.

The next question is actually quite an interesting one. Does the contract actually have to be a written physical document? The answer is no. Most contracts in England and Wales can be created without formality and need not be in writing; sale of goods transactions are one example, and buying a ticket to get on a bus or train is another. These are, strictly speaking, contracts of carriage, but not ones where you have to sign your life away to the rail company to get on the train. However, that is not necessarily the case with all potential electronic transactions, because some contracts must be in writing, notably those transferring title to property. This is something that goes right back to the Statute of Frauds in 1633. The Statute of Frauds is a Gothically written statement to the effect that contracts which transfer property must be in writing and signed, to prevent fraudulent transfers of property. So, for example, transfer of title to land under section 2 of the Law of Property (Miscellaneous Provisions) Act 1989 and assignments of intellectual property rights must be in writing and signed; for example, an assignment of copyright under the Copyright, Designs and Patents Act 1988 must be written and signed. There is a further limitation on certain other types of contract, because it appears that some of these contracts must be not only written but actually physically signed, as opposed to signed in some other way. Consumer credit is a particularly good example. Sections 62 and 63 of the Consumer Credit Act 1974 deal with the requirements that the borrower is given a copy of the consumer credit agreement before he or she becomes fully bound and signs it. That does seem to suggest a physical copy and a physical signing. Failure to comply with those provisions means that the credit provider cannot enforce the loan.

The requirement of writing in certain contracts is something that is likely to prove a problem. On the one hand we have things like the new Civil Evidence Act, which effectively says a document can be in any form, such as a microfiche, an electronic document or a scrappy bit of paper. Similarly, under the Copyright, Designs and Patents Act 1988 a document can be written even though it is in electronic form. But many UK statutes seem to require some sort of physical hard copy in writing which is viewable by the human eye. Now if we are going to see full electronic commerce, for example conveyances of title in land via electronic document interchange, or electronic filing of patents (which the Patent Office is actively looking at, together with electronic filing of trademarks), there will need to be some amendments to the Interpretation Act to deal with this question of what is writing. Of course, a signature is not necessarily vital for credit card transactions online, because one can give one’s credit card details over a telephone line or over E-mail and still be bound by the resulting credit card transaction. However, if you are going to require a signature on some electronic contract that must be signed, there is the issue of digital signatures, as opposed to physical signatures.


A signature has two purposes. It identifies a person and signals assent to the transaction. There are basically two models for digital signatures, the first being biometrics. These are things like fingerprints, iris patterns, or actual graphical scanned digitised ordinary real-world hard copy signatures. But of course this may not work for remote transactions. It certainly won’t work for automatic EDI transactions, if the transaction is being processed automatically by a computer, unless you assume some sort of continuing authority to use, for example, somebody’s fingerprint or digitized signature. The other model, and this is an approach that has been used in the US, is the private encryption key approach. Encryption is not used as much on the Internet as it could be. Only 6% of all electronic commerce sites on the Internet are actually encrypted secure sites, something which might come as a surprise to many people. Encryption on the Internet works like this: a program like Pretty Good Privacy works by a series of complicated algorithms based on prime numbers where the document is encrypted by a public encryption key and a private encryption key. It is only when the two are used on the document that the document is encrypted. The public encryption key is available for anybody, but it is only when the private key held by the person who encrypted the document is made available that the document can actually be decrypted. This is the basis of legislation such as the Utah Digital Signatures Act and the Illinois Digital Signatures Act. You compare the results of processing the encrypted document with the private key with the results of processing with the public key, and if you get a match, then the document is signed, because the person who had the private key must have applied that to the document and therefore assented to the document. It is also identification of that person and thus a digital signature for the purposes of that type of legislation.

In the past, with computer evidence in particular, Courts and legislators have got themselves terribly tied up with new technology, and there is a danger that this can happen again. Under the old Civil Evidence Act computer evidence was treated with deep suspicion. This was 1960s legislation, where computers were regarded as something that would not be common in private use and, in any event, were new and dangerous and could do all sorts of unexpected and terrible things to data that might make it unreliable in Court. There is a danger that that approach could be resurrected when we’re looking at digital signatures. There is a case, not on digital signatures itself, but on the use of private secure telex lines in banking transactions. You can imagine, with a bank doing foreign exchange transactions, that these may happen in the middle of the night when the person authorizing the transaction may not be around. So what tends to happen is banks give each other private secure telex lines, and anything coming on that telex line is assumed to be a valid transaction. That is exactly what happened in this case, Standard Bank London v Bank of Tokyo. A private telex line was used to effect a fraudulent transaction and the Standard Bank attempted to enforce against the Bank of Tokyo. The Court said that the recipient does not have to enquire into the authenticity of the message they receive unless he or she is on notice of dishonesty. The sender must keep secure any key, in this case a private telex line used to authenticate a message.
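The private-key model described above (the signer processes the document with the private key; anyone can reprocess the result with the public key and compare), as an added example that is not part of the article. It uses textbook RSA with two fixed, well-known primes and a truncated SHA-256 fingerprint, which illustrates the check but is not a key size or padding scheme for real use.

```python
import hashlib

# Textbook RSA with two fixed, well-known primes (the Mersenne primes 2^31-1 and
# 2^61-1). Constructed for illustration: real keys are thousands of bits long and
# sign a padded hash, but the comparison below is the one the article describes.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537                              # public exponent, available to anybody
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the signer (Python 3.8+)


def fingerprint(document: bytes) -> int:
    """Fixed-size digest of the document; 64 bits keeps it below N."""
    return int.from_bytes(hashlib.sha256(document).digest()[:8], "big")


def sign(document: bytes, d: int = D, n: int = N) -> int:
    """Process the fingerprint with the private key: only its holder can do this."""
    return pow(fingerprint(document), d, n)


def verify(document: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Process the signature with the public key and compare it with the
    fingerprint of the document as received. A match shows the private-key
    holder signed exactly this text: identification plus assent."""
    return pow(signature, e, n) == fingerprint(document)


# Constructed sample order, standing in for the E-mail order form in the article.
ORDER = b"Order: 3 x widgets, deliver to 1 High Street, price GBP 90.00"

if __name__ == "__main__":
    sig = sign(ORDER)
    print("untouched order verifies:", verify(ORDER, sig))
    altered = ORDER.replace(b"90.00", b"9.00")      # one digit changed in transit
    print("altered order verifies:", verify(altered, sig))
```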

Meta-Firewall: A Sixth Generation Firewall, Part 2

Oliver Lau

Terminology in the firewall area is still confusing. Proxies, packet filters, ‘stateful’ filters, hybrid approaches, fifth generation firewalls and many more rule the market, and thus rule the user’s mind as to what is good and what is bad. But few people have thought about the relationships between all those technologies, how they can interact, and how they can be integrated to increase security on a perimeter network to a maximum. Let us call this approach a ‘meta-firewall’, designed to provide maximum security for dedicated purposes. Not all of the issues involved in planning a solution for any network can be discussed, but it is an approach to a new way of thinking about what can be done with firewalls and the like. This concluding part of a two-part article continues to build the layers of security that make a ‘meta-firewall’.

Adding a second obstacle

Figure 1 shows how it is done. The proxy has been relocated to the DMZ. It no longer serves as a transition from the corporate network to the untrusted environment but as a single-homed facility to control traffic on the application level. A proxy server placed in this manner is commonly known as a bastion host. If we don’t have a proxy to automatically translate IP addresses, then we need another solution to make seamless interaction between public and private networks possible. Reminder: although it is possible to route a packet from a network with private IP addresses through a gateway outwards to a public network (the Internet), there are no routing table entries on any of the Internet routers that point back to private networks, so answers would never travel the other way round; instead, replies would vanish silently. A facility to fulfil the task of network address translation (NAT) could be a firewall that is able to treat packets to and from a private network, referred to as a stub network, conforming to RFC 1631 (1). Some NAT facilities are only able to ‘hide’ internal addresses by mapping them to a single IP address (or sometimes a pool of them), which is the so-called ‘masquerading’ or ‘single-IP-resolution’. True NAT might also map ingress traffic to internal addresses depending on the original destination address and/or destination port. With this in mind, we should consider an RFC 1631-compliant firewall for our fictitious company, for it provides a maximum of scalability and a minimum of configuration changes. The traffic is now as follows.

Mail

Incoming E-mail from the Internet is relayed through the proxy to the internal mail server. For packets to be routed inwards through the firewall, an entry to the NAT table like the following is added:

untrusted 194.163.133.195, 25 to trusted 192.168.0.1, 25 TCP

This means that packets arriving on TCP port 25 (SMTP) at the external interface of the firewall (194.163.133.195) are redirected to the internal mail server (192.168.0.1) on port 25. Outgoing E-mail is processed by the internal mail server, which decides whether to deliver mail locally or to relay to a host on the Internet.
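The RFC 1631 behaviour described above, as an added Python model that is not part of the article: the static mail entry (the article's addresses 194.163.133.195 and 192.168.0.1) beside dynamic masquerading of outbound connections, so that replies addressed to a private host are rewritten back instead of vanishing as the Reminder describes. The client addresses, ports and the `Nat`/`Packet` names are constructed for the example.

```python
from dataclasses import dataclass, replace

# Addresses taken from the article's example: the firewall's external interface
# and the internal mail server. Every other host below is a constructed sample.
EXTERNAL_IF = "194.163.133.195"
MAIL_SERVER = "192.168.0.1"
SMTP = 25


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


class Nat:
    """Toy RFC 1631-style translator in front of a stub network.

    `inbound` holds static entries like the article's mail rule, keyed
    (proto, public port) -> (internal host, port). Outbound flows are
    masqueraded behind the single public address on a fresh port, and the
    mapping is remembered so the reply can be rewritten back."""

    def __init__(self, public_ip: str, inbound: dict):
        self.public_ip = public_ip
        self.inbound = dict(inbound)
        self.masq = {}              # (proto, public port) -> (private host, port)
        self.next_port = 40000

    def from_untrusted(self, p: Packet):
        """Packet arriving on the external interface; None means dropped."""
        if p.dst != self.public_ip:
            return None             # only traffic for the public address is translated
        key = (p.proto, p.dport)
        target = self.inbound.get(key) or self.masq.get(key)
        if target is None:
            return None             # unsolicited: nothing is published on that port
        return replace(p, dst=target[0], dport=target[1])

    def from_trusted(self, p: Packet) -> Packet:
        """Packet leaving the stub network: source becomes the public address."""
        for (proto, pub_port), target in list(self.inbound.items()) + list(self.masq.items()):
            if (proto, *target) == (p.proto, p.src, p.sport):
                return replace(p, src=self.public_ip, sport=pub_port)
        self.next_port += 1         # new outbound flow: allocate a masquerade port
        self.masq[(p.proto, self.next_port)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self.next_port)


def demo():
    """Walk the article's mail entry plus one masqueraded web connection."""
    nat = Nat(EXTERNAL_IF, {("TCP", SMTP): (MAIL_SERVER, SMTP)})
    inbound = nat.from_untrusted(Packet("203.0.113.7", 51000, EXTERNAL_IF, SMTP))
    reply = nat.from_trusted(Packet(MAIL_SERVER, SMTP, "203.0.113.7", 51000))
    out = nat.from_trusted(Packet("192.168.0.42", 3344, "203.0.113.9", 80))
    back = nat.from_untrusted(Packet("203.0.113.9", 80, EXTERNAL_IF, out.sport))
    stray = nat.from_untrusted(Packet("203.0.113.9", 80, EXTERNAL_IF, 40999))
    return inbound, reply, out, back, stray
```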

Information services

For incoming HTTP and FTP requests the situation has not changed. Outbound requests now first have to pass the firewall,
