Executive Summary
Mobile Commerce Security: Legal & Technological Perspectives

Michael Triguboff

Table of Contents

EXECUTIVE SUMMARY
INTRODUCTION
The Need for Security
PART I TECHNOLOGY
Client-Side Vulnerabilities
Browser Software
Java Applets
ActiveX controls
JavaScript
Plug-Ins and Graphic Files
Push technology
Web Server Security
Front-end
Firewalls
Back-end Database vulnerabilities
Server-Side Middleware
Operating System Problems
Hardened versions of Operating Systems
Distributed systems
Software Testing
Mobile Commerce Issues
Device Properties
Wireless Communication
Wireless Communication Protocols
Ad Hoc Networks
Ad Hoc Networks and Key Management
Network Protection in Ad Hoc Networks
Location Dependent Information and Mobile Computing
Mobile Agents
Protecting the Host from the Mobile Agent
Safe Code Interpretation
Digital Signatures
Proof Carrying Code
Path Histories
Software-Based Fault Isolation [“Sandboxing”]
Protecting the Agent From the Host and Other Agents
Secure Control of Remote Agents
Read-Only/Append-Only
Partial Results Encapsulation
Code Obfuscation
Computing with Encrypted Functions
Environmental Key Generation
Execution Tracing
Itinerary Recording
Security Through Shared Secrets and Interlocking
Other Approaches
Attacks Based on Device Limitations
Prevention, Detection and Reaction
Intrusion Detection
Intrusion Detection and Mobile Agents
Part I Conclusion
PART II THE LEGAL PERSPECTIVE
The Debate: A Confluence of Two Streams
Uniform Electronic Transactions Act
Article 2B of the Uniform Commercial Code
The Electronic Signatures in Global and National Commerce Act [“E-Sign Act”]
Jurisdiction Selection
Reaction - Criminal Law
Convention on Cyber-Crime
Evidentiary or Procedural Law
Practical Considerations
Part II Conclusion
APPENDIX
Digital Millennium Copyright Act
BIBLIOGRAPHY

EXECUTIVE SUMMARY

The objectives of this project are twofold. The first objective is to remedy what the author perceives to be a failure in his IT education to adequately address security issues. In the author’s experience, a common pattern in all the IT courses undertaken, in a number of universities, is to relegate security aspects to the end of the course timetable. Frequently, if time does not permit, the security aspect is not covered or not examined.

The second goal is to attempt to analyse computer security issues from both a technical and a legal perspective. Security cannot be guaranteed by technology or law alone. Security must be based on a total infrastructure – technical, legal, social, economic and political. As with our homes, security does not necessarily flow from the existence of technological devices to deter unwanted intruders, though these devices help. Security comes from the knowledge that there are social, political, economic and legal systems that protect us and recognize our rights. It is the overall structure, and not any technology or law, that creates the feeling of security. And for electronic commerce, that sense of security must be ‘felt’ by the end users; the fact that the computer professionals believe the system is secure is necessary but not sufficient to allow the development of electronic commerce, as witnessed by the reluctance of consumers to expose their credit card details on the Internet, even though there is less danger than exposing the credit card details to a waiter in a restaurant [1].

The author believes that few, if any, academics or practitioners have focused on both the technological and legal aspects of security to date.

Interest in computer security has increased over the last year as a result of two factors. The events of September 11 ignited fears of a cyber-terrorist attack.
Though many security experts are sceptical of the likelihood of a successful cyber-offensive, the fears have raised awareness of the issue of computer security generally. The terrorist attacks of September 11 forced entities to acknowledge their dependence on, and vulnerability to, computer networks. A survey of information technology managers and chief information officers, conducted by Morgan Stanley shortly after the terrorist attacks of September 11, 2001, found that security software had jumped from fifth priority or lower to become their top priority [2].

The level of awareness of the importance of computer security has been further augmented by recent compliance concerns. As a result of recent changes to U.S. audit standards, companies are now required to ensure that information used to prepare public accounts is adequately secured. This has been widely interpreted to mean that a company’s entire network must be secure [3]. Schneier [4] prophesies that just as chief executives are legally required to attest on a quarterly basis that the company’s financial accounts are correct, in certain publicly listed companies at least, chief information officers will soon be required to attest similar security declarations.

A security system needs to encompass prevention, detection and reaction. If any of these three aspects is neglected, the security system will be inadequate. To date, most attention has been paid to preventive methods, with somewhat less attention to intrusion detection. Reaction requires a technical, legal and economic infrastructure, which will be addressed below.

The focus of this project has been on the security aspects of electronic commerce, and particularly on mobile electronic commerce.

[1] Such reluctance is not logical, in that most credit card issuers around the world explicitly or implicitly limit liability for unauthorised purchases, if detected, to a relatively small amount. In Australia, for instance, the limit is about USD25.
[2] As reported in The Economist, October 26, 2004.
[3] As reported in the Financial Times, September 28, 2002.
[4] Bruce Schneier, <http://www.counterpane.com/crypto-gram.html>.

Part I is an overview of some of the technological aspects of security. Since many of the security issues concerning mobile commerce are inherited from traditional fixed line systems, the issues confronting these systems are addressed first. The client software, network server and back-end databases are examined for vulnerabilities. The analysis of client software includes an examination of Java and ActiveX controls. Since operating system bugs are among the most common security flaws, some of the operating system protection mechanisms are focused upon.

Part I also addresses mobile commerce issues, including the limitations imposed by mobile devices and wireless communication. Ad hoc networks are analysed in some detail. Much of the envisaged mobile commerce will utilise ad hoc networks, which, because of performance limitations such as available bandwidth, memory and CPU power constraints, are vulnerable. The requirement that certain authorisation and access control tasks be performed off-line, and the fact that there may be no centralised authority, introduce new challenges, which are addressed. The issue of ad hoc networks and key management without a certifying authority is also discussed.

Mobile agents, compared to RPCs and message passing, are especially suited to mobile commerce. Mobile agent security issues are discussed, both in terms of protecting the host from a malicious agent, and protecting the agent from a malicious host or other agents. The incremental security issues of mobile agents compared to Java applets are examined.

Intrusion detection is examined next. The deficiencies of current commercial intrusion detection systems are noted, both for traditional and for ad hoc networks.
An interesting area has been the discussion of using mobile agents in intrusion detection schemes.

Part II focuses on the reaction aspect from the legal perspective. The dichotomy and convergence of two distinct streams of law reform are analysed. These two separate movements, one with its origins in law, and the other with its origins in technology, represent two philosophies. One stream, labelled the ‘law revisionist’, ‘minimalist’ or ‘technology neutral’ stream, focused on maintaining commercial laws to be generic and supportive, by seeking to eliminate distinctions between traditional transactions, evidenced by writing and signatures, and electronic transactions. This stream strove to maintain both technological neutrality and implementation neutrality, relying on the marketplace to make the appropriate choices. The express goal of the second stream, the ‘technological movement’, was to support and promote specific technologies, in particular the Public Key Infrastructure model. This stream is more paternalistic in nature, and does not rely on the marketplace to make the choice, believing that the market requires certainty more than choice. The divergence, often not as stark as presented above, is being discussed on many simultaneous fronts: at the U.S. state level, at the federal level in the U.S. Congress, at the ECU, and at the international level, all of which are examined.

A perplexing issue in Internet law has been jurisdiction selection. Jurists, on the one hand, do not want to allow the possibility of ‘jurisdiction shopping’ for the most favourable forum, nor of abdicating national rights to protect its citizens, whilst promoting certainty and electronic commerce. Various approaches to determining the appropriate jurisdiction are examined.

The criminal law system is examined in the context of its