Document information
From the authors of the best-selling HACK PROOFING™ YOUR NETWORK
Hack Proofing™ Your E-commerce Site
1 YEAR UPGRADE BUYER PROTECTION PLAN
Ryan Russell
Teri Bidwell
Oliver Steudler
Robin Walshaw
L. Brent Huston
Technical Editor
The Only Way to Stop a Hacker Is to Think Like One
• Step-by-Step Instructions for Securing Financial Transactions
and Implementing a Secure E-Commerce Site
• Hundreds of Tools & Traps and Damage & Defense Sidebars
and Security Alerts!
• Complete Coverage of How to Hack Your Own Site
134_ecomm_FC 6/19/01 2:14 PM Page 1
solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 AERAF43495
002 VNA49FU4FJ
003 CAKL3956FM
004 BNA424TURT
005 BNTUR495QF
006 596JFA3RRF
007 Y745T9TBLF
008 QW5VCD986H
009 BN3TE5876A
010 NVA384NHS5
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Hack Proofing Your E-Commerce Site
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-27-X

Technical edit by: L. Brent Huston
Technical review by: Kevin Ziese
Co-Publisher: Richard Kristof
Developmental Editor: Kate Glennon
Acquisitions Editor: Catherine B. Nolan
Copy edit by: Darren Meiss and Beth A. Roberts
Freelance Editorial Manager: Maribeth Corona-Evans
Index by: Robert Saigh
Page Layout and Art by: Shannon Tozier

Distributed by Publishers Group West in the United States.
Acknowledgments
We would like to acknowledge the following people for their kindness and support
in making this book possible.
Richard Kristof and Duncan Anderson of Global Knowledge, for their generous
access to the IT industry’s best courses, instructors and training facilities.
Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight
into the challenges of designing, deploying and supporting world-class enterprise
networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill
Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their
incredible marketing experience and expertise.
Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan
Bunkell, and Klaus Beran of Harcourt International for making certain that our
vision remains worldwide in scope.
Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all
their help.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim,
Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with
which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress
program.
Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.
Contributors
Ryan Russell (CCNA, CCNP) is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (ISBN: 1-928994-15-6). He is MIS Manager at SecurityFocus.com, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 11 years, the last 6 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years. Ryan has contributed to four Syngress titles on the topic of networking. He holds a Bachelors of Science degree in Computer Science. Ryan wishes to thank Karen Mathews at the U.S. Department of Energy for her assistance in preparing Chapter 10.
Mark S. Merkow (CCP) has been an Information Systems professional since 1975, working in a variety of industries. For the last 12 years he has been working for a Fortune 50 financial services company in Phoenix, AZ. Mark holds a Masters in Decision and Information Systems from Arizona State University’s College of Business and is completing his Masters of Education in Educational Technology at ASU’s College of Education, specializing in developing distance learning courses. Today he serves as an e-commerce Security Advisor working with both internal and external Web designers and developers. Mark has authored or co-authored six books on computer technology since 1990, including Breaking Through Technical Jargon, Building SET Applications for Secure Transactions, Thin Clients Clearly Explained, Virtual Private Networks For Dummies, A Complete Guide to Internet Security, and The ePrivacy Imperative. In addition, Mark is a computer columnist for several local, national, and international print publications, along with an e-zine hosted at Internet.com.
Robin Walshaw (MCSE, DPM), author of Mission Critical Windows 2000 Server Administration (ISBN: 1-928994-16-4), is an independent consultant who architects security and infrastructure solutions for large corporations around the globe. By applying a combination of sound business sense and technical insight, Robin is able to design and deliver scalable solutions targeted at enabling the enterprise to effectively leverage technology. With a flair for developing strategic IT solutions for diverse clients, he has worked in the world of computers in 8 countries, and has traveled to over 30 in the last 10 years. A veteran of numerous global projects, Robin has honed his skills across a wide variety of businesses, platforms, and technologies. He has managed to scratch his head and look slightly confused in the world of security, network operating systems, development, and research.

Having traversed the globe and seen its many beautiful wonders, Robin is still captivated by the one thing that leaves him breathless: Natalie, his wife. She is a light against the darkness, a beauty whose smile can melt even the coldest heart.
Teri Bidwell (GCIA) has been involved in Internet security for over 10 years as an analyst, engineer, and administrator and is a SANS-Certified GCIA Intrusion Analyst. Her career began securing Unix networks at the University of Colorado and continued as a Cisco network engineer and DNS manager for Sybase, Inc. Today, Teri is a security analyst for a firm headquartered in Reston, VA. She is a key contributor to corporate security strategy and is an advisor for e-business development. Her specialties include policy creation, vulnerability assessment, penetration testing, and intrusion detection for corporate environments.

Teri received a Computer Science degree from the University of Colorado and sits on the SANS GCIA Advisory Board. She currently lives and works in Boulder, CO with her family, Clint, Wes, and Michael.
Michael Cross (MCSE, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and is Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computer-related/Internet criminal cases, and is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems.

Michael owns KnightWare, a company that provides consulting, programming, networking, Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times in books and anthologies. Michael currently resides in St. Catharines, Ontario Canada with his lovely fiancée Jennifer.
Oliver Steudler (CCNP, CCDP, CSE, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. Oliver specializes in routing, switching, and security and has over 10 years of experience in consulting, designing, implementing, and troubleshooting complex networks. He has written articles on TCP/IP, networking, security, and data communications and also co-authored another Syngress title, Managing Cisco Network Security (ISBN: 1-928994-17-2).

Kevin Ziese is a computer scientist at Cisco Systems, Inc. Prior to joining Cisco, he was a senior scientist and founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Before founding the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center.
[...]
Appendix B Hack Proofing Your E-Commerce Site Fast Track 583
Index 625

Foreword

Hack Proofing Your E-Commerce Site was written in response to requests from readers of our first book, Hack Proofing Your Network: Internet Tradecraft. Many of you asked us for [...]

[...]
Why Are E-Commerce Sites Prime Targets for DDoS?
A Growing Problem
How the Media Feeds the Cycle
What Motivates an Attacker to Damage Companies?
Ethical Hacking: A Contradiction in Terms?
Hacktivism
Fifteen Minutes of Fame
Hell Hath No Fury Like a Hacker Scorned
Show Me the Money!
Malicious Intent
What Are Some of the Tools Attackers Use to Perform DDoS Attacks?
Trinoo
Understanding How Trinoo Works
[...]

[...] example, the following line of code shows an input value of $100.00 associated with a variable called "cost." Using a text editor or HTML editing program, a hacker could alter the value to a lower amount. For example, the $100.00 could be changed to $1.00. This would allow buyers to purchase products at a significantly reduced price. [...]

[...]
Internet Information Server 5.0 Security
Hardening the Server Software
Install Patches
Disable Unneeded Ports, Services, and Components
Delete Unneeded Scripts and Files
Hardening the Overall System
Password Hacking and Analysis Tools
Web Design Issues
Dealing with HTML Code
Information in HTML Code
Using Server Side Includes (SSI) in HTML Code
Guidelines for Java, JavaScript, and Active X
Understanding Java, [...]
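The hidden-field price tampering described in the excerpt above, worked through in Python as an added example (not code from the book): a checkout handler that charges whatever the submitted "cost" field says, beside one that ignores the client's price and derives it from a server-side catalog, plus a signed-field variant for the case where a server-computed value genuinely has to round-trip through the browser. The SKU, catalog, signing key and request bodies are all constructed for the example; prices are held in integer cents to avoid floating-point rounding.

```python
"""Hidden-field price tampering and two server-side fixes.

Added example, not from the book. Product IDs, prices, the signing key and
the request bodies are constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed server-side catalog: hypothetical SKU -> price in cents.
CATALOG = {"SKU-1001": 10000}  # $100.00

# Constructed signing key; a real deployment loads this from a secrets store.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Form body as a browser submits it from a page containing, for example,
#   <input type="hidden" name="cost" value="10000">
LEGIT_BODY = "sku=SKU-1001&cost=10000"
# The same submission after the attacker edits the saved page: $100.00 -> $1.00
TAMPERED_BODY = "sku=SKU-1001&cost=100"


def vulnerable_checkout(body: str) -> int:
    """Charges whatever the form says; this is the flaw the book describes."""
    fields = parse_qs(body)
    return int(fields["cost"][0])


def hardened_checkout(body: str) -> int:
    """Ignores any client-supplied price and derives it from the catalog."""
    fields = parse_qs(body)
    sku = fields["sku"][0]
    qty = int(fields.get("qty", ["1"])[0])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    return CATALOG[sku] * qty


def sign_value(value: str) -> str:
    """HMAC-SHA256 over a field the server must round-trip through the client."""
    return hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()


def signed_quote_body(cost_cents: int) -> str:
    """What the server emits when it has to echo a price (e.g. a quoted rate)."""
    cost = str(cost_cents)
    return urlencode({"cost": cost, "cost_sig": sign_value(cost)})


def checkout_signed(body: str) -> int:
    """Accepts the echoed price only if its signature verifies (constant-time)."""
    fields = parse_qs(body)
    cost = fields["cost"][0]
    sig = fields.get("cost_sig", [""])[0]
    if not hmac.compare_digest(sign_value(cost), sig):
        raise ValueError("price field does not match its signature")
    return int(cost)


def rejects(handler, body: str) -> bool:
    """True if the handler refuses the request instead of charging it."""
    try:
        handler(body)
    except (ValueError, KeyError):
        return True
    return False


if __name__ == "__main__":
    print("vulnerable charges:", vulnerable_checkout(TAMPERED_BODY))  # 100 cents
    print("hardened charges:  ", hardened_checkout(TAMPERED_BODY))    # 10000 cents
    quote = signed_quote_body(10000)
    forged = quote.replace("cost=10000", "cost=100")
    print("signed quote ok:   ", checkout_signed(quote))
    print("forged rejected:   ", rejects(checkout_signed, forged))
```

The catalog lookup is the fix to prefer: the browser never needs to be told the price in a field the server reads back. The HMAC variant is for values the server cannot regenerate cheaply at checkout time; it stops silent tampering but still exposes the value, so it should not carry anything the buyer must not see.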
[...] monitoring in place around it, either on the machine itself or via the network. In order for the honeypot to be effective, as much information as possible must be collected about the attacker.

Chapter 7 Hacking Your Own Site
Introduction
Anticipating Various Types of Attacks
Denial of Service Attacks
Information Leakage Attacks
File Access Attacks
Misinformation Attacks
Special File/Database Access Attacks
[...]

[...] has more than 10 years of experience in IT, mostly in the areas of cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, security patches, and hacker techniques. As President and CEO of his own information security company, MicroSolved, Inc., he and his staff have performed system and network security-consulting services for Fortune 500 companies [...]

[...] detail in this book will be useful in covering topics such as customer privacy policies and securing financial transactions. As practitioners, we encounter two types of networks: those that haven’t been hacked and those that have. Our goal is to provide you with the tools and resources to avoid seeing your network become part of the latter group. To that end, this book is thoroughly practical. We recognize [...]
[...]
What Motivates an Attacker to Damage Companies? 70
Ethical Hacking: A Contradiction in Terms? 70
Hacktivism 72
Fifteen Minutes of Fame 72
Hell Hath No Fury Like a Hacker Scorned 73
Show Me the Money! [...]
Posted: 20/01/2014, 01:20