Security, Privacy, and Ethical Issues in Information Systems and the Internet (Chapter 9)

29 pages

Upload: kevin-barrett

Post on 26-Dec-2015

Page 1: Security, Privacy, and Ethical Issues in Information Systems and the Internet

Chapter 9

Page 2: Social Issues in Information Systems

- Computer Waste & Mistakes
- Computer Crime
- Privacy
- Health Concerns
- Ethical Issues
- Patent and copyright violations

Page 3: Computer Waste

- Discarding technology that still has value
- Unused systems
- Personal use of corporate time and technology
- Spam
- Time spent configuring / “optimizing” computers

Companies should establish policies to prevent waste and mistakes.

Page 4: Computer Crime

Page 5: Number of Incidents Reported to CERT (chart)

Page 6: Computer Crime and Security Survey (chart)

Source: http://www.gocsi.com/press/20020407.jhtml?_requestid=449980

(1996: 16%)

Page 7: Identity theft

- Fastest growing crime in the US
- Use someone else’s identity to obtain credit, conduct crimes etc.
- Necessary info: SSN, Name, (Date of Birth)
- How often do you get a credit card application with your name on it?
- Consumer complaints about fraud and identity theft: http://www.consumer.gov/sentinel/pubs/Top10Fraud_2002.pdf
- Largest identity theft case in US history: http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76252,00.html
- Identity theft survival guide: http://money.cnn.com/2002/11/26/pf/saving/q_identity/

Page 8: Recent Cybercrime Headlines

- 12/4/03: Trojans on the Rise
- 11/24/03: U.S. House Passes Controversial Antispam Bill
- 11/19/03: Wi-Fi Starts Leaping Security Barriers
- 11/12/03: Microsoft Plugs Five New Security Holes

Source: Daily cybercrime report (http://www.newsfactor.com/perl/section/cybercrime/)

Page 9: The Computer as a Tool to Commit Crime

- Social engineering
  - Posing as someone else to gain the trust of a user so they give out a password
- Dumpster diving
  - Searching garbage for clues on how to gain access to a system
- Shoulder surfing
  - Standing next to someone in a public place to get vital information
- Installing a keyboard logger
  - Records every keystroke and sends it back to the criminal
- Cyberterrorism
  - E.g. Distributed Denial-of-Service (DDOS) attack

Page 10: Computers as Objects of Crime

- Illegal access and use
  - Hackers: ‘hacking’ away at programming and using a computer to its fullest capabilities
  - Crackers (criminal hackers)
- Information and equipment theft
- Software and Internet piracy
- Computer-related scams
  - Nigerian 419
  - Scamming the scammers: http://www.ebolamonkeyman.com/
- International computer crime

Page 11: Data Alteration and Destruction

- Virus
- Worm
- Logic bomb
- Trojan horse

(cartoon © Hal Mayforth 2003)

Page 12: Virus Characteristics

- Similar to biological viruses
- Replicates on its own
- May mutate
- Can be benign or malicious
- Attaches to a ’host’ program
- Constructed by a programmer

Top 10 last month: http://www.sophos.com/virusinfo/topten/

Page 13: Virus elements

- Distribution vector: how does it move from one computer to the next?
  - Virus: attaches to another program; the user must take action for it to spread
  - Worm: self-propagates
- Payload: what does it do when it gets there? Types of damage (payload):
  - Destruction of data, programs or hardware
  - Loss of productivity
  - Annoyance
- Ability to mutate
  - Makes it harder to detect, like the AIDS virus

Page 14: Virus Distribution

- Email
  - Executable attachment that masquerades as an image file (”Click to see picture of Anna Kournikova!”)
  - HTML code that executes automatically in the email program (esp. Outlook and Outlook Express)
- Worm
  - Spreads directly from computer to computer
  - Often exploits ’open ports’ or other vulnerabilities
- Trojan Horse / Logic Bomb
  - Virus disguised inside another program
- Greeting cards (or other web sites)
  - Clicking a link may cause nasty things to happen
- Hoax
  - Email about a ‘false’ threat. May ask the user to delete an important system file and forward the email to other users

Page 15: Virus Example: SoBig Email virus

- Distribution vector: Email
  - Arrives in an email message, installs its own SMTP engine (allows sending email without using the installed email program)
  - Sends itself to all email addresses in address books
  - Forges the Sender address, so the person that the email appears to come from may not be infected (“email spoofing”)
  - User must execute the attachment to be infected
  - Tried to copy itself to Windows shares (unsuccessful, due to bugs)
- Payload: None (except for extra traffic)
  - Might download malicious software from a web site
- Expired September 10, 2003

Source: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

Page 16: Symantec’s Virus guidelines

- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
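The attachment guideline above (block .vbs, .bat, .exe, .pif and .scr) and the Virus Distribution slide’s point about an executable attachment that masquerades as an image file, worked through as an added example that is not part of the original slides or of Symantec’s guidance: a small Python filter that parses a raw message, reports attachments whose final extension is on the block list, and strips them before delivery. The block list, the sample message and the filenames are constructed for the example; a real mail gateway would make the same decision inside its content filter.

```python
import email
from email import policy
from email.message import Message
from typing import List, Optional, Tuple

# Extensions the Symantec guideline names as commonly used to spread viruses.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def is_blocked_filename(filename: Optional[str]) -> bool:
    """True if the attachment name ends in a blocked extension.

    Only the final extension counts, so a name that masquerades as an
    image ('picture.jpg.vbs', or 'picture.jpg      .exe' padded with
    spaces) is still caught, while 'agenda.pdf' passes. Names are
    lower-cased because Windows matches extensions case-insensitively.
    """
    if not filename:
        return False
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message: str) -> List[str]:
    """Parse a raw RFC 822 message and list the attachment names that would be blocked."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and is_blocked_filename(part.get_filename())]


def _strip(msg: Message, removed: List[str]) -> None:
    """Drop blocked leaf parts from every multipart container, recursively."""
    if not msg.is_multipart():
        return
    keep = []
    for part in msg.get_payload():
        name = part.get_filename()
        if not part.is_multipart() and is_blocked_filename(name):
            removed.append(name)
        else:
            _strip(part, removed)
            keep.append(part)
    msg.set_payload(keep)


def strip_blocked_attachments(raw_message: str) -> Tuple[str, List[str]]:
    """Return the message re-serialised without blocked parts, plus the names removed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    removed: List[str] = []
    _strip(msg, removed)
    return msg.as_string(), removed


# Constructed sample message: one text part, one disguised "image", one benign PDF.
SAMPLE_MESSAGE = """\
From: colleague@example.com
To: you@example.com
Subject: Click to see picture!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Check out this picture.

--BOUNDARY
Content-Type: application/octet-stream; name="picture.jpg.vbs"
Content-Disposition: attachment; filename="picture.jpg.vbs"

(constructed placeholder content, not a script)

--BOUNDARY
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"

(constructed placeholder content)

--BOUNDARY--
"""

if __name__ == "__main__":
    cleaned, removed = strip_blocked_attachments(SAMPLE_MESSAGE)
    print("removed:", removed)
    print(cleaned)
```

Extension matching is the cheapest of the checks a gateway applies; it catches the disguised-image trick because only the last extension is examined, but an attachment renamed to an allowed extension still reaches the user, which is why the slide pairs this control with scanning and with training employees not to open unexpected attachments.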

Page 17: The Six Computer Incidents with the Greatest Worldwide Economic Impact (table)

ILOVEYOU was started by a student in the Philippines who had a project rejected by a teacher!

Page 18: Measures of Protection

- General controls
  - Physical: a guard in front of a locked door can prevent many problems...
  - Biometric controls: fingerprint, hand print, retina scan, voice, ...
  - Data security control: confidentiality, access control, data integrity

Page 19: Measures of Protection

- Network Protection and Firewalls
  - Access control
  - Encryption
  - Firewalls: most cost-effective defense, but not 100% effective
    - Example: ZoneAlarm
- Protection can be assured by conducting an audit
  - Perhaps even hiring a hacker…
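The firewall point above (the most cost-effective defense, but not 100% effective) and the audit point, as an added example that is not part of the original slides: a Python model of a first-match packet filter with a default-deny policy, plus an audit function that finds shadowed rules. The ruleset, the packets and the rule fields are constructed and simplified for the example; they are not any particular firewall product’s format. The model shows two reasons a firewall alone is not enough: traffic to an allowed service (here TCP/80) passes whatever the request carries, so the service behind the firewall still has to be patched, and a broad allow rule placed before a specific deny silently disables that deny until an audit finds it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule (simplified selectors, constructed for this example)."""
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # None means any destination port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    """The header fields the filter looks at; it never sees the payload."""
    proto: str
    src_ip: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if every selector of the rule matches the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src_ip) not in ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match semantics: the first matching rule decides, else the default applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches rule b would also match rule a."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    net_ok = ip_network(b.src).subnet_of(ip_network(a.src))
    port_ok = a.dst_port is None or a.dst_port == b.dst_port
    return proto_ok and net_ok and port_ok


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Audit: indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


# Constructed ruleset; the last rule is deliberately shadowed by the one before it.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", 80, "public web server"),
    Rule("allow", "tcp", "0.0.0.0/0", 25, "inbound mail"),
    Rule("allow", "any", "10.0.0.0/8", None, "trust the whole internal network"),
    Rule("deny", "tcp", "10.0.5.0/24", 23, "no telnet from the lab subnet (never fires)"),
]

if __name__ == "__main__":
    # An HTTP request from the Internet is allowed whatever it contains.
    print("web from Internet:", evaluate(RULES, Packet("tcp", "203.0.113.9", 80)))
    # Anything not explicitly allowed falls through to the default deny.
    print("telnet from Internet:", evaluate(RULES, Packet("tcp", "203.0.113.9", 23)))
    # The lab deny is shadowed, so telnet from the lab is still allowed.
    print("telnet from lab:", evaluate(RULES, Packet("tcp", "10.0.5.7", 23)))
    for i in shadowed_rules(RULES):
        print(f"rule {i} is shadowed: {RULES[i].comment}")
```

Reading the three decisions together is the point of the model: the filter is cheap and keeps everything unsolicited out, yet it cannot judge what an allowed HTTP request does once it reaches the web server, and a ruleset that looks correct line by line can still contain a rule that never fires. The shadowed-rule check is the kind of mechanical test an audit of the ruleset would include.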

Page 20: Common Computer Crime Methods (table)

Page 21: What can You Do Personally?

- Install security patches
  - For Windows: www.windowsupdate.com
- Use a virus scanner
- Take backups
- Protect your password (beware of social engineering)
- Install a firewall
- Encrypt sensitive data
- Don’t use IM chat software for sensitive communication (see http://news.com.com/2100-1023-976068.html)
  - Changing: vendors are coming out with ‘corporate’ versions
- Visit www.grc.com to make sure your Shields are Up

Page 22: Privacy

Page 23: Privacy Dilemma

- People’s right to privacy – not to be monitored
- Employers need to monitor activity on their premises
  - Discourage time-wasting behavior
  - Prevent criminal activity on the network
- Law enforcement needs to solve crimes
  - Anonymity makes some people more criminal/amoral

Page 24: The Right to Know and the Ability to Decide

Page 25: Email Privacy

- Work email is not private
  - Employers have the right to read employee email
  - Can be used as evidence in court
- Companies need to have a policy for storing email
- Can also cause problems for elected officials
  - Recently the Oshkosh School Board was ‘discovered’ to delete messages
  - Violates open meeting laws

Page 26: The Work Environment

Page 27: Health Concerns

- Repetitive Motion Disorder (Repetitive Stress Injury; RSI)
  - An injury that can be caused by working with computer keyboards and other equipment
- Carpal Tunnel Syndrome (CTS)
  - The aggravation of the pathway for nerves that travel through the wrist (the carpal tunnel)
- Current research says computers do not cause permanent damage
  - A few months without a computer will help
  - Research is still being conducted
- Technology can also remove dangerous work situations

Page 28: Ergonomics

- The study of designing and positioning computer equipment for employee health and safety
  - How high should your monitor be?
  - Where should the keyboard and mouse be?
  - Good ways of working to minimize risks
- Web sites on ergonomics:
  - http://www.ics.uci.edu/~abaker/ergo/
  - http://ergo.human.cornell.edu/ergoguide.html
  - http://www.pao.gov.ab.ca/health/ergonomics/computer/

Page 29: That’s it

- Exam
  - Available Friday – Saturday (all minutes inclusive)
  - 2 hours to complete once started
- Exam scores on Blackboard
- Final grades will be available by Wednesday