
6-1 Module: Competing in the Network Economy

TOPIC 6: Security, Legal, Ethical and Social Issues

6.1 Basic security issues
6.2 Basic types of network security attacks
6.3 Managing security
6.4 Ethical and legal issues in EC
6.5 Difficulties in protecting privacy in EC
6.6 Issues of intellectual property rights in EC
6.7 Free speech and censorship on the Internet
6.8 EC fraud and protection
6.9 Societal issues in EC
6.10 Role and impact of virtual communities on EC
6.11 The future of EC

6-2 Case Study: Brute Force Credit Card Attack Story

• The Problem
  – Spitfire Novelties usually generates between 5 and 30 transactions per day
  – On September 12, 2002, in a “brute force” credit card attack, Spitfire’s credit card transaction processor processed 140,000 fake credit card charges worth $5.07 each (62,000 were approved)
  – Total value of the approved charges was around $300,000
  – Spitfire found out about the transactions only when they were called by one of the credit card owners who had been checking his statement online and had noticed the $5.07 charge

6-3 Case Study: Brute Force Credit Card Attack Story

• The Problem
  – Brute force credit card attacks require minimal skill
  – Hackers run thousands of small charges through merchant accounts, picking numbers at random
  – When the perpetrator finds a valid credit card number it can then be sold on the black market
  – Some modern-day black markets are actually member-only Web sites like carderplanet.com, shadowcrew.com, and counterfeitlibrary.com

6-4 Case Study: Brute Force Credit Card Attack Story

• The Problem
  – Online Data’s credit card processing services: all a perpetrator needed was a merchant’s password in order to request authorisation
  – Online Data is a reseller of VeriSign Inc. credit card gateway services
• VeriSign blamed Online Data for the incident
• Online Data blamed Spitfire for not changing their initial starter password

6-5 Case Study: Brute Force Credit Card Attack Story

• Another Problem
  – In April 2002, hackers got into the Authorize.Net card processing system (largest gateway payment system on the Internet)
    • Executed 13,000 credit card transactions, of which 7,000 succeeded
    • Entry into the Authorize.Net system required only a log-on name, not a password

6-6 Case Study: Brute Force Credit Card Attack Story

• What should have been done…
  – Online Data should assign strong passwords at the start
  – Customers should modify those passwords frequently
  – Authorisation services such as VeriSign and Authorize.Net should have built-in safeguards that recognise brute force attacks
  – Signals that something is amiss:
    • A merchant issues an extraordinary number of requests
    • Repeated requests for small amounts emanating from the same merchant
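The two warning signals above, written out as a detection rule a gateway could run over its authorisation log. This is an added example, not code from the slides or from VeriSign, Authorize.Net or Online Data; the merchant name, the thresholds and the sample records are constructed for illustration.

```python
"""Card-testing ("brute force" authorisation) detector for a payment gateway.

Added example, not code from the slides or any company named in them. Merchant
name, thresholds and sample records are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

EPOCH = datetime(1970, 1, 1)


@dataclass(frozen=True)
class AuthRequest:
    ts: datetime
    merchant_id: str
    amount: float
    approved: bool


@dataclass(frozen=True)
class Alert:
    merchant_id: str
    window_start: datetime
    requests: int
    same_small_amount_share: float  # share of requests at the most common small amount
    decline_rate: float
    reasons: Tuple[str, ...]


def detect_card_testing(
    requests: Iterable[AuthRequest],
    window: timedelta = timedelta(minutes=10),
    baseline_per_window: int = 5,    # assumed normal volume for a small merchant
    volume_multiplier: int = 20,     # "extraordinary" = 20x the baseline
    small_amount: float = 10.00,     # assumed ceiling for a probing charge
    same_amount_share: float = 0.8,
    decline_rate_threshold: float = 0.5,
    min_requests: int = 20,          # pattern signals need a minimum sample
) -> List[Alert]:
    """Return one Alert per (merchant, window) bucket that trips any signal."""
    # Bucket requests by merchant and fixed-size time window.
    buckets = defaultdict(list)
    for r in requests:
        idx = (r.ts - EPOCH) // window  # timedelta // timedelta -> int
        buckets[(r.merchant_id, EPOCH + idx * window)].append(r)

    alerts = []
    for (merchant, start), reqs in sorted(buckets.items()):
        n = len(reqs)
        amount, hits = Counter(round(r.amount, 2) for r in reqs).most_common(1)[0]
        share = hits / n if amount <= small_amount else 0.0
        declines = sum(1 for r in reqs if not r.approved) / n
        reasons = []
        if n >= baseline_per_window * volume_multiplier:
            reasons.append("extraordinary request volume")
        if n >= min_requests and share >= same_amount_share:
            reasons.append("repeated small identical amounts")
        if n >= min_requests and declines >= decline_rate_threshold:
            reasons.append("high decline rate")  # guessed card numbers mostly fail
        if reasons:
            alerts.append(Alert(merchant, start, n, share, declines, tuple(reasons)))
    return alerts


def sample_normal_requests() -> List[AuthRequest]:
    """Constructed: a small merchant's ordinary afternoon, a few varied charges."""
    t0 = datetime(2002, 9, 12, 14, 0, 0)
    amounts = [24.99, 5.07, 119.00, 42.50, 5.07, 8.99]
    return [AuthRequest(t0 + timedelta(minutes=10 * i), "novelty-shop", a, True)
            for i, a in enumerate(amounts)]


def sample_attack_requests() -> List[AuthRequest]:
    """Constructed: 300 probes at $5.07 within five minutes, about 45% approved."""
    t0 = datetime(2002, 9, 12, 3, 0, 0)
    return [AuthRequest(t0 + timedelta(seconds=i), "novelty-shop", 5.07, i % 9 < 4)
            for i in range(300)]


if __name__ == "__main__":
    for alert in detect_card_testing(sample_normal_requests() + sample_attack_requests()):
        print(alert)
```

The ordinary traffic produces no alert; the burst trips all three signals in a single ten-minute bucket, which is the point at which the gateway, rather than a cardholder reading a statement, would notice.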

6-7 Case Study: Brute Force Credit Card Attack Story

• The results of the two attacks
  – VeriSign halted the transactions before they were settled, saving Spitfire $316,000 in charges
  – Authorize.Net merchants were charged $0.35 for each transaction
  – The criminals acquired thousands of valid credit card numbers to sell on the black market

6-8 Case Study: Brute Force Credit Card Attack Story

• What we can learn…
  – Any type of EC involves a number of players who use a variety of network and application services that provide access to a variety of data sources
  – A perpetrator needs only a single weakness in order to attack a system
  – Some attacks require sophisticated techniques and technologies
  – Most attacks are not sophisticated; standard security risk management procedures can be used to minimise their probability and impact

6-9 6.1: Basic Security Issues

• From the user’s perspective:
  – How can the user be sure that the Web server is owned and operated by a legitimate company?
  – How does the user know that the Web page and form do not contain some malicious or dangerous code or content?
  – How does the user know that the owner of the Web site will not distribute the information the user provides to some other party?

6-10 6.1: Basic Security Issues

• From the company’s perspective:
  – How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?
  – How does the company know that the user will not try to disrupt the server so that it is not available to others?

6-11 6.1: Basic Security Issues

• From both parties’ perspectives:
  – How do both parties know that the network connection is free from eavesdropping by a third party “listening” on the line?
  – How do they know that the information sent back and forth between the server and the user’s browser has not been altered?

6-12 6.1: Basic Security Issues

• Authentication: The process by which one entity verifies that another entity is who they claim to be
• Authorisation: The process that ensures that a person has the right to access certain resources
• Auditing: The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions
• Integrity: As applied to data, the ability to protect data from being altered or destroyed in an unauthorised or accidental manner
• Nonrepudiation: The ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature

6-13 6.1: Basic Security Issues

Exhibit 11.1 General Security Issues at EC Sites (figure not reproduced)

6-14 6.2: Types of Threats and Attacks

• Nontechnical attack:
  – An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network
  – Social engineering
    • A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access
• Multiprong approach used to combat social engineering:
  – Education and training
  – Policies and procedures
  – Penetration testing

6-15 6.2: Types of Threats and Attacks

• Technical attack:
  – An attack perpetrated using software and systems knowledge or expertise
• Common (security) vulnerabilities and exposures (CVEs):
  – Publicly known computer security risks, which are collected, listed, and shared by a board of security-related organisations (cve.mitre.org)

6-16 6.2: Types of Threats and Attacks

• Denial-of-service (DoS) attack:
  – An attack on a Web site in which an attacker uses specialised software to send a flood of data packets to the target computer with the aim of overloading its resources
• Distributed denial-of-service (DDoS) attack:
  – A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer

6-17 6.2: Types of Threats and Attacks

Exhibit 11.2 Using Zombies in a Distributed Denial-of-Service Attack (figure not reproduced)

6-18 6.2: Types of Threats and Attacks

• Malware:
  – A generic term for malicious software
• A number of factors have contributed to the overall increase in malicious code. Among these factors, the following are paramount:
  – Mixing data and executable instructions
  – Increasingly homogeneous computing environments
  – Unprecedented connectivity
  – Larger clueless user base

6-19 6.2: Types of Threats and Attacks

• As the number of attacks increases, the following trends in malicious code are emerging:
  – Increased speed and volume of attacks
  – Reduced time between the discovery of a vulnerability and the release of an attack to exploit the vulnerability
  – Remotely controlled bot networks are growing
  – E-commerce is the most frequently targeted industry
  – Attacks against Web application technologies are increasing
  – A large percentage of Fortune 100 companies have been compromised by worms

6-20 6.2: Types of Threats and Attacks

• Malicious code takes a variety of forms—both pure and hybrid
  – Virus:
    • A piece of software code that inserts itself into a host, including the operating systems, to propagate; it requires that its host program be run to activate it
  – Worm:
    • A software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine

6-21 6.2: Types of Threats and Attacks

• Malicious code takes a variety of forms—both pure and hybrid
  – Macro virus or macro worm:
    • A virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed
  – Trojan horse:
    • A program that appears to have a useful function but contains a hidden function that presents a security risk

6-22 6.3: Managing EC Security

• Common mistakes organisations make in managing their security risks (McConnell 2002):
  – Undervalued information
  – Narrowly defined security boundaries
  – Reactive security management
  – Dated security management processes
  – Lack of communication about security responsibilities

6-23 6.3: Managing EC Security

• Security risk management:
  – A systematic process for determining the likelihood of various security attacks and for identifying the actions needed to prevent or mitigate those attacks
  – Phases of security risk management
    • Assessment
    • Planning
    • Implementation
    • Monitoring

6-24 6.3: Managing EC Security

• Phases of security risk management
  – Assessment
    • Evaluate security risks by determining assets, vulnerabilities of their system, and potential threats to these vulnerabilities
  – Planning
    • To arrive at a set of policies defining which threats are tolerable and which are not
  – Implementation
    • Particular technologies are chosen to counter high-priority threats
  – Monitoring

6-25 6.3: Managing EC Security

6-26 Case Study: MP3.com, Napster, and Intellectual Property Rights

• The Problem
  – Before the advent of the Web, people made audiotape copies of music and videos to give to friends and family or used them for their own personal enjoyment
  – Such activities were ignored by the producers, distributors, and artists who had the legal rights to the content
  – MP3.com enabled users to listen to music from any computer with an Internet connection without paying royalties
  – Using peer-to-peer (P2P) technology, Napster supported the distribution of music and other digitised content among millions of users

6-27 Case Study: MP3.com, Napster, and Intellectual Property Rights

• The Problem
  – MP3.com and Napster claimed to be supporting what had been done for years and were not charging for their services
  – Popularity of MP3.com and P2P services was too great for the content creators and owners to ignore
  – To the creators and owners, the Web was becoming a vast copying machine
  – MP3.com’s and Napster’s services could result in the destruction of many thousands of jobs and millions of dollars in revenue

6-28 Case Study: MP3.com, Napster, and Intellectual Property Rights

• The Problem
  – Existing copyright laws were written for physical, not digital, content
  – The Copyright Infringement Act states, “the defendant must have willfully infringed the copyright and gained financially”
  – The “no financial gain” loophole in the Act was later closed

6-29 Case Study: MP3.com, Napster, and Intellectual Property Rights

• The Solution
  – In December 2000, EMusic (emusic.com) filed a copyright infringement lawsuit against MP3.com
  – In 2001, Napster faced similar legal claims, lost the legal battle, and was forced to pay royalties for each piece of music it supported—Napster collapsed—in October 2003 it reopened as “for fee only”

6-30 Case Study: MP3.com, Napster, and Intellectual Property Rights

• The Results
  – In 1997, the No Electronic Theft Act (NET) was passed, making it a crime for anyone to reproduce and distribute copyrighted works
    • Applied to reproduction or distribution accomplished by electronic means
    • Even if copyrighted products are distributed without charge, financial harm is experienced by the authors or creators of a copyrighted work

6-31 Case Study: MP3.com, Napster, and Intellectual Property Rights

• The Results
  – MP3.com suspended operations in April 2000 and settled the lawsuit
  – Napster suspended service and settled its lawsuits
    • Tried to resurrect itself as an online music subscription service with the backing of Bertelsmann AG
    • Filed for bankruptcy in June 2002
    • Purchased by Roxio with plans to revive Napster into a royalty-paying framework

6-32 Case Study: MP3.com, Napster, and Intellectual Property Rights

• What we can learn…
  – All commerce involves a number of legal, ethical, and regulatory issues
  – EC adds to the scope and scale of these issues
  – What constitutes illegal behavior versus unethical, intrusive, or undesirable behavior?

6-33 6.4: Ethical and Legal Issues in EC

• Ethics:
  – The branch of philosophy that deals with what is considered to be right and wrong
    • What is unethical is not necessarily illegal
    • Ethics are supported by common agreement in a society as to what is right and wrong, but they are not subject to legal sanctions

6-34 6.4: Ethical and Legal Issues in EC

• EC ethical issues
  – Non-work-related use of the Internet
    • Employees use e-mail and the Web for non-work-related purposes
    • The time employees waste while surfing non-work-related Web sites during working hours is a concern
    • Can be minimised by having a corporate code of ethics

6-35 6.4: Ethical and Legal Issues in EC

• Major ethical/legal issues
  – Privacy
  – Intellectual property rights
  – Free speech versus censorship
  – Consumer and merchant protection against fraud
  – Unsolicited electronic ads and spamming (covered in Lesson 4)

6-36 6.5: Difficulties in Protecting Privacy in EC

• Privacy:
  – The right to be left alone and the right to be free of unreasonable personal intrusions
  – Privacy issues abound when collecting information about individuals:
    • Web site registration
    • Cookies
    • Spyware and similar methods
    • RFID’s threat to privacy
    • Privacy of employees
    • Privacy of patients

6-37 6.5: Difficulties in Protecting Privacy in EC

• Privacy:
  – There are few restraints on the ways in which the site can use this information
    • Use it to improve customer service or its own business
    • Or sell the information to another company that could use it in an inappropriate or intrusive manner

6-38 6.5: Difficulties in Protecting Privacy in EC

• Protection of privacy
  – Notice/awareness
  – Choice/consent
    • Opt-out clause: Agreement that requires computer users to take specific steps to prevent collection of information
    • Opt-in clause: Agreement that requires computer users to take specific steps to allow collection of information
  – Access/participation
  – Integrity/security
  – Enforcement/redress

6-39 6.6: Intellectual Property Rights in EC

• Intellectual property:
  – Creations of the mind, such as inventions, literary and artistic works, and symbols, names, images, and designs used in commerce

6-40 6.6: Intellectual Property Rights in EC

• Copyright:
  – An exclusive grant from the government that allows the owner to reproduce a work, in whole or in part, and to distribute, perform, or display it to the public in any form or manner, including the Internet
    • Literary works
    • Musical works
    • Dramatic works
    • Artistic works
    • Sound recordings, films, broadcasts, cable programs

6-41 6.6: Intellectual Property Rights in EC

• Copyright protection (against piracy of software, music, and other digitisable material)
  – Using software to produce digital content that cannot be copied
    • Cryptography
    • Tracking copyright violations
  – Digital watermarks:
    • Unique identifiers embedded in digital content that make it possible to identify pirated works

6-42 6.6: Intellectual Property Rights in EC

• Trademark:
  – A symbol used by businesses to identify their goods and services; government registration of the trademark confers exclusive legal right to its use
  – The owner of a registered trademark has exclusive rights to:
    • Use the trademark on goods and services for which the trademark is registered
    • Take legal action to prevent anyone else from using the trademark without consent on goods and services (identical or similar) for which the trademark is registered

6-43 6.6: Intellectual Property Rights in EC

• Cybersquatting:
  – The practice of registering domain names in order to sell them later at a higher price
• Anticybersquatting
  – The Anticybersquatting Consumer Protection Act of 1999 allows trademark owners to sue for statutory damages
    • Juliaroberts.com
    • Madonna.com

6-44 6.6: Intellectual Property Rights in EC

• Patent:
  – A document that grants the holder exclusive rights on an invention for a fixed number of years
    • Patents serve to protect tangible technological inventions
    • Patents are not designed to protect artistic or literary creativity
    • Patents confer monopoly rights to an idea or an invention, regardless of how it may be expressed

6-45 6.6: Intellectual Property Rights in EC

• Fan and hate sites
  – Cyberbashing:
    • The registration of a domain name that criticises an organisation or person
    • May violate the copyrights of the creators or distributors of intellectual property
    • This issue shows the potential collision between protection of intellectual property and free speech

6-46 6.7: Free Speech and Censorship in EC

• One of the most important issues for Web surfers (as per surveys) is censorship
  – Censorship
    • Governmental attempts to control broadcasted material
  – Controlling spam
    • Spamming: The practice of indiscriminately broadcasting messages over the Internet (e.g., junk mail)
    • Spam comprises 25 to 50% of all e-mail

6-47 6.8: EC Fraud and Consumer and Seller Protection

• Fraud on the Internet
  – Online auction fraud (87% of online crime)
  – Internet stock fraud (spread false rumors)
  – Other financial fraud
    • Bogus investments
    • Phantom business opportunities
    • Other schemes
  – Other fraud in EC—nonfinancial fraud
    • Customers receive poor-quality products and services
    • Customers do not get products in time
    • Customers are asked to pay for things they assume will be paid for by sellers

6-48 6.8: EC Fraud and Consumer and Seller Protection

• Fraud on the Internet
  – Identity theft
    • A criminal act in which someone presents himself (herself) as another person and uses that person’s social security number, bank account numbers, and so on, to obtain loans, purchase items, make obligations, sell stocks, etc.
  – Phishing
    • The act of using fraudulent communications in an attempt to obtain another individual’s identifying information

6-49 6.8: EC Fraud and Consumer and Seller Protection

• Consumer Protection
  – Third-party assurance services
    • TRUSTe (truste.org)
    • Better Business Bureau (bbbonline.com)
    • WHICHonline (which.net)
    • Web Trust Seal (TRUSTe, cpawebtrust.org, Gomes.com)
    • Online Privacy Alliance
    • Evaluation by consumers
  – Authentication and biometric controls

6-50 6.8: EC Fraud and Consumer and Seller Protection

• Seller Protection
  – Customers who deny that they placed an order
  – Customers who download copyrighted software and/or knowledge and sell it to others
  – Customers who give false payment (credit card or bad checks) information in payment for products and services provided
  – Use of their name by others
  – Use of their unique words and phrases, names, and slogans and their Web addresses by others

6-51 6.8: EC Fraud and Consumer and Seller Protection

• What can sellers do?
  – Use intelligent software to identify possibly questionable customers
  – Identify warning signals for possibly fraudulent transactions
  – Ask customers whose billing address is different from the shipping address to call their bank and have the alternate address added to their bank account

6-52 6.9: Societal Issues in EC

• Digital divide
  – The gap between those who have and those who do not have the ability to access electronic technology in general, and the Internet and EC in particular
• Other societal issues
  – Education
    • Virtual universities
    • Companies use the Internet to retrain employees
    • Home-bound individuals can get degrees

6-53 6.9: Societal Issues in EC

• Other societal issues
  – Public safety and criminal justice
    • Collaborative commerce
    • E-procurement
    • E-government—coordinating, information sharing, and expediting legal work and cases
    • E-training of law enforcement officers
  – Health aspects
    • Safer and healthier to shop from home than to shop in a physical store
    • Some believe that exposure to cellular mobile communication radiation may cause health problems
    • Collaborative commerce can help improve health care

6-54 6.10: Virtual (Internet) Communities

• Virtual (Internet) community
  – A group of people with similar interests who interact with one another using the Internet
  – Characteristics of communities
    • One possibility is to classify members as traders, players, just friends, enthusiasts, or friends in need
  – The gathering of needs in one place enables vendors to sell more and community members to get discounts

6-55 6.10: Virtual (Internet) Communities

Commercial Aspects of Communities

1. Search communities
2. Trading communities
3. Education communities
4. Scheduled events communities
5. Subscriber-based communities
6. Community consulting firms
7. E-mail-based communities
8. Advocacy communities
9. CRM communities
10. Mergers and acquisitions activities

6-56 6.10: Virtual (Internet) Communities

• Types of virtual communities:
  – Transaction
  – Purpose or interest
  – Relations or practice
  – Fantasy
• Financial viability of communities: the revenue model of communities can be based on:
  – Sponsorship
  – Membership fees
  – Sales commissions
  – Advertising
  – Combination of these

6-57 6.10: Virtual (Internet) Communities

Eight critical factors for community success:

• Increase traffic and participation in the community
• Focus on the needs of the members; use facilitators and coordinators
• Encourage free sharing of opinions and information—no controls
• Obtain financial sponsorship. This factor is a must. Significant investment is required
• Consider the cultural environment
• Provide several tools and activities for member use; communities are not just discussion groups
• Involve community members in activities and recruiting
• Guide discussions, provoke controversy, and raise sticky issues. This keeps interest high

6-58 6.10: Virtual (Internet) Communities

Key Strategies for Successful Online Communities

• Handle member data sensitively
• Maintain stability of the Web site with respect to the consistency of content, services, and types of information offered
• Provide fast reaction time of the Web site
• Offer up-to-date content
• Offer continuous community control with regard to member satisfaction
• Establish codes of behavior (netiquette/guidelines) to contain conflict potential

6-59 6.11: The Future of EC

• Nontechnological success factors:
  – Internet Usage
  – Opportunities for Buying
  – M-Commerce
  – Purchasing Incentives
  – Increased Security and Trust
  – Efficient Information Handling
  – Innovative Organisations
  – Virtual Communities

6-60 6.11: The Future of EC

• Nontechnological success factors:
  – Payment Systems
  – B2B EC
  – B2B Exchanges
  – Auctions
  – Going Global
  – E-Government
  – Intra-business EC
  – E-Learning
  – EC Legislation

6-61 6.11: The Future of EC

• EC technology trends:
  – Clients
  – Embedded Clients
  – Wireless Communications and M-Commerce
  – Pervasive Computing
  – Wearable Devices
  – RFID
  – Servers and Operating Systems
  – Networks

6-62 6.11: The Future of EC

• EC technology trends:
  – EC software and services
  – Search engines
  – Peer-to-peer technology
  – Integration
  – Web services
  – Software agents
  – Interactive TV
  – Tomorrow’s Internet

6-63 6.11: The Future of EC

• EC technology trends:
  – Utility computing
    • Computing resources that flow like electricity on demand from virtual utilities around the globe—always on and highly available, secure, efficiently metered, priced on a pay-as-you-use basis, dynamically scaled, self-healing, and easy to manage
  – Grid computing coordinates the use of a large number of servers and storage, acting as one computer

6-64 6.11: The Future of EC

• Integrating the marketplace and marketspace:
  – Probably the most noticeable integration of the two concepts is in the click-and-mortar organisation
  – A major problem with the click-and-mortar approach is how the two outlets can cooperate in planning, advertising, logistics, resource allocation, and so on, and how the strategic plans of the marketspace and marketplace can be aligned
  – The impact of EC on our lives will be as much as, and possibly more profound than, that of the Industrial Revolution

6-65 Managerial Issues

1. Have we budgeted enough for security?
2. What are the business consequences of poor security?
3. Which e-commerce sites are vulnerable to attack?
4. What steps should businesses follow in establishing a security plan?
5. Should organisations be concerned with internal security threats?
6. What sorts of legal and ethical issues should be of major concern to an EC enterprise?
7. What are the most critical ethical issues?
8. What impacts on business is EC expected to make?