1 Security, Privacy, and Ethical Issues in Information Systems and the Internet Chapter 9

2 Social Issues in Information Systems Computer Waste & Mistakes Computer Waste & Mistakes Computer Crime Computer Crime Privacy Privacy Health Concerns Health Concerns Ethical Issues Ethical Issues Patent and copyright violations Patent and copyright violations

3 Computer Waste Discarding technology that still has value Discarding technology that still has value Unused systems Unused systems Personal use of corporate time and technology Personal use of corporate time and technology Spam Spam Time spent configuring / “optimizing” computers Time spent configuring / “optimizing” computers Companies should establish policies to prevent waste and mistakes Companies should establish policies to prevent waste and mistakes

4 Computer Crime

5 Number of Incidents Reported to CERT Number of Incidents Reported to CERT

6 Computer Crime and Security Survey Source: (1996: 16%)

7 Identity theft Fastest Growing Crime in the US Fastest Growing Crime in the US Use someone else’s identity to obtain credit, conduct crimes etc Use someone else’s identity to obtain credit, conduct crimes etc Necessary info: SSN, Name, (Date of Birth) Necessary info: SSN, Name, (Date of Birth) How often do you get a credit card application with your name on it? How often do you get a credit card application with your name on it? Consumer complaints about fraud and identity theft: Consumer complaints about fraud and identity theft: Largest Identity theft case in US history Largest Identity theft case in US history story/0,10801,76252,00.html story/0,10801,76252,00.html story/0,10801,76252,00.html story/0,10801,76252,00.html Identity theft survival guide Identity theft survival guide

8 Recent Cybercrime Headlines 12/4/03: Trojans on the Rise 12/4/03: Trojans on the RiseTrojans on the RiseTrojans on the Rise 11/24/03: U.S. House Passes Controversial Antispam Bill 11/24/03: U.S. House Passes Controversial Antispam BillU.S. House Passes Controversial Antispam BillU.S. House Passes Controversial Antispam Bill 11/19/03: Wi-Fi Starts Leaping Security Barriers 11/19/03: Wi-Fi Starts Leaping Security BarriersWi-Fi Starts Leaping Security BarriersWi-Fi Starts Leaping Security Barriers 11/12/03: Microsoft Plugs Five New Security Holes 11/12/03: Microsoft Plugs Five New Security HolesMicrosoft Plugs Five New Security HolesMicrosoft Plugs Five New Security Holes Source: Daily cybercrime report Source: Daily cybercrime report ( (

9 The Computer as a Tool to Commit Crime Social engineering Social engineering Posing as someone else to gain trust of user to give out password Posing as someone else to gain trust of user to give out password Dumpster diving Dumpster diving Search garbage for clues on how to gain access to a system Search garbage for clues on how to gain access to a system Shoulder Surfing Shoulder Surfing Stand next to someone in a public place to get vital information Stand next to someone in a public place to get vital information Install keyboard logger Install keyboard logger Record every keystroke and send back to criminal Record every keystroke and send back to criminal Cyberterrorism Cyberterrorism E.g. Distributed Denial-of-service (DDOS) attack E.g. Distributed Denial-of-service (DDOS) attack

10 Computers as Objects of Crime Illegal access and use Illegal access and use Hackers Hackers ‘Hacking’ away at programming and using a computer to its fullest capabilities ‘Hacking’ away at programming and using a computer to its fullest capabilities Crackers (criminal hacker) Crackers (criminal hacker) Information and equipment theft Information and equipment theft Software and Internet piracy Software and Internet piracy Computer-related scams Computer-related scams Nigerian 419 Nigerian 419 Scamming the scammers: Scamming the scammers: International computer crime International computer crime

11 Data Alteration and Destruction Virus Virus Worm Worm Logic bomb Logic bomb Trojan horse Trojan horse © Hal Mayforth 2003

12 Virus Characteristics Similar to biological viruses Similar to biological viruses Replicates on its own Replicates on its own May mutate May mutate Can be benign or malicious Can be benign or malicious Attaches to a ’host’ program Attaches to a ’host’ program Constructed by a programmer Constructed by a programmer Top 10 last month: com/virusinfo/topten / com/virusinfo/topten /

13 Virus elements Distribution Vector Distribution Vector How does it move from one computer to the next? How does it move from one computer to the next? Virus: Attaches to other program, user must take action to spread Virus: Attaches to other program, user must take action to spread Worm: Self-propagates Worm: Self-propagates Payload Payload What does it do when it gets there? What does it do when it gets there? Types of damage (payload) Types of damage (payload) Destruction of data, programs or hardware Destruction of data, programs or hardware Loss of productivity Loss of productivity Annoyance Annoyance Ability to mutate Ability to mutate Makes it harder to detect, like the AIDS virus Makes it harder to detect, like the AIDS virus

14 Virus Distribution Executable attachment that masquerades as image file (”Click to see picture of Anna Kournikova!”) Executable attachment that masquerades as image file (”Click to see picture of Anna Kournikova!”) HTML code that executes automatically in program (esp. Outlook and Outlook Express) HTML code that executes automatically in program (esp. Outlook and Outlook Express) Worm Worm Spreads directly from computer to computer Spreads directly from computer to computer Often exploiting ’open ports’ or other vulnerabilities Often exploiting ’open ports’ or other vulnerabilities Trojan Horse / Logic Bomb Trojan Horse / Logic Bomb Virus disguised inside other program Virus disguised inside other program Greeting Cards (or other web sites) Greeting Cards (or other web sites) Clicking link may cause nasty things to happen Clicking link may cause nasty things to happen Hoax Hoax about a ‘false’ threat. May ask user to delete important system file and forward to other users about a ‘false’ threat. May ask user to delete important system file and forward to other users

15 Virus Example: SoBig virus Distribution vector: Distribution vector: Arrives in message, installs own SMTP engine (allows for sending without using installed program) Arrives in message, installs own SMTP engine (allows for sending without using installed program) Sends itself to all addresses in address books Sends itself to all addresses in address books Forges Sender address, so the person that the appears to come from may not be infected (“ spoofing”) Forges Sender address, so the person that the appears to come from may not be infected (“ spoofing”) User must execute attachment to be infected User must execute attachment to be infected Tried to copy itself to Windows shares (unsuccessful, due to bugs) Tried to copy itself to Windows shares (unsuccessful, due to bugs) Payload: None (except for extra traffic) Payload: None (except for extra traffic) Might download malicious software from web site Might download malicious software from web site Expired September 10, 2003 Expired September 10, 2003 Source: tml Source: tml tml tml

16 Symantec’s Virus guidelines Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates. Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates. If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied. If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.blended threatblended threat Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services. Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services. Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised. Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised. Configure your server to block or remove that contains file attachments that are commonly used to spread viruses, such as.vbs,.bat,.exe,.pif and.scr files. Configure your server to block or remove that contains file attachments that are commonly used to spread viruses, such as.vbs,.bat,.exe,.pif and.scr files. Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media. Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media. Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched. Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

17 The Six Computer Incidents with the Greatest Worldwide Economic Impact The Six Computer Incidents with the Greatest Worldwide Economic Impact ILOVEYOU was started by student in Philippines who had a project rejected by a teacher!

18 Measures of Protection General controls General controls Physical Physical A guard in front of a locked door can prevent many problems... A guard in front of a locked door can prevent many problems... Biometric controls Biometric controls fingerprint, hand print, retina scan, voice,... fingerprint, hand print, retina scan, voice,... Data security control Data security control confidentiality, access control, data integrity confidentiality, access control, data integrity

19 Measures of Protection Network Protection and Firewalls Network Protection and Firewalls Access control Access control Encryption Encryption Firewalls: Most cost-effective defense, but not 100% effective Firewalls: Most cost-effective defense, but not 100% effective Example: ZoneAlarm Example: ZoneAlarm Protection can be assured by conducting an audit Protection can be assured by conducting an audit Perhaps even hiring a hacker… Perhaps even hiring a hacker…

20 Common Computer Crime Methods Common Computer Crime Methods

21 What can You Do Personally? Install security patches Install security patches For windows: For windows: Use a virus scanner Use a virus scanner Take backup Take backup Protect your password (beware of social engineering) Protect your password (beware of social engineering) Install a Firewall Install a Firewall Encrypt sensitive data Encrypt sensitive data Don’t use IM chat software for sensitive communication (see Don’t use IM chat software for sensitive communication (see Changing: Vedndors coming out with ‘corporate’ versions Changing: Vedndors coming out with ‘corporate’ versions Visit to make sure your Shields are Up Visit to make sure your Shields are Upwww.grc.com

22 Privacy

23 Privacy Dilemma People’s right to privacy – not be monitored People’s right to privacy – not be monitored Employers need to monitor activity on their premises Employers need to monitor activity on their premises Discourage time-wasting behavior Discourage time-wasting behavior Prevent criminal activity on network Prevent criminal activity on network Law enforcement needs to solve crimes Law enforcement needs to solve crimes Anonymity makes some people more criminal/amoral Anonymity makes some people more criminal/amoral

24 The Right to Know and the Ability to Decide The Right to Know and the Ability to Decide

25 Privacy Work is not private Work is not private Employers have right to read employee Employers have right to read employee Can be used as evidence in court Can be used as evidence in court Companies need to have a policy for storing Companies need to have a policy for storing Can also cause problems for elected officials Can also cause problems for elected officials Recently Oshkosh School Board was ‘discovered’ to delete messages Recently Oshkosh School Board was ‘discovered’ to delete messages Violates open meeting laws Violates open meeting laws

26 The Work Environment

27 Health Concerns Repetitive Motion Disorder (Repetitive Stress Injury; RSI) Repetitive Motion Disorder (Repetitive Stress Injury; RSI) An injury that can be caused by working with computer keyboards and other equipment An injury that can be caused by working with computer keyboards and other equipment Carpal Tunnel Syndrome (CTS) Carpal Tunnel Syndrome (CTS) The aggravation of the pathway for nerves that travel through the wrist (the carpal tunnel) The aggravation of the pathway for nerves that travel through the wrist (the carpal tunnel) Current research says computers do not cause permanent damage Current research says computers do not cause permanent damage a few months without computer will help a few months without computer will help Research is still being conducted Research is still being conducted Technology can also remove dangerous work situations Technology can also remove dangerous work situations

28 Ergonomics The study of designing and positioning computer equipment for employee health and safety The study of designing and positioning computer equipment for employee health and safety How high should your monitor be? How high should your monitor be? Where should keyboard, mouse be? Where should keyboard, mouse be? Good ways of working to minimize risks Good ways of working to minimize risks Web sites on ergonomics: Web sites on ergonomics: er/ er/ er/ er/

29 That’s it Exam Exam Available Friday – Saturday (all minutes inclusive) Available Friday – Saturday (all minutes inclusive) 2 hours to complete once started 2 hours to complete once started Exam scores on Blackboard Exam scores on Blackboard Final grades will be available by Wednesday Final grades will be available by Wednesday