Transcript File

Law, Ethics, and
Cyber Crime
Prentice Hall, 2003
1
Learning Objectives
Describe the difference between legal and
ethical issues
Understand the difficulties of protecting
privacy in EC
Discuss issues of intellectual property rights in
EC
Understand the conflict between free speech
and censorship on the Internet
2
Learning Objectives (cont.)
Document the rapid rise in computer and
network security attacks
Understand the factors contributing to the rise of
EC security breaches
Describe the key security issues facing EC sites
Discuss some of the major types of cyber
attacks against EC sites
Describe some of the technologies used to
secure EC sites
3
MP3, Napster, and
Intellectual Property Rights
The Problem
MP3.com enabled users to listen to music
from any computer with an Internet connection
without paying royalties
Napster supported the free distribution of
music and other digitized content among
millions utilizing peer-to-peer (P2P) technology
These services could not be ignored because
they could result in the destruction of millions
of jobs and revenue
4
MP3, Napster, and
Intellectual Property Rights (cont.)
The Solution
Emusic.com filed a copyright infringement
lawsuit against MP3.com
Copyright laws and copyright cases have been
in existence for years but:
Were not written for digital content
Financial gain loophole was not closed
5
MP3, Napster, and
Intellectual Property Rights (cont.)
The Results
All commerce involves a number of legal,
ethical, and regulatory issues
EC adds a number of questions about what
constitutes illegal behavior versus unethical,
intrusive, or undesirable behavior
6
Legal Issues vs. Ethical Issues
Ethics—the branch of philosophy that deals
with what is considered to be right and
wrong
Businesspeople engaging in e-commerce need
guidelines as to what behaviors are reasonable
under any given set of circumstances
What is unethical in one culture may be perfectly
acceptable in another
7
Privacy
Privacy—the right to be left alone and the
right to be free of unreasonable personal
intrusions
Two rules have been followed fairly closely in
court decisions:
1. The right of privacy is not absolute.
Privacy must be balanced against the
needs of society
2. The public ’s right to know is superior to
the individual’s right of privacy
8
Privacy Advocates
Take On DoubleClick
DoubleClick is one of the leading providers
of online advertising
DoubleClick uses cookies to personalize ads
based on consumers’ interests
In January 1999, DoubleClick bought catalog
marketer Abacus Direct and announced plans
to merge Abacus’s off-line database with their
online data
9
Privacy Advocates
Take On DoubleClick (cont.)
Several class action lawsuits were brought against
DoubleClick, claiming that the company was
“tracking Internet users and obtaining personal and
financial information with-out the individual’s
knowledge
In violation of the state’s Consumer Protection
Act and asked it to stop placing cookies on
consumers’ computers without their permission
In January 2001, the FTC ruled that DoubleClick
had not violated FTC policies
10
Privacy Advocates
Take On DoubleClick (cont.)
DoubleClick agreed to enhance its privacy
measures and to pay legal fees and costs up
to $18 million
Key provision of the settlement requires
DoubleClick to “obtain permission from
consumers before combining any personally
identifiable data with Web surfing history”
11
Web-Site Self-Registration
Registration questionnaires
50% disclose personal information on a Web site
for the chance to win a sweepstakes
Uses of the private information collected:
For planning the business
May be sold to a third party
Must not be used in an inappropriate manner
12
Cookies
Cookie—a small piece of data that is passed
back and forth between a Web site and an
end user’s browser as the user navigates the
site; enables sites to keep track of users’
activities without asking for identification
Cookies can be used to invade an individual ’s
privacy
Personal information collected via cookies has
the potential to be used in illegal and unethical
ways
13
Cookies (cont.)
Solutions to unwanted cookies
Users can delete cookie files stored in their
computer
Use of anti-cookie software
Passport—a Microsoft component that lets
consumers permanently enter a profile of
information along with a password and use this
information and password repeatedly to access
services at multiple sites
14
Protection of Privacy
Notice/awareness
Choice/consent
Access/participation
Integrity/security
Enforcement/redress
Supported in the U.S. by the Federal Internet
Privacy Protection Act
Supported in the European Union by EU Data
Protection Directive
15
Intellectual Property Rights
Intellectual property (IP)—creations of the
mind, such as inventions, literary and
artistic works, and symbols, names,
images, and designs used in commerce
©
®
16
Intellectual Property Rights (cont.)
Copyright—an exclusive grant from the
government that allows the owner to
reproduce a work, in whole or in part, and
to distribute, perform, or display it to the
public in any form or manner, including the
Internet
Digital watermarks—unique identifiers
imbedded in digital content that make it
possible to identify pirated works
17
Intellectual Property Rights (cont.)
Trademarks—a symbol used by businesses to identify
their goods and services; government registration of
the trademark confers exclusive legal right to its use
Gives exclusive rights to:
Use trademark on goods and services registered to
that sign
Take legal action to prevent anyone from using
trademark without consent
Patent—a document that grants the holder exclusive
rights on an invention for a fixed number of years
18
Free Speech and
Censorship on the Internet
The issue of censorship is one of the most
important to Web surfers
“Most citizens are implacably opposed to
censorship in any form — except censorship of
whatever they personally happen to find offensive.”
Citizen action groups desiring to protect every
ounce of their freedom to speak
Children ’s Online Protection Act (COPA)
Governments protective of their role in society
19
Controlling Spamming
Spamming—the practice of indiscriminately
broadcasting messages over the Internet (e.g., junk
mail)
Spam comprised 25 to 50% of all e-mail
Slows the internet in general; sometimes Shuts ISPs
down completely
Electronic Mailbox Protection Act
ISPs are required to offer spam-blocking software
Recipients of spam have the right to request
termination of future spam from the same sender and
to bring civil action if necessary
20
Cyber Crime
Fraud
Intentional deceit or trickery, often with the aim of
financial gain
Cyber attack
An electronic attack, either criminal trespass over
the Internet (cyber intrusion) or unauthorized
access that results in damaged files, pro-grams, or
hardware (cyber vandalism)
21
The Players: Hackers, Crackers,
and Other Attackers
Hackers
Original hackers created the Unix operating system
and helped build the Internet, Usenet, and World
Wide Web; and, used their skills to test the strength
and integrity of computer systems
Over time, the term hacker came to be applied to
rogue programmers who illegally break into
computers and networks
22
The Players: Hackers, Crackers,
and Other Attackers (cont.)
Crackers
People who engage in unlawful or damaging
hacking short for “criminal hackers”
Other attackers
“Script kiddies” are ego-driven, unskilled
crackers who use information and software
(scripts) that they download from the Internet
to inflict damage on targeted sites
23
Internet Security
Cyber attacks are on the rise
Internet connections are increasingly a
point of attack
The variety of attacks is on the rise
Why now?
Because that’s where the money and
information is!
24
Internet Security (cont.)
Factors have contributed to the rise in cyber
attacks:
Security and ease of use are antithetical to one
another
Security takes a back seat to market pressures
Security of an EC site depends on the security of the
Internet as a whole
Security vulnerabilities are mushrooming
Security is compromised by common applications
25
Basic Security Issues
From the user ’s perspective:
How can the user be sure that the Web server
is owned and operated by a legitimate
company?
How does the user know that the Web page
and form do not contain some malicious or
dangerous code or content?
How does the user know that the Web server
will not distribute the information the user
provides to some other party?
26
Basic Security Issues (cont.)
From the company ’s perspective:
How does the company know the user will not
attempt to break into the Web server or alter the
pages and content at the site?
How does the company know that the user will not
try to disrupt the server so that it is not available to
others?
27
Basic Security Issues (cont.)
From both parties ’perspectives:
How do they know that the network
connection is free from eavesdropping by a
third party “listening in ”on the line?
How do they know that the information sent
back and forth between the server and the
user ’s browser has not been altered?
28
Basic Security Issues (cont.)
Authorization
The process that ensures that a person has
the right to access certain resources
Authentication
The process by which one entity verifies that
another entity is who they claim to be by
checking credentials of some sort
29
Basic Security Issues (cont.)
Auditing
The process of collecting information about
attempts to access particular resources, use
particular privileges, or perform other security
actions
Confidentiality (privacy)
Integrity
As applied to data, the ability to protect data
from being altered or destroyed in an
unauthorized or accidental manner
30
Basic Security Issues (cont.)
Integrity
As applied to data, the ability to protect data
from being altered or destroyed in an
unauthorized or accidental manner
Availability
Nonrepudiation
The ability to limit parties from refuting that a
legitimate transaction took place, usually by
means of a signature
31
Exhibit 9.2
General Security Issues at E-Commerce Sites
32
Types of Cyber Attacks
Technical attack
An attack perpetrated using software and systems
knowledge or expertise
Nontechnical attack
An attack in which a perpetrator uses chicanery or
other form of persuasion to trick people into
revealing sensitive information or performing
actions that compromise the security of a network
33
Types of Cyber Attacks (cont.)
Common vulnerabilities and exposures (CVEs)
Publicly known computer security risks or problems;
these are collected, enumerated, and shared by a
board of security-related organizations
(cve.mitre.org)
Denial-of-service (DoS) attack
An attack on a Web site in which an attacker uses
specialized software to send a flood of data packets
to the target computer with the aim of overloading
its resources
34
Types of Cyber Attacks (cont.)
Distributed denial of service (DDoS) attack
A denial-of-service attack in which the attacker
gains illegal administrative access to as many
computers on the Internet as possible and uses
these multiple computers to send a flood of data
packets to the target computer
Malware
A generic term for malicious software
35
Exhibit 9.3
Using Zombies in a DDoS Attack
36
Types of Cyber Attacks (cont.)
Virus
A piece of software code that inserts itself into a
host, including the operating systems, to
propagate; it cannot run independently but
requires that its host program be run to activate it
Worm
A software program that runs independently,
consuming the resources of its host from within in
order to maintain itself and propagating a
complete working version of itself onto another
machine
37
Types of Cyber Attacks (cont.)
Trojan horse
A program that appears to have a useful function
but that contains a hidden function that presents
a security risk
Two of the better-known Trojan horses “Back
Orifice ”and “NetBus”
Self-contained and self-installing utilities that can
be used to remotely control and monitor the
victim ’s computer over a network (execute
commands, list files, upload and download files on
the victim’s computer)
38
Trojan Horse Attack
on Bugtraq List
BugTraq—a full disclosure moderated
mailing list for the detailed discussion and
announcement of computer security
vulnerabilities:
What they are
How to exploit them
How to fix them
39
Trojan Horse Attack
on Bugtraq List (cont.)
SecurityFocus.com experts have been
fooled
Sent the code containing a Trojan horse
to its 37,000 BugTrac subscribers
Network Associates server found itself under
attack
The way the list is moderated did not change
40
Security Technologies
Internet and EC security is a thriving business
Firewalls and Access Control
One major impediments to EC is the concern
about the security of internal networks
Sidestep the issue by letting third parties
host their Web sites
Primary means of access control is password
41
Security Technologies (cont.)
Firewall
A network node consisting of both hardware
and software that isolates a private network
from a public network
Intrusion detection system (IDS)
A special category of software that can
monitor activity across a network or on a host
computer, watch for suspicious activity, and
take automated action based on what it sees
42
Security Technologies (cont.)
Security risk management
A systematic process for determining the
likelihood of various security attacks and for
identifying the actions needed to prevent or
mitigate those attacks
Assessment
Planning
Implementation
Monitoring
43
Managerial Issues
How can the global nature of EC impact
business operations?
What sorts of legal and ethical issues should
be of major concern to an EC enterprise?
What are the business consequences of poor
security?
44
Managerial Issues (cont.)
Are we safe if there are few visitors
to our EC site?
Is technology the key to EC security?
Where are the security threats likely
to come from?
45
Summary
Describe the differences between legal and
ethical issues in EC
Understand the difficulties of protecting privacy
in EC
Discuss the issues of intellectual property rights
in EC.proven to be particularly
Understand the conflict between free speech
and censorship on the Internet
46
Summary (cont.)
Document the rapid rise in computer and network
security attacks
Understand the factors contributing to the rise of
EC security breaches
Describe the key security issues facing EC sites
Discuss some of the major types of cyber attacks
against EC sites
Describe some of the technologies used to secure
EC sites
47