Prentice Hall, 2003 1 Chapter 9 Law, Ethics, and Cyber Crime

Upload: jerome-cummings

Post on 20-Jan-2016


Chapter 9

Law, Ethics, and Cyber Crime


Learning Objectives

Describe the difference between legal and ethical issues

Understand the difficulties of protecting privacy in EC

Discuss issues of intellectual property rights in EC

Understand the conflict between free speech and censorship on the Internet


Learning Objectives (cont.)

Document the rapid rise in computer and network security attacks

Understand the factors contributing to the rise of EC security breaches

Describe the key security issues facing EC sites

Discuss some of the major types of cyber attacks against EC sites

Describe some of the technologies used to secure EC sites


MP3, Napster, and Intellectual Property Rights

The Problem

MP3.com enabled users to listen to music from any computer with an Internet connection without paying royalties

Napster supported the free distribution of music and other digitized content among millions utilizing peer-to-peer (P2P) technology

These services could not be ignored because they could result in the destruction of millions of jobs and revenue


MP3, Napster, and Intellectual Property Rights (cont.)

The Solution

Emusic.com filed a copyright infringement lawsuit against MP3.com

Copyright laws and copyright cases have been in existence for years but:

Were not written for digital content

Financial gain loophole was not closed


MP3, Napster, and Intellectual Property Rights (cont.)

The Results

All commerce involves a number of legal, ethical, and regulatory issues

EC adds a number of questions about what constitutes illegal behavior versus unethical, intrusive, or undesirable behavior


Legal Issues vs. Ethical Issues

Ethics—the branch of philosophy that deals with what is considered to be right and wrong

Businesspeople engaging in e-commerce need guidelines as to what behaviors are reasonable under any given set of circumstances

What is unethical in one culture may be perfectly acceptable in another


Privacy

Privacy—the right to be left alone and the right to be free of unreasonable personal intrusions

Two rules have been followed fairly closely in court decisions:

1. The right of privacy is not absolute. Privacy must be balanced against the needs of society.

2. The public’s right to know is superior to the individual’s right of privacy.


Privacy Advocates Take On DoubleClick

DoubleClick is one of the leading providers of online advertising

DoubleClick uses cookies to personalize ads based on consumers’ interests

In January 1999, DoubleClick bought catalog marketer Abacus Direct and announced plans to merge Abacus’s off-line database with their online data


Privacy Advocates Take On DoubleClick (cont.)

Several class action lawsuits were brought against DoubleClick, claiming that the company was “tracking Internet users and obtaining personal and financial information without the individual’s knowledge” in violation of the state’s Consumer Protection Act, and asked it to stop placing cookies on consumers’ computers without their permission

In January 2001, the FTC ruled that DoubleClick had not violated FTC policies


Privacy Advocates Take On DoubleClick (cont.)

DoubleClick agreed to enhance its privacy measures and to pay legal fees and costs up to $18 million

Key provision of the settlement requires DoubleClick to “obtain permission from consumers before combining any personally identifiable data with Web surfing history”


Web-Site Self-Registration

Registration questionnaires

50% disclose personal information on a Web site for the chance to win a sweepstakes

Uses of the private information collected:

For planning the business

May be sold to a third party

Must not be used in an inappropriate manner


Cookies

Cookie—a small piece of data that is passed back and forth between a Web site and an end user’s browser as the user navigates the site; enables sites to keep track of users’ activities without asking for identification

Cookies can be used to invade an individual’s privacy

Personal information collected via cookies has the potential to be used in illegal and unethical ways


Cookies (cont.)

Solutions to unwanted cookies

Users can delete cookie files stored on their computer

Use of anti-cookie software

Passport—a Microsoft component that lets consumers permanently enter a profile of information along with a password and use this information and password repeatedly to access services at multiple sites


Protection of Privacy

Notice/awareness

Choice/consent

Access/participation

Integrity/security

Enforcement/redress

Supported in the U.S. by the Federal Internet Privacy Protection Act

Supported in the European Union by the EU Data Protection Directive


Intellectual Property Rights

Intellectual property (IP)—creations of the mind, such as inventions, literary and artistic works, and symbols, names, images, and designs used in commerce

(Slide shows the © copyright and ® registered trademark symbols)


Intellectual Property Rights (cont.)

Copyright—an exclusive grant from the government that allows the owner to reproduce a work, in whole or in part, and to distribute, perform, or display it to the public in any form or manner, including the Internet

Digital watermarks—unique identifiers embedded in digital content that make it possible to identify pirated works


Intellectual Property Rights (cont.)

Trademarks—a symbol used by businesses to identify their goods and services; government registration of the trademark confers exclusive legal right to its use

Gives exclusive rights to:

Use the trademark on goods and services registered to that sign

Take legal action to prevent anyone from using the trademark without consent

Patent—a document that grants the holder exclusive rights on an invention for a fixed number of years


Free Speech and Censorship on the Internet

The issue of censorship is one of the most important to Web surfers

“Most citizens are implacably opposed to censorship in any form — except censorship of whatever they personally happen to find offensive.”

Citizen action groups desiring to protect every ounce of their freedom to speak

Children’s Online Protection Act (COPA)

Governments protective of their role in society


Controlling Spamming

Spamming—the practice of indiscriminately broadcasting messages over the Internet (e.g., junk mail)

Spam comprised 25 to 50% of all e-mail

Slows the Internet in general; sometimes shuts ISPs down completely

Electronic Mailbox Protection Act

ISPs are required to offer spam-blocking software

Recipients of spam have the right to request termination of future spam from the same sender and to bring civil action if necessary


Cyber Crime

Fraud

Intentional deceit or trickery, often with the aim of financial gain

Cyber attack

An electronic attack, either criminal trespass over the Internet (cyber intrusion) or unauthorized access that results in damaged files, programs, or hardware (cyber vandalism)


The Players: Hackers, Crackers, and Other Attackers

Hackers

Original hackers created the Unix operating system and helped build the Internet, Usenet, and World Wide Web, and used their skills to test the strength and integrity of computer systems

Over time, the term hacker came to be applied to rogue programmers who illegally break into computers and networks


The Players: Hackers, Crackers, and Other Attackers (cont.)

Crackers

People who engage in unlawful or damaging hacking; short for “criminal hackers”

Other attackers

“Script kiddies” are ego-driven, unskilled crackers who use information and software (scripts) that they download from the Internet to inflict damage on targeted sites


Internet Security

Cyber attacks are on the rise

Internet connections are increasingly a point of attack

The variety of attacks is on the rise

Why now? Because that’s where the money and information is!


Internet Security (cont.)

Factors that have contributed to the rise in cyber attacks:

Security and ease of use are antithetical to one another

Security takes a back seat to market pressures

Security of an EC site depends on the security of the Internet as a whole

Security vulnerabilities are mushrooming

Security is compromised by common applications


Basic Security Issues

From the user’s perspective:

How can the user be sure that the Web server is owned and operated by a legitimate company?

How does the user know that the Web page and form do not contain some malicious or dangerous code or content?

How does the user know that the Web server will not distribute the information the user provides to some other party?


Basic Security Issues (cont.)

From the company’s perspective:

How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?

How does the company know that the user will not try to disrupt the server so that it is not available to others?


Basic Security Issues (cont.)

From both parties’ perspectives:

How do they know that the network connection is free from eavesdropping by a third party “listening in” on the line?

How do they know that the information sent back and forth between the server and the user’s browser has not been altered?


Basic Security Issues (cont.)

Authorization

The process that ensures that a person has the right to access certain resources

Authentication

The process by which one entity verifies that another entity is who they claim to be by checking credentials of some sort


Basic Security Issues (cont.)

Auditing

The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions

Confidentiality (privacy)


Basic Security Issues (cont.)

Integrity

As applied to data, the ability to protect data from being altered or destroyed in an unauthorized or accidental manner

Availability

Nonrepudiation

The ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature


Exhibit 9.2: General Security Issues at E-Commerce Sites (figure not reproduced in the transcript)


Types of Cyber Attacks

Technical attack

An attack perpetrated using software and systems knowledge or expertise

Nontechnical attack

An attack in which a perpetrator uses chicanery or other form of persuasion to trick people into revealing sensitive information or performing actions that compromise the security of a network


Types of Cyber Attacks (cont.)

Common vulnerabilities and exposures (CVEs)

Publicly known computer security risks or problems; these are collected, enumerated, and shared by a board of security-related organizations (cve.mitre.org)

Denial-of-service (DoS) attack

An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources


Types of Cyber Attacks (cont.)

Distributed denial of service (DDoS) attack

A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer

Malware

A generic term for malicious software


Exhibit 9.3: Using Zombies in a DDoS Attack (figure not reproduced in the transcript)


Types of Cyber Attacks (cont.)

Virus

A piece of software code that inserts itself into a host, including the operating system, to propagate; it cannot run independently but requires that its host program be run to activate it

Worm

A software program that runs independently, consuming the resources of its host from within in order to maintain itself and propagating a complete working version of itself onto another machine


Types of Cyber Attacks (cont.)

Trojan horse

A program that appears to have a useful function but that contains a hidden function that presents a security risk

Two of the better-known Trojan horses: “Back Orifice” and “NetBus”

Self-contained and self-installing utilities that can be used to remotely control and monitor the victim’s computer over a network (execute commands, list files, upload and download files on the victim’s computer)


Trojan Horse Attack on Bugtraq List

BugTraq—a full disclosure moderated mailing list for the detailed discussion and announcement of computer security vulnerabilities:

What they are

How to exploit them

How to fix them


Trojan Horse Attack on Bugtraq List (cont.)

SecurityFocus.com experts have been fooled

Sent the code containing a Trojan horse to its 37,000 BugTraq subscribers

Network Associates server found itself under attack

The way the list is moderated did not change


Security Technologies

Internet and EC security is a thriving business

Firewalls and Access Control

One major impediment to EC is the concern about the security of internal networks

Sidestep the issue by letting third parties host their Web sites

The primary means of access control is the password


Security Technologies (cont.)

Firewall

A network node consisting of both hardware and software that isolates a private network from a public network

Intrusion detection system (IDS)

A special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees


Security Technologies (cont.)

Security risk management

A systematic process for determining the likelihood of various security attacks and for identifying the actions needed to prevent or mitigate those attacks

Assessment

Planning

Implementation

Monitoring


Managerial Issues

How can the global nature of EC impact business operations?

What sorts of legal and ethical issues should be of major concern to an EC enterprise?

What are the business consequences of poor security?


Managerial Issues (cont.)

Are we safe if there are few visitors to our EC site?

Is technology the key to EC security?

Where are the security threats likely to come from?


Summary

Describe the differences between legal and ethical issues in EC

Understand the difficulties of protecting privacy in EC

Discuss the issues of intellectual property rights in EC

Understand the conflict between free speech and censorship on the Internet


Summary (cont.)

Document the rapid rise in computer and network security attacks

Understand the factors contributing to the rise of EC security breaches

Describe the key security issues facing EC sites

Discuss some of the major types of cyber attacks against EC sites

Describe some of the technologies used to secure EC sites