ICT1 - Information: Nature, Role and Context
Topic 10 - Computer Security and Computer Crime
See PowerPoint Presentations on Computer Crime by the class of 2001
Ethics and the Law
Issues of computer crime need to be considered from both a legal and an ethical perspective.
ETHICS is the study of morality - issues of "right" and "wrong". Traditionally, these have been based on religious principles (e.g. the 10 commandments, the parables of Jesus or the Koran). Recently, non-religious moral codes have arisen such as Humanism. In our increasingly secular society, many people have a vague idea of morality based on a "Situationist" philosophy (this is the view that nothing is inherently right or wrong - it all depends on the situation).
Whatever your point of view, a good ethical argument is one that is supported by reason and evidence.
THE LAW differs greatly from country to country. A major impact of the Internet is that people can increasingly circumvent the law in their own country by taking advantage of the fact that national boundaries are almost irrelevant on the Internet. Because of this globalisation, police forces increasingly have to cooperate with each other and there is a movement to harmonise certain areas of the law relating to computer crime. For example, there have been calls for a common European law.
CODES OF ETHICS can be drawn up by professional bodies. What do you think would be included in a code of conduct for teachers or doctors? Organisations such as the British Computer Society have promoted codes of professional ethics covering such issues as:
Computer Crimes
1. Hacking
Hacking is unauthorised access to a computer system.
Hackers circumvent security measures such as password protection.
The extent of hacking is difficult to quantify because so little is detected and, even when it is detected, it is often not reported.
Hacking could pose a threat to national security. In the future, war could be waged on a country by attacking its computers.
Some hacks are relatively harmless pranks.
Case Study - When the Labour Party's web site was hacked into, the photo of Tony Blair was replaced by a photo of his Spitting Image puppet. This was online for some time before the Labour Party noticed. Some notorious hacks have been preserved for posterity at the Archive of Hacked Web Sites.
Other hacks are more sinister - money can be stolen and other wider damage is possible.
Case Study - In 1992 a computer whizz kid, with no more than a standard PC and a modem, managed to take control of the US Navy's Atlantic Fleet. Fortunately he was working for the military at the time - helping them improve their security.
Hacking is now a major issue for business. Unfortunately, many businesses do not report hacks because a company's share price can suffer if it is reported that they are the victim of an attack. Computer companies don't like to report hacks because they don't want it to be thought that their systems are insecure. Every one of the FTSE top 100 companies has been the victim of hackers.
Case Study - Raymond Cheng, President of a computer company in Malaysia, claimed that his system was impenetrable and offered £12,000 to anyone who could hack it. Two hackers (saying it took only minutes) hacked his system and he paid them the money.
2. Theft of Money
Common methods are:
Case Study - British banks were sued by hundreds of customers in 1992 who complained of "phantom withdrawals" from their accounts.
Case Study - A criminal gang rented a shop and set up a fake ATM (cashpoint) machine. Customers inserted their cards and the gang scanned the magnetic strip and recorded the PIN number. The customer got a message that the machine was out of order and the gang made up fake cards that they used in real ATMs to steal money.
3. Theft of Data
Company secrets can be stolen.
Case Study - the recent hack against Microsoft where it was suggested that source code was stolen.
Microsoft Hack - How badly hurt is Microsoft?
Case Study - in 1992 a military officer had his notebook computer stolen. Unfortunately the computer contained top secret plans for the forthcoming Gulf War.
4. Viruses
The first virus appeared at the University of Delaware in 1987. By 1997 there were 9,000 viruses "in the wild".
Viruses attach themselves to an executable file (a program) on the computer. When the program is run, the virus copies itself to other files on the computer. If a floppy disk is inserted in the machine, it can become infected and, if that floppy is put into another machine, the virus will spread to that computer as well. Viruses are usually caught by transferring files by floppy disk and by downloading an infected file from the Internet.
Some viruses will lie dormant until a certain date e.g. Friday 13th when they will then start causing damage. Some viruses cause minimal damage (their intention is to annoy or sometimes even to be amusing). Other viruses are very destructive - files can be corrupted and data lost. A good virus checker, such as Dr Solomon's or Norton Anti Virus is essential. This software should be updated monthly (usually the updates can be downloaded from the Internet).
SARC - Symantec Anti Virus Research Centre
Case Study - The ILOVEYOU virus attached itself to an Email with the subject line "ILOVEYOU". Curious people opened the file attachment and were immediately infected with a virus. The virus then automatically sent itself to every person in the user's Email address book. The virus spread through the world in hours, trashing computers at several major corporations and universities. The media labelled it "The Love Bug" - see the BBC Report.
BBC News Story: Virus Sentence Sends Out Shockwaves
5. Logic Bombs
This involves hacking into a computer of a major corporation and planting a program that will destroy data on the computer. The company is then contacted and blackmailed. The threat is made that, if they don't pay a certain amount of money, the logic bomb will be detonated. If the company pays, the hacker defuses the bomb. Often no bomb has been planted but businesses often pay anyway. Victims have paid up to £13m at a time.
6. Software Piracy
When you buy a computer program, you do not "own" the program. It is someone else's "intellectual property". What you have bought is a licence to use the program on one computer. If you sell the computer, you are supposed to remove all the software first or you have to give up the right to use the software yourself. If you own two computers (e.g. a laptop and a desktop) you are supposed to buy two copies of any software you need.
A "single user licence" allows you to run the software on one computer
A "network licence" allows you to run the software on a specified number of machines
A "site licence" allows you to run the software anywhere on the site
Software piracy involves copying the diskettes or CDs or downloading the software from illegal Internet sites. Software companies guard against piracy by:
Even the software companies themselves have been guilty of piracy e.g. Apple sued Microsoft (unsuccessfully) because they claimed that Microsoft copied the "look and feel" of their operating system. Other companies steal chunks of code from one program to use in their own. Some developers now insert hidden "fingerprints" into the code so they can see if they turn up in a competitor's product.
See FAST - Federation Against Software Theft for more information on piracy.
Case Study - Napster is a free software product that allows Internet users to share MP3 music files with each other. Some musicians have tried (so far unsuccessfully) to get Napster shut down because they say that their intellectual property is being stolen by millions of users who are downloading free music. Napster claim that they do not intend their system to be used in this way - they say they want to help unsigned musicians reach a wider audience by allowing people to sample their music. Napster also claim that there is some evidence that people buy more CDs after using Napster.
Read lots of different views on Napster
Case Study - in some countries the overwhelming majority of computer software sold is "counterfeit" i.e. people are openly selling counterfeit CDs at knock-down prices in high street shops. In 1997, Bill Gates made a plea for Russians to do something about their counterfeit industry. Office 97 was officially retailing at £315 but the average price on the Russian black market was just £3. 91% of software in Russia was said to be pirated. This sort of activity costs the software industry £300m. One stallholder pointed out that Bill Gates makes £18m a month and he said that he didn't feel guilty about what he was doing.

The Law
1. Computer Misuse Act 1990
Makes the following illegal:
2. Copyright Designs and Patents Act 1988
Covers issues of "intellectual property", which includes music, software, literature, art, and photography.
It is illegal to:
3. Defamation Act 1996
If you say something about someone, you should be able to prove it is true.
The Defamation Act worries ISPs because they can be held responsible for what someone writes on a homepage.
Computers Against Crime
Computers are increasingly used by the police to fight crime (not just computer crime). In the past, detectives tracked down criminals by searching through thousands of paper records. For example, the Yorkshire Ripper was interviewed several times by the police but factors which linked him to the crimes were lost in the millions of paper records that were kept. Nowadays, they could use HOLMES (Home Office Large Major Enquiry System) in which police can search databases of past crimes, stolen vehicles, fingerprints, criminal records and suspects. They can query this database to look for common factors e.g. a common modus operandi.
Problems with the police keeping computer records:
Internal and External Threats to IT Systems
Internal threats include:
External threats include:
Case Study - NHSNet is the system used by the NHS to store patients' records. Staff can access the system with a swipe card and there is a firewall between the computer system and the Internet. The NHS says that the system will only be accessed by authorised people who have a clear need to use it and that all operations on the system will be monitored. Others suggest that the sheer number of people who will be using the system will mean that the swipe card system is not a sufficient level of security. Heathcote lists groups of people who might want to steal data from the NHS:
Measures to Protect IT Systems
1. Physical restrictions (e.g. ID badges for employees, an entry control system to the IT department)
2. User IDs and passwords for the company network
3. Access levels (different groups of people have access to different parts of the network)
4. Software on the network that tracks all network activity (e.g. an "audit trail" that tracks who was on what station at what time)
5. Encryption (data is encrypted before being transmitted)
How Encryption Works: http://www.learnthenet.com/english/animate/encrypt.html
6. Backup Procedures
7. Virus checkers
8. Staff training (so that staff know how to use the system and do not, therefore, do accidental damage)
9. In the case of a laptop, it could be given a "boot lock" and sensitive data on the computer could be encrypted.
10. Firewalls and Internet monitoring
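An added example (not part of the original notes) showing how the audit trail in measure 4 can be put to work: it reads a record of who was on what station at what time and flags the same user ID on two stations at once (a sign of a shared or stolen password, measure 2) and logons outside office hours. The log format, user IDs, station names and the 08:00 to 18:00 working day are all assumptions made for the illustration.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample audit trail: user ID, station, logon time, logoff time.
AUDIT_TRAIL = """\
jsmith,STATION-04,2001-03-12 09:02,2001-03-12 12:30
akhan,STATION-07,2001-03-12 09:15,2001-03-12 17:01
jsmith,STATION-11,2001-03-12 11:45,2001-03-12 13:10
mlee,STATION-02,2001-03-12 23:40,2001-03-13 00:25
akhan,STATION-07,2001-03-13 09:05,2001-03-13 16:50
"""

FMT = "%Y-%m-%d %H:%M"
WORK_START, WORK_END = 8, 18  # assumed office hours, 08:00 to 18:00

def parse(trail):
    """Turn each audit line into (user, station, logon, logoff)."""
    sessions = []
    for line in trail.strip().splitlines():
        user, station, on, off = [f.strip() for f in line.split(",")]
        sessions.append((user, station,
                         datetime.strptime(on, FMT), datetime.strptime(off, FMT)))
    return sessions

def concurrent_logons(sessions):
    """Same user ID on two different stations at once: shared or stolen password."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s[0]].append(s)
    findings = []
    for user, items in by_user.items():
        items.sort(key=lambda s: s[2])          # order by logon time
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                # b starts before a has logged off, on a different station
                if b[2] < a[3] and a[1] != b[1]:
                    findings.append((user, a[1], b[1], b[2]))
    return findings

def out_of_hours(sessions):
    """Logons that start outside the assumed working day."""
    return [(u, st, on) for u, st, on, _ in sessions
            if not WORK_START <= on.hour < WORK_END]

if __name__ == "__main__":
    trail = parse(AUDIT_TRAIL)
    for finding in concurrent_logons(trail) + out_of_hours(trail):
        print(finding)
```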
Case Study - PGP (Pretty Good Privacy)
PGP is a software product that encrypts data. It is a way in which Email can be coded so that it can only be read by the intended recipient. Attached files can also be encrypted, as can whole computers.
In the past some governments have banned the export of software like PGP because they fear the security implications of there being codes that they can't crack.
The history of the Enigma Machine and the recent bizarre events, allegedly perpetrated by a man named Yates, are a good illustration of the importance of encryption systems during wartime. See the BBC news report.
Focus on Backup
Online Backup is a system by which all data is stored onto three separate disks (if one disk fails, the transaction is still processed).
Periodic Backup means backing up at specified intervals (e.g. every day). For extra security, the backup tape is often moved to a secure location e.g. a fireproof safe or a completely different building.
Case Study - Backup Online is a system by which data can be backed up onto the Internet (putting data on the Internet means you can be sure you have a backup, even if your house or business burns to the ground).
Internet Issues
Some companies and schools use the Internet through a "firewall" that controls what is accessible on the Internet e.g. a school may have a filtering system so that students cannot access undesirable material.
Businesses also have the incentive to stop employees wasting work time by surfing the Internet for their own amusement. Managers are also worried that employees might be downloading pornography or using the company Email system improperly. There is also a fear of litigation, especially in the United States where some women have sued for "sexual harassment" because they have been sent offensive files or messages.
Case Study - in 1999 the New York Times fired 23 office staff who had been Emailing smutty jokes to each other.