Cybersecurity and Identity Theft Quiz
48 Questions

Questions and Answers

What small business was affected by the Target Security Breach in Fall 2013?

  • Eastside Mechanical
  • Fazio Mechanical (correct)
  • Western Cooling Solutions
  • Smith Refrigeration

Which demographic is most commonly victimized by identity theft?

  • 18-29 year-olds (correct)
  • 30-45 year-olds
  • 50-65 year-olds
  • Children under 18

What is phishing?

  • Malware that disables a user's computer
  • Requests for personal information disguised as legitimate communication (correct)
  • A technique to physically steal credit cards
  • Voice phishing over the phone

Which of the following actions can lead to security breaches?

  • Poorly written software (A)

What is the potential consequence for small businesses after a security breach?

  • They often go out of business (C)

What is pharming in the context of identity theft?

  • Creating false websites to gather information (D)

What is a significant risk factor for identity theft related to E-commerce?

  • Increased anonymity in online transactions (D)

Which method is used to deceive individuals via text messages to obtain personal information?

  • Smishing (B)

What does the Computer Fraud and Abuse Act (CFAA) primarily address?

  • Unauthorized access to computers (C)

How did the USA PATRIOT Act modify the consequences of hacking?

  • It expanded the definition of loss to include response costs. (A)

Which method do security professionals NOT use to catch hackers?

  • Inviting hackers to prison (B)

What is one common outcome for young hackers who are caught?

  • They often receive fines and probation. (D)

What was a significant change in the treatment of young hackers by the year 2000?

  • A young hacker received time in juvenile detention for the first time. (B)

How do investigators often trace hacking attacks?

  • Using ISP records and router logs. (A)

What difficulty arises in sentencing young hackers?

  • There is temptation to over or under punish them. (D)

What is the primary purpose of white hat hackers?

  • To demonstrate system vulnerabilities and enhance security (B)

What element is NOT part of the CFAA's expanded coverage?

  • Social networks (C)

What stance has the Pentagon taken regarding certain cyber attacks?

  • They may respond with military force to some cyber attacks (A)

What type of system did Stuxnet specifically target?

  • Control systems in uranium enrichment (C)

Which factor does NOT contribute to security weaknesses?

  • The effectiveness of security tools (D)

What is a common use of firewalls in security?

  • To monitor and block suspicious communications (A)

Who is responsible for maintaining system security?

  • Developers, businesses, and home users (B)

What did historical attitudes toward security initially fail to account for?

  • The risks associated with open access to the Internet (A)

What is the main issue with the security measures implemented in response to hacking?

  • Security often reacts to vulnerabilities after they are discovered (D)

What definition best describes hacking in its original context during the early 1960s to 1970s?

  • Creative programming characterized by clever coding. (C)

Which phase marks the transition of hacking from a positive to a negative connotation?

  • 1970s to mid 1990s. (D)

Which of the following is an example of hacktivism?

  • A group of hackers promoting political causes through cyber attacks. (B)

What significant risk is associated with 'harmless hacking'?

  • It may accidentally cause significant damage. (D)

What is a common consequence of the growth of the Web on hacking practices?

  • Rapid propagation of viruses and worms. (B)

Which activity is specifically associated with 'phone phreaking'?

  • Unauthorized access to phone networks. (A)

What is a serious concern regarding large-scale theft of information as seen in recent hacking incidents?

  • It can lead to personal and financial ruin for individuals. (C)

What differentiates hacktivism from vandalism?

  • Intent and purpose behind the hacking action. (B)

What is one method used to authenticate customers and prevent the use of stolen numbers?

  • Not displaying full card numbers on receipts (B)

What is the purpose of a fraud alert in the context of identity theft?

  • To flag the credit report in case of stolen information (C)

What technology is used to securely store data so that it becomes useless if stolen?

  • Encryption (D)

Which of the following is a characteristic of biometric systems?

  • They are based on biological characteristics unique to an individual (A)

What can happen to corporations that operate in multiple countries regarding legal compliance?

  • They must comply with the laws of all involved countries (C)

What was the legal issue faced by Yahoo regarding the sale of Nazi memorabilia?

  • Whether French law should apply to Yahoo's servers in the U.S. (C)

What is a service designed to protect the user's credit card information during online transactions?

  • PayPal acting as a third party (B)

What is one disadvantage of authenticating customers more stringently when preventing the use of stolen numbers?

  • It might trade convenience for security (D)

What is one principle that suggests publishers must block access to illegal material in certain countries?

  • Responsibility-to-prevent-access (D)

Which of the following describes a limitation of the WTO agreement regarding cross-border services?

  • It does not address legality differences in services. (B)

What ethical dilemma arises when a majority supports prohibitions on certain content?

  • The balance between majority rule and minority rights. (B)

What action can the government of Country A take regarding illegal material?

  • Block illegal material at its borders. (D)

What is meant by 'respecting cultural differences' in the context of law and ethics?

  • Considering cultural values while navigating legal frameworks. (B)

What can be inferred about the dissemination and sale of copyrighted educational work?

  • It undermines the integrity of the original work. (D)

How does the international community often resolve discrepancies in laws regarding online content?

  • By creating international agreements. (A)

What is one potential consequence of a country blocking access to legal content from another country?

  • Limitations on access to diverse ideas and information. (C)

Flashcards

White hat hackers

Security researchers who use skills to find system vulnerabilities and improve security.

Stuxnet

A sophisticated worm targeting control systems; damaged uranium enrichment plant equipment in Iran.

Hacking (early definition)

Creative programming, leading to clever code, in the early 1960s to 1970s.

Cyber Attacks as Acts of War

The Pentagon considers some cyberattacks as acts of war, possibly leading to military response.

Security Weaknesses

Various factors contribute to security issues, including: internet history, complex systems, fast app development, economics, and human behavior.

Hacking (later definition)

Unauthorized access to computer systems, a negative term, involving malicious activity, in the late 1970s to mid 1990s.

Hacking (modern definition)

Includes spreading viruses/worms, phone phreaking, and later, web/mobile-based hacking, such as hacktivism or denial-of-service (DoS) attacks, beginning in the mid-1990s.

Internet Origins

Early internet design prioritized open access, sharing information, and research, creating initial security vulnerabilities.

Hacktivism

Using hacking to promote a political cause.

Developer Responsibility

Developers should prioritize security throughout the development process.

Business Security Responsibility

Businesses need to use security measures and monitor systems to prevent attacks.

Denial-of-service (DoS) attack

A cyberattack that overwhelms a website or server, making it unavailable to users.

User Security Responsibility

Home users need to be security-aware, understand tools like firewalls, and use anti-virus/spyware.

Unauthorized access

Accessing a computer system without permission.

Harmless hacking

Hacking that is not malicious or intended to cause damage, but that still uses resources unnecessarily.

Computer security

Measures put in place to protect computer systems from unauthorized access.

Computer Fraud and Abuse Act (CFAA)

A US law that criminalizes accessing computers without authorization, targeting government, financial, and medical systems, and activities involving computers across multiple states.

CFAA targets (examples)

Government computers, financial and medical systems, activities involving computers across multiple states (including those connected to the internet).

Unauthorized computer access

Accessing a computer system without the owner's permission, considered illegal under the CFAA.

Expanding the definition of loss

The USA PATRIOT Act expanded the definition of loss to include costs beyond just direct financial harm, for example, the response time, assessment, and restoration efforts required after an attack.

Catching hackers

Law enforcement uses various methods like undercover work, analyzing newsgroups and other archives, using honey pots (websites that attract hackers), computer forensics, and examining ISP and router records to track and catch hackers.

Honey Pots

Web sites set up to attract hackers without being harmful. These websites allow law enforcement and security professionals to record and study hacker behavior without facing real harm to systems.

Computer forensics specialists

Experts who recover evidence from computers, often even after files are deleted or disks are erased.

Young hackers' penalties

Sentencing often involves probation, community service, or fines for young hackers, depending on their intent and the damage done.

Encryption

The process of converting information into a code, making it unreadable without a key, protecting sensitive data.

Fraud Alert

A notification that warns potential creditors of suspected identity theft, making it harder for thieves to open new accounts in your name.

Biometrics

Using unique biological traits for identification, such as fingerprints or facial recognition.

Customer Authentication

Verifying a customer's identity to prevent unauthorized access, creating security and reducing fraud.

PayPal

A third-party service enabling online payments without revealing your credit card details to merchants.

Whose Laws Rule the Web?

The question of which country's laws apply to online actions, especially when they cross borders.

Fazio Mechanical

A small business specializing in supermarket refrigeration systems that was targeted in a major data breach in 2013.

Yahoo and French Censorship

A legal case where Yahoo faced prosecution in France for allowing access to Nazi memorabilia on its US-based websites, even though it's legal in the US.

Phishing

An attack in which criminals send emails disguised as legitimate business communication to steal personal and financial information.

Legal Issue: Jurisdiction Online

Determining which country's laws apply to online actions, especially when a website or service is based in one country but accessed by users in another.

Smishing

Similar to phishing, but the attack is carried out through text messages.

Vishing

A phone-based version of phishing, where criminals call victims pretending to be from a legitimate organization to steal information.

Pharming

An attack in which criminals plant false URLs in Domain Name Servers to redirect users to fake websites designed to steal personal and financial information.

Identity Theft

A crime in which criminals use the identity of an unknowing person to commit fraud.

Credit Card Fraud

A type of identity theft involving the illegal use of a credit card.

Why are small businesses vulnerable to security breaches?

Small businesses often can't afford a security staff, are gateways to larger systems, and may face financial ruin after a breach.

Respecting Cultures vs. Laws

There's a difference between respecting diverse cultures and accepting all laws. Ethical questions arise when majority laws restrict minority rights, like free speech, religion, etc.

WTO Agreement on Trade

The World Trade Organization (WTO) agreement discourages countries from blocking their citizens from buying legal services from other countries.

Responsibility-to-Prevent-Access

This principle says publishers should prevent access to content in countries where it's illegal.

Authority-to-Prevent Entry

A country can try to block illegal content entering its borders, but cannot enforce its laws on creators/publishers in other countries.

International Agreements on Online Content

Resolving conflicts between different countries' online content laws is challenging. International agreements and alternative principles are being explored.

Ethical Considerations for Online Content

Balancing freedom of expression and cultural values is crucial in online content regulation. Striking a balance between rights and responsibilities is key.

Challenges of Global Online Content

Different countries have different laws and values, making it difficult to regulate online content globally.

Finding Solutions for Global Content

Finding solutions for online content differences between countries includes international agreements, responsibility-to-prevent-access, and authority-to-prevent entry.

Study Notes

Chapter 5: Crime and Security

  • The chapter covers hacking, identity theft, and laws governing the web.

What We Will Cover

  • Hacking
  • Identity theft and credit card fraud
  • Whose laws rule the web

Hacking (1 of 17)

  • Intentional unauthorized access to computer systems.
  • The term "hacking" has evolved over time.
  • Phase 1 (1960s-1970s): "Hacking" was a positive term, referring to creative programmers and clever code.
  • Phase 2 (1970s-mid 1990s): "Hacking" took on negative connotations associated with unauthorized access and spreading computer viruses/worms.
  • Phase 3 (mid 1990s to present): The growth of the web and mobile devices led to new hacking techniques. Increased spread of viruses/worms, political hacking (hacktivism), denial-of-service (DoS) attacks, and large-scale theft of financial/personal information became prominent.

Hacking (4 of 17)

  • Is "harmless hacking" harmless?
  • Responding to nonmalicious hacking still uses resources.
  • Hacking can cause accidental, significant damage.
  • Most hacking is a form of trespass.

Hacking (5 of 17)

  • Hacktivism (political hacking): Use of hacking to promote a political cause.
  • Debates exist about whether it is a form of civil disobedience.
  • Some actors hide criminal activities under a mask of hacktivism.
  • Determining the difference between hacktivism and vandalism remains a challenge.

Hacking (6 of 17)

  • Hackers as security researchers ("White Hat Hackers"): Use their skills to demonstrate system vulnerabilities.
  • Aim is to improve system security.

Hacking (7 of 17)

  • Hacking as foreign policy.
  • The increase in government hacking.
  • Potential for cyber attacks to be viewed as acts of war, prompting potential military responses.
  • Need for making critical systems more secure.

Hacking (8 of 17)

  • Stuxnet: An extremely sophisticated worm targeting specific control systems.
  • Damaged equipment in a uranium enrichment plant in Iran (2008).

Hacking (9 of 17)

  • Security: Hacking is a problem, but so is poor security.
  • Factors contributing to security weaknesses:
    • History of the internet and the web
    • Complexity of computer systems
    • Speed of new application development
    • Economic and business factors
    • Human nature

Hacking (10 of 17)

  • Internet's openness as a means of information sharing.
  • Attitudes toward security were slow to catch up with the risks of these systems.
  • Use of firewalls to monitor/filter communication from untrusted sources.
  • Cybersecurity is reactive to vulnerabilities as they are discovered and exploited.

Hacking (11 of 17)

  • Responsibility for security:
    • Developers: Develop systems with security as a goal.
    • Businesses: Use security tools and monitor their systems.
    • Home users: Educate themselves and use security tools.

Hacking (12 of 17)

  • Discussion questions:
    • Is hacking that has no direct damage a victimless crime?
    • Is hiring former hackers to improve security a good or bad idea and why?

Hacking (13 of 17)

  • The Law: Catching and punishing hackers.
  • 1984: The Computer Fraud and Abuse Act (CFAA).
    • Covers computers of government, finance, and medicine that connect to the internet.
    • Accessing a computer without authorization is illegal under the CFAA.
    • The USA PATRIOT Act expanded the definition of loss to include the cost of responding to an attack, assessing damage, and restoring systems.

Hacking (14 of 17)

  • Catching Hackers.
  • Law enforcement use of hacker newsletters and undercover techniques.
  • Identifying hackers by tracking online handles (newsgroup/archives).
  • Use of "honey pots" (web sites) to attract hackers for study and record.
  • Computer forensics for retrieving evidence from computers.
  • Tracking hacking attacks using ISP records and router logs.

Hacking (15 of 17)

  • Penalties for young hackers:
    • Many young hackers mature and become productive and responsible.
    • Sentencing depends on intent and damage done.
    • Probation, community service, and/or fines are typical penalties.
    • Juvenile detention is rare for young hackers.

Hacking (16 of 17)

  • Criminalizing virus writing and hacker tools: Is this a good idea and why?

Hacking (17 of 17)

  • Expansion of the Computer Fraud and Abuse Act (CFAA) to encompass newer/sophisticated ways to access and gather information.
  • Use of the CFAA to prosecute companies/individuals for unauthorized information gathering and data collection.
  • Is violating terms of agreement a form of hacking?

Small Business Insecurity (1 of 2)

  • Fazio Mechanical: Specialized in supermarket refrigeration systems, an example of small business insecurity.
  • The Target security breach (2013) exposed how small businesses that are gateways to larger systems can lead to large-scale data breaches.
  • A breach could lead to the closure of affected small businesses.

Small Business Insecurity (2 of 2)

  • Small businesses often lack resources for security staff.
  • They are often gateways to larger systems.
  • Often go out of business after a breach.

Security

  • Security breaches are often due to poorly written software and poorly configured networks/applications.
  • Security researchers/Cybersecurity professionals deal with whistle-blowing versus responsible disclosure.

Identity Theft and Credit Card Fraud (1 of 5)

  • Identity theft: Criminals use an unknowing individual's identity.
  • Common victims are young adults (18-29).
  • E-commerce makes stealing/using card numbers easier without a physical card.

Identity Theft and Credit Card Fraud (2 of 5)

  • Techniques used to steal information include:
    • Phishing (email)
    • Smishing (text messaging)
    • Vishing (voice phishing)
    • Pharming (false websites)

Identity Theft and Credit Card Fraud (3 of 5)

  • Responses to identity theft include:
    • Authentication of email and websites.
    • Encryption to secure data.
    • Authenticating customers to prevent stolen numbers.
    • Fraud alerts to flag credit reports.

Identity Theft and Credit Card Fraud (4 of 5)

  • Responses to identity theft (continued):
    • Activation for new credit cards.
    • Retailers not printing full card numbers/expiration dates.
    • Software that detects unusual spending.
    • Services like PayPal prevent direct credit card information exchange.

Identity Theft and Credit Card Fraud (5 of 5)

  • Biometrics: Unique physiological characteristics.
  • No external item can be stolen; useful for highly secured areas (e.g., airports).
  • Systems are becoming more sophisticated to prevent being fooled.

Whose Laws Rule the Web (1 of 8)

  • Laws vary between countries.
  • Corporations doing business in multiple countries must comply with the laws in each country involved.
  • Actions legal in one country could be illegal in another.

Whose Laws Rule the Web (2 of 8)

  • Yahoo and French censorship.
  • Yahoo was sued because French citizens could access Nazi memorabilia on its websites, although the websites were in the US, not France.
  • Whether French law applied was in question.

Whose Laws Rule the Web (3 of 8)

  • Applying US copyright law to foreign companies.
  • A Russian company circumvented controls embedded in electronic books.
  • The program, even if legal in Russia, was illegal in the US.
  • The author, Dmitry Sklyarov, was arrested; after protests, he was able to return to Russia.

Whose Laws Rule the Web (4 of 8)

  • Arresting executives of online gambling and payment companies.
  • A British executive was arrested in Dallas while changing planes.
  • The executive's action did not directly break US law, since sports betting in Britain is considered acceptable under British law.

Whose Laws Rule the Web (5 of 8)

  • Libel, speech, and commercial law.
  • Exact laws and associated penalties vary between countries.
  • The burden of proof differs in libel cases.

Whose Laws Rule the Web (6 of 8)

  • Libel tourism practices.
  • Traveling to a country with stricter libel laws in order to pursue a legal action.
  • The SPEECH Act of 2010 makes foreign libel judgments unenforceable in the US, and does not violate the 1st Amendment.
  • Foreign governments retain the ability to seize assets.
  • Cases that take time in court may require numerous trips, with the associated travel costs.
  • Freedom of speech is restricted when companies adhere to laws from the most restrictive countries.

Whose Laws Rule the Web (7 of 8)

  • Some countries have strict regulations on commercial speech and advertising.

Whose Laws Rule the Web (8 of 8)

  • Discussion questions:
    • Suggest solutions for resolving issues that arise from differing laws in various countries.
    • Suggest what is likely to work, and what is likely to fail.

Culture, Law, and Ethics

  • Respecting cultural differences is not equivalent to respecting laws.
  • If a majority of people support restrictions on content in a given country, does it make sense to then violate the basic human rights of minorities around the world?

Potential Solutions (1 of 2)

  • International agreements between countries, particularly those related to the World Trade Organization (WTO), might help.
  • The WTO does not help when a specific product, service, or piece of information is legal in one country and not another.

Potential Solutions (2 of 2)

  • Alternative principles.
    • Responsibility-to-Prevent-Access: Publishers must restrict access to material/services.
    • Authority-to-Prevent-Entry: Country A can act within its borders, but may not be able to enforce its laws on Country B, even when the action is illegal in Country A.

Description

Test your knowledge on the impacts of cybersecurity, particularly focusing on identity theft and security breaches. This quiz covers essential concepts such as phishing, pharming, and the legal frameworks that address hacking. Learn about the risks facing small businesses and the demographic trends in identity theft.
