Ethics for the Information Age, Chapter 7, Computer and Network Security

Ethics for the Information Age Eighth Edition Chapter 7 Computer and Network Security Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Learning Objectives 7.1 Introduction 7.2 Hacking 7.3 Malware 7.4 Cyber crime and cyber attacks 7.5 Online voting Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved 7.1 Introduction Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved 7.1 Introduction Increasing use of computers → growing importance of computer security Harmful consequences of lack of security – Stolen information – Extortion Computers and networks can be weaponized, allowing attacks on cyber infrastructure of governments and organizations Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved 7.2 Hacking Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Hackers, Past and Present Original meaning of hacker: explorer, risk taker, system innovator – MIT’s Tech Model Railroad Club in 1950s 1960s-1980s: Focus shifted from electronics to computers and networks – 1983 movie WarGames Modern meaning of hacker: someone who gains unauthorized access to computers and computer networks Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Obtaining Login Names, Passwords Eavesdropping Dumpster diving Social engineering Brute-force searches Dictionary attacks Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Password Dos and Don’ts Do not use short passwords. Do not rely solely on words from the dictionary. Do not rely on substituting numbers for letters. Do not reuse passwords. Give ridiculous answers to security questions. Enable two-factor authentication if available. Have password recoveries sent to a secure email address. Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Computer Fraud and Abuse Act Criminalizes wide variety of hacker-related activities – Transmitting code that damages a computer – Accessing any Internet-connected computer without authorization – Transmitting classified government information – Trafficking in computer passwords – Computer fraud – Computer extortion Maximum penalty: 20 years in prison and $250,000 fine Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Electronic Communications Privacy Act Illegal to intercept … – Telephone conversations – Email – Any other data transmission Crime to access stored email messages without authorization Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved FBI and the Locked iPhone (1 of 3) December 2015 – Syed Rizwan Farook and Tashfeen Malik killed 14, wounded 22 others at holiday gathering in San Bernardino, California – Malik pledged allegiance to the Islamic State – Farook and Malik died in shootout with police – FBI recovered Malik’s work-issued iPhone 5C, but it was locked Built-in security features of iPhone 5C – All personal data encrypted – After 10 consecutive incorrect passcode entry attempts, encryption key deleted, rendering all personal data inaccessible – When incorrect passcodes are entered, delay introduced between passcode entry attempts Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved FBI and the Locked iPhone (2 of 3) February 2016 – FBI asked Apple to create a new version of iOS that disabled the passcode security features – Apple refused to cooperate – FBI convinced a US magistrate to issue an order for Apple to comply Apple’s argument – If “backdoor” version of iOS that disabled security features fell into wrong hands, criminals would be able to unlock any iPhone – All iPhone users would be harmed Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved FBI and the Locked iPhone (3 of 3) Department of Justice’s argument – Apple could maintain custody of software – Apple could destroy software after being used by F BI March 2016 – Department of Justice withdrew request, declared it had gotten into locked iPhone – Inspector General of DoJ later determined FBI had made request of Apple before exploring whether FBI had means to unlock iPhone – Skeptics claimed FBI more interested in getting legal precedent than gaining access to Farook’s data Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Sidejacking Sidejacking: hijacking of an open Web session by capturing a user’s cookie Sidejacking possible on unencrypted wireless networks because many sites send cookies “in the clear” Internet security community complained about sidejacking vulnerability for years, but ecommerce sites did not change practices Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Case Study: Firesheep October 2010: Eric Butler released Firesheep extension to Firefox browser Firesheep made it possible for ordinary computer users to easily sidejack Web sessions More than 500,000 downloads in first week Attracted great deal of media attention Early 2011: Facebook and Twitter announced options to use their sites securely Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Act Utilitarian Analysis Release of Firesheep led media to focus on security problem Benefits were high: a few months later Facebook and Twitter made their sites more secure Harms were minimal: no evidence that release of Firesheep caused big increase in identity theft or malicious pranks Conclusion: Release of Firesheep was good Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Virtue Ethics Analysis By releasing Firesheep, Butler helped public understand lack of security on unencrypted wireless networks Butler’s statements characteristic of someone interested in protecting privacy Butler demonstrated courage by taking responsibility for the program Butler demonstrated benevolence by making program freely available His actions and statements were characteristic of someone interested in the public good Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Kantian Analysis (1 of 2) Accessing someone else’s user account is an invasion of their privacy and is wrong Butler provided a tool that made it much simpler for people to do something that is wrong, so he has some moral accountability for their misdeeds Butler was willing to tolerate short-term increase in privacy violations in hope that media pressure would force Web retailers to add security He treated victims of Firesheep as a means to his end It was wrong for Butler to release Firesheep Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved 7.3 Malware Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Viruses Virus: Piece of self-replicating code embedded within another program (host) Viruses associated with program files – Hard disks, floppy disks, CD-ROMS – Email attachments How viruses spread – Diskettes or CDs – Email – Files downloaded from Internet Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved One Way a Virus Can Replicate (a) A computer user executes program P, which is infected with a virus. (b) The virus code begins to execute. It finds another executable program Q and creates a new version of Q infected with the virus. (c) The virus passes control to program P. The user, who expected program P to execute, suspects nothing Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Email Attachment with Possible Virus Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved How an Email Virus Spreads A computer user reads an email with an attachment (1). The user opens the attachment, which contains a virus (2). The virus reads the user’s email address book (3). The virus sends emails with virus-containing attachments (4). Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Antivirus Software Packages Allow computer users to detect and destroy viruses Must be kept up-to-date to be most effective Many people do not keep their antivirus software packages up-to-date Consumers need to beware of fake antivirus applications Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Worm Self-contained program Spreads through a computer network Exploits security holes in networked computers Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Worm Propagation A worm spreads to other computers by exploiting security holes in computer networks. Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved The Internet Worm Robert Tappan Morris, Jr. – Graduate student at Cornell – Released worm onto Internet from MIT computer Effect of worm – Spread to significant numbers of Unix computers – Infected computers kept crashing or became unresponsive – Took a day for fixes to be published Impact on Morris – Suspended from Cornell – 3 years’ probation + 400 hours community service – $150,000 in legal fees and fines Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Ethical Evaluation (1 of 2) Kantian evaluation – Morris used others by gaining access to their computers without permission Social contract theory evaluation – Morris violated property rights of organizations Utilitarian evaluation – Benefits: Organizations learned of security flaws – Harms: Time spent by those fighting worm, unavailable computers, disrupted network traffic, Morris’s punishments Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Ethical Evaluation (2 of 2) Virtue ethics evaluation – Morris selfishly used Internet as experimental lab – He deceitfully released worm from M I T instead of Cornell – He avoided taking responsibility for his actions Morris was wrong to have released the Internet worm Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Sasser Worm Launched in April 2004, infected 18 million computers Disrupted operations at Delta Airlines, European Commission, Australian railroads, British coast guard German juvenile Sven Jaschan confessed to crime Sentenced to 30 hours of community service and 18 months’ probation Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Instant Messaging Worms Choke and Hello (2001) Kelvir (2005) – Reuters had to remove 60,000 subscribers from its instant messaging service Palevo (2010) – Spread through Romania, Mongolia, Indonesia Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Conficker Worm Conficker (a.k.a. Downadup) worm appeared 2008 on Windows computers Millions of copies of worm are circulating among computers running older software without appropriate security patches – Often legacy systems in factories or health-care facilities Purpose of worm seems to be simply to propagate Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Cross-Site Scripting Another way malware may be downloaded without user’s knowledge Problem appears on Web sites that allow people to read what others have posted Attacker injects client-side script into a Web site Victim’s browser executes script, which may steal cookies, track user’s activity, or perform another malicious action Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Drive-By Downloads Unintentional downloading of malware caused by visiting a compromised Web site Also happens when Web surfer sees pop-up window asking permission to download software and clicks “Okay” Google Anti-Malware Team says 1.3 percent of queries to Google’s search engine return a malicious U R L somewhere on results page Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Trojan Horses and Backdoor Trojans Trojan horse: Program with benign capability that masks a sinister purpose Backdoor Trojan: Trojan horse that gives attack access to victim’s computer Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Ransomware Definition: Malware designed to extort money from victim How installed – Drive-by download – Trojan Horse – Email attachment – Other means Early versions accused victims of illegal activities, demanded “fines” Modern versions encrypt all files on victim’s computer and demand payment in return for decryption key Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Rootkits Rootkit: A set of programs that provides privileged access to a computer Activated every time computer is booted Uses security privileges to mask its presence Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Spyware and Adware Spyware: Program that communicates over an Internet connection without user’s knowledge or consent – Monitor Web surfing – Log keystrokes – Take snapshots of computer screen – Send reports back to host computer Adware: Type of spyware that displays pop-up advertisements related to user’s activity Backdoor Trojans often used to deliver spyware and adware Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Bots Bot: A kind of backdoor Trojan that responds to commands sent by a command-and-control program on another computer First bots supported legitimate activities – Internet Relay Chat – Multiplayer Internet games Other bots support illegal activities – Distributing spam – Collecting person information for ID theft – Denial-of-service attacks Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Bots and Botnets Bot: Type of backdoor Trojan that responds to commands from a command-and-control program on another computer Botnet: Collection of bot-infected computers controlled by the same command-and-control program Some botnets have over a million computers in them Bot herder: Someone who controls a botnet Uses of botnets – Distribute spam – Launch distributed denial-of-service attacks Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Protecting Your Internet-Connected Devices Make sure you’ve installed latest security patches. Install anti-malware tools on your computer. Before buying an Internet-connected device, see if manufacturer is taking reasonable security precautions. Immediately change the default password of devices you connect to the Internet. Choose a different password for each of your devices. Consider replacing insecure Internet-of-Things devices. Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Security Risks of “Bring Your Own Device” 87% of U S companies rely on employees accessing mobile business aps from their personal smartphones Benefits of “Bring Your Own Device” – Employers reduce hardware, software expenditures – Increased productivity and job satisfaction of employees Potential harms of “Bring Your Own Device” – Company data may be compromised if device stolen – Insecure device can make company vulnerable to data breach Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved “Bring Your Own Device” Policy Questions What are the security standards for personal devices (password requirements, anti-malware packages, etc.)? What applications can employees run from their devices? What level of support will company’s I T department provide? Does the company have right to erase all data from a personal device that has been stolen? When employees leave company, how will company data be removed from their devices? Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved 7.4 Cyber Crime and Cyber Attacks Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Phishing and Spear-Phishing Phishing: Large-scale effort to gain sensitive information from gullible computer users – At least 124,000 phishing attacks globally in second half of 2014 – New development: phishing attacks on Chinese e- commerce sites Spear-phishing: Variant of phishing in which email addresses chosen selectively to target particular group of recipients Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved SQL Injection Method of attacking a database-driven Web application with improper security Attack inserts (injects) S Q L query into text string from client to application Application returns sensitive information Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Denial-of-Service and Distributed Denial-of-Service Attacks Denial-of-service attack: Intentional action designed to prevent legitimate users from making use of a computer service Aim of a D o S attack is not to steal information but to disrupt a server’s ability to respond to its clients Distributed denial-of-service attack: D o S attack launched from many computers, such as a botnet Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Internet-of-Things Devices Co-opted for DDoS Attack DDoS attack of October 21, 2016 on domain name service provider Dyn – Netflix, Twitter, Spotify, Reddit, PayPal, Pinterest, CNN, Fox News, the Guardian, the New York Times, the Wall Street Journal unreachable for several hours Attack launched by Mirai botnet, perhaps 100,000 devices – Network routers – Security cameras – Baby monitors IoT devices easy to co-opt – Many people never change default passwords – Some devices have no password protection Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Cyber Crime Criminal organizations making significant amounts of money from malware Jeanson James Ancheta Pharmamaster Albert Gonzalez Avalanche Gang Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved The Rise and Fall of Blue Security Part I: The Rise : Blue Security: An Israeli company selling a spam deterrence system Blue Frog bot would automatically respond to each spam message with an opt-out message Spammers started receiving hundreds of thousands of opt-out messages, disrupting their operations 6 of 10 of world’s top spammers agreed to stop sending spam to users of Blue Frog Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved The Rise and Fall of Blue Security Part II: The Fall One spammer (PharmaMaster) started sending Blue Frog users 10-20 times more spam PharmaMaster then launched D D o S attacks on Blue Security and its business customers Blue Security could not protect its customers from D D o S attacks and virus-laced emails Blue Security reluctantly terminated its anti-spam activities Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Politically Motivated Cyber Attacks Estonia (2007) Georgia (2008, 2009) Exiled Tibetan Government (2009) United States and South Korea (2009) Iran (2009) Espionage attributed to People’s Liberation Army Anonymous Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Attacks on Twitter and Other Social Networking Sites Massive D D o S attack made Twitter service unavailable for several hours on August 6, 2009 Three other sites attacked at same time: Facebook, LiveJournal, and Google All sites used by a political blogger from the Republic of Georgia Attacks occurred on first anniversary of war between Georgia and Russia over South Ossetia Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Fourth of July Attacks 4th of July weekend in 2009: D D o S attack on governmental agencies and commercial Web sites in United States and South Korea Attack may have been launched by North Korea in retaliation for United Nations sanctions Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Supervisory Control and Data Acquisition (SCADA) Systems Industrial processes require constant monitoring Computers allow automation and centralization of monitoring Today, SCADA systems are open systems based on Internet Protocol – Less expensive than proprietary systems – Easier to maintain than proprietary systems – Allow remote diagnostics Allowing remote diagnostics creates security risk Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved SCADA Systems Carry Security Risks Internet-based supervisory control and data acquisition (S CADA) systems can save money and make systems easier to administer, but they also carry security risks. (Dave and Les Jacobs/Kolostock/Blend Images) Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Stuxnet Worm (2009) Attacked SCADA systems running Siemens software Targeted five industrial facilities in Iran that were using centrifuges to enrich uranium Caused temporary shutdown of Iran’s nuclear program United States and Israel cooperated to develop and launch the worm Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Cyber Espionage Attributed to People’s Liberation Army Hundreds of computer security breaches over a decade in more than a dozen countries investigated by Mandiant Hundreds of terabytes of data stolen Mandiant blamed Unit 61398 of the People’s Liberation Army China’s foreign ministry stated that accusation was groundless and irresponsible US government disclosed in 2015 that SSNs and other personal information from 22 million Americans stolen from Office of Personnel Management computers Prime suspect: Unit 61398 of People’s Liberation Army Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Anonymous Anonymous: loosely organized international movement of hacktivists (hackers with a social or political cause) Various DDoS attacks attributed to Anonymous members Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Actions Attributed to Anonymous Year Victim Reason 2008 Church of Scientology Attempted suppression of Tom Cruise interview 2009 RIAA, MPAA RIAA, MPAA’s attempt to take down the Pirate Bay 2009 PayPal, VISA, Financial organizations freezing funds flowing MasterCard to Julian Assange of WikiLeaks 2012 U.S. Dept. of Justice, U.S. Dept. of Justice action against RIAA, MPAA Megaupload 2013 Israel Protest Israeli treatment of Palestinians 2014 City of Cleveland Protest killing of 12-year-old Tamir Rice by a Cleveland police officer 2015 Jihadist groups Terrorist attack on Paris office of Charlie Hebdo magazine Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Convictions of Anonymous Members Dozens of people around the world have been arrested for participation in Anonymous cyber attacks Dmitriy Guzner (Church of Scientology attacks): 366 days in prison and $37,500 in restitution Brian Mettenbrink (Church of Scientology attacks): 1 year in prison and $20,000 in restitution Jake Davis (Sony Pictures attacks): 2 years in prison Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved 7.5 Online Voting Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Motivation for Online Voting 2000 U.S. Presidential election closely contested Florida pivotal state Most Florida counties used keypunch voting machines Two voting irregularities traced to these machines – Hanging chad – “Butterfly ballot” in Palm Beach County Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved The Infamous “Butterfly Ballot” The layout of the “butterfly ballot” apparently led thousands of Palm Beach County, Florida, voters supporting candidate Al Gore to punch the hole associated with Pat Buchanan by mistake. (AP Photo/Gary I. Rothstein) Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Benefits of Online Voting More people would vote Votes would be counted more quickly No ambiguity with electronic votes Cost less money Eliminate ballot box tampering Software can prevent accidental over-voting Software can prevent under-voting Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Risks of Online Voting Gives unfair advantage to those with home computers More difficult to preserve voter privacy More opportunities for vote selling Obvious target for a DDoS attack Security of election depends on security of home computers Susceptible to vote-changing virus or remote access Trojan Susceptible to phony vote servers No paper copies of ballots for auditing or recounts Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Utilitarian Analysis Suppose online voting replaced traditional voting Benefit: Time savings – Assume 50% of adults actually vote – Suppose voter saves 1 hour by voting online – Average pay in U.S. is $21.00/hour – Time savings worth $10.50 per adult American Harm of DDoS attack difficult to determine – What is probability of a DDoS attack? – What is the probability an attack would succeed? – What is the probability a successful attack would change the outcome of the election? Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Kantian Analysis (2 of 2) The will of each voter should be reflected in that voter’s ballot The integrity of each ballot is paramount Ability to do a recount necessary to guarantee integrity of each ballot There should be a paper record of every vote Eliminating paper records to save time and/or money is wrong Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Conclusions Existing systems are highly localized Widespread tainting more possible with online system No paper records with online system Evidence of tampering with online elections Relying on security of home computers means system vulnerable to fraud All in all, strong case for not allowing online voting Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Summary We all have something to lose if computer systems are insecure Security often a trade-off between safety and convenience Many ways for personal computers to become infected with malware New twist: malware infecting Internet-of-Things devices Cyber attacks becoming more common – at what point does a cyber attack become an act of war? Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved Copyright This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials. Copyright © 2020, 2017, 2015 Pearson Education, Inc. All Rights Reserved

Ethics for the Information Age, Chapter 7, Computer and Network Security

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue