IC322 Fall 2013

Cyber Ethics

Background

World population: 7,000,000,000 (7 billion) humans
80,000,000 (80 million) added to population each year
1,600,000,000 (1.6 billion) estimated Internet users
Thousands of new hackers born every day
Hackers can directly affect 23% of world population

What are Cyber Ethics?

Cyber Ethics == Ethics
Cyber Morals == Morals

The same rules apply in cyberspace as in the real world:

Trespassing is wrong
Stealing services (Internet access) is wrong
Stealing information is wrong
Damaging somebody else’s property is wrong
Reading somebody else’s mail is wrong
Lying about yourself (e.g. name/age/background) is wrong
Network owners make the rules; users follow them

It is easy to convince yourself that you can’t be committing a crime in your own home, at your own computer, so people often act immorally online. Don’t fall into that trap.

Definitions

Hacker – which definition is most appropriate?

a) Orig. – member of the computer programmer subculture in 1960s academia, esp. at MIT
b) (neg.) Person committed to circumvention of computer security
c) (neg.) Computer criminal
d) (pos.) Person who enjoys the details of programmable systems, especially networks

http://en.wikipedia.org/wiki/Hacker_definition_controversy

The term “hacker” is controversial and means different things to different people. Hackers are usually only in the news when they are arrested, so the term picked up negative connotations in mainstream usage.

Definitions

Cracker – Computer security penetration expert
The same word applies to both moral and immoral actors
Etymology is from “hacker” and “safe-cracker”

Definitions

“Pentesting” – Penetration Testing

Evaluating computer security by simulating an attack from malicious outsiders
Generally a third-party evaluation
Exposes vulnerabilities so the sysadmin can repair them
Care must be taken to hire a competent and ethical team
Pentesting is by contract
Penetration rules are clearly spelled out in advance
Complete results are given to the network owner
Never pentest without written permission from the network owner

Network threats - external

Organized crime
Terrorists
Governments
Corporate competition
Hacktivists (e.g. Anonymous)
Hired guns (crackers hired by one of the above)
Script-kiddie trying to make a name for himself

Network threats - internal

Disgruntled employees (e.g. alleged Wikileaks scandal)
Clueless employees (e.g. accidental security compromises)
Customers
Suppliers
Vendors
Business partners
Contractors/temps/consultants

These groups often use their legitimate network access to try to find information about competition or an edge with contract bids

Types of Hackers

Black Hat Hacker

Violates computer security for maliciousness or personal gain
Organized crime sets up zombie networks
Keyboard loggers
Password-stealing
Identity theft
Looking for kicks
Breaking into a network “just to prove you can do it”

You qualify as Black Hat whether the network is damaged or not. Trespassing/breaking and entering are crimes.

Types of Hackers

White Hat Hacker

Breaks into computer systems for non-malicious reasons
“Ethical Hackers” – as defined by the people who own the network
Penetration testers under contract
“Ethical Hacking” certificates available: http://www.eccouncil.org/

Types of Hackers

Grey Hat Hacker

Many definitions; ethics are questionable and heavily debated

Term originated with the debate over where to disclose security vulnerabilities:
White Hats: support full disclosure to vendors, customers, etc.
Black Hats: do not disclose security flaws, keep them for private use
Grey Hats: report flaws to vendors and the hacking community only

Other uses:
White Hat hackers who engage in Black Hat activity at night
Freelance hackers who browse the Internet looking for security holes, and then tell the sysadmin about them, possibly asking for a fee
A hacker who acts illegally, but with the intent to improve security

Navy ethics policy: “If there is doubt, there is no doubt.”

Types of Hackers

“Hacktivist”

A hacker who uses technology to spread their personal message
Social
Ideological
Political
Religious

Usually involves web defacement and denial-of-service attacks

Hacktivists act immorally, but would argue that it is for “the greater good”
Anonymous taking down Church of Scientology websites
Personal information about Bill O’Reilly’s web subscribers posted online
Egyptian gov’t websites hacked during 2011 demonstrations
DDOS attacks vs. Visa/Mastercard following Julian Assange’s arrest

Levels of Hacker Competence

Elite Hacker

Highly skilled
Understands the OS extremely well
Speaks multiple languages
C++/Assembler/Machine code
SQL/PHP/Javascript
Finds new zero-day exploits
Authors tools like Metasploit to break into networks
May be White, Black, or Grey Hats

Levels of Hacker Competence

Script-Kiddie

Non-expert
Uses OTS cracking/penetration tools like Metasploit, without understanding how they work
Usually Black-Hat
Often young and immature
Most common attacks involve web defacement/deleting files
Akin to graffiti “artists”

Rate the ethics…

A hacker breaks into a server, touches nothing, then emails the sysadmin with proof of the hack (e.g. screenshot) and tells them where their security weakness is.

Highly unethical  1 2 3 4 5 6 7 8 9  Highly ethical

An intruder breaks into your house, touches nothing, then mails a photo of himself in your living room and a note that says your back door is unlocked.

Highly unethical  1 2 3 4 5 6 7 8 9  Highly ethical

Judging online ethics…

People make the mistake of thinking online ethics are more permissive than real-world ethics

When in doubt, find a real-world analogy to online behavior, and use that to judge if an action is right or wrong:

Ten Commandments of Computer Ethics

From the Computer Ethics Institute

1. Thou Shalt Not Use A Computer To Harm Other People.
2. Thou Shalt Not Interfere With Other People’s Computer Work.
3. Thou Shalt Not Snoop Around In Other People’s Computer Files.
4. Thou Shalt Not Use A Computer To Steal.
5. Thou Shalt Not Use A Computer To Bear False Witness.
6. Thou Shalt Not Copy Or Use Proprietary Software For Which You Have Not Paid.
7. Thou Shalt Not Use Other People’s Computer Resources Without Authorization Or Proper Compensation.
8. Thou Shalt Not Appropriate Other People’s Intellectual Output.
9. Thou Shalt Think About The Social Consequences Of The Program You Are Writing Or The System You Are Designing.
10. Thou Shalt Always Use A Computer In Ways That Ensure Consideration And Respect For Your Fellow Humans.

Ethical or unethical?

Breaking into a secure network to steal gov’t secrets?
Breaking into a network but not reading any files?
Running a port-scanning tool on the USNA network to see whether it is at risk?
Reading wireless network traffic at a public location?
Logging into an unsecured “linksys” wireless router?
Defacing a website that you find morally reprehensible?
Logging into Facebook under an alias?

Legal policies affecting network access

Computer Fraud and Abuse Act – 1986

Originally intended to protect nat’l security data on federal networks
Expanded to penalize anybody who knowingly “exceeds authorized access” on a computer to obtain information
Can be interpreted as “violating user agreements on a social networking site”
Broad enough to include online mischief as well as criminals
Fines & imprisonment up to 20 years

http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

Acceptable Use Policy for USNA IT Resources

Similar policy in every command
Loss of privileges – impacts your ability to be either a mid or officer
Conduct/legal repercussions

http://intranet.usna.edu/IRC/policies/AcceptableUse.htm

Can a policy cover all contingencies?

4. PERMISSIBLE USES OF THE INTERNET ARE DEFINED TO INCLUDE ALL USES NOT PROHIBITED BY LAW, REGULATION, INSTRUCTION OR COMMAND POLICY.

5. PROHIBITED USES INCLUDE (NOT AN ALL INCLUSIVE LIST):