IC322 Fall 2013 Cyber Ethics

Background

World population: 7,000,000,000 (7 billion) humans
80,000,000 (80 million) added to population each year
1,600,000,000 (1.6 billion) estimated Internet users
Thousands of new hackers born every day
Hackers can directly affect 23% of world population

What are Cyber Ethics?

Cyber Ethics == Ethics
Cyber Morals == Morals
The same rules apply in cyberspace as in the real world:
Trespassing is wrong
Stealing services (Internet access) is wrong
Stealing information is wrong
Damaging somebody else’s property is wrong
Reading somebody else’s mail is wrong
Lying about yourself (e.g. name/age/background) is wrong
Network owners make the rules; users follow them
It is easy to convince yourself that you can’t be committing a crime in your own home, at your own computer, so people often act immorally online. Don’t fall into that trap.

Definitions

Hacker – which definition is most appropriate?
a) Orig. – member of the computer programmer subculture in 1960s academia, esp. at MIT
b) (neg.) Person committed to circumvention of computer security
c) (neg.) Computer criminal
d) (pos.) Person who enjoys the details of programmable systems, especially networks
http://en.wikipedia.org/wiki/Hacker_definition_controversy
The term “hacker” is controversial and means different things to different people. Hackers are usually only in the news when they are arrested, so the term picked up negative connotations in mainstream usage.

Definitions

Cracker – Computer security penetration expert
The same word applies to both moral and immoral actors
Etymology is from “hacker” and “safe-cracker”

Definitions

“Pentesting” – Penetration Testing
Evaluating computer security by simulating an attack from malicious outsiders
Generally a third-party evaluation
Exposes vulnerabilities so sysadmin can repair them
Care must be taken to hire a competent and ethical team
Pentesting is by contract
Penetration rules are clearly spelled out in advance
Complete results are given to the network owner
Never pentest without written permission from the network owner

Network threats - external

Organized crime
Terrorists
Governments
Corporate competition
Hacktivists (e.g. Anonymous)
Hired guns (crackers hired by one of the above)
Script-kiddie trying to make a name for himself

Network threats - internal

Disgruntled employees (e.g. alleged Wikileaks scandal)
Clueless employees (e.g. accidental security compromises)
Customers
Suppliers
Vendors
Business partners
Contractors/temps/consultants
These groups often use their legitimate network access to try to find information about competition or an edge with contract bids

Types of Hackers

Black Hat Hacker
Violates computer security for maliciousness or personal gain
Organized crime sets up zombie networks
Keyboard loggers
Password-stealing
Identity theft
Looking for kicks
Breaking into a network “just to prove you can do it”
You qualify as Black Hat whether the network is damaged or not. Trespassing/breaking and entering are crimes.

Types of Hackers

White Hat Hacker
Breaks into computer systems for non-malicious reasons
“Ethical Hackers” – as defined by the people who own the network
Penetration testers under contract
“Ethical Hacking” certificates available: http://www.eccouncil.org/

Types of Hackers

Grey Hat Hacker
Many definitions; ethics are questionable and heavily debated
Term originated with the debate over where to disclose security vulnerabilities:
White Hats: support full disclosure to vendors, customers, etc.
Black Hats: do not disclose security flaws, keep them for private use
Grey Hats: report flaws to vendors and the hacking community only
Other uses:
White Hat hackers who engage in Black Hat activity at night
Freelance hackers who browse the Internet looking for security holes, and then tell the sysadmin about them, possibly asking for a fee
A hacker who acts illegally, but with the intent to improve security
Navy ethics policy: “If there is doubt, there is no doubt.”

Types of Hackers

“Hacktivist”
A hacker who uses technology to spread their personal message
Social
Ideological
Political
Religious
Usually involves web defacement and denial-of-service attacks
Hacktivists act immorally, but would argue that it is for “the greater good”
Anonymous taking down Church of Scientology websites
Personal information about Bill O’Reilly’s web subscribers posted online
Egyptian gov’t websites hacked during 2011 demonstrations
DDOS attacks vs. Visa/Mastercard following Julian Assange’s arrest

Levels of Hacker Competence

Elite Hacker
Highly skilled
Understands the OS extremely well
Speaks multiple languages
C++/Assembler/Machine code
SQL/PHP/Javascript
Finds new zero-day exploits
Authors tools like Metasploit to break into networks
May be White, Black, or Grey Hats

Levels of Hacker Competence

Script-Kiddie
Non-expert
Uses OTS cracking/penetration tools like Metasploit, without understanding how they work
Usually Black-Hat
Often young and immature
Most common attacks involve web defacement/deleting files
Akin to graffiti “artists”

Rate the ethics…

A hacker breaks into a server, touches nothing, then emails the sysadmin with proof of the hack (e.g. screenshot) and tells them where their security weakness is.
1 (Highly unethical) 2 3 4 5 6 7 8 9 (Highly ethical)

An intruder breaks into your house, touches nothing, then mails a photo of himself in your living room and a note that says your back door is unlocked.
1 (Highly unethical) 2 3 4 5 6 7 8 9 (Highly ethical)

Judging online ethics…

People make the mistake of thinking online ethics are more permissive than real-world ethics
When in doubt, find a real-world analogy to online behavior, and use that to judge if an action is right or wrong:

Ten Commandments of Computer Ethics
From the Computer Ethics Institute

1. Thou Shalt Not Use A Computer To Harm Other People.
2. Thou Shalt Not Interfere With Other People’s Computer Work.
3. Thou Shalt Not Snoop Around In Other People’s Computer Files.
4. Thou Shalt Not Use A Computer To Steal.
5. Thou Shalt Not Use A Computer To Bear False Witness.
6. Thou Shalt Not Copy Or Use Proprietary Software For Which You Have Not Paid.
7. Thou Shalt Not Use Other People’s Computer Resources Without Authorization Or Proper Compensation.
8. Thou Shalt Not Appropriate Other People’s Intellectual Output.
9. Thou Shalt Think About The Social Consequences Of The Program You Are Writing Or The System You Are Designing.
10. Thou Shalt Always Use A Computer In Ways That Ensure Consideration And Respect For Your Fellow Humans.

Ethical or unethical?

Breaking into a secure network to steal gov’t secrets?
Breaking into a network but not reading any files?
Running a port-scanning tool on the USNA network to see whether it is at risk?
Reading wireless network traffic at a public location?
Logging into an unsecured “linksys” wireless router?
Defacing a website that you find morally reprehensible?
Logging into Facebook under an alias?

Legal policies affecting network access

Computer Fraud and Abuse Act – 1986
Originally intended to protect nat’l security data on federal networks
Expanded to penalize anybody who knowingly “exceeds authorized access” on a computer to obtain information
Can be interpreted as “violating user agreements on a social networking site”
Broad enough to include online mischief as well as criminals
Fines & imprisonment up to 20 years
http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

Acceptable Use Policy for USNA IT Resources

Similar policy in every command
Loss of privileges – impacts your ability to be either a mid or officer
Conduct/legal repercussions
http://intranet.usna.edu/IRC/policies/AcceptableUse.htm