CIS 381: Social & Ethical Issues of Computing
Security Dr. David Koop
D. Koop, CIS 381, Spring 2019
Privacy• Privacy related to notion of access • Access
- Physical proximity to a person - Knowledge about a person
• Privacy is a "zone of inaccessibility" • Privacy violations are an affront to human dignity • Too much individual privacy can harm society • Where to draw the line?
�2
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Solove’s Taxonomy of Privacy• Information collection: Activities that gather personal information • Information processing: Activities that store, manipulate, and use
personal information that has been collected • Information dissemination: Activities that spread personal
information • Invasion: Activities that intrude upon a person’s daily life, interrupt
someone’s solitude, or interfere with decision-making
�3
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Data Mining by the Government• Data mining: Process of searching through one or more databases
looking for patterns or relationships among the data • Examples:
- IRS Audits: match information from different sources and find returns that appear likely to have errors resulting in underpayment
- Syndromic Surveillance Systems: search for patterns indicating the outbreak of an epidemic or bioterrorism
- NSA Telecommunications Records Database: analyze calling patterns to detect terrorist networks
- Predictive Profiling
�4D. Koop, CIS 381, Spring 2019
Code of Fair Information Practices• "Bill of Rights for the Information Age" (1970s) • Code
- No secret databases - People should have access to personal information in databases - Organizations cannot change how information is used without
consent - People should be able to correct or amend records - Database owners, users responsible for reliability of data and
preventing misuse
�5
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Information Dissemination• Legislation to restrict information dissemination
- Family Education Rights and Privacy Act - Video Privacy Protection Act - Health Insurance Portability and Accountability Act
• Examples of information dissemination - Freedom of Information Act - Toll booth records used in court
�6D. Koop, CIS 381, Spring 2019
Invasion• Government actions to prevent invasion
- Do Not Call Registry: shielding people from telemarketers judged to be greater than harm caused by limiting telephone advertising
- CALM Act: ensure television commercials are played at same volume as programs they are interrupting
• Invasive government actions - Requiring identification for pseudoephedrine purchases
• used to make meth • require identification/signature and limit amount
- Advanced Imaging Technology scanners at airports • initially created revealing images • TSA develops new software to show generic outlines
�7
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Term Paper Topic Selection• Topics have been assigned • 4-5 people per group • Term papers are individual • Topic presentations are done in groups, but each person should
speak for 3-4 minutes • As a group, rank your preferred presentation days
- April 17, April 19, April 22, April 24, April 29, May 1 • Individual term papers are due May 6 (assigned exam date) • Need to evaluate issues using ethical frameworks • Groups can choose to examine different issues related to a topic or
examine a similar issue using different frameworks
�8D. Koop, CIS 381, Spring 2019
Why is Security Important?• Computers getting faster and less expensive • Utility of networked computers increasing
- Shopping and banking - Managing personal information - Controlling industrial processes
• Increasing use of computers → growing importance of computer security
�9
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Hackers, Past and Present• Original meaning of hacker:
explorer, risk taker, system innovator (e.g. MIT’s Tech Model Railroad Club in 1950s)
• Change in meaning from electronics to computers and networks
• WarGames (1983): Hacking military supercomputer
• Modern meaning of hacker: someone who gains unauthorized access to computers and computer networks
�10D. Koop, CIS 381, Spring 2019
[M. J. Quinn]
Obtaining Login Names & Passwords• Guessing • Eavesdropping: watching keystrokes • Dumpster diving: discarded manuals sometimes have passwords • Social engineering: manipulating persons to gain access to info • Brute-force searches • Dictionary attacks
�11
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Password Advice• Do not use short passwords • Do not rely solely on words from the dictionary • Do not rely on substituting numbers for letters • Do not reuse passwords • Give ridiculous answers to security questions • Enable two-factor authentication if available • Have password recoveries sent to a secure email address
�12
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Computer Fraud and Abuse Act• Criminalizes wide variety of hacker-related activities
- Transmitting code that damages a computer - Accessing any Internet-connected computer without authorization - Transmitting classified government information - Trafficking in computer passwords - Computer fraud - Computer extortion
• Maximum penalty: 20 years in prison and $250,000 fine
�13
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Sidejacking• Sidejacking: hijacking an open Web session by capturing a user’s
cookie • Sidejacking possible on unencrypted wireless networks because
many sites send cookies “in the clear” • Internet security community complained about sidejacking
vulnerability for years, but ecommerce sites did not change practices
�14
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Case Study: Firesheep• October 2010: Eric Butler released Firesheep extension to Firefox
browser • Firesheep made it possible for ordinary computer users to easily
sidejack Web sessions • More than 500,000 downloads in first week • Attracted great deal of media attention • Early 2011: Facebook and Twitter announced options to use their
sites securely
• Evaluate: Was this a good action?
�15
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Act Utilitarian Analysis• Release of Firesheep led media to focus on security problem • Benefits were high: a few months later Facebook and Twitter made
their sites more secure • Harms were minimal: no evidence that release of Firesheep caused
big increase in identity theft or malicious pranks • Conclusion: Release of Firesheep was good
�16
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Virtue Ethics Analysis• By releasing Firesheep, Butler helped public understand lack of
security on unencrypted wireless networks • Butler’s statements characteristic of someone interested in
protecting privacy • Butler demonstrated courage by taking responsibility for the
program • Butler demonstrated benevolence by making program freely
available • His actions and statements were characteristic of someone
interested in the public good
�17
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Kantian Analysis• Accessing someone else’s user account is an invasion of their
privacy and is wrong • Butler provided a tool that made it much simpler for people to do
something that is wrong, so he has some moral accountability for their misdeeds
• Butler was willing to tolerate short-term increase in privacy violations in hope that media pressure would force Web retailers to add security
• He treated victims of Firesheep as a means to his end • It was wrong for Butler to release Firesheep
�18
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Malware• Viruses • Worms • Cross-Site Scripting • Drive-by Downloads • Trojan Horses • Rootkits • Spyware & Adware • Botnets
�19
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Viruses• Virus: Piece of self-replicating code
embedded within another program (host)
• Viruses associated with program files - Hard disks, floppy disks, CD-
ROMS - Email attachments
• How viruses spread - Diskettes or CDs - Email - Files downloaded from Internet
�20
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
How an Email Virus Spreads
�21
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Antivirus Software Packages• Allow computer users to detect and destroy viruses • Must be kept up-to-date to be most effective • Many people do not keep their antivirus software packages up-to-
date • Consumers need to beware of fake antivirus applications
�22
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Worm• Self-contained program • Spreads through a computer network • Exploits security holes in networked computers
�23
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
How a Worm Spreads
�24
7.3 Malware 329
WW
W
W
W
Figure 7.4 A worm spreads to other computers by exploiting security holes in computernetworks.
punk: Outlaws and Hackers on the Computer Frontier, written by Katie Hafner and JohnMarkoff [25].
BACKGROUND OF ROBERT TAPPAN MORRIS JR.
Robert Tappan Morris Jr. began learning about the Unix operating system when he wasstill in junior high school. His father was a computer security researcher at Bell Labs, andyoung Morris was given an account on a Bell Labs computer that he could access froma teletype at home. It didn’t take him long to discover security holes in Unix. In a 1982interview with Gina Kolata, a writer for Smithsonian magazine, Morris admitted he hadbroken into networked computers and read other people’s email. “I never told myselfthat there was nothing wrong with what I was doing,” he said, but he acknowledgedthat he found breaking into systems challenging and exciting, and he admitted that hecontinued to do it.
As an undergraduate at Harvard, Morris majored in computer science. He quicklygained a reputation for being the computer lab’s Unix expert. After his freshman year,Morris worked at Bell Labs. The result of his work was a technical paper describing asecurity hole in Berkeley Unix.
While at Harvard, Morris was responsible for several computer pranks. In one ofthem, he installed a program that required people logging in to answer a question posedby “the Oracle” and then to ask the Oracle another question. (The Oracle programworked by passing questions and answers among people trying to log in.)
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
The Internet Worm• Robert Tappan Morris, Jr.
- Graduate student at Cornell - Released worm onto Internet from MIT computer
• Effect of worm - Spread to significant numbers of Unix computers - Infected computers kept crashing or became unresponsive - Took a day for fixes to be published
• Impact on Morris - Suspended from Cornell - 3 years’ probation + 400 hours community service - $150,000 in legal fees and fines
�25
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Ethical Evaluation• Kantian evaluation: Morris used others by gaining access to their
computers without permission • Social contract theory evaluation: Morris violated property rights of
organizations • Utilitarian evaluation
- Benefits: Organizations learned of security flaws - Harms: Time spent by those fighting worm, unavailable computers,
disrupted network traffic, Morris’s punishments • Virtue ethics evaluation
- Morris selfishly used Internet as experimental lab - He deceitfully released worm from MIT instead of Cornell - He avoided taking responsibility for his actions
• Morris was wrong to have released the Internet worm
�26
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Sasser Worm• Launched in April 2004, infected 18 million computers • Disrupted operations at Delta Airlines, European Commission,
Australian railroads, British Coast Guard • German juvenile Sven Jaschan confessed to crime • Sentenced to 30 hours of community service and 18 months’
probation
�27
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Instant Messaging Worms• Choke and Hello (2001) • Kelvir (2005)
- Reuters had to remove 60,000 subscribers from its instant messaging service
• Palevo (2010) - Spread through Romania, Mongolia, Indonesia
�28
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Conficker Worm• Conficker (a.k.a. Downadup) worm appeared 2008 on Windows
computers • Particularly difficult to eradicate • Uses pseudorandom domains to download from • Different variants released (type E installs malware) • Millions of copies of worm are circulating • Purpose of worm still unknown
�29
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Cross-site Scripting• Another way malware may be downloaded without user’s
knowledge • Problem appears on Web sites that allow people to read what
others have posted • Attacker injects client-side script into a Web site • Victim’s browser executes script, which may steal cookies, track
user’s activity, or perform another malicious action
�30
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Drive-by Downloads• Unintentional downloading of malware caused by visiting a
compromised Web site • Also happens when Web surfer sees pop-up window asking
permission to download software and clicks “Okay” • Google Anti-Malware Team says 1.3 percent of queries to Google’s
search engine return a malicious URL somewhere on results page
�31
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Trojan Horses and Backdoor Trojans• Trojan horse:
- Program with benign capability that masks a sinister purpose - Performs expected task but also unknown, sinister actions
• Backdoor Trojan: Trojan horse that gives attack access to victim’s computer
�32
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Rootkits• Rootkit: A set of programs that provides privileged access to a
computer • Activated every time computer is booted • Uses security privileges to mask its presence
�33
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Spyware and Adware• Spyware: Program that communicates over an Internet connection
without user’s knowledge or consent - Monitor Web surfing - Log keystrokes - Take snapshots of computer screen - Send reports back to host computer
• Adware: Type of spyware that displays pop-up advertisements related to user’s activity
• Backdoor Trojans often used to deliver spyware and adware
�34
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Bots• Bot: A kind of backdoor Trojan that responds to commands sent by
a command-and-control program on another computer • First bots supported legitimate activities
- Internet Relay Chat - Multiplayer Internet games
• Other bots support illegal activities - Distributing spam - Collecting person information for ID theft - Denial-of-service attacks
�35
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Botnets and Bot Herders• Botnet: Collection of bot-infected computers controlled by the
same command-and-control program • Bot herder: Someone who controls a botnet • Some botnets have over a million computers in them
�36
[M. J. Quinn]D. Koop, CIS 381, Spring 2019
Defensive Measures• Security patches: Code updates to remove security vulnerabilities • Anti-malware tools: Software to scan hard drives, detect files that
contain viruses or spyware, and delete these files • Firewall: A software application installed on a single computer that
can selectively block network traffic to and from that computer
�37
[M. J. Quinn]D. Koop, CIS 381, Spring 2019