Repercussions of Hacking


 Legal Issues & Risks
   Reading:
       Computer Security: Principles & Practice, W. Stallings, L. Brown: Chapter 18
   The student shall be able to:
       Understand the legal consequences of hacking.
       Describe the main crimes covered in the Computer Fraud and Abuse Act.
       Describe the main crimes covered by the Electronic Communications Privacy Act.
       Describe how to avoid copyright/trademark infringement, and child
        pornography handling violations.
       Describe the industries covered by Sarbanes-Oxley, FISMA, HIPAA, and Gramm-Leach-Bliley.
       Define the basic purpose of PCI DSS and state breach notification law.
       Describe the requirements that must be proven in prosecuting hackers, and
        describe what a company must do to achieve such proof.
       Define copyright, patent, trade secret and the differences between these.
       Describe how to reduce negligence relating to security in civil law suits.
       List the six steps of risk analysis.
Law Enforcement Challenges
Repercussions of Hacking
Recent Cybercrime Cases
   Considering cybercrime cases from January 2008 through May 2009:

          Type of crime                          % of Cases
          Trespassing (unauthorized access)      40.7%
          Identity Theft                         28.3%
          Virus dissemination                    12.4%
          Stalking                                4.4%
          DDoS                                    5.3%

          Source: "Understanding Cybercrime" by Derrick J. Neufeld

   There are many other types of hacking/cybercrimes
    that are punishable by state and federal laws.
“Hacking Leads to Prison Sentence”
   19-year old illegally accessed web site and
    collected credit card numbers from almost 5,000

   Prison Sentence: 2 years
   Fine: $5,250 for restitution
“5-year Jail term for Pinoy cyber hacker”

   Jeanson Ancheta, 20 years old, hijacked around
    400,000 computers, including military servers, and
    infected them with malicious software.

   Prison Sentence: Nearly 5 years
   Fine: $15,000 for restitution

   "'Your worst enemy is your own intellectual arrogance that somehow the
    world cannot touch you on this,' the judge told Ancheta."
"Houston Computer Administrator Sentenced to Two Years in
 Prison for Hacking Former Employer's Computer Network"

     Former employee accessed database, deleting records,
      accounting invoice files, software applications and
      various backup files.

     Prison Sentence: 2 years followed by 3 years
     Fine: $94,222 for restitution
“Computer Hacker Sentenced to 37 months…for scheme to
   Steal and Launder Money from Brokerage Accounts”

    Aleksey Volynsky hacked into victims' brokerage
     accounts at Charles Schwab, laundered more than
     $246,000 and sold about 180 stolen credit card

    Prison Sentence: 37 months
    Fine: $30,000 for restitution
“Michigan Man Gets 30 Months for Conspiracy to Order
 Destructive Computer Attacks on Business Competitors”

   19-year old Jason Arabo conspired to have a friend,
    Jasmine Singh, attack websites and online sales
    operations of some of Arabo's business competitors.

   Prison Sentence: 30 months
   Fine: $504,495 for restitution

   Singh was also sentenced to 5 years prison and fined
    $35,000 for restitution
“Hacker Sentenced to 20 Years in Massive Data Theft”

   Albert Gonzalez, 28, of Miami, pleaded guilty to
    conspiring to hack into computer networks supporting
    major US retail and financial organizations.

   Prison Sentence: 20 years
   Fine: $28,000 for restitution

   Five other men have also been sentenced as part of Mr.
    Gonzalez's schemes.
    Interested in more arrest stories?
Case                                                                                    Prison      Fines
Former Federal Computer Specialist Sentenced                                            5 months    $40,000
Cleveland, Ohio Man Sentenced to Prison for Bank Fraud and                              32 months   $300,748
Former Officer of Internet Company Sentenced in Case of Massive Data Theft              96 months   N/A
Hacker Sentenced to Prison for Breaking into Lowe's Companies'                          68 months   N/A
Former Employee of Viewsonic Sentenced to One Year for Hacking into Company's
  Computer, Destroying Data                                                             12 months   N/A
Former Hellmann Logistics Computer Programmer Sentenced for Unauthorized
  Computer Intrusion                                                                    12 months   $80,713

       The list goes on and on.
So, what's the point of all this?
   It's a serious crime!
   You will get caught and you will be punished!

   Prison
   Fines
   Destroyed reputation
   Loss of job
   Damage to other people's lives
    Computer Fraud and Abuse Act (CFAA): 18
    U.S.C. Section 1030

   Protects the confidentiality, integrity, and availability of data and systems
   Prohibited access includes: hacking, viruses, logic bombs, ping floods, other
   Violations can result in criminal case and/or civil suit

Criminal Acts:
 Unauthorized access of government, nonpublic and protected computer to
   commit fraud
 Intentional acts causing damage to computers

 Trafficking of passwords affecting interstate commerce or government
 Threats or extortion related to damage of protected computers

 Unauthorized access to national security information
Computer Fraud and Abuse Act (CFAA): 18 U.S.C. Section 1030
'Protected computer', 1030(e)(2):
   Computer used by a financial institution or the US govt., or
   Computer used in interstate or foreign commerce or communications, or
   Computers outside of the US that affect US interstate commerce
    (2001 USA PATRIOT Act)
Damage:
   At least $5,000 loss (includes cost of incident response, lost revenue,
    restoration of data/systems)
   Medical diagnosis, treatment, or care for one or more individuals
   Physical injury
   A threat to public health or safety
   Information relating to justice, national defense, or national
Computer Fraud and Abuse Act (CFAA): 18
U.S.C. Section 1030
Unauthorized Access
 E.g., Unauthorized access of government, nonpublic
  and protected computer to commit fraud
 Access without or in excess of authorization

 Examples: Trespass or obtaining root access when not
 Guilty: IRS auditor looking at taxpayer documents
  other than the case the agent is investigating
  Computer Fraud & Abuse Act
Law: Computer Fraud & Abuse Act
1030(a)(2)   Trespass 'Protected' Computer: Access computer without or in excess of
             authorization and obtaining financial information relating to interstate
             commerce or communication
             Charge: Misdemeanor, maximum 1 year sentence
             In combination with $5000 damage, financial gain, commercial advantage, or
             criminal purposes
             Charge: Felony
1030(a)(3)   Trespass Government Computer: Any unauthorized access
             Charge: First time offense: Misdemeanor
1030(a)(4)   Fraud: Unauthorized access with intent to defraud
             Charge: First time offense: Felony, maximum $250,000 fine, 5-year jail
             Trespass (use computer time), no damage
             Charge: No offense
1030(a)(5)   Malware: Intentional release of worms and viruses, denial of service,
             intrusion; reckless damage due to unauthorized access
             Charge: Felony
             Damage due to negligence and unauthorized access
             Charge: Misdemeanor
Electronic Comm. Privacy Act (ECPA)
ECPA, 18 USC Section 2511(a): Electronic Eavesdropping (text or speech)
   Prohibits endeavoring to intercept communication or disclose or use
    information obtained illegally.
   Example: Packet sniffers
   Example: Monitoring VP's emails without consent
   Charge: Felony; civil suits for actual, statutory, and punitive damages
   Except in cases of self-defense or consent: No offense
      Employer can protect rights and property
      Consent: Provide banner, organizational policies, and/or employee handbook
      Example: Sys Admin watching hacker's actions
ECPA, 18 USC Section 2701: Stored Communications
   Accessing information of any public or private communications provider
    (i.e. has email server), with unauthorized access (e.g., Sys Admin with
    cause is ok)
   Requirement: Company policy must define unauthorized access.
   Charge: Misdemeanor
Pornography & Homeland Security

Child Pornography, 18 USC Section 2252/2252A:
   Prohibits knowing possession of any printed, video, or digital file
    containing child pornography.
   Requirement: Transported interstate, knowledge of minority, and knowledge
    of sexually explicit material. (Unopened email ok.) However, must take
    immediate action to delete when found.
   Charge: Felony
Homeland Security Act extensions:
   With commercial gain, malicious destruction, or in furtherance of a
    criminal or tortious act
   Charge: Felony
Breach Notification Laws
   The Oregonian, May 2006: In one of Oregon's largest security breaches,
    Providence Health System disclosed that a burglar stole unencrypted
    medical records on 365,000 patients kept on disks and tapes left
    overnight in an employee's van.

   State laws, called Breach Notification Laws, require CEs (covered entities)
    to notify patients when their PHI (protected health information) has been
    breached
   If data is encrypted and laptop is lost, notification is not required
   This often applies to any industry that uses personal information,
    such as Social Security Numbers
Intellectual Property

   [Figure: types of intellectual property; only the "Trade Secret" box
    survived extraction: secret: recipe, customer DB]
Copyright
   protects tangible or fixed expression of an idea but
    not the idea itself
   is automatically assigned when created
   may need to be registered in some countries
   exists when:
     proposed work is original
     creator has put original idea in concrete form
     e.g. literary works, musical works, dramatic works,
      pantomimes and choreographic works, pictorial, graphic,
      and sculptural works, motion pictures and other audiovisual
      works, sound recordings, architectural works, software-
      related works.
Copyright Rights

   copyright owner has these exclusive rights, protected
    against infringement:
     reproduction right
     modification right
     distribution right
     public-performance right
     public-display right
Patent
   grants a property right to the inventor
       to exclude others from making, using, offering for sale, or
        selling the invention
   types:
     utility - any new and useful process, machine, article of
      manufacture, or composition of matter
     design - new, original, and ornamental design for an article of
     plant - discovers and asexually reproduces any distinct and
      new variety of plant
   e.g. RSA public-key cryptosystem patent
Trademark
   a word, name, symbol, or device
     used in trade with goods
     indicates source of goods
     to distinguish them from goods of others
   trademark rights may be used to:
     prevent others from using a confusingly similar mark
     but not to prevent others from making the same goods or
      from selling the same goods or services under a clearly
      different mark
Copyright vs. Patent

Copyright:
   Protects expression of an implementation of an idea
   Copyright protects result of art, literature, written scholarship
   Creative work: Story, photograph, music, drawing
   "original works of authorship fixed in any tangible medium of
    expression, ... from which they can be perceived, reproduced, or
    otherwise communicated, either directly or with the aid of a machine
    or device" - U.S. copyright law
   Protects an individual's right to make a living
   Allows author the exclusive right to sell copies of the expression
Patent:
   Patent protects results of science, technology, engineering
   Excludes: laws of nature and mental processes: 1+1=2
   Protects the device or process for carrying out an idea
   Patent goes to the person who first invented the idea, not the first
    patent applicant
   Patent infringement applies even if idea is produced independently
   Cannot promote an obvious use: cardboard as a book mark
   Owner of patent is author, unless employee's job duties included
    inventing the product.
Copyright vs Patent: Software
Copyrights:
   Copyright covers lines of code but not the algorithm
   Copying code is prohibited, but re-implementing the algorithm is permitted
   Condition: The work must be published/distributed.
Patents:
   Patents accepted if software algorithm + novel process
   E.g.: No patent: Conversion from decimal to binary
   E.g.: Patentable: Calculate the time to cure rubber
 Copyright vs. Patent - Infringement

Copyright:
   U.S. No Electronic Theft Act, 1997: Criminal offense to reproduce or
    distribute copyright works (even without charge): software/digital
    recordings
   Copyright holder may choose to pursue only sufficiently large court cases
   The copyright law: When you buy a CD, you are buying the right to use the
     Use: Play it, lend it, give it or sell it (single copy).
     This is not true for a 'license', which can be specified as a lease
   Lasts for 70 years beyond author's death or 95 years after date of
    publication for company/organization
Patent:
   Patent holder must oppose all infringement
   Patent infringement defense can include any of the following:
     No infringement: Ideas are sufficiently different
     Patent is invalid: Prior infringement was not opposed
     Invention is not novel: Idea is not worthy of patent
     Infringer invented object first: Infringer should be patent-holder
Copyright: Who is Author?
   Author is the owner of the work except when 'work for hire':
     The employer has a supervisory relationship and oversees the work
     The employer can fire the employee
     The employer arranges for work to be done before the work was
       created (e.g. not a sale)
     A written contract states that the employee was hired to do certain work
   Employment contracts often define:
     Employer claims rights to developed software including copyright and
       right to market
     Employer claims right to all inventions and copyrights, not just those that
       follow from employment.
Discussion: Who owns rights?
   A contractor develops software for a company.
       The company unless contract says otherwise
   A contractor works for a company and develops
    software in her spare time but using the company's
    computers and library; re patent, copyright
       Depends on contract
   A contractor works for a company and develops
    software in his spare time on his own computers; re
    patent, copyright
       Depends on contract
Trade Secret
Trade Secret: Information that gives a company a competitive
   edge over others.
   Examples: Customer list, recipes.
   A trade secret must always be kept secret
   If a trade secret is improperly obtained and profited from, the
    owner can recover profits, damages, lost revenues and legal
   If someone discovers a trade secret independently, rights of
    trade secret evaporate
   Reverse engineering: Studying output or decoding object code
Intellectual Property Law

Economic Espionage Act, 18 USC Sections 1831-39:
   Stealing/obtaining proprietary trade secrets with the knowledge or intent
    that the owner of the secret would suffer injury. Additional requirements
    include: unauthorized access, relates to interstate commerce. Applicable
    to insiders and outsiders.
   Charge: Civil cases are filed under state trade-secret law.
Criminal Infringement of Copyright, 18 USC Sections 2319-20:
   Copyright Infringement: Intentional electronic reproduction of copyrighted
    works with a value exceeding $2500.
   Charge: Fine and/or imprisonment
   Criminal Trademark Infringement: Using/selling pirated copies of software
    or music with a counterfeited mark
   Charge: Fine and/or imprisonment
   Contraband stored by a hacker or internal user, against company policies,
    and company reacts quickly after offending material is discovered
   Charge: No fault
   Industry-specific legislation
Gramm-Leach-Bliley Safeguards (Banking/Financial Industry): Felony
   Restrictions for banking/financial industry with aim (in general) to
    "develop, implement, and maintain a comprehensive information security
    program that is written in one or more readily accessible parts and
    contains administrative, technical and physical safeguards that are
    appropriate to its size and complexity, the nature and scope of its
    activities, and the sensitivity of any customer information at issue."
Health Insurance Portability and Accountability Act (Personal Health): Felony
   Protection of personal health information, including appropriate
    administrative, technical and physical safeguards. (Perform risk
    assessment and adopt security measures commensurate with potential risk.)
Sarbanes-Oxley 404 (Fraud): Felony, jail
   Annual audit must state responsibility of mgmt for establishing/maintaining
    adequate internal control structure and assess the internal control
    structure.
Federal Information Security Mgmt. Act (FISMA) (Federal Information CIA):
   Protection of information via inventory, risk assessment, and security
    plan, controls, certification and monitoring.
                  Due Diligence

     Due Diligence = Did careful risk assessment
     Due Care = Implemented recommended controls from the risk assessment (RA)
     Liability minimized if reasonable precautions taken

     [Figure: Senior Mgmt Support; Security Evaluation; Risk Assessment]
Risk Assessment
Five steps include:
1. Assign Values to Assets:
         Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities
         Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation
         Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss
         Loss = Downtime + Recovery + Liability + Replacement
         Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat Risk
         Survey & Select New Controls
         Reduce, Transfer, Avoid or Accept Risk
         Risk Leverage = ((Risk exposure before reduction) - (Risk exposure after
          reduction)) / (Cost of risk reduction)
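The five steps above carried through in code, as an added example that is not part of the slides: the asset figures, the "once every 5 years" likelihood, and the two candidate controls with their costs and residual probabilities are constructed for illustration. The example goes one step beyond the formulas by using Risk Leverage to decide between reducing the risk and accepting or transferring it (a control whose leverage is below 1 removes less exposure than it costs).

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Asset:
    """Steps 1-2: a valued asset and the loss components if it is compromised."""
    name: str
    downtime: float      # revenue lost while the asset is unavailable ($)
    recovery: float      # incident response and restoring data/systems ($)
    liability: float     # fines, lawsuits, breach notification ($)
    replacement: float   # replacing hardware/software ($)

    def loss(self) -> float:
        """Step 4: Loss = Downtime + Recovery + Liability + Replacement."""
        return self.downtime + self.recovery + self.liability + self.replacement


@dataclass
class Control:
    """Step 5 candidate: a control, what it costs, and the yearly probability left after it."""
    name: str
    cost: float
    residual_probability: float


def probability_per_year(once_every_years: float) -> float:
    """Step 3: 'exploited about once every N years' expressed as a yearly probability."""
    return 1.0 / once_every_years


def risk_exposure(probability: float, loss: float) -> float:
    """Risk Exposure = ProbabilityOfVulnerability * $Loss."""
    return probability * loss


def risk_leverage(exposure_before: float, exposure_after: float, cost: float) -> float:
    """Risk Leverage = (exposure before - exposure after) / cost of risk reduction."""
    return (exposure_before - exposure_after) / cost


def evaluate_controls(asset: Asset, probability: float,
                      controls: list[Control]) -> dict[str, float]:
    """Leverage of each candidate control against the asset's current exposure."""
    before = risk_exposure(probability, asset.loss())
    return {
        c.name: risk_leverage(before, risk_exposure(c.residual_probability, asset.loss()), c.cost)
        for c in controls
    }


def recommend(leverages: dict[str, float]) -> list[str]:
    """Controls worth buying, best first: leverage > 1 means each dollar spent
    removes more than a dollar of exposure. Anything at or below 1 is a
    candidate to transfer (insure) or accept instead of reduce."""
    return sorted((name for name, lev in leverages.items() if lev > 1.0),
                  key=lambda name: -leverages[name])


# Constructed sample: a customer database ("crown jewel") expected to be
# compromised about once every 5 years if nothing changes.
CUSTOMER_DB = Asset("customer database", downtime=20_000, recovery=15_000,
                    liability=150_000, replacement=5_000)   # loss = $190,000
BASELINE_PROBABILITY = probability_per_year(5)              # 0.2 per year
CANDIDATE_CONTROLS = [
    Control("encrypt database at rest", cost=10_000, residual_probability=0.05),
    Control("full platform rebuild", cost=60_000, residual_probability=0.02),
]

if __name__ == "__main__":
    leverages = evaluate_controls(CUSTOMER_DB, BASELINE_PROBABILITY, CANDIDATE_CONTROLS)
    print(f"loss if compromised: ${CUSTOMER_DB.loss():,.0f}")
    print(f"annual risk exposure now: "
          f"${risk_exposure(BASELINE_PROBABILITY, CUSTOMER_DB.loss()):,.0f}")
    for name, lev in leverages.items():
        print(f"  {name}: leverage {lev:.2f}")
    print("recommended:", recommend(leverages))
```

With the constructed figures the exposure is $38,000 per year; encryption at rest has leverage 2.85 and is recommended, while the $60,000 rebuild has leverage 0.57, so the remaining risk is better transferred or accepted than reduced that way.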
US Privacy Law
   Affects federal agencies
   have Privacy Act of 1974 which:
     permits individuals to determine records kept
     permits individuals to forbid records being used for
      other purposes
     permits individuals to obtain access to records
     ensures agencies properly collect, maintain, and use
      personal info
     creates a private right of action for individuals

   also have a range of other privacy laws
What would happen if...?
Who would have the strongest case in the following situations:
 the defense or the prosecution? What law(s), if any, would
 be violated? What would the defense be liable for, worst
 case? (misdemeanor, felony, or no criminal offense). (Note:
 Wisconsin may have specific laws that are not documented
 in these notes.)

A student in a security audit of an external company
   accesses records outside the scope of the audit?
       Misdemeanor unless combined with financial loss, 1030(a)(2)
   modifies data to demonstrate vulnerability within the scope
    of the audit?
       Felony if losses are in excess of $5000, 1030(a)(2), or fraud is proven
What would happen if...?
An employee of Ace Hardware looks at another employee's medical records
   and does not modify them?
       Misdemeanor: 1030(a)(2)
       HIPAA violation
   and does modify them?
   and does not modify them, but works for the city of Kenosha?
       Felony: Possible fraud, damage
       HIPAA violation
A hacker logs onto your computer without your knowledge
   and changes nothing?
       1030(a)(4): no offense
       1030(a)(2) trespass: misdemeanor
   and copies files?
       Copyright infringement
       Felony: intent to defraud, 1030(a)(4)
       Civil case: Economic Espionage Act 1831 (trade secrets)
   and runs programs which slow down your response time tremendously?
       Felony: $5000 damage or criminal purpose, 1030(a)(2) or (a)(5)
    What would happen if...?
An ex-employee logs onto SC Johnson's computers
   and retrieves financial files?
       Economic Espionage Act 18 USC 1831-39, proprietary secrets -> civil case
       1030(a)(2) Misdemeanor, or Felony if >$5000 damage
       1030(a)(4) Intent to defraud - Felony
       Breach Notification if personal information divulged
   and inadvertently changes non-financial, non-medical files?
       Homeland Security Act extension - Felony
       1030(a)(2) >$5000 damage
       1030(a)(5) reckless damage
       Breach Notification
You receive child pornography by email and you don't open or delete it
 (but still on disk)
   With email names such as "Exposing Tender Young Things"
       18 USC 2252/2252A Felony - must delete file
   With email names such as "Hi"
       18 USC 2252/2252A, intention not shown -> no offense

An employee sends a damaging virus to his old place of
   intentionally?
       If proven: 1030(a)(5) - felony
   unintentionally?
       1030(a)(5) if unauthorized - misdemeanor
Payment Card Industry Data Security Standard

     PCI DSS:
         Developed by payment card companies (Visa, Mastercard, etc.)
          to protect consumers' personal information

         Six main groups of requirements:
             Maintain an Information Security Policy
             Build and Maintain a Secure Network
             Protect Cardholder Data
             Maintain a Vulnerability Management Program
             Implement Strong Access Control Measures
             Regularly Monitor and Test Networks

         Companies that handle any payment card information must
          adhere to these requirements or risk losing the ability to accept
          credit/debit card payments, fines and liability if data is
PCI DSS: Requirement Groups 1 & 2

   Build and Maintain a Secure Network
     Requirement 1: Install and maintain a firewall
      configuration to protect cardholder data
     Requirement 2: Do not use vendor-supplied defaults for
      system passwords and other security parameters
   Protect Cardholder Data
     Requirement 3: Protect stored cardholder data
     Requirement 4: Encrypt transmission of cardholder data
      across open, public networks
PCI DSS: Requirement Groups 3 & 4

   Maintain a Vulnerability Management Program
     Requirement 5: Use and regularly update anti-virus
     Requirement 6: Develop and maintain secure systems
      and applications
   Implement Strong Access Control Measures
     Requirement 7: Restrict access to cardholder data by
      business need-to-know
     Requirement 8: Assign a unique ID to each person with
      computer access
     Requirement 9: Restrict physical access to cardholder
PCI DSS: Requirement Groups 5 & 6

   Regularly Monitor and Test Networks
     Requirement 10: Track and monitor all access to
      network resources and cardholder data
     Requirement 11: Regularly test security systems and
   Maintain an Information Security Policy
     Requirement 12: Maintain a policy that addresses
      information security
Ethical Hierarchy
Codes of Conduct
   see ACM, IEEE and AITP codes
   place emphasis on responsibility to other people
   have some common themes:
    1.   dignity and worth of other people
    2.   personal integrity and honesty
    3.   responsibility for work
    4.   confidentiality of information
    5.   public safety, health, and welfare
    6.   participation in professional societies to improve standards
         of the profession
    7.   the notion that public knowledge and access to technology
         is equivalent to social power
References
   Computer Administrator Pleads Guilty to Hacking Former Employer's Computer
         System. (30 April). PR Newswire. Retrieved May 27, 2010, from
         ABI/INFORM Dateline. (Document ID: 1693007401).
   O'Connor, M. (2006, December 8). Hacking leads to prison sentence [Chicago
         Final Edition]. Chicago Tribune, p. 2C.5. Retrieved May 27, 2010,
         from Chicago Tribune. (Document ID: 1176460771).
   5-year jail term for Pinoy cyber hacker. (2006, May 15). The Filipino
         Express, p. 1, 35. Retrieved May 27, 2010, from Ethnic NewsWatch
         (ENW). (Document ID: 1060654311).
   Neufeld, D. J. (2010). Understanding Cybercrime. Proceedings of the 43rd
         Hawaii International Conference on System Sciences.