Repercussions of Hacking - University of Wisconsin–Parkside
NETWORK SECURITY
Legal Issues & Risks
Objectives
Reading:
Computer Security: Principles & Practice, W Stallings, L Brown: Chapter 18
The student shall be able to:
Understand the legal consequences of hacking.
Describe the main crimes covered in the Computer Fraud and Abuse Act.
Describe the main crimes covered by the Electronic Communications Privacy Act
Describe how to avoid copyright/trademark infringement, and child pornography handling violations.
Describe the industries covered by Sarbanes-Oxley, FISMA, HIPAA, and Gramm-Leach-Bliley.
Define the basic purpose of PCI DSS and state breach notification law.
Describe the requirements that must be proven in prosecuting hackers, and describe what a company must do to achieve such proof.
Define copyright, patent, trade secret and the differences between these.
Describe how to reduce negligence relating to security in civil law suits.
List the six steps of risk analysis.
Law Enforcement Challenges
Repercussions of Hacking
Recent Cybercrime Cases
Considering cybercrime cases from January 2008 through May 2009:
Type of crime: % of cases
Trespassing (unauthorized access): 40.7%
Identity Theft: 28.3%
Virus dissemination: 12.4%
Stalking: 4.4%
DDoS: 5.3%
Source: “Understanding Cybercrime” by Derrick J. Neufeld
There are many other types of hacking/cybercrimes
that are punishable by state and federal laws.
“Hacking Leads to Prison Sentence”
19-year old illegally accessed web site and
collected credit card numbers from almost 5,000
people.
Prison Sentence: 2 years
Fine: $5,250 for restitution
“5-year Jail term for Pinoy cyber hacker”
Jeanson Ancheta, 20 years old, hijacked around
400,000 computers, including military servers, and
infected them with malicious software.
Prison Sentence: Nearly 5 years
Fine: $15,000 for restitution
“‘Your worst enemy is your own intellectual
arrogance that somehow the world cannot touch you
on this,’ the judge told Ancheta.”
“Houston Computer Administrator Sentenced to Two Years in
Prison for Hacking Former Employer’s Computer Network”
Former employee accessed database, deleting records,
accounting invoice files, software applications and
various backup files.
Prison Sentence: 2 years followed by 3 years
supervision
Fine: $94,222 for restitution
“Computer Hacker Sentenced to 37 months…for scheme to
Steal and Launder Money from Brokerage Accounts”
Aleksey Volynsky hacked into victims’ brokerage
accounts at Charles Schwab, laundered more than
$246,000 and sold about 180 stolen credit card
numbers.
Prison Sentence: 37 months
Fine: $30,000 for restitution
“Michigan Man Gets 30 Months for Conspiracy to Order
Destructive Computer Attacks on Business Competitors”
19-year old Jason Arabo conspired to have friend,
Jasmine Singh, attack websites and online sales
operations of some of Arabo’s business competitors.
Prison Sentence: 30 months
Fine: $504,495 for restitution
Singh was also sentenced to 5 years prison and fined
$35,000 for restitution
“Hacker Sentenced to 20 Years in Massive Data Theft”
Albert Gonzalez, 28, of Miami, pleaded guilty to
conspiring to hack into computer networks supporting
major US retail and financial organizations.
Prison Sentence: 20 years
Fine: $28,000 for restitution
Five other men have also been sentenced as part of Mr.
Gonzalez’s schemes.
Interested in more arrest stories?
Case: Prison / Fines
Former Federal Computer Specialist Sentenced: Prison 5 months; Fines $40,000
Cleveland, Ohio Man Sentenced to Prison for Bank Fraud and Conspiracy: Prison 32 months; Fines $300,748
Former Officer of Internet Company Sentenced in Case of Massive Data Theft: Prison 96 months; Fines N/A
Hacker Sentenced to Prison for Breaking into Lowe's Companies' Computers: Prison 68 months; Fines N/A
Former Employee of Viewsonic Sentenced to One Year for Hacking into Company’s Computer, Destroying Data: Prison 12 months; Fines N/A
Former Hellmann Logistics Computer Programmer Sentenced for Unauthorized Computer Intrusion: Prison 12 months; Fines $80,713
The list goes on and on:
http://www.cybercrime.gov/cccases.html
So, what’s the point of all this?
It’s a serious crime!
You will get caught and you will be punished!
Prison
Fines
Destroyed reputation
Loss of job
Damage to other people’s lives
Legislation
Computer Fraud and Abuse Act (CFAA): 18
U.S.C. Section 1030
Protects the confidentiality, integrity, and availability of data and systems
Prohibited access includes: hacking, viruses, logic bombs, ping floods, other
threats
Violations can result in criminal case and/or civil suit
Criminal Acts:
Unauthorized access of government, nonpublic and protected computer to
commit fraud
Intentional acts causing damage to computers
Trafficking of passwords affecting interstate commerce or government
computers
Threats or extortion related to damage of protected computers
Unauthorized access to national security information
Computer Fraud and Abuse Act (CFAA): 18 U.S.C. Section 1030 (continued)
‘Protected computer’ 1030(e)(2):
Computer used by a financial
institution or the US govt., or
Computer used in interstate or
foreign commerce or
communications or
Computers outside of the US that
affect US interstate commerce
(2001 USA PATRIOT Act)
Damage:
At least $5,000 loss (includes cost
of incident response, lost revenue,
restoration of data/systems)
Medical diagnosis, treatment, or
care for one or more individuals
Physical injury
A threat to public health or
safety
Information relating to justice,
national defense, or national
security
Computer Fraud and Abuse Act (CFAA): 18 U.S.C. Section 1030 (continued)
Unauthorized Access
E.g., Unauthorized access of government, nonpublic
and protected computer to commit fraud
Access without or in excess of authorization
Examples: Trespass or obtaining root access when not
authorized
Guilty: IRS auditor looking at taxpayer documents
other than the case the agent is investigating
Computer Fraud & Abuse Act
Law: Provisions -> Charge
1030(a)(2) Trespass ‘Protected’ Computer: Access computer without or in excess of authorization and obtaining financial information relating to interstate commerce or communication -> Misdemeanor: maximum 1-year sentence
1030(a)(2) in combination with $5000 damage, financial gain, commercial advantage, or criminal purposes -> Felony
1030(a)(3) Trespass Government Computer: Any unauthorized access -> First-time offense: Misdemeanor
1030(a)(4) Fraud: Unauthorized access with intent to defraud -> First-time offense: Felony, maximum $250,000 fine, 5-year jail
1030(a)(4) Trespass (use computer time), no damage -> No offense
1030(a)(5) Malware: Intentional release of worms and viruses, denial of service, intrusion; reckless damage due to unauthorized access -> Felony
1030(a)(5) Damage due to negligence and unauthorized access -> Misdemeanor
Electronic Comm. Privacy Act (ECPA)
Law: Provisions -> Charge
ECPA, 18 USC Section 2511(a), Electronic Eavesdropping (text or speech): Prohibits endeavoring to intercept communication, or to disclose or use information obtained illegally. Example: packet sniffers. Example: monitoring VP’s emails without consent -> Felony; civil suits for actual, statutory & punitive damages
ECPA, 18 USC Section 2511(a), exceptions: Except in cases of self-defense or consent. Employer can protect rights and property. Consent: provide banner, organizational policies, and/or employee handbook. Example: Sys Admin watching hacker’s actions -> No offense
ECPA, 18 USC Section 2701, Stored Communications: Accessing information of any public or private communications provider (i.e. has email server) with unauthorized access (e.g., Sys Admin with cause is ok). Requirement: company policy must define unauthorized access. -> Misdemeanor
Pornography & Homeland Security
Law: Provisions -> Charge
Child Pornography, 18 USC Section 2252/2252A: Prohibits knowing possession of any printed, video, or digital file containing child pornography. Requirement: transported interstate, knowledge of minority, and knowledge of sexually explicit material. (Unopened email ok.) However, must take immediate action to delete when found. -> Felony
Homeland Security Act extensions: With commercial gain, malicious destruction, or in furtherance of a criminal or tortious act -> Felony
Breach Notification Laws
The Oregonian, May 2006
In one of Oregon’s largest security breaches, Providence
Health System disclosed that a burglar stole unencrypted
medical records on 365,000 patients kept on disks and
tapes left overnight in an employee’s van
State laws, called Breach Notification Laws, require covered entities (CEs) to notify patients when their protected health information (PHI) has been breached.
If the data is encrypted and the laptop is lost, notification is not required.
This often applies to any industry that uses personal information, such as Social Security Numbers.
Intellectual Property
Trade Secret: Proprietary secret, e.g. recipe, customer DB
Copyright
protects tangible or fixed expression of an idea but
not the idea itself
is automatically assigned when created
may need to be registered in some countries
exists when:
proposed work is original
creator has put original idea in concrete form
e.g. literary works, musical works, dramatic works,
pantomimes and choreographic works, pictorial, graphic,
and sculptural works, motion pictures and other audiovisual
works, sound recordings, architectural works, software-related works.
Copyright Rights
copyright owner has these exclusive rights, protected
against infringement:
reproduction right
modification right
distribution right
public-performance right
public-display right
Patents
grant a property right to the inventor
to exclude others from making, using, offering for sale, or
selling the invention
types:
utility - any new and useful process, machine, article of
manufacture, or composition of matter
design - new, original, and ornamental design for an article of
manufacture
plant - discovers and asexually reproduces any distinct and
new variety of plant
e.g. RSA public-key cryptosystem patent
Trademarks
a word, name, symbol, or device
used in trade with goods
indicate source of goods
to distinguish them from goods of others
trademark rights may be used to:
prevent others from using a confusingly similar mark
but not to prevent others from making the same goods or
from selling the same goods or services under a clearly
different mark
Copyright vs. Patent
Copyright: Protect expression of an
implementation of an idea
Copyright protects result of art, literature,
written scholarship
Creative work: Story, photograph,
music, drawing
“original works of authorship fixed in any
tangible medium of expression,… from
which they can be perceived,
reproduced, or otherwise
communicated, either directly or with
the aid of a machine or device” – U.S.
copyright law
Protects an individual’s right to make a
living
Allows author the exclusive right to sell
copies of the expression
Patent: Patent protects results of science,
technology, engineering
Excludes: laws of nature and mental
processes: 1+1=2
Protects the device or process for carrying
out an idea
Patent goes to the person who first invented
the idea – not the first patent applicant
Patent infringement applies even if idea is
produced independently
Cannot promote an obvious use: cardboard
as a book mark
Owner of patent is author, unless
employee’s job duties included inventing
the product.
Copyright vs Patent: Software
Copyrights:
Copyright covers lines of
code but not the algorithm
Copying code is prohibited,
but re-implementing the
algorithm is permitted
Condition: The work must
be published/distributed.
Patents:
Patents accepted if
software algorithm + novel
process
E.g.: No Patent: Conversion
from decimal to binary
E.g.: Patentable: Calculate
the time to cure rubber
seals
Copyright vs. Patent - Infringement
Copyright: U.S. No Electronic Theft Act,
1997: Criminal offense to reproduce
or distribute copyright works (even
without charge): software/digital
recordings
Copyright may choose to pursue only
sufficiently large court cases
The copyright law: When you buy a
CD, you are buying the right to use the
CD.
Use: Play it, lend it, give it or sell it
(single copy).
This is not true for a ‘license’ which
can be specified as a lease
agreement
Lasts for 70 years beyond author’s
death or 95 years after date of
publication for company/organization
Patent: Patent holder must oppose all
infringement
Patent infringement defense can
include any of the following:
No infringement: Ideas are
sufficiently different
Patent is invalid: Prior infringement
was not opposed
Invention is not novel: Idea is not
worthy of patent
Infringer invented object first:
Infringer should be patent-holder
Copyright: Who is Author?
Author is the owner of the work except when ‘work for hire’:
The employer has a supervisory relationship and oversees the work
performed
The employer can fire the employee
The employer arranges for work to be done before the work was
created (e.g. not a sale)
A written contract states that the employee was hired to do certain work
Employment contracts often define:
Employer claims rights to developed software including copyright and
right to market
Employer claims right to all inventions and copyrights, not just those that
follow from employment.
Discussion: Who owns rights?
A contractor develops software for a company.
-> The company unless contract says otherwise
A contractor works for a company and develops software in her spare time but using the company’s computers and library – re patent, copyright
-> Depends on contract
A contractor works for a company and develops software in his spare time on his own computers – re patent, copyright
-> Depends on contract
Trade Secret
Trade Secret: Information that gives a company a competitive
edge over others.
Examples: Customer list, recipes.
A trade secret must always be kept secret
If a trade secret is improperly obtained and profited from, the
owner can recover profits, damages, lost revenues and legal
costs
If someone discovers a trade secret independently, rights of
trade secret evaporate
Reverse engineering: Studying output or decoding object code
Intellectual Property Law
Law: Provisions -> Charge
Economic Espionage Act, 18 USC Sections 1831-39: Stealing/obtaining proprietary trade secrets with the knowledge or intent that the owner of the secret would suffer injury. Additional requirements include: unauthorized access, relates to interstate commerce. Applicable to insiders and outsiders. Civil cases are filed under state trade-secret law. -> Fine and/or imprisonment
Criminal Infringement of Copyright, 18 USC Sections 2319-20: Copyright infringement: intentional electronic reproduction of copyrighted works with a value exceeding $2500. Criminal trademark infringement: using/selling pirated copies of software or music with a counterfeited mark. -> Fine and/or imprisonment
Contraband stored by a hacker or internal user, against company policies, and company reacts quickly after offending material is discovered -> No fault
Industry-specific legislation
Law: Provisions -> Charge
Gramm-Leach-Bliley Safeguards, Banking/Financial Industry: Restrictions for banking/financial industry with aim (in general) to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue.” -> Felony
Health Insurance Portability and Accountability Act (HIPAA), Personal Health: Protection of personal health information, including appropriate administrative, technical and physical safeguards. (Perform risk assessment and adopt security measures commensurate with potential risk.) -> Felony
Sarbanes-Oxley 404, Fraud: Annual audit must state responsibility of mgmt for establishing/maintaining adequate internal control structure and assess the internal control structure. -> Felony, jail
Federal Information Security Mgmt. Act (FISMA), Federal Information CIA: Protection of information via inventory, risk assessment, and security plan, controls, certification and monitoring.
Due Diligence
Due Diligence = Did careful risk assessment
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken
Senior Mgmt Support
Security Evaluation: Risk Assessment
Five Steps include:
1. Assign Values to Assets: Where are the Crown Jewels? Confidentiality, Integrity, Availability
2. Determine Loss due to Threats & Vulnerabilities: Loss = Downtime + Recovery + Liability + Replacement
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Survey & Select New Controls (Treat Risk): Reduce, Transfer, Avoid or Accept Risk
Risk Leverage = ((Risk exposure before reduction) – (risk exposure after reduction)) / (cost of risk reduction)
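A worked run of the five steps, as an added example that is not part of the lecture notes: the asset, its loss figures, the likelihood categories and the candidate controls are all constructed. It assumes the slide's ProbabilityOfVulnerability can be read as an expected number of exploitations per year, so the "weekly, monthly, 1 year, 10 years" prompt becomes a rate, and the decision rule in `treatment` (reduce the risk when a dollar of control buys more than a dollar of exposure, otherwise accept or transfer it) is likewise an assumption rather than something the slides state.

```python
"""Risk assessment walk-through (added illustration, not from the slides).

Steps: value assets, quantify loss, estimate likelihood, compute exposure,
then choose controls by risk leverage. All figures below are constructed.
"""
from dataclasses import dataclass

# Step 3: likelihood of exploitation as expected events per year.
# Assumption: "weekly / monthly / 1 year / 10 years" map to these rates.
EVENTS_PER_YEAR = {"weekly": 52.0, "monthly": 12.0, "yearly": 1.0, "decade": 0.1}


@dataclass
class Asset:
    """Step 1: a valued asset; the loss components feed step 2."""
    name: str
    downtime: float      # cost of unavailability while the asset is down
    recovery: float      # incident response and restoration cost
    liability: float     # breach notification, lawsuits, fines
    replacement: float   # rebuilding or repurchasing the asset
    likelihood: str      # key into EVENTS_PER_YEAR

    def loss(self) -> float:
        """Step 2: Loss = Downtime + Recovery + Liability + Replacement."""
        return self.downtime + self.recovery + self.liability + self.replacement

    def risk_exposure(self) -> float:
        """Step 4: Risk Exposure = likelihood * $Loss, annualised here."""
        return EVENTS_PER_YEAR[self.likelihood] * self.loss()


@dataclass
class Control:
    """A candidate safeguard considered in step 5."""
    name: str
    cost: float                  # annual cost of running the control
    new_likelihood: str          # likelihood once the control is in place
    loss_reduction: float = 0.0  # fraction of the loss the control removes (0..1)


def exposure_after(asset: Asset, control: Control) -> float:
    """Exposure once the control lowers the likelihood and/or trims the loss."""
    rate = EVENTS_PER_YEAR[control.new_likelihood]
    return rate * asset.loss() * (1.0 - control.loss_reduction)


def risk_leverage(asset: Asset, control: Control) -> float:
    """Risk Leverage = (exposure before - exposure after) / cost of reduction."""
    return (asset.risk_exposure() - exposure_after(asset, control)) / control.cost


def treatment(asset: Asset, control: Control) -> str:
    """Step 5 decision rule (assumption): reduce when leverage > 1, else accept/transfer."""
    return "reduce" if risk_leverage(asset, control) > 1.0 else "accept/transfer"


def rank_controls(asset: Asset, controls: list) -> list:
    """Controls ordered by leverage, best first, as (name, leverage, treatment)."""
    ranked = [(c.name, risk_leverage(asset, c), treatment(asset, c)) for c in controls]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed sample: the customer database is the "crown jewel".
CUSTOMER_DB = Asset("customer database", downtime=20_000, recovery=15_000,
                    liability=50_000, replacement=5_000, likelihood="yearly")

CANDIDATE_CONTROLS = [
    Control("patch management", cost=10_000, new_likelihood="decade"),
    Control("encrypt DB at rest", cost=30_000, new_likelihood="yearly", loss_reduction=0.5),
    Control("gold-plated HSM cluster", cost=200_000, new_likelihood="decade", loss_reduction=0.9),
]

if __name__ == "__main__":
    print(f"{CUSTOMER_DB.name}: loss ${CUSTOMER_DB.loss():,.0f}, "
          f"exposure ${CUSTOMER_DB.risk_exposure():,.0f}/year")
    for name, leverage, action in rank_controls(CUSTOMER_DB, CANDIDATE_CONTROLS):
        print(f"  {name:24s} leverage {leverage:5.2f} -> {action}")
```

Running it ranks patch management first (each dollar removes about $8 of exposure), encryption at rest second, and shows that the expensive HSM cluster removes less exposure than it costs, which is the kind of case the slide's "accept or transfer" options are for.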
US Privacy Law
Affects federal agencies
have Privacy Act of 1974 which:
permits individuals to determine records kept
permits individuals to forbid records being used for
other purposes
permits individuals to obtain access to records
ensures agencies properly collect, maintain, and use
personal info
creates a private right of action for individuals
also have a range of other privacy laws
What would happen if…?
Who would have the strongest case in the following situations: the defense or the prosecution? What law(s), if any, would be violated? What would the defense be liable for, worst case? (misdemeanor, felony, or no criminal offense). (Note: Wisconsin may have specific laws that are not documented in these notes.)
A student in a security audit of an external company accesses records outside the scope of the audit?
-> Misdemeanor unless combined with financial loss, 1030(a)(2)
A student in a security audit of an external company modifies data to demonstrate vulnerability within the scope of the audit?
-> Felony if losses are in excess of $5000 (a)(2) or fraud is proven (a)(4)
What would happen if…?
An employee of Ace Hardware looks at another employee’s medical records
and does not modify them?
-> Misdemeanor: 1030(a)(2). HIPAA violation
and does modify them?
and does not modify them, but works for the city of Kenosha?
-> Felony: Possible fraud, damage. HIPAA violation
A hacker logs onto your computer without your knowledge
and changes nothing?
-> 1030(a)(4) no offense; 1030(a)(2) trespass: misdemeanor
and copies files?
-> Copyright infringement; Felony: intent to defraud 1030(a)(4); Civil case: Economic Espionage Act 1831 (trade secrets)
and runs programs which slow down your response time tremendously?
-> Felony: $5000 damage or criminal purpose 1030(a)(2) or (a)(5)
What would happen if…?
An ex-employee logs onto SC Johnson’s computers
and retrieves financial files?
-> Economic Espionage Act 18 USC 1831-39, proprietary secrets -> Civil case
-> 1030(a)(2) Misdemeanor, or Felony if >$5000 damage
-> 1030(a)(4) Intent to Defraud – Felony
-> Breach Notification if personal information divulged
and inadvertently changes non-financial, non-medical files?
-> Homeland Security Act Extension – Felony
-> 1030(a)(2) >$5000 damage
-> 1030(a)(5) reckless damage
-> Breach Notification
An employee sends a damaging virus to his old place of employment
intentionally?
-> If proven: 1030(a)(5) - felony
unintentionally?
-> 1030(a)(5) if unauthorized - misdemeanor
You receive child pornography by email and you don’t open or delete it (but still on disk)
With email names such as “Exposing Tender Young Things”
-> 18 USC 2252/2252A Felony – Must delete file
With email names such as “Hi”
-> 18 USC 2252/2252A intention not shown -> No offense
Payment Card Industry Data Security Standard
PCI DSS:
Developed by payment card companies (Visa, Mastercard, etc.) to protect consumers’ personal information
Six main groups of requirements:
Maintain an Information Security Policy
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Companies that handle any payment card information must
adhere to these requirements or risk losing the ability to accept
credit/debit card payments, fines and liability if data is
compromised.
PCI DSS: Requirement Groups 1 & 2
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
PCI DSS: Requirement Groups 3 & 4
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
PCI DSS: Requirement Groups 5 & 6
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Ethical Hierarchy
Codes of Conduct
see ACM, IEEE and AITP codes
place emphasis on responsibility to other people
have some common themes:
1. dignity and worth of other people
2. personal integrity and honesty
3. responsibility for work
4. confidentiality of information
5. public safety, health, and welfare
6. participation in professional societies to improve standards of the profession
7. the notion that public knowledge and access to technology is equivalent to social power
References
Computer Administrator Pleads Guilty to Hacking Former Employer's Computer System. (30 April). PR Newswire. Retrieved May 27, 2010, from ABI/INFORM Dateline. (Document ID: 1693007401).
Matt O'Connor, Tribune staff reporter. (2006, December 8). Hacking leads to prison sentence [Chicago Final Edition]. Chicago Tribune, p. 2C.5. Retrieved May 27, 2010, from Chicago Tribune. (Document ID: 1176460771).
5-year jail term for Pinoy cyber hacker. (2006, May 15). The Filipino Express, p. 1,35. Retrieved May 27, 2010, from Ethnic NewsWatch (ENW). (Document ID: 1060654311).
Neufeld, D. J. (2010). Understanding Cybercrime. Proceedings of the 43rd Hawaii International Conference on System Sciences.
Cybercrime.gov: http://www.cybercrime.gov/cccases.html