Access Control 1 11/30/09.


1 Access Control 1 11/30/09

2 Access Control
Two parts to access control
Authentication: Who goes there?
  Determine whether access is allowed
  Authenticate human to machine
  Authenticate machine to machine
Authorization: Are you allowed to do that?
  Once you have access, what can you do?
  Enforces limits on actions
Note: Access control often used as synonym for authorization

3 Authentication
Strong passwords
Kerberos
CHAP
Digital Certificates

4 Who Goes There?
How to authenticate a human to a machine?
Can be based on…
  Something you know: for example, a password
  Something you have: for example, a smartcard
  Something you are: for example, your fingerprint

5 2-Factor Authentication
Requires 2 out of 3 of
  Something you know
  Something you have
  Something you are
Examples
  ATM: Card and PIN
  Credit card: Card and signature
  Password generator: Device and PIN
  Smartcard with password/PIN

6 Something You Know
Passwords
Lots of things act as passwords!
  PIN
  Social security number
  Mother’s maiden name
  Date of birth
  Name of your pet, etc.

7 Trouble with Passwords
“Passwords are one of the biggest practical problems facing security engineers today.”
“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed.)”

8 Why Passwords?
Why is “something you know” more popular than “something you have” and “something you are”?
Cost: passwords are free
Convenience: easier for the SA (system administrator) to reset a password than to issue the user a new thumb

9 Good and Bad Passwords
Bad passwords
  frank
  Fido
  4444
  Pikachu
  102560
  AustinStamp
Good passwords?
  jfIej,43j-EmmL+y
  P0kem0N
  FSa7Yago
  0nceuP0nAt1m8
  PokeGCTall150

10 Strong Passwords
Minimum 6 to 8 characters in password
At least one letter and one digit
Case sensitive
Avoid well-known substitutions
  0 for letter ‘O’
  2 for ‘to’
  4 for ‘for’
  5 for ‘S’
Set expiration date for password
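The checks on slides 9 and 10 can be turned into a policy filter. The following is an added example, not code from the slide deck: it enforces the length, letter-plus-digit and mixed-case rules and, for the “avoid well-known substitutions” rule, undoes the substitutions before looking for dictionary words, so that a disguised word such as P0kem0N is still caught. The substitution table extends the slide’s four entries with a few further common ones, and the word list is a small constructed stand-in for a real dictionary file.

```python
import re

# Substitutions mapped back to what they stand for. 0, 2, 4 and 5 are the
# slide's examples; 1, 3, @ and $ are added here as further common ones.
SUBSTITUTIONS = {"0": "o", "2": "to", "4": "for", "5": "s",
                 "1": "i", "3": "e", "@": "a", "$": "s"}

# Constructed stand-in for a real dictionary / common-password file.
WORDLIST = {"frank", "fido", "pikachu", "pokemon", "password",
            "austin", "stamp", "once", "upon", "time"}


def undo_substitutions(pw):
    """Lower-case the password and reverse the well-known substitutions."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in pw.lower())


def dictionary_hits(pw, wordlist=WORDLIST, min_word_len=4):
    """Dictionary words hiding in the password once substitutions are undone."""
    plain = undo_substitutions(pw)
    return sorted(w for w in wordlist if len(w) >= min_word_len and w in plain)


def check_password(pw, min_len=8):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if pw == pw.lower() or pw == pw.upper():
        # Reading the slide's "case sensitive" as a mixed-case requirement.
        problems.append("no mixed case")
    for word in dictionary_hits(pw):
        problems.append(f"contains dictionary word '{word}' once substitutions are undone")
    return problems


if __name__ == "__main__":
    for candidate in ["frank", "P0kem0N", "jfIej,43j-EmmL+y", "0nceuP0nAt1m8"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Run against the slide’s own lists, the “bad” passwords fail several rules, P0kem0N and 0nceuP0nAt1m8 are rejected only because the substitution reversal exposes pokemon, once and upon, and jfIej,43j-EmmL+y passes every check.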

11 Kerberos
Developed at MIT in 1983
Meant for internal networks
Passwords are sent in cleartext
Developed for authenticating users in a single or multi-server environment
Current version # is 5
Freeware (http://web.mit.edu/is/help/kerberos)
Sets up a key for every specified service for the authenticated user

12 Kerberos
How does authentication work?
User logs in with userid and password
User wants access to use a service (e.g. FTP)
Request goes to an Authentication Server (AS) in encrypted form using the password of the user
AS verifies the user using the password associated with the userid
AS sends two data items back to the user. One of the data items is encrypted with the user’s password; it is called the Ticket. The other data item is encrypted with the requested service’s master key and is called the Session key.

13 Kerberos
The user decrypts the ticket with their password to verify that the response came from AS.
Then the user creates an authenticator using their userid and timestamp.
Finally, the user encrypts the authenticator with the session key and sends it to the service.
The service decrypts the information with its master key and identifies the authenticator.
Then the user is allowed to use the service.

14 Kerberos – Single service diagram
[Diagram: User, Key Distribution Center with Authentication Server (AS), Service; messages numbered 1 to 4]

15 Kerberos
The previous description is suited for a single-server single-service environment.
For a multi-server multi-service environment a different authentication process is used.
Upon initial login, the user is automatically authenticated and a Ticket-Granting Ticket (TGT) is created.
The user sends the TGT for any service needed to the Ticket Granting Server (TGS) and obtains the necessary key to access the service.

16 Kerberos
Assumptions made by Kerberos systems:
User has the correct password
  Does not prevent dictionary attack to guess password
Assumes physical security of all devices on the network
  Does not prevent denial of service attacks
All authenticating devices must have their clocks synchronized in order for time stamps to match
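The single-service exchange on slides 12 and 13 and the clock-synchronization assumption on slide 16 can be walked through in code. This is an added simulation, not code from the slide deck or from MIT Kerberos: it follows the standard Kerberos layout, in which the ticket is sealed under the service’s master key and carries the session key, while the session key is returned to the user under a key derived from the password (the slides describe the two items the other way round). The cipher is a toy authenticated-encryption construction (SHA-256 keystream plus HMAC) standing in for Kerberos’s real encryption types, the password-to-key derivation is a plain hash rather than Kerberos’s salted string-to-key, and the user, password and service names are constructed.

```python
import hashlib
import hmac
import json
import os


# --- toy authenticated encryption (assumption: stands in for Kerberos's real cipher suites) ---
def keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key, payload):
    """Encrypt-then-MAC a JSON payload; the MAC lets a receiver detect a wrong key or tampering."""
    data = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))


def key_from_password(password):
    # Assumption: a plain hash; real Kerberos uses a salted string-to-key function.
    return hashlib.sha256(password.encode()).digest()


class AuthServer:
    """The AS inside the KDC: knows every user key and every service master key."""
    def __init__(self, user_keys, service_keys, lifetime=8 * 3600):
        self.user_keys, self.service_keys, self.lifetime = user_keys, service_keys, lifetime

    def request(self, userid, service, now):
        session_key = os.urandom(32).hex()
        # Ticket: sealed under the service's master key, so only that service can read it.
        ticket = seal(self.service_keys[service],
                      {"user": userid, "session_key": session_key, "expires": now + self.lifetime})
        # Reply to the user: sealed under the user's password-derived key.
        return seal(self.user_keys[userid],
                    {"service": service, "session_key": session_key, "ticket": ticket.hex()})


class Service:
    def __init__(self, master_key, max_skew=300):
        self.master_key, self.max_skew, self.seen = master_key, max_skew, set()

    def accept(self, ticket, authenticator, now):
        t = unseal(self.master_key, ticket)
        if now > t["expires"]:
            raise ValueError("ticket expired")
        # Opening the authenticator proves the client knew the session key from the ticket.
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if a["user"] != t["user"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["timestamp"]) > self.max_skew:
            raise ValueError("clock skew too large")       # why clocks must be synchronized
        if (a["user"], a["timestamp"]) in self.seen:
            raise ValueError("replayed authenticator")      # replay cache keyed on the timestamp
        self.seen.add((a["user"], a["timestamp"]))
        return t["user"]


def client_login(kdc, userid, password, service, now):
    """User side: decrypt the AS reply with the password, then build the authenticator."""
    reply = unseal(key_from_password(password), kdc.request(userid, service, now))
    authenticator = seal(bytes.fromhex(reply["session_key"]), {"user": userid, "timestamp": now})
    return bytes.fromhex(reply["ticket"]), authenticator


def attempt(fn):
    try:
        return fn()
    except ValueError as e:
        return "rejected: " + str(e)


def demo(now=1_700_000_000):
    """Constructed scenario: one user, one FTP service, one success and three failure modes."""
    users = {"alice": key_from_password("correct horse")}
    services = {"ftp": os.urandom(32)}
    kdc, ftp = AuthServer(users, services), Service(services["ftp"])
    ticket, auth = client_login(kdc, "alice", "correct horse", "ftp", now)
    out = {"login": ftp.accept(ticket, auth, now)}
    out["replay"] = attempt(lambda: ftp.accept(ticket, auth, now + 1))
    out["wrong_password"] = attempt(lambda: client_login(kdc, "alice", "wrong", "ftp", now))
    skewed_ticket, skewed_auth = client_login(kdc, "alice", "correct horse", "ftp", now + 600)
    out["clock_skew"] = attempt(lambda: ftp.accept(skewed_ticket, skewed_auth, now))
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the AS never checks the password itself: a user with the wrong password simply cannot open the reply, which is the “decrypt to verify the response came from AS” step on slide 13. The service’s skew window and replay cache are what the timestamp in the authenticator buys, and why slide 16 lists clock synchronization as a precondition.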

17 Challenge Handshake Authentication Protocol
CHAP is a point-to-point protocol
Used where hosts are connected to routers using switched circuits or dial-up lines
Host asks the AS permission to use CHAP
AS responds with permission to use CHAP
AS sends a challenge message to host

18 Challenge Handshake Authentication Protocol
Host selects a one-way hash function and hashes the message from AS.
The hashed value is sent to AS.
AS calculates the same hash value using the same hash function.
If the values match then the connection is maintained, otherwise the connection is terminated.
Under CHAP, AS periodically sends challenge sequences to verify the authenticity of the host
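The handshake on slides 17 and 18, written out with both sides’ messages, as an added example that is not part of the slide deck. The response is computed as RFC 1994 defines it (MD5 over the packet identifier, the shared secret and the challenge); the host names and secrets are constructed. The point to see is that the secret never crosses the link, that each challenge is fresh so a captured response is useless later, and that the periodic re-challenge is just the same exchange repeated.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 response: MD5 over the packet identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The AS side: issues challenges and checks responses; the secrets never leave it."""
    def __init__(self, secrets):
        self.secrets = secrets      # host name -> shared secret (constructed sample data)
        self.ident = 0
        self.pending = {}           # host -> (ident, challenge) awaiting a response

    def challenge(self, host):
        self.ident = (self.ident + 1) % 256
        chal = os.urandom(16)       # fresh random challenge every time
        self.pending[host] = (self.ident, chal)
        return self.ident, chal

    def verify(self, host, ident, response):
        expected_ident, chal = self.pending.pop(host, (None, None))
        if chal is None or ident != expected_ident or host not in self.secrets:
            return False            # no outstanding challenge for this host (e.g. a replayed response)
        expected = chap_response(ident, self.secrets[host], chal)
        return hmac.compare_digest(expected, response)


def host_respond(ident, challenge, secret):
    """The host side: hash the challenge with its own copy of the secret."""
    return ident, chap_response(ident, secret, challenge)


def run_session(auth, host, host_secret, rounds=3):
    """Initial authentication followed by periodic re-challenges; one verdict per round.
    A False verdict is the point at which the AS would terminate the connection."""
    verdicts = []
    for _ in range(rounds):
        ident, chal = auth.challenge(host)
        verdicts.append(auth.verify(host, *host_respond(ident, chal, host_secret)))
    return verdicts


if __name__ == "__main__":
    auth = Authenticator({"host1": b"s3cret"})
    print("correct secret:", run_session(auth, "host1", b"s3cret"))
    print("wrong secret:  ", run_session(auth, "host1", b"wrong"))
```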

19 Digital Certificates
Issued by trusted third parties known as Certificate Authorities (CAs)
Verisign is a trusted third party
Used to authenticate an individual or an organization
Digital Certificates are usually given for a period of one year
They can be revoked
They are issued at various security levels. The higher the security level, the more thoroughly the CA verifies the identity of the certificate seeker.

20 Digital Certificates
Digital Certificates can be issued by anyone as long as there are people willing to believe them
Major CAs are:
  Verisign
  GeoTrust
  BeTrusted
  Thawte

21 Digital Certificates
Digital Certificates are part of the authentication mechanism. The other part is the Digital Signature.
When a user uses the digital signature, the user starts with their private key, encrypts the message and sends it. The receiver uses the sender’s public key and decrypts the message.
In traditional encryption, the sender uses the public key of the receiver to encrypt the message and sends it, and the receiver decrypts the message with their private key.

22 Digital Certificates
Additional authentication means used by CAs are:
  Security token
  Passive token
  Active token
  One time password

23 Digital Certificates
A security token is usually a hardware device such as a Smart Card
If the security token is a software token, it is usually associated with a particular workstation
Security tokens use two-factor authentication using a password and a device (or an appropriate hardware identifier)

24 Digital Certificates
A passive token is a storage device that holds multiple keys. The appropriate key is transmitted by whatever transmission device is in use.
Inexpensive to manufacture
Sometimes an extra PIN is required to use the passive token
Examples:
  Garage door opener
  ATM card

25 Digital Certificates
An active token does not transmit any data, unlike a passive token
Active tokens create another form of the base key (such as a one-time password) or an encrypted form of the base key
Smart cards are commonly used for active tokens

26 Digital Certificates
A one-time password is valid for a limited time and for a single use
Generated using a counter-based token or a clock-based token
A counter-based token is an active token that generates a one-time password based on a counter in the server and the secret key of the user
A clock-based token is an active token that generates one-time passwords based on the server clock
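Both token types on slide 26 are standardized: the counter-based one as HOTP (RFC 4226) and the clock-based one as TOTP (RFC 6238), which is HOTP with the counter replaced by the current 30-second time step. The code below is an added example, not part of the slide deck; it implements both generators and the server-side validators that make a code single-use, with a look-ahead window for a counter-based token whose button was pressed without logging in and a skew window for a clock-based token whose clock has drifted. The 20-byte secret used in the usage section is the RFC test secret, not a key anyone should deploy.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 counter-based one-time password: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 clock-based one-time password: HOTP keyed on the time step."""
    return hotp(secret, int(at_time // step), digits)


class CounterValidator:
    """Server side for a counter-based token: the server keeps its own copy of the counter."""
    def __init__(self, secret, look_ahead=5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        # Allow the token to be a few presses ahead of the server, then resynchronize.
        # Counters at or below the stored value are never accepted again (single use).
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


class ClockValidator:
    """Server side for a clock-based token: tolerates one step of drift, blocks reuse."""
    def __init__(self, secret, step=30, skew_steps=1):
        self.secret, self.step, self.skew_steps, self.last_step = secret, step, skew_steps, -1

    def verify(self, code, now):
        base = int(now // self.step)
        for s in range(base - self.skew_steps, base + self.skew_steps + 1):
            if s <= self.last_step:
                continue            # that step's code has already been consumed
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"       # RFC 4226 / 6238 test secret, not a real key
    print("HOTP counter 0:", hotp(secret, 0))
    print("TOTP at t=59:  ", totp(secret, 59))
    server = CounterValidator(secret)
    print("first use:", server.verify(hotp(secret, 0)), "reuse:", server.verify(hotp(secret, 0)))
```

The two validators show why the slide ties the counter-based token to “a counter in the server”: the server must remember where the token is, and it resynchronizes by accepting a code slightly ahead of its own counter, whereas the clock-based token only needs the two clocks to agree within the skew window.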

27 Authentication vs Authorization
Authentication: Who goes there?
  Restrictions on who (or what) can access the system
Authorization: Are you allowed to do that?
  Restrictions on actions of authenticated users
Authorization is a form of access control
Authorization enforced by
  Access Control Lists
  Capabilities

28 CAPTCHA
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
  Automated: test is generated and scored by a computer program
  Public: program and data are public
  Turing test to tell…: humans can pass the test, but machines cannot pass the test
Like an inverse Turing test (sort of…)

29 CAPTCHA Paradox
“…CAPTCHA is a program that can generate and grade tests that it itself cannot pass…”
“…much like some professors…”
Paradox: computer creates and scores a test that it cannot pass!
CAPTCHA used to restrict access to resources to humans (no computers)
CAPTCHA useful for access control

30 CAPTCHA Uses?
Original motivation: automated “bots” stuffed the ballot box in a vote for best CS school
Free services: spammers used bots to sign up for 1000’s of accounts
  CAPTCHA employed so only humans can get accounts
Sites that do not want to be automatically indexed by search engines
  HTML tag only says “please do not index me”
  CAPTCHA would force human intervention

31 Do CAPTCHAs Exist?
Test: Find 2 words in the following
[CAPTCHA image not included in the transcript]
Easy for most humans
Difficult for computers (OCR problem)

32 CAPTCHAs and AI
Computer recognition of distorted text is a challenging AI problem
  But humans can solve this problem
Same is true of distorted sound
  Humans also good at solving this
Hackers who break such a CAPTCHA have solved a hard AI problem
  Putting hackers’ effort to good use!
May be other ways to defeat CAPTCHAs…

33 What is Ethics?
Study of what it means to "do the right thing"
View ethical rules as fundamental & universal, made up to provide a framework to interact with other people
Behaving ethically is often practical
Needs courage sometimes ...

34 Ethics vs. CyberEthics
Ethics:
  Set of principles or framework that you create to tell you what is right and what is wrong
  How you behave
  It defines who you are
CyberEthics:
  Application of ethics as related to computers and the Internet
  Includes responsible use of technology

35 Driving Without a License
Can compare to a car
  Can learn mechanics of driving a car
  Without laws/rules that govern that tool, results can be devastating
    Accidents
    Hurt someone
Using the Internet without a framework of responsible use can be just as devastating.

36 Real World vs. Virtual World
Rules that apply to you in the real world apply to you in the virtual world or cyberspace.
  Stealing
  Giving out personal information
  Copying someone else’s information
  Reading someone else’s mail
  Trashing someone’s personal property
Are these things okay to do in the Real World? Then why would it be okay to do it in the virtual world?

37 Intellectual Property Rights
Intellectual property (IP): creations of the mind, such as inventions, literary and artistic works, and symbols, names, images, and designs used in commerce

38 Intellectual Property Rights (cont.)
Copyright: an exclusive grant from the government that allows the owner to reproduce a work, in whole or in part, and to distribute, perform, or display it to the public in any form or manner, including the Internet
Digital watermarks: unique identifiers embedded in digital content that make it possible to identify pirated works

39 Copyright Infringement
Enormous Potential for Abuse and Legal Action
“Who Will Ever Know…”
“Copyright Police” & Digital Tracking
  Watermarks
  Digital Download Trace
  Web Bots & Search Spiders
21 BILLION copyrighted pages, songs, photos, gif’s, and videos on the www.
New CRIMINAL, not CIVIL, penalties carry FELONY convictions.
Ten copies of any copyrighted work, distributed for use, can result in a $100,000 fine and five years in prison.
Consider 1.5 MILLION downloads on KaZaA every day.

40 Copyright
Copying and/or selling things that do not belong to you
  Movies - motion picture
  Music CDs - sound recording
  Books - written text
  Artwork - graphic images, sculpture
  Architecture
  Computer programs - source code
After January 1, 1978, you don’t need to copyright property

41 Copyrights
Anything that you produce is copyrighted.
This includes written work, images, and audio.
You own the rights to its reproduction, display, distribution, and adaptation to derivative works.
Works before 1989 carry a copyright notice; works after 1989 do not.
Official copyrighting gives you legal clout.

42 Intellectual Property
Pirated software: the unauthorized use, duplication, distribution or sale of copyrighted software.
Counterfeit software: software that is manufactured to look like the real thing and sold as such.

43 WHY INTELLECTUAL PROPERTY IS A SPECIAL ETHICAL ISSUE WHEN APPLIED TO SOFTWARE
Easy to reproduce and distribute
Tied to computer hardware
Made possible a huge acceleration in the rate of innovation
Can be used by several people at the same time

44 Copyright and Patent Protection Promoting Technical Progress
Three theories:
  The opportunity for profit from licensing software may be an incentive that entices good researchers to work on new software
  Provides a way for researchers to openly publish their results (which would encourage future research based on their discoveries) while still making a profit from their works
  Places society's resources in the hands of those most likely to use it for making future technological contributions

45 Plagiarism
Copying other people’s words and calling them your own
Turning in someone else’s homework
Copying off the internet and pasting it into your work without giving credit to the source

46 MP3, Napster, and Intellectual Property Rights
The Problem
  MP3.com enabled users to listen to music from any computer with an Internet connection without paying royalties
  Napster supported the free distribution of music and other digitized content among millions utilizing peer-to-peer (P2P) technology
  These services could not be ignored because they could result in the destruction of millions of jobs and revenue

47 MP3, Napster, and Intellectual Property Rights (cont.)
The Solution
  Emusic.com filed a copyright infringement lawsuit against MP3.com
  Copyright laws and copyright cases have been in existence for years but:
    Were not written for digital content
    Financial gain loophole was not closed

48 Internet Copyright Myths
Myths:
  No © Symbol Means No Copyright Exists
  Material On the Net Is Automatically OK to Copy
  It’s Free Advertising and Distribution for the Author
  Attribution Makes Using the Material Legal
  Copyrighted Material on a Free Website Is OK to Use
  Material On the Web is Public Domain
  I’m a teacher/student…Fair Use Protects Me
Facts:
  The Hague Accords (1998) give copyright protection the instant material is created and saved in any retrievable format. A © symbol is not required.
  Attribution or author credit provides NO protection from copyright rules. Failing to include author or publisher metadata may yield additional penalties.
  Fair Use Doctrine allows limited use of copyrighted material for Research, Scholarship, Criticism, Commentary, News Reporting, or Non-Profit Education.
  Posting a DILBERT cartoon to your school web site is a clear copyright violation…Fair Use will NOT protect you.

49 Copyright Myths
If it doesn’t have a copyright notice, it’s not copyrighted.
If I don’t charge for it, it’s not a violation.
If it’s on the Internet, it’s public domain.
“My posting was just fair use!”
“They e-mailed me a copy, so I can post it.”

50 Fair Use: 4 Criteria
All four criteria must be met to qualify as fair use.
Purpose: Is it for educational, non-profit use?
Nature: Is it a novel, short story, article, song, or movie? Consumables and works which require royalties may not be copied.
Amount: How many copies are being made? Excessive quantities aren’t allowed.
Effect: Is the creator being denied a profit due to copying?

51 Some Laws
The Digital Millennium Copyright Act (1998)
The Napster© Case
Hollywood vs. The DVD Hackers (DeCSS)
Strict Liability Applies
  Statutory Damages of $20,000 Per Case
  $100,000 Per Case for “Willful Infringement”
Fair Use DOES NOT Protect teachers/students

52 Privacy
Privacy: the right to be left alone and the right to be free of unreasonable personal intrusions
Two rules have been followed fairly closely in court decisions:
  The right of privacy is not absolute. Privacy must be balanced against the needs of society
  The public’s right to know is superior to the individual’s right of privacy

53 Privacy / Personal Information
Freedom from being contacted without permission
Infringing on others’ privacy: going where you’re not supposed to go
Giving out any personal information on the Internet
People lured into giving information because of prizes or large amounts of money

54 Web-Site Self-Registration
Registration questionnaires
50% disclose personal information on a Web site for the chance to win a sweepstakes
Uses of the private information collected:
  For planning the business
  May be sold to a third party
  Must not be used in an inappropriate manner

55 Cookies
Cookie: a small piece of data that is passed back and forth between a Web site and an end user’s browser as the user navigates the site; enables sites to keep track of users’ activities without asking for identification
Cookies can be used to invade an individual’s privacy
Personal information collected via cookies has the potential to be used in illegal and unethical ways

56 Protection of Privacy
Notice/awareness
Choice/consent
Access/participation
Integrity/security
Enforcement/redress
Supported in the U.S. by the Federal Internet Privacy Protection Act
Supported in the European Union by the EU Data Protection Directive

57 Spam
Spamming: the practice of indiscriminately broadcasting messages over the Internet (e.g., junk mail)
Spam comprised 25 to 50% of all e-mail
Slows the internet in general; sometimes shuts ISPs down completely
Electronic Mailbox Protection Act
  ISPs are required to offer spam-blocking software
  Recipients of spam have the right to request termination of future spam from the same sender and to bring civil action if necessary

58 Privacy
E-mail is completely insecure.
Each e-mail you send results in at least 3 or 4 copies being stored on different computers.
You can take measures to protect your e-mail.

59 Privacy and Ethics
Information privacy
Information privacy laws
  Federal Privacy Act of 1974
  Electronic Communications Privacy Act of 1986
  Communications Act of 1996
  HIPAA of 1996
  Computer Security Act of 1987
  Gramm–Leach–Bliley Act of 1999
  USA PATRIOT Act of 2001
  Sarbanes–Oxley Act of 2002
Ethical aspects of information handling

60 Information Privacy
Privacy refers to personally identifiable information about an individual or an organization
Privacy does not mean absolute freedom from observation
Privacy means “state of being free from unsanctioned intrusion”
Financial and medical institutions treat privacy as part of their compliance requirements
Information is collected by cookies and points of sale

61 Information Privacy
Privacy is a risk management issue
The ability to collect information from multiple sources and combine it in different ways has resulted in powerful databases that can shed more light than was previously possible

62 Information Privacy Laws
Federal Privacy Act of 1974
Requires all government agencies to protect the privacy information of individuals and businesses
Certain agencies have an exemption to release aggregate data
  Census Bureau
  National Archives
  Congress
  Comptroller General
  Credit agencies

63 Information Privacy Laws
Electronic Communications Privacy Act of 1986
Regulates interception of wire, electronic, and oral communications
Works in conjunction with the Fourth Amendment, providing protection against unlawful search and seizure

64 Information Privacy Laws
Computer Security Act of 1987
Deals with the federal government’s information systems
Mandates that all federal information systems containing classified information have security mechanisms built in
Requires periodic training for all people dealing with classified information about handling secure systems

65 Information Privacy Laws
Communications Act of 1996
Regulates interstate and international communications
Communications decency was part of this Act

66 Information Privacy Laws
Health Insurance Portability and Accountability Act (HIPAA) of 1996
Protects confidentiality and security of health care data
Electronic signatures are allowed
Patients have a right to know who has access to their information and who accessed it

67 Information Privacy Laws
HIPAA’s five core principles:
  Consumer controls medical information
  Medical information can be used only within predefined boundaries
  People using the private information are accountable for its use
  Balance public impact on use of information over individual protection
  Provide security for all information

68 Information Privacy Laws
Gramm–Leach–Bliley Act of 1999
Deals with financial services
Focuses on privacy aspects of information handling by banks, insurance companies, securities firms, and other financial service providers like tax preparers
Emphasizes privacy of information held by these financial institutions
Distinguishes between a customer and a consumer
  Customer is one who has a continuing relationship with the provider, such as a bank
  Consumer is one who uses the services of the provider occasionally, such as a check cashing service
  Only customers’ privacy is protected

69 Information Privacy Laws
USA PATRIOT Act of 2001
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Gives extensive powers to the government to suspend notification provisions of existing laws
Provides authorization for information search without knowledge of the individual

70 Sarbanes–Oxley Act
The relevance for us is with reference to ethical aspects
The law requires:
  Establishment of a public company accounting oversight board
  Independence of auditor with respect to the company being audited
  Enhanced financial disclosures
  Conflicts of interest disclosure of people and firms involved in audit
  White collar crime penalty enhancements
  Corporate accountability

71 Access Device Fraud Act of 1984 (18 USC §1029)
Bars interstate commerce in counterfeit access devices
  Any unauthorized device designed or used for fraudulent access to resources
    Money (funds transfers, payments. . .)
    Services (phone, network, cable TV. . .)
  Includes credit cards obtained fraudulently or generated independently for fraud
Also governs equipment for making such devices

72 Computer Fraud and Abuse Act of 1986 (18 USC §1030)
CFA is the most important US law governing behavior in cyberspace
Protects federal-interest computers
  Governments at any level
  Governmental agencies including military
  Financial institutions
  Medical institutions
  Contractors to these institutions

73 CFA cont’d
Prohibits unauthorized access
  Obtaining or trafficking in confidential data
  Installing unauthorized software
Mentions reckless disregard of consequences
Fines up to $250,000 & 5 years in prison
Robert T. Morris Jr convicted under CFA
  Internet worm of 2 Nov
  90,000 computers down for 1-2 days
  400 hours community service
  $10,500 fine
  3 years probation

74 Wire Fraud (18 USC §1343)
Fraudulent activity involving interstate wire (electronic) communications
Thus use of electronic communications in carrying out some other fraud exacerbates the crime
Unauthorized access to confidential information
  Was not considered to be enough basis for conviction under Wire Fraud statutes
  Needed to show monetary damages

75 Wire Fraud (cont’d)
US v. Riggs & Neidorf 1990
Robert Riggs obtained enhanced-911 manual illegally from BellSouth
  Allegedly “secret” document worth “$100,000”
Craig Neidorf altered document, posted on BBS
Prosecuted under Wire Fraud Act
Case collapsed
  Actually turned out to be available to public for $13
UNITED STATES of America, Plaintiff, v. Robert J. RIGGS, also known as Robert Johnson, also known as Prophet, and Craig Neidorf, also known as Knight Lightning, Defendants. 743 F.Supp. 556 (N.D. Ill. 1990)

76 Wire Fraud (cont’d)
US v. LaMacchia (1994)
David LaMacchia was a 21 year-old MIT student
Invited anyone to upload and download illegal copies of proprietary software
Could not be tried under copyright violations 18 USC § 506(a) because he derived no personal monetary benefit
UNITED STATES of America v. David LaMACCHIA. Crim. A. No RGS. United States District Court, D. Massachusetts. Dec. 28, 1994.
_________________________________
The UCLA Online Institute for Cyberspace Law and Policy
The 'No Electronic Theft' Act
On December 16, 1997, President Clinton signed HR the 'No Electronic Theft' Act -- into law. The act, sponsored by Representative Goodlatte (R-Virginia), was passed in the House on 11/4/97 and in the Senate on 11/13/97. HR 2265 was viewed as "closing a loophole" in the criminal law. Under the old statutory scheme, people who intentionally distributed copied software over the Internet did not face criminal penalties if they did not profit from their actions. The act was strongly backed by the software and entertainment industries but opposed by science and academic groups.
UNITED STATES PUBLIC LAWS 105TH CONGRESS--FIRST SESSION PUBLIC LAW [H.R. 2265] DECEMBER 16, 1997 105 P.L. 147; 111 Stat. 2678; 1997 Enacted H.R. 2265; 105 Enacted H.R. 2265
An Act To amend the provisions of titles 17 and 18, United States Code, to provide greater copyright protection by amending criminal copyright infringement provisions, and for other purposes.

77 Wire Fraud (cont’d)
LaMacchia indicted under Wire Fraud statute
Case dismissed
  No money, no fraud
  SCOTUS ruled that illegal copies of intellectual property are not property that is “stolen, converted or taken by fraud” under Stolen Property Act
Led directly to passage of the No Electronic Theft Act of 1997
  Removed requirement for financial gain from 17 USC §506(a) as basis for prosecution
For 17 USC §506(a) see
For No Electronic Theft Act see

78 Criminal Infringement of Copyright (17 USC §506a)
Copyright Act of 1976 (amended 1982)
Motives:
  Commercial advantage
  Private financial gain
Method:
  Unauthorized reproduction or distribution
  180 day period
  1 or more copies of copyright work(s)
  Total retail value > $1,000
Requirement:
  Must show intent
For 17 USC §506(a) see

79 Counterfeit Trademarks (18 USC §2320)
Trademark Counterfeit Act of 1984
“Trafficking in Counterfeit Goods or Services”
Intentional trafficking in counterfeit goods and services
Max penalties
  $2M + 10 years in jail for individual
  $5M for corporate entity
Repeat offenders
  $5M + 20 years for recidivist
  $15M for corporation
§ Trafficking in Counterfeit Goods or Services
(a) Whoever intentionally traffics or attempts to traffic in goods or services and knowingly uses a counterfeit mark on or in connection with such goods or services shall, if an individual, be fined not more than $2,000,000 or imprisoned not more than 10 years, or both, and, if a person other than an individual, be fined not more than $5,000,000. In the case of an offense by a person under this section that occurs after that person is convicted of another offense under this section, the person convicted, if an individual, shall be fined not more than $5,000,000 or imprisoned not more than 20 years, or both, and if other than an individual, shall be fined not more than $15,000,000.
(b) Upon a determination by a preponderance of the evidence that any articles in the possession of a defendant in a prosecution under this section bear counterfeit marks, the United States may obtain an order for the destruction of such articles.
(c) All defenses, affirmative defenses, and limitations on remedies that would be applicable in an action under the Lanham Act shall be applicable in a prosecution under this section. In a prosecution under this section, the defendant shall have the burden of proof, by a preponderance of the evidence, of any such affirmative defense.

80 Mail Fraud (18 USC §1341)
Use of U.S. Postal Service in furtherance of a fraud is itself a felony
Use of e-mail and phone in such schemes also covered
Pyramid sales schemes may be mail fraud
  Junk e-mail includes list of names
  Put your name on list, remove oldest
  Send out useless instructions by US Mail
  US Postal Inspectors have declared the instructions to be pro forma only
  Can send copies of e-mail to Postmasters in each ZIP code for followup
TITLE 18 > PART I > CHAPTER 63 > Sec Frauds and swindles
Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, or to sell, dispose of, loan, exchange, alter, give away, distribute, supply, or furnish or procure for unlawful use any counterfeit or spurious coin, obligation, security, or other article, or anything represented to be or intimated or held out to be such counterfeit or spurious article, for the purpose of executing such scheme or artifice or attempting so to do, places in any post office or authorized depository for mail matter, any matter or thing whatever to be sent or delivered by the Postal Service, or deposits or causes to be deposited any matter or thing whatever to be sent or delivered by any private or commercial interstate carrier, or takes or receives therefrom, any such matter or thing, or knowingly causes to be delivered by mail or such carrier according to the direction thereon, or at the place at which it is directed to be delivered by the person to whom it is addressed, any such matter or thing, shall be fined under this title or imprisoned not more than five years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both

81 Identity Theft and Assumption Deterrence Act (18 USC §1028)
Identity theft fastest growing form of fraud today
Criminals use SSN, public records to establish line of credit in victim’s name
  Debts assigned to victim
  Burden of proof of innocence placed on victim
  Catastrophic results on innocent people
Felony
  Up to 20 years jail
TITLE 18 > PART I > CHAPTER 47 > Sec Fraud and related activity in connection with identification documents and information
(a) Whoever, in a circumstance described in subsection (c) of this section - (1) knowingly and without lawful authority produces an identification document or a false identification document; (2) knowingly transfers an identification document or a false identification document knowing that such document was stolen or produced without lawful authority; (3) knowingly possesses with intent to use unlawfully or transfer unlawfully five or more identification documents (other than those issued lawfully for the use of the possessor) or false identification documents; (4) knowingly possesses an identification document (other than one issued lawfully for the use of the possessor) or a false identification document, with the intent such document be used to defraud the United States; (5) knowingly produces, transfers, or possesses a document-making implement with the intent such document-making implement will be used in the production of a false identification document or another document-making implement which will be so used; (6) knowingly possesses an identification document that is or appears to be an identification document of the United States which is stolen or produced without lawful authority knowing that such document was stolen or produced without such authority; or (7) knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law; shall be punished as provided in subsection (b) of this section

82 RICO (18 USC §1961) Racketeer Influenced and Corrupt Organizations Act
Attacks organized crime groups
Racketeering includes violence, obscenity, fraud, interstate gambling, copyright violations
Fines, imprisonment up to life, forfeiture
Victims may sue for damages in civil court: recover triple damages + fees
Controversial because of application to businesses not thought of as gangs

TITLE 18 > PART I > CHAPTER 96 > Sec Definitions
As used in this chapter - (1) ''racketeering activity'' means (A) any act or threat involving murder, kidnapping, gambling, arson, robbery, bribery, extortion, dealing in obscene matter, or dealing in a controlled substance or listed chemical (as defined in section 102 of the Controlled Substances Act), which is chargeable under State law and punishable by imprisonment for more than one year; (B) any act which is indictable under any of the following provisions of title 18, United States Code: Section 201 (relating to bribery), section 224 (relating to sports bribery), sections 471, 472, and 473 (relating to counterfeiting), section 659 (relating to theft from interstate shipment) if the act indictable under section 659 is felonious, section 664 (relating to embezzlement from pension and welfare funds), sections (relating to extortionate credit transactions), section 1028 (relating to fraud and related activity in connection with identification documents), section 1029 (relating to fraud and related activity in connection with access devices), section 1084 (relating to the transmission of gambling information), section 1341 (relating to mail fraud), section 1343 (relating to wire fraud), section 1344 (relating to financial institution fraud), section 1425 (relating to the procurement of citizenship or nationalization unlawfully), section 1426 (relating to the reproduction of naturalization or citizenship papers), section 1427 (relating to the sale of naturalization or citizenship papers), sections (relating to obscene matter), section 1503 (relating to obstruction of justice), section 1510 (relating to obstruction of criminal investigations), section 1511 (relating to the obstruction of State or local law enforcement),

83 Wire and Electronic Communications Interception and Interception of Oral Communications (18 USC §2511)
Prohibits interference with communications: wire, oral, electronic, radio transmissions
Several exceptions: consent given by one party (except in conspiracies), lawful warrants, FCC activities, intelligence gathering by US govt agents

TITLE 18 > PART I > CHAPTER 119 > Sec Interception and disclosure of wire, oral, or electronic communications prohibited
(1) Except as otherwise specifically provided in this chapter any person who - (a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication; (b) intentionally uses, endeavors to use, or procures any other person to use or endeavor to use any electronic, mechanical, or other device to intercept any oral communication when - (i) such device is affixed to, or otherwise transmits a signal through, a wire, cable, or other like connection used in wire communication; or (ii) such device transmits communications by radio, or interferes with the transmission of such communication; or (iii) such person knows, or has reason to know, that such device or any component thereof has been sent through the mail or transported in interstate or foreign commerce; or (iv) such use or endeavor to use (A) takes place on the premises of any business or other commercial establishment the operations of which affect interstate or foreign commerce; or (B) obtains or is for the purpose of obtaining information relating to the operations of any business or other commercial establishment the operations of which affect interstate or foreign commerce; or (v) such person acts in the District of Columbia, the Commonwealth of Puerto Rico, or any territory or possession of the United States; (c) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; (d) intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; or (e) (i) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, intercepted by means authorized by sections 2511(2)(a)(ii), 2511(2)(b)-(c), 2511(2)(e), 2516, and 2518 of this chapter, (ii) knowing or having reason to know that the information was obtained through the interception of such a communication in connection with a criminal investigation, (iii) having obtained or received the information in connection with a criminal investigation, and (iv) with intent to improperly obstruct, impede, or interfere with a duly authorized criminal investigation, shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5)

84 Unlawful Access to Stored Communications (18 USC §2701)
Governs e-mail, stored and transmitted documents
Intentional access without authorization
Interference with access
Government access permitted under warrant; provider of service must cooperate
Penalties: max ½ to 2 years jail + fine, depending on purpose and recidivism

TITLE 18 > PART I > CHAPTER 121 > Sec Unlawful access to stored communications
(a) Offense. - Except as provided in subsection (c) of this section whoever - (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section

85 Electronic Communications Privacy Act of 1986*
Bars intentional attack on wire, oral or electronic communications, including interception, attempt to intercept, and conspiracy to intercept
Fines and imprisonment
Felony to use content of illegally-intercepted communications if perpetrator knows or should know it was illegally obtained
One party to a communication may authorize interception for a lawful reason

See Stevens, G. & C. Doyle (2003). Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping. Report for Congress, Congressional Research Service, The Library of Congress. Available for download as PDF file through Electronic Privacy Information Center (EPIC) at

Summary: This report provides an overview of federal law governing wiretapping and electronic eavesdropping. It also surveys state law in the area and contains a bibliography of legal commentary. It is a federal crime to wiretap or to use a machine to capture the communications of others without court approval, unless one of the parties has given their prior consent. It is likewise a federal crime to use or disclose any information acquired by illegal wiretapping or electronic eavesdropping. Violations can result in imprisonment for not more than 5 years; fines up to $250,000 (up to $500,000 for organizations); in civil liability for damages, attorneys fees and possibly punitive damages; in disciplinary action against any attorneys involved; and in suppression of any derivative evidence. Congress has created separate but comparable protective schemes for electronic mail (e-mail) and against the surreptitious use of telephone call monitoring practices such as pen registers and trap and trace devices. Each of these protective schemes comes with a procedural mechanism to afford limited law enforcement access to private communications and communications records under conditions consistent with the dictates of the Fourth Amendment. The government has been given even more narrowly confined authority to engage in wiretapping and electronic eavesdropping in the name of foreign intelligence gathering in the Foreign Intelligence Surveillance Act.

86 ECPA (cont'd)
Communications carriers may intercept, disclose and use client communications, but only as part of necessary procedures or for protection of property or rights
Permission of the sender or any recipient of a message can authorize disclosure or publication
Wireless phone calls are also protected by ECPA: cellular mobile phones, wireless domestic phones

The USAPATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act modified some of the legal provisions for obtaining warrants for wiretaps. See the analysis at for a civil libertarian analysis of the changes wrought by the USAPATRIOT Act.

87 ECPA (cont'd)
ECPA does not apply to purely internal messaging
However, a reasonable expectation of privacy may interfere with corporate surveillance
Be sure to ensure NO expectation of privacy in use of corporate resources

Smyth v. Pillsbury
Smyth & other employees assured of confidentiality in use of company e-mail system & specifically told e-mail would not be used as grounds for termination of employment
Pillsbury fired Smyth for "unprofessional" comments in e-mail to supervisor
Smyth sued Pillsbury for wrongful dismissal
Judge dismissed the case because he denied a reasonable expectation of privacy in use of corporate e-mail

Michael A. Smyth v. The Pillsbury Company, C.A. NO, UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA, MEMORANDUM OPINION AND ORDER, WEINER, J., JANUARY 18, 1996
In this diversity action, plaintiff, an at-will employee, claims he was wrongfully discharged from his position as a regional operations manager by the defendant. Presently before the court is the motion of the defendant to dismiss pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure. For the reasons which follow, the motion is granted. A claim may be dismissed under Fed.R.Civ.P. 12(b)(6) only if the plaintiff can prove no set of facts in support of the claim that would entitle him to relief. ALA, Inc. v. CCAIR, Inc., 29 F.3d 855, 859 (3d Cir. 1994). The reviewing court must consider only those facts alleged in the Complaint and accept all of the allegations as true. Id. Applying this standard, we find that plaintiff has failed to state a claim upon which relief can be granted. Defendant maintained an electronic mail communication system ("e-mail") in order to promote internal corporate communications between its employees. Complaint at P 8. Defendant repeatedly assured its employees, including plaintiff, that all e-mail communications would remain confidential and privileged. Complaint at P 9. Defendant further assured its employees, including plaintiff, that e-mail communications could not be intercepted and used by defendant against its employees as grounds for termination or reprimand. Complaint at P 10. In October 1994, plaintiff received certain e-mail communications from his supervisor over defendant's e-mail system on his computer at home. Complaint at P 11. In reliance on defendant's assurances regarding defendant's e-mail system, plaintiff responded and exchanged e-mails with his supervisor. Id. At some later date, contrary to the assurances of confidentiality made by defendant, defendant, acting through its agents, servants and employees, intercepted plaintiff's private e-mail messages made in October Complaint at P 12. On January 17, 1995, defendant notified plaintiff that it was terminating his employment effective February 1, 1995, for transmitting what it deemed to be inappropriate and unprofessional comments [FN1] over defendant's e-mail system in October, Complaint at PP 13,

88 ECPA (cont'd)
Exceptions for law enforcement: with suitable warrant or subpoena, or under emergency conditions

Steve Jackson Games & Operation Sundevil
Related to the BellSouth claims against Riggs and Neidorf concerning 911 documentation
Secret Service raided Steve Jackson Games and thought games manuals were hacking instructions (!)
Seized SJG's computers & deleted data from disks
Caused layoffs, delays in publishing, serious $$ losses
Jackson sued, alleging violations of ECPA
Judge decided in favor of SJG: search and seizure of computers not warranted under ECPA

The Electronic Frontier Foundation (EFF) has extensive archives concerning the prosecution of Steve Jackson Games at
UNITED STATES DISTRICT COURT WESTERN DISTRICT OF TEXAS AUSTIN DIVISION, STEVE JACKSON GAMES INCORPORATED, et al., Plaintiffs, v. UNITED STATES SECRET SERVICE, UNITED STATES OF AMERICA, et al., Defendants

89 Cyber Stalking
47 United States Code telecommunications harassment statute
Amended January 5, 2006
Section 113 of the Violence Against Women Act - addition to 47 USC 223

90 Section 113
Prohibits anyone from using a telephone or telecommunications device without disclosing his identity and with intent to annoy, abuse, threaten, or harass any person
Penalties: up to 2 years imprisonment or fines

91 Spam
"Spam accounts for 9 out of every 10 e-mails in the United States." MessageLabs, Inc., an e-mail management and security company based in New York.
"We do not object to the use of this slang term to describe UCE (unsolicited commercial e-mail), although we do object to the use of the word 'spam' as a trademark and the use of our product image in association with that term"

92 Can-Spam Act of 2003
Controlling the Assault of Non-Solicited Pornography and Marketing Act (Can-Spam)
Signed into law by President Bush on Dec 16, 2003; took effect Jan 1, 2004
Unsolicited commercial e-mail must: be labeled, include opt-out instructions, and carry no false headers
FTC is authorized (but not required) to establish a "do-not-e-mail" registry
–lists all the latest in federal, state, and international laws

93 The Hacker Ethic
Hackers argue that they follow an ethic that both guides their behavior and justifies their break-ins
All information should be free
Information belongs to everyone and there should be no boundaries or restraints to prevent anyone from examining it

94 Implications
Privacy is no longer possible
Information is not individual property: anyone may access / alter it
Loss of control: accuracy cannot be trusted
Economic arguments: expense of information collection and protection

95 The Idle System Argument
Systems are not in service to provide a general-purpose user environment
They are used in commerce, medicine, public safety, research, and government functions
Unused capacity is present for future needs and sudden surges of activity

96 The Student Hacker Argument
Doing no harm and changing nothing; simply learning how computer systems operate or how to write complex programs
Arguments against: not educational; intruder can cause accidental damage; systems could no longer be fully trusted

97 The Social Protector Argument
Hackers break into systems to watch for instances of data abuse and to help keep "Big Brother" at bay
Protectors rather than criminals
Arguments against: ends justify means (assumes ability to achieve good end); has resulted in more data restrictions

98 THE TEN COMMANDMENTS FOR COMPUTER ETHICS
from the Computer Ethics Institute
Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people's computer work.
Thou shalt not snoop around in other people's files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not use or copy software for which you have not paid.
Thou shalt not use other people's computer resources without authorization.
Thou shalt not appropriate other people's intellectual output.
Thou shalt think about the social consequences of the program you write.
Thou shalt use a computer in ways that show consideration and respect.

99 Assessment #2
75 Questions: Wk 8 – 15, Wk 9 – 7, Wk 10 – 13, Wk 11 – 10, Wk 12 – 10, Wk 13 – 16, BONUS – 4
Books and Notes
Week 8: Access control, firewall types, NAT, PAT, Cisco PIX, limitations, defense in depth, diversity of defense
Week 9: VPN definition, devices used, features, limitations, protocols, uses

100 Assessment #2
Week 10: IDS types, actions it can take, types of attacks they can see, False Positives/Negatives, etc.
Week 11: Disaster Recovery, backups, site locations, Cold/Warm/Hot sites, Acceptable Use Policies, Incident Response Policies & Team members, Business Continuity Plans
Week 12: Biometrics technical properties, major components, Type I/II Errors, characteristics each method uses, Static/Dynamic, Multimode

101 Assessment #2
Week 13: Authentication, Kerberos, RADIUS, laws, ethics, CAPTCHA, copyrights, patents
