IC322 Fall 2013 Cyber Ethics



Background
- World population: 7,000,000,000 (7 billion) humans
- 80,000,000 (80 million) added to population each year
- 1,600,000,000 (1.6 billion) estimated Internet users
- Thousands of new hackers born every day
- Hackers can directly affect 23% of world population

What are Cyber Ethics?
- Cyber Ethics == Ethics
- Cyber Morals == Morals
- The same rules apply in cyberspace as in the real world:
  - Trespassing is wrong
  - Stealing services (Internet access) is wrong
  - Stealing information is wrong
  - Damaging somebody else’s property is wrong
  - Reading somebody else’s mail is wrong
  - Lying about yourself (e.g. name/age/background) is wrong
- Network owners make the rules; users follow them
- It is easy to convince yourself that you can’t be committing a crime in your own home, at your own computer, so people often act immorally online. Don’t fall into that trap.

Definitions
Hacker – which definition is most appropriate?
  a) Orig. – member of the computer programmer subculture in 1960s academia, esp. at MIT
  b) (neg.) Person committed to circumvention of computer security
  c) (neg.) Computer criminal
  d) (pos.) Person who enjoys the details of programmable systems, especially networks
- The term “hacker” is controversial and means different things to different people.
- Hackers are usually only in the news when they are arrested, so the term picked up negative connotations in mainstream usage.

Definitions
Cracker – Computer security penetration expert
- The same word applies to both moral and immoral actors
- Etymology is from “hacker” and “safe-cracker”

Definitions
“Pentesting” – Penetration Testing
- Evaluating computer security by simulating an attack from malicious outsiders
- Generally a third-party evaluation
- Exposes vulnerabilities so sysadmin can repair them
- Care must be taken to hire a competent and ethical team
- Pentesting is by contract
- Penetration rules are clearly spelled out in advance
- Complete results are given to the network owner
- Never pentest without written permission from the network owner

Network threats - external
- Organized crime
- Terrorists
- Governments
- Corporate competition
- Hacktivists (e.g. Anonymous)
- Hired guns (crackers hired by one of the above)
- Script-kiddie trying to make a name for himself

Network threats - internal
- Disgruntled employees (e.g. alleged Wikileaks scandal)
- Clueless employees (e.g. accidental security compromises)
- Customers
- Suppliers
- Vendors
- Business partners
- Contractors/temps/consultants
- These groups often use their legitimate network access to try to find information about competition or an edge with contract bids

Types of Hackers
Black Hat Hacker
- Violates computer security for maliciousness or personal gain
- Organized crime sets up zombie networks
- Keyboard loggers
- Password-stealing
- Identity theft
- Looking for kicks
- Breaking into a network “just to prove you can do it”
- You qualify as Black Hat whether the network is damaged or not. Trespassing/breaking and entering are crimes.

Types of Hackers
White Hat Hacker
- Breaks into computer systems for non-malicious reasons
- “Ethical Hackers” – as defined by the people who own the network
- Penetration testers under contract
- “Ethical Hacking” certificates available:

Types of Hackers
Grey Hat Hacker
- Many definitions; ethics are questionable and heavily debated
- Term originated with the debate over where to disclose security vulnerabilities:
  - White Hats: support full disclosure to vendors, customers, etc.
  - Black Hats: do not disclose security flaws, keep them for private use
  - Grey Hats: report flaws to vendors and the hacking community only
- Other uses:
  - White Hat hackers who engage in Black Hat activity at night
  - Freelance hackers who browse the Internet looking for security holes, and then tell the sysadmin about them, possibly asking for a fee
  - A hacker who acts illegally, but with the intent to improve security
- Navy ethics policy: “If there is doubt, there is no doubt.”

Types of Hackers
“Hacktivist”
- A hacker who uses technology to spread their personal message
  - Social
  - Ideological
  - Political
  - Religious
- Usually involves web defacement and denial-of-service attacks
- Hacktivists act immorally, but would argue that it is for “the greater good”
  - Anonymous taking down Church of Scientology websites
  - Personal information about Bill O’Reilly’s web subscribers posted online
  - Egyptian gov’t websites hacked during 2011 demonstrations
  - DDOS attacks vs. Visa/Mastercard following Julian Assange’s arrest

Levels of Hacker Competence
Elite Hacker
- Highly skilled
- Understand the OS extremely well
- Speaks multiple languages
  - C++/Assembler/Machine code
  - SQL/PHP/Javascript
- Finds new zero-day exploits
- Authors tools like Metasploit to break into networks
- May be White, Black, or Grey Hats

Levels of Hacker Competence
Script-Kiddie
- Non-expert
- Uses OTS cracking/penetration tools like Metasploit, without understanding how they work
- Usually Black-Hat
- Often young and immature
- Most common attacks involve web defacement/deleting files
- Akin to graffiti “artists”

Rate the ethics…
- A hacker breaks into a server, touches nothing, then emails the sysadmin with proof of the hack (e.g. screenshot) and tells them where their security weakness is.
  Rating scale: Highly unethical to Highly ethical
- An intruder breaks into your house, touches nothing, then mails a photo of himself in your living room and a note that says your back door is unlocked.
  Rating scale: Highly unethical to Highly ethical

Judging online ethics…
- People make the mistake of thinking online ethics are more permissive than real-world ethics
- When in doubt, find a real-world analogy to online behavior, and use that to judge if an action is right or wrong:

Ten Commandments of Computer Ethics
From the Computer Ethics Institute
1. Thou Shalt Not Use A Computer To Harm Other People.
2. Thou Shalt Not Interfere With Other People’s Computer Work.
3. Thou Shalt Not Snoop Around In Other People’s Computer Files.
4. Thou Shalt Not Use A Computer To Steal.
5. Thou Shalt Not Use A Computer To Bear False Witness.
6. Thou Shalt Not Copy Or Use Proprietary Software For Which You Have Not Paid.

Ten Commandments of Computer Ethics
From the Computer Ethics Institute
7. Thou Shalt Not Use Other People’s Computer Resources Without Authorization Or Proper Compensation.
8. Thou Shalt Not Appropriate Other People’s Intellectual Output.
9. Thou Shalt Think About The Social Consequences Of The Program You Are Writing Or The System You Are Designing.
10. Thou Shalt Always Use A Computer In Ways That Ensure Consideration And Respect For Your Fellow Humans.

Ethical or unethical?
- Breaking into a secure network to steal gov’t secrets?
- Breaking into a network but not reading any files?
- Running a port-scanning tool on the USNA network to see whether it is at risk?
- Reading wireless network traffic at a public location?
- Logging into an unsecured “linksys” wireless router?
- Defacing a website that you find morally reprehensible?
- Logging into Facebook under an alias?

Legal policies affecting network access
- Computer Fraud and Abuse Act – 1986
  - Originally intended to protect nat’l security data on federal networks
  - Expanded to penalize anybody who knowingly “exceeds authorized access” on a computer to obtain information
  - Can be interpreted as “violating user agreements on a social networking site”
  - Broad enough to include online mischief as well as criminals
  - Fines & imprisonment up to 20 years
- Acceptable Use Policy for USNA IT Resources
  - Similar policy in every command
  - Loss of privileges – impacts your ability to be either a mid or officer
  - Conduct/legal repercussions

Can a policy cover all contingencies?
4. PERMISSIBLE USES OF THE INTERNET ARE DEFINED TO INCLUDE ALL USES NOT PROHIBITED BY LAW, REGULATION, INSTRUCTION OR COMMAND POLICY.
5. PROHIBITED USES INCLUDE (NOT AN ALL INCLUSIVE LIST):