Security (Computer crime and dangers associated with computer use). Legislation (Data Protection, Computer Misuse and Copyright Acts). 4 th module

“Why do we need to be secured? What is computer crime?”. Computers have given workers in most fields new tools to work with. Unfortunately, this is as true for criminals as it is for other professionals. Some categories of computer crime are: Unauthorised access Fraud. Phishing Publication of illicit material

“What is unauthorised access?”. Unauthorised access is usually referred to as ‘hacking’ or ‘cracking’. It involves infiltrating a system to which the individual does not have authorised access. The purpose behind the infiltration varies with the individual. For some hackers the gaining of access is sufficient, some others are more destructive in their intentions.

“What is phishing?”. Phishing is fraudulent computer use in order to steal someone’s identity. This can be done by fraudulently obtaining personal details such as bank accounts, usernames, passwords, usernames...

“What are illicit materials?”. Material such as hard-core pornography cannot legally be published and sold in many countries. However, the Internet is transnational in its scope so illicit material can be created in a country where is legal and viewed in a country where it is not. Another example is the publication of material likely to incite racial hatred. Were materials of this kind made available through a shop, the owner and publisher could be prosecuted. It is much harder to do so online due to the international ‘ownerless’ nature of the internet.

“Are we really secure?”. Before we explain other dangers or the legislation that deals with these crimes, let’s watch some interesting videos on the topic: -Cyber crime risk exposedCyber crime risk exposed -Growing threat of cyber crimeGrowing threat of cyber crime -Is your PC doing a hacker’s dirty work?Is your PC doing a hacker’s dirty work? -How cyber criminals attack websitesHow cyber criminals attack websites

“What is a virus?”. A virus is a computer program that has been specifically designed to infiltrate a `host’ computer, to hide itself in that computer, and then, following a designated trigger event, perform actions that are, at best, an annoyance and, at worst, catastrophically destructive. A virus is so called because, like its biological counterpart, it has the ability to replicate itself and spread to other ‘hosts’ infecting them as it does so. There are two types of virus: File viruses (they attach themselves to an executable file) and Macro viruses (they use the macro facility offered by some programs such as Microsoft Office products).

“Examples of viruses”. An example of a virus is Zeus (as seen in “growing threats of cyber crime” video). It was distributed to unsuspecting users as an innocent looking . Once activated, Zeus infected the computer and secretly logged sensitive information like passwords, account numbers and financial information. Hackers then used this information to make unauthorised money transfers. Viruses can be extremely advanced and controversial. Stuxnet includes highly specialized malware written specifically to target the nuclear plants in Iran. There has been speculation that Stuxnet was in fact programmed and released into the wild by the American and/or Israeli government(s).

“The evil nature of Botnets”. Botnets are networks of compromised computers which are now under the control of the hackers. As we have seen in the introductory videos, botnets are used to control, manage and distribute malicious things such as viruses, spams and DDoS attacks. Compromised users have no knowledge that they are part of a botnet. Botnet owners take pride in who has the most bots and the “quality” of their infected machines, like university, corporate or even government machines.

“DDoS Attacks (Distributed Denial of Service)”. DDoS attacks are a combination of two different concepts. A denial of service attack occurs when a computer sends so much data to another computer that they become unable to process any other requests. The other component of a DDoS is its distributed nature. As we have seen with botnets, it is no longer the case that hackers attack with single machines. Imagine a DoS attack against your company’s website. Now, multiply that by 5 million. That’s one estimate of the number of infected users during Zeus’ peak.

“DDoS Attacks (Distributed Denial of Service)”.

“Some advice to stay on the safe side”. -Don't click on any links in s that are from people you don't know (or dodgy-looking mails from people you do know as they could be unsuspecting victims) - it could install a key logger onto your system for example. -Install and continually update anti-virus software. -Virus check all external storage media before using them. -Scan and check any software downloaded from the Internet

“Protecting systems”. Some advice to protect your system: -Firewalls (combination of hardware and software resources, designed to check the legitimacy of incoming messages and requests for services). -Access procedures (always protect access to networks by password systems. Make sure that the password is complex and secure and not just your birthday, pet’s name, etc). -Encryption (it may be used to make stored data more secure).

“Complying with the law” All organisations have to operate within a legal framework. Because an organization is responsible for the actions of its employees while they are at work, it must ensure that they are fully aware of their rights and responsibilities under the law. There are a wide range of laws, but we will only centre on some key pieces of legislation that affect organisations in the UK: Data Protection Act, Computer Misuse Act, Health and Safety at Work Act (which we saw in our first module) and Copyright Designs and Patents Act.

“The Data Protection Act 1998” The DPA first became law in It was amended in 1998 after the EU published its Data Protection Directive (1995). It was the consequence of increasing concerns about the number of computer-based systems that store data. The main aim of this legislation is to protect the rights of individuals who have data held on them by organisations. The organization needs to ensure that data is held securely, that its accuracy is maintained and that it is used legitimately.

“The Computer Misuse Act 1990” The Computer Misuse Act became a law in It was designed to prevent computer crimes involving unlawful access to information systems. Offences under the Computer Misuse Act are: 1.Gaining unauthorised access to data or programs on a computer. 2.Gaining unauthorised access with intent to commit a further serious offence. 3.Intentional unauthorised modification to impair operation.

“Copyright Designs and Patents Act 1988” The Copyright Designs and Patents Act of 1988 is designed to protect the ownership rights of the originators of intellectual property such as design, music and software. The three main areas where legislation may be needed in relation to ICT are: -Software piracy and licensing: the use of ICT to copy or download material such as music/video/text-based files, thus avoiding the price of purchase. -The theft by one company of the ideas and methods of other companies.

“Health and Safety at Work Act 1974” Health and safety legislation is designed to protect employees in the workplace. There are some specific concerns relating to the use of ICT (as we saw in our first module) and organisations must have measures in place to ensure the welfare of their employees. If an organization is negligent in this area and an employee suffers injury as a consequence, the organization can be deemed liable and may have to make compensations payments.

“Conclusion” In this fourth module we have seen: -The three major categories of computer crime. -Computer dangers such as viruses, botnets and Ddos attacks. -Some measurements to stay secure online. -The key pieces of legislation that deals with computer. (Don’t forget to re-read the class handouts for our last exam!)