Computers Are Your Future Twelfth Edition Chapter 9: Privacy, Crime, and Security Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Objectives
- Understand how technological developments are eroding privacy and anonymity.
- List the types of computer crime and cybercrime.
- List the types of computer criminals.
- Understand computer system security risks.
- Describe how to protect your computer system and yourself.
- Define encryption and explain how it makes online information secure.
- Describe the issues the government faces when balancing the need to access encrypted data and the public’s right to privacy.
- Distinguish between electronic discovery and computer forensics.

Privacy in Cyberspace
- Privacy
  o Individual’s ability to restrict or eliminate the collection, use, and sale of confidential personal information
  o Some people contend that privacy isn’t important unless you have done something wrong.
  o However, our concern is not primarily the gathering of private information, but the use of this information in ways that harm people.

Bill of Rights for Social Network Users
- Proposed by the Electronic Frontier Foundation
- Websites should provide a clear interface that allows users the following rights
  o The right to informed decisions
    - Allow users to make choices about who sees their data and how it is used
  o The right to control
    - The user maintains control over the use and disclosure of their data
  o The right to leave
    - The user should have the right to delete data from the database or to remove their account
    - Should also be able to transfer their data to another site

The Problem: Collection of Information Without Consent
- People must divulge information to various agencies (e.g., banks, public agencies) in order to obtain services
- Much information given to public agencies is legally required to be public upon request
- Much of this information becomes part of computerized databases
- Databases contain much personal information
  o Previous & current addresses and employers, current & former spouses, bankruptcies, lawsuits, property ownership, driver license information, criminal records, purchasing habits, medical records.

The Problem: Collection of Information Without Consent
- Claims of companies that maintain databases
  o These databases do not pose a threat to privacy
  o They are highly ethical firms and have security measures in place
  o They will not release information to the general public
- There are always people seeking to violate that security
- TJX, a large retail conglomerate operating 2,500 stores, reported a security breach in Jan
  o Stores included T.J.Maxx, Marshall’s, Home Goods, Bob’s Stores, A.J. Wright, Winners, and Homesense
  o The system compromised handled customer credit cards, debit cards, checks, merchandise return transactions.
  o More than 45 million credit and debit card numbers were stolen

The Problem: Collection of Information Without Consent
- Investigation results
  o Intruders could decode account numbers & create counterfeit cards.
  o TJX had been out of compliance with accepted security standards for years
  o TJX had trouble determining what data had been compromised and when this happened.
- Consequences
  o Thieves were able to steal 8 million in merchandise from Wal-Mart stores in Florida
  o Credit card providers that issued the credit card had to pay for the loss, even though they were not at fault.
- A Google search for “social security numbers” returns a number of websites run by private investigators who will find someone’s social security information for a small fee
  o Useful in stealing a person’s identity

The Problem: Collection of Information Without Consent
- Anonymity
  o Means to communicate without disclosing one’s identity
  o U.S. Supreme Court ruled anonymity as necessary to preserve a free society
    - Helps assure citizens have access to the full range of possible ideas to use to make decisions for themselves
  o More difficult to preserve with the use of computers and the Internet
  o Essential to protect whistle blowers
  o Recently, a court challenged anonymity in ruling that bloggers have no right to privacy in what is essentially the public act of publishing.

The Problem: Collection of Information Without Consent
- Technologies that jeopardize anonymity
  o Cookies
  o Global unique identifiers
  o Ubiquitous computing
  o Radio frequency identification

The Problem: Collection of Information Without Consent
- Cookies
  o Small files written to your hard disk by Web sites visited
  o Examples include:
    - Track your browsing habits
    - Gather personal information without your consent
  o You can disable them, but then many sites will either be inaccessible or give you restricted privileges.
  o Helpful in remembering login and password information but also provide other sites with information on habits and purchasing tendencies
  o Banner ads—targeted display ads based on cookies

The Problem: Collection of Information Without Consent
- Cookie Content (cont.)
  o Hold non-permanent information like contents of your shopping cart
  o First party cookies come from sites you are visiting and can be temporary or persistent
  o Third party cookies come from other websites like pop-up or banner ads and may track your web use for marketing purposes
  o Only one cookie from a website can be put on the system’s hard drive
  o If a user has multiple computers, a cookie from a site will be placed on each of them.

The Problem: Collection of Information Without Consent
- Cookies (cont.)
  o Internet ad networks like DoubleClick use cookies to track users’ browsing actions across thousands of the most popular networks.
  o When you enter a website with an ad network, a cookie containing a unique ID number is deposited on your hard drive
  o This cookie tracks your browsing habits & preferences
  o When visiting a site, the cookie is detected, read, and matched with the profile of your previous browsing
  o Next, the ad network selects and displays a banner ad that matches the type of product you were browsing through
  o Ad companies claim they do not link information collected with users’ names and addresses.

The Problem: Collection of Information Without Consent
- Current technology allows Internet ad companies to collect the following:
  o Your e-mail address
  o Your full name
  o Your mailing address (street, city, state, zip code)
  o Your phone number
  o Transactional data
    - Products purchased online
    - Details of plane ticket reservations
    - Phrases used in search engines

The Problem: Collection of Information Without Consent
- User Controls
  o Can prevent any cookie from being placed on your hard drive
  o However, many websites will not allow you to browse if the cookie option is disabled
  o You can accept cookies but have your browser inform you every time a site sends values into the cookie on your hard drive
  o This last option often limits your website interaction.
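
The cookie slides above distinguish first party from third party cookies and temporary from persistent ones, and the User Controls slide lists what a browser can block. The following is an added example, not part of the original slides, that classifies cookies from `Set-Cookie` headers the same way; the host names, cookie values and the two-label "site" shortcut are constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: the page the user opened, and every response (the page
# itself plus embedded ads and images) that sent a Set-Cookie header.
PAGE_URL = "https://shop.example/cart"
RESPONSES = [
    ("https://shop.example/cart", "cart=sku123.sku456; Path=/; HttpOnly"),
    ("https://shop.example/login", "remember=alice; Max-Age=2592000; Path=/; Secure"),
    ("https://ads.adnet.example/banner.js",
     "uid=7f3c9a10d2e4; Max-Age=31536000; Domain=adnet.example; Path=/"),
    ("https://cdn.widgets.example/pixel.gif", "sess=abc; Path=/"),
]


def site_of(url):
    """Approximate the 'site' as the last two labels of the host name.

    Assumption for this example: real browsers consult the Public Suffix
    List, which handles suffixes such as co.uk that this shortcut gets wrong.
    """
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def is_persistent(morsel):
    """A cookie outlives the browser session only if it carries a lifetime."""
    if morsel["expires"]:
        return True
    max_age = morsel["max-age"]
    return max_age.isdigit() and int(max_age) > 0


def classify(page_url, response_url, set_cookie):
    """Return one record per cookie found in a Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    same_site = site_of(page_url) == site_of(response_url)
    return [
        {
            "name": name,
            "setter": site_of(response_url),
            "party": "first" if same_site else "third",
            "lifetime": "persistent" if is_persistent(morsel) else "session",
        }
        for name, morsel in jar.items()
    ]


def audit(page_url, responses):
    """Classify every cookie set while one page loaded."""
    records = []
    for response_url, header in responses:
        records.extend(classify(page_url, response_url, header))
    return records


def tracking_candidates(records):
    """Persistent third party cookies: the kind an ad network can read again
    on every other site that embeds its content."""
    return [r["name"] for r in records
            if r["party"] == "third" and r["lifetime"] == "persistent"]


def stored_under(records, policy):
    """Names of the cookies a browser would keep under a user-chosen policy."""
    if policy == "accept_all":
        return [r["name"] for r in records]
    if policy == "block_third_party":
        return [r["name"] for r in records if r["party"] == "first"]
    if policy == "block_all":
        return []
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    found = audit(PAGE_URL, RESPONSES)
    for record in found:
        print(record)
    print("tracking candidates:", tracking_candidates(found))
    print("kept when third party cookies are blocked:",
          stored_under(found, "block_third_party"))
```

Blocking only third party cookies keeps the shopping cart and login cookies working, which is why it limits site interaction less than blocking everything.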

The Problem: Collection of Information Without Consent
- Global unique identifier (GUID)
  o Identification number produced by software or a piece of hardware
  o Web servers read the GUID.
  o Users are not always aware of the GUID.
  o Can limit ability of users to use the net anonymously
  o If used, companies typically allow users to opt out.
  o Power to control whether this device is used lies with the manufacturer and not the user.
  o Civil liberties groups and public concern have decreased the use of GUIDs.

The Problem: Collection of Information Without Consent
- Ubiquitous computing
  o Interacting with multiple networked devices
    - Example: adjusting heat or light based on signals sent by monitors built into clothing
  o Allows technology to be embedded into the things we use
  o Active badge—transmits infrared signals to create an electronic trail, tracking your every movement
  o Allows e-mails, messages, calls to be forwarded to where you are
  o Current devices—hold private information that can be exploited if the device is lost or stolen
    - Example: smartphones

The Problem: Collection of Information Without Consent
- Radio frequency identification (RFID)
  o Uses radio waves to track a chip or tag
  o Implanted into passports and credit cards
  o Used for inventory control in stores
  o Recognizes microchips in pets
  o May compromise anonymity and privacy if information is stored on RFID tags attached to U.S. passports
    - Tags/chips can be read up to 30 feet away
    - Broadcasts contain same data as on passport
    - Owner’s identity could be stolen or location tracked without their awareness or consent
  o Can be blocked with RFID blocking products like wallets, covering shields, cell phone cases

The Problem: Collection of Information Without Consent
- European Union
  o Be informed when information about them is being collected and how it will be used.
  o Give or deny consent to have their information collected and choose how collected information will be used.
  o Request that information about themselves be removed from marketing and other databases.
- United States
  o Legislation currently in place includes:
    - Fair Credit Reporting Act
    - Health Insurance Portability and Privacy Act
    - Family Education Rights and Privacy Act
  o No comprehensive federal law governing the overall privacy rights of U.S. citizens.
  o Most laws only limit what government agencies can do
  o Industry often argues for self-regulation

The Problem: Collection of Information Without Consent
- SPAM
  o Unsolicited messages sent in bulk over electronic mailing systems
  o CAN-SPAM Act of 2003
    - U.S. law that provided tools to combat spammers.

The Problem: Collection of Information Without Consent
- Protecting privacy online
  o Use products such as Anonymous Surfing or IronKey Secure USB flash.
  o Use free Web-based throwaway e-mail addresses in chat rooms and for mailing lists.
  o Tell children not to give out personal information.
  o Complete forms only if you see a privacy statement.
  o Turn off cookies
- Prevent the activity of Web beacons
  o Transparent graphic images placed on a Web site or in an e-mail—used to monitor Web or e-mail behavior

The Problem: Collection of Information Without Consent
- Protecting privacy at home
  o Create logins and passwords for each person using the computer.
  o Do not save account numbers or passwords.
  o Close a secured account site when not using a computer.
  o Use strong passwords
    - Do use: difficult-to-guess passwords; at least 14 characters long; uppercase letters, lowercase letters, numbers, and special characters
    - Don’t use: a recognizable word or phrase; name of anything or anyone close to you, including names of family members or pets; recognizable strings of numbers, such as social security numbers or birth dates
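
The "Do use / Don’t use" password rules above can be checked mechanically. The following is an added example, not part of the original slides; the short word list, the character-swap table and the number patterns are constructed assumptions that stand in for a real dictionary and for the user's own personal details.

```python
import re
import string

# Constructed stand-in for a real dictionary of recognizable words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey"}

# Undo common letter-for-symbol swaps so "P@ssw0rd" still reads as "password".
UNSWAP = str.maketrans("@0135$7", "aoiesst")

# Recognizable strings of numbers named on the slide.
SSN_RE = re.compile(r"\d{3}-?\d{2}-?\d{4}")          # 123-45-6789 or 123456789
DATE_RE = re.compile(                                  # MMDDYYYY, MM/DD/YYYY ...
    r"(0[1-9]|1[0-2])[-/.]?(0[1-9]|[12]\d|3[01])[-/.]?(19|20)\d{2}"
)

CHARACTER_CLASSES = [
    ("no_uppercase", string.ascii_uppercase),
    ("no_lowercase", string.ascii_lowercase),
    ("no_digit", string.digits),
    ("no_special", string.punctuation),
]


def check_password(password, personal_terms=()):
    """Return the list of slide rules the password breaks (empty = passes).

    personal_terms holds names the user should avoid: family members, pets,
    anything close to them. Terms shorter than three letters are ignored
    because they match almost any password by accident.
    """
    problems = []

    # "Do use": at least 14 characters and all four character classes.
    if len(password) < 14:
        problems.append("too_short")
    for code, alphabet in CHARACTER_CLASSES:
        if not any(ch in alphabet for ch in password):
            problems.append(code)

    # "Don't use": recognizable words and names, even when disguised.
    lowered = password.lower()
    unswapped = lowered.translate(UNSWAP)
    avoid = COMMON_WORDS | {t.lower() for t in personal_terms if len(t) >= 3}
    for word in sorted(avoid):
        if word in lowered or word in unswapped:
            problems.append(f"word:{word}")

    # "Don't use": social security numbers or birth dates.
    if SSN_RE.search(password):
        problems.append("ssn_like")
    if DATE_RE.search(password):
        problems.append("date_like")

    return problems


if __name__ == "__main__":
    samples = [
        ("Fluffy2012!", ["Fluffy"]),        # pet name, too short
        ("P@ssw0rd-P@ssw0rd1", []),         # long, but a disguised dictionary word
        ("Summer-07041999-Rain!", []),      # contains a birth date
        ("Blue-123-45-6789-Sky!", []),      # contains an SSN-shaped number
        ("Tq7#vLm2$Rk9!xWz", []),           # passes every rule
    ]
    for candidate, names in samples:
        print(candidate, "->", check_password(candidate, names) or "ok")
```

Length and character variety alone do not satisfy the slide: the second sample meets both and still fails because it is a recognizable word with symbols swapped in.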

The Problem: Collection of Information Without Consent
- Do not leave cell phones in public places.
- Turn off services not in use, especially Bluetooth.
- Verify that devices have secure configurations.

The Problem: Collection of Information Without Consent
- Employee monitoring
  o Majority of large U.S. employers observe employee phone calls, e-mails, Web browsing habits, and computer files
- Protecting privacy at work
  o Refrain from making personal calls on a work phone
  o Avoid using company e-mail for personal purposes
  o Assume you are monitored
  o Be aware of shoulder surfing
  o Do not allow others to tailgate

Computer Crime and Cybercrime
- Computer crimes
  o Computer-based activities that violate the law
- Cybercrimes
  o Crimes perpetrated through the Internet
  o Many Web sites educate users about cybercrime and cybercriminals
- Cyberlaw
  o Area of law dedicated to computer crime

Computer Crime and Cybercrime
- Types of computer crime
  o Identity theft—criminal access to personal information in order to impersonate someone
    - Can take up to 2 years of full-time work to correct
    - Victims lose about $1K to resolve
    - Majority have difficulty removing negative information
    - 43% know the perpetrator
- Below are ways thieves get your information
  o Dumpster diving—disgruntled employees or thieves go through a company’s trash to find information they can steal
  o Phishing attacks—legitimate-looking e-mails or Web sites created in an attempt to obtain confidential data about a person
  o Spear phishing (similar to phishing)—uses targeted fake e-mails and social engineering to trick recipients into providing personal information to enable identity theft

Computer Crime and Cybercrime
- Types of computer crime (cont.)
  o Malware (short for malicious software)—programs that intentionally harm a computer system or allow individuals to gain access without permission
- Tips to protect yourself from malware:
  o Know who you are dealing with
  o Keep your Web browser and operating system up to date
  o Back up important files
  o Protect children online
  o Use security software tools and keep them up to date
  o Use strong passwords
  o Learn what to do if something goes wrong

Computer Crime and Cybercrime
- Types of computer crime (cont.)
  o Spyware—software that gathers private information and tracks Web use
    - Adware—form of spyware that generates annoying pop-up and banner ads
    - Keyloggers—record keystrokes to provide cybercriminals with confidential data

Computer Crime and Cybercrime
- Types of computer crime (cont.)
  o Computer virus—code concealed inside a program that can harm or destroy files
    - Many spread through e-mail attachments
    - File infectors—attach themselves to files
    - Payload—refers to the dangerous actions a virus performs.
    - Macro viruses—attach to data files and take advantage of application macros
    - Boot sector viruses—execute each time you start the computer
    - SPIM—spam text message sent via a cell phone or instant messaging service

Computer Crime and Cybercrime
- Rogue programs
  o Logic bomb—hidden computer code that sits dormant on a system until triggered
  o Time bomb—virus program that remains dormant on a computer system until activated
  o Worm—similar to a virus but does not need action of a user to execute

Computer Crime and Cybercrime
- More rogue programs
  o Denial of service (DoS) attack—assaults an Internet server with so many requests it can’t function
  o Distributed denial of service (DDoS)—attack involves multiple computer systems
    - Commandeered computers form a botnet (robot network)
    - Bot (short for robot)—connects individual computers to the controller, usually a server under the control of the botnet controller
    - The individual computers are called zombies.

Computer Crime and Cybercrime
- More rogue programs (cont.)
  o Syn flooding—form of denial of service attack in which synchronization packets are repeatedly sent to every port on the server
    - Uses up all available network connections
    - Locks them until they time out
  o Rootkit—malicious program that is disguised as a useful program
    - Enables attacker to gain administrator level access
    - Allows attacker to have repeated and undetected access
  o Trojan horse—normal-looking program that includes concealed instructions to cause harm
    - Often the useful program is a game or a utility
    - Damage may be to erase the data on your hard disk or to cause damage to your computer.

Computer Crime and Cybercrime
- Fraud, theft, and piracy
  o May involve theft of computer equipment to get data
    - Often inside jobs
  o Memory shaving
    - Thief removes some of the RAM chips
  o Software piracy
    - Unauthorized copying and distributing of software
    - Result is loss in revenue and many jobs
- Cybergaming crime
- Tricks for obtaining passwords
- Salami shaving and data diddling
  o Diverts small amounts of money to embezzler’s account
- Forgery
  o Making messages and data appear to come from one place when it is really from another.
  o Used to steal scholarship & post racial comments that led to cyber attack.
- Internet scams at auction sites like eBay
  o Illegal bidding, etc.

Computer Crime and Cybercrime
- The attackers
  o Hackers—computer hobbyists attempting unauthorized access, generally subscribing to an unwritten code of conduct—hacker ethic
  o Cybergangs—groups of hackers working together to coordinate attacks
  o IP spoofing—sends a message with an IP address disguised as a message from a trusted source
  o Honeypots—computers baited with fake data and purposely left vulnerable to study how intruders operate to prepare stronger defenses

Computer Crime and Cybercrime
- The attackers (cont.)
  o Crackers (also called black hats)—attempt to enter highly secure computer systems to destroy data or steal information
  o Ethical hackers (also called white hats) use expertise to shore up computer system defenses
  o Computer virus authors—create viruses and other types of malware to vandalize computer systems
  o Swindlers perpetrate frauds:
    - Bogus work-at-home opportunities
    - Illegal pyramid schemes
    - Bogus franchises
    - Phony goods that won’t be delivered
    - Over-priced scholarship searches

Computer Crime and Cybercrime
- Cyberstalkers
  o Use the Internet, social networking sites, and e-mail to harass or threaten
  o Most perpetrators are men
  o Most victims are college-age women
  o One in every 12 women and 1 in every 45 men will be stalked during their lifetime.
- Cyberbullying
  o Sending threatening messages via e-mail or text message
  o Usually involves minors

Security
- Computer security risk
  o Any intentional or unintentional action resulting in damaging a computer system or its data
    - Even when no actual harm has been done, fixing breaches and checking to see no damage has been done requires time, resources, and money.
    - Security costs account for 10%-20% of corporate computer expenses
    - Cost to corporations & individuals is billions annually due to impact on customer service, worker productivity, etc.
  o Increased by wireless LANs because transmissions occur over shared airwaves instead of dedicated lines

Security
- Computer security risk (cont.)
  o Wireless LAN security options include:
    - WEP (Wired Equivalent Privacy)
      o Earliest security method for wireless & only method for some devices, especially older ones.
      o Protects against casual hackers
    - WPA (WiFi Protected Access)
      o Much better security than WEP
    - WPA2
      o Uses an advanced encryption standard
  o Vacation hacking—tricking travelers into using phony WiFi hot spots—evil twins
    - Users believe they are using a valid WiFi access point
    - Instead, the information entered is being captured by criminals.

Security
- Computer system security threats
  o Corporate espionage—unauthorized access of corporate information, usually to the benefit of a competitor
    - Pod slurping—using removable storage media to create unauthorized copies of confidential data
    - Trap doors—security holes created by employees allowing entry to company systems after leaving the firm – often used by employees to transfer data
  o Protective Steps
    - Use write and password and create regular backups
    - Make employees aware of security policies
    - Review policies annually, or more frequently
    - Regular auditing and monitoring
    - Force password changes every 5 days or less on critical data

Security
  o Information warfare—use of information technologies to corrupt or destroy an enemy’s information and industrial infrastructure
    - An enemy attack is likely to also include
      o a concerted effort to destroy and damage our computer systems,
      o hacker-like attacks on electronic banking
      o attacks on systems that support transportation, finance, energy, and telecommunications
    - Explosive attacks against 100 key computer installations could be devastating.
    - Currently, inadequate defenses against these attacks
  o Attacks like above occurred in Estonia
    - Occurred after a Soviet-era war monument was relocated against wishes of Russia.
  o At least 20 other countries have been targeted with similar actions.

Security
  o Google vs China over control of searches
    - On Jan Google announced it would no longer censor search results in China
    - Chinese govt threatened to block web sites if Google discontinued censoring searches
    - At least 20 other
  o Public Safety
    - Computers are a part of safety-critical systems like air traffic control.
    - By paralyzing transportation and power infrastructures, attackers could disrupt distribution of electricity, food, water, and medical supplies.
  o Attacks on safety-critical systems
  o Terrorism

Security
- Protecting your computer system
  o Uninterruptible power supply (UPS)—provides additional power during outages or electrical current fluctuations
  o Always use a surge protector
  o Control access to computer systems through appropriate password selection and know-and-have authentication, which requires using tokens to generate a login code.

Security
- Protecting your computer system (cont.)
  o Biometric authentication—use of voice recognition, retinal scans, and fingerprint scans for authentication
  o Firewalls, hardware or software, to prevent unauthorized access
  o Controlling Access
    - Password authentication is critical
    - Use of strong passwords is critical to prevent intruders
    - Know-and-have authentication requires using tokens
      o Hand-held devices which generate a logon code
    - Smart cards are about the size of a credit card and can reliably establish your identity.
    - Most secure is a biometric authentication
      o Built in biometric fingerprints
      o Retina recognition

Security
- Protect yourself—avoid scams
  o Do business with reputable companies.
  o Read documents carefully.
  o Don’t give out personal information
  o Do not post a user profile.
  o Be skeptical of chat room information.
  o Be cautious if meeting someone you’ve contacted online.
  o If you become uncomfortable or afraid, contact the police

The Encryption Debate
- Cryptography
  o Study of transforming information into an encoded or scrambled format
- Cryptographers
  o Individuals who practice cryptography
- Encryption
  o Coding or scrambling process that renders a message unreadable by anyone other than the intended recipient

The Encryption Debate
- Plaintext
  o Readable message that has not been encrypted
- Encryption key
  o Formula that makes a plaintext message unreadable
- Encryption Basics
  o Letter by letter substitution can make text unreadable by amateurs.

The Encryption Debate
- Symmetric key encryption
  o Uses same key for both encryption and decryption
  o Can take a very long time to determine the key (e.g., 100 years)
- Key interception
  o Occurs when a symmetric encryption key is stolen, allowing others to decrypt messages encrypted with that encryption key

The Encryption Debate
- Public key encryption
  o Also referred to as asymmetric key encryption
  o Uses two keys:
    - Public key to encrypt
    - Private key to decrypt
  o Essential for e-commerce
  o Used to implement:
    - Digital signatures—guarantee messages are secure
    - Digital certificates—validate identity
- Secure electronic transaction (SET)
  o Uses digital certificates
  o Enable parties engaged in Internet-mediated transactions to confirm each other’s identities

The Encryption Debate
- Public key infrastructure (PKI)
  o Uniform set of encryption standards
  o No dominant standard
  o Public fear of a monopoly if a PKI is chosen

The Encryption Debate
- Encryption and public security issues
  o U.S. government continues search for ways to balance the public’s right to privacy and the government’s need to know

Prosecuting Violators
- E-discovery
  o Obligation of parties to a lawsuit to exchange documents existing only in electronic form
- Computer forensics
  o Legal evidence found in computers and digital storage media

Summary
- Understand how technological developments are eroding privacy and anonymity.
- List the types of computer crime and cybercrime.
- List the types of computer criminals.
- Understand computer system security risks.
- Describe how to protect your computer system and yourself.
- Define encryption and explain how it makes online information secure.
- Describe the issues the government faces when balancing the need to access encrypted data and the public’s right to privacy.
- Distinguish between electronic discovery and computer forensics.