Computer crime hacking


  1. COMPUTER CRIME - HACKING
     A Gift of Fire, Third edition, Sara Baase - P.282 to P.306
  2. HACKING
     • Hacking – currently defined as to gain illegal or unauthorized access to a file, computer, or network
     • The term has changed over time
     • Phase 1: early 1960s to 1970s
     • It was a positive term
     • A "hacker" was a creative programmer who wrote elegant or clever code
     • A "hack" was an especially clever piece of code
  3. HACKING (CONT.)
     • Phase 2: 1970s to mid 1990s
     • Hacking took on negative connotations
     • Breaking into computers for which the hacker does not have authorized access
     • Still primarily individuals
     • Includes the spreading of computer worms and viruses and ‘phone phreaking’
     • Companies began using hackers to analyze and improve security
  4. HACKING (CONT.)
     • Phase 3: beginning with the mid 1990s
     • The growth of the Web changed hacking; viruses and worms could be spread rapidly
     • Political hacking (Hacktivism) surfaced
     • Denial-of-service (DoS) attacks used to shut down Web sites
     • Large scale theft of personal and financial information
  5. HACKING (CONT.) Hacktivism, or Political Hacking:
     • Use of hacking to promote a political cause
     • Disagreement about whether it is a form of civil disobedience and how (whether) it should be punished
     • Some use the appearance of hacktivism to hide other criminal activities
     • How do you determine whether something is hacktivism or simple vandalism?
  6. HACKING (CONT.) The Law: Catching and Punishing Hackers:
     • 1986 Congress passed the Computer Fraud and Abuse Act (CFAA)
     • Covers government computers, financial and medical systems, and activities that involve computers in more than one state, including computers connected to the Internet
     • The USA Patriot Act expanded the definition of loss to include the cost of responding to an attack, assessing damage and restoring systems
  7. HACKING (CONT.) The Law: Catching and Punishing Hackers (cont.):
     • A variety of methods for catching hackers
     • Law enforcement agents read hacker newsletters and participate in chat rooms undercover
     • They can often track a handle by looking through newsgroup archives
     • Security professionals set up ‘honey pots’, which are Web sites that attract hackers, to record and study
     • Computer forensics is used to retrieve evidence from computers
  8. HACKING (CONT.) The Law: Catching and Punishing Hackers (cont.):
     • Penalties for young hackers
     • Many young hackers have matured and gone on to productive and responsible careers
     • Temptation to over or under punish
     • Sentencing depends on intent and damage done
     • Most young hackers receive probation, community service, and/or fines
     • Not until 2000 did a young hacker receive time in juvenile detention
  9. HACKING (CONT.) The Law: Catching and Punishing Hackers (cont.):
     • Security
     • Internet started with open access as a means of sharing information for research
     • Attitudes about security were slow to catch up with the risks
     • Firewalls are used to monitor and filter out communication from untrusted sites or that fit a profile of suspicious activity
     • Security is often playing catch-up to hackers as new vulnerabilities are discovered and exploited
  10. HACKING (CONT.) The Law: Catching and Punishing Hackers (cont.):
     • Responsibility for Security
     • Developers have a responsibility to develop with security as a goal
     • Businesses have a responsibility to use security tools and monitor their systems to prevent attacks from succeeding
     • Home users have a responsibility to ask questions and educate themselves on the tools to maintain security (personal firewalls, anti-virus and anti-spyware)
  11. HACKING DISCUSSION QUESTIONS
     • Is hacking that does no direct damage or theft a victimless crime?
     • Do you think hiring former hackers to enhance security is a good idea or a bad idea? Why?

Editor's Notes

  • Hacking was more of an exploratory activity, pioneering computer science through learning to do new things.

    “exploring the details of programmable systems and how to stretch their capabilities.” New Hacker's Dictionary

    Helped with the development of computer systems in learning to do new things with computers. “The only limits are those that we set ourselves”
  • The definition took a new twist owing to hackers beginning to test authority, manipulate systems and spread viruses.

    Along with this came pranks and thefts of information, software or even money.

    The challenge of hacking became more about taking on research centres, government agencies or corporations: a ‘the bigger they are, the harder they fall’ mentality. This led to the rise of ‘trophy hacking’. In 1986 one hacker broke into 30-60 computers at Stanford University, 15 Silicon Valley companies, three government laboratories and numerous other sites.

    Hacking became a serious threat with the development of sniffer programs (programs designed to extract passwords). 1994 estimates suggest one million passwords might have been compromised over the Internet.

    More people realised the possibilities with hacking.

    A Russian man stole US $400,000 from Citicorp and transferred US $11 million to bank accounts in other countries.
    Kevin Mitnick - hacked and stole files and software from companies such as Nokia and Motorola.
    Robert Morris - Cornell University graduate sent a worm over the Internet, causing a huge impact on the running of UNIX systems.
  • Even before Windows 98 had shipped, a hacker had already written a virus for it.

    Hackers modified an online gambling site in 1998 so that everyone won. The site lost US $1.9 million.

    Defacing of websites such as the US Army website. The hackers tried to make it look like the work of the Chinese. The CIA website was defaced to read Central Stupidity Agency. The Department of Justice became the Department of Injustice. Even Web pages of the White House were altered.

    Hackers stealing information to threaten people, particularly hacks coming out of Eastern Europe. Rise of hacking groups or syndicates. Leads to systematic and planned attacks.

    Safety systems compromised, including airport towers.

    The ILOVEYOU virus spread through Windows and via Microsoft Outlook, damaging media files and modifying the OS and Internet browser settings. Furthermore, it collected passwords. Major corporations affected included Ford and Siemens, plus government agencies, e.g. NASA and the British Parliament. Approx. US $10 billion in damages.

    Increased availability of hacking programs on the Net. Rise of script kiddies.

    DDoS attacks: overloading a target site with hundreds of thousands of requests for webpages and other information. The attack programs are planted in many different computer systems to carry out the attack, hence the term distributed.

    Where could this all go? As technology use grows and spreads, hacking will increase and potentially become more destructive. Now that we have computer technology that controls devices and not just information, the potential for hackers to wreak havoc is huge.

    Is hacking harmless? It is difficult for systems administrators to distinguish a hacker with no malicious intent from a thief, terrorist or spy. There is a cost to business and inconvenience to clients / customers. For example, young Danish hackers broke into the National Weather Service. This cost the weather service resources, plus the associated police work. Hackers with no intent to cause harm can make mistakes.
    It is the uncertainty that is the biggest fear.
  • Hacktivism - a legitimate form of civil disobedience? Depends on perspective and stakeholders. There is a difference between freedom of speech and compelling people to listen. In countries where there is free speech it is less easy to justify hacktivism. There is also the embarrassment to consider for those who are affected.

    Hacktivism was also used as a decoy for groups intent on doing greater damage.
  • Intentional access to and use of a computer without authorisation are now criminal offences in the US. Federal legislation covers state differences.

    This includes access done knowingly and exceeding one's level of authorisation. It includes accessing a computer system, using network services, accessing files, copying data / programs, and modifying / destroying data or files.

    Computers connected to the Internet are covered, so the law can be used against DDoS attacks.

    Strong penalties: 1-10 year prison sentence for a first offence and fines of up to US $250,000.

    There is still ambiguity over what constitutes authorisation. Some may say the ability to reasonably do their work is compromised by a lack of authorisation. Also, it is hard to define ‘poor judgement’.

    The anti-terrorism response to the attacks of September 11 resulted in the USA Patriot Act, which amended the CFAA, with several amendments made to toughen the stance on hackers.
  • Track a hacker BBC video.

    It can take a reasonably short time to catch a hacker; many hackers responsible for major crimes are caught within one week.

    Honey pot sites. It is also estimated that 30% of the subscribers to 2600, a computer hacking magazine, are law enforcement agents, so that they are familiar with the language.

    Search via handles on forums for those hackers bragging about exploits.

    Computer / Digital Forensics - collecting evidence from computer files or disks. Traces of ISP logs and logs of routers.

    Each time a hacker is ousted, remaining hackers learn what mistakes to avoid.

    Criminal charges are usually filed and a trial takes place where the crime was committed. Laws, therefore, differ between countries and states. This makes it difficult to carry out investigations in other countries. The person who wrote the ILOVEYOU virus was from the Philippines, which had no law that applied to his actions.
  • One would think that the penalty for hacking should fit the crime. For example, terrorists who kill thousands of people through hacking should receive the same penalty as those who carried out September 11. Unauthorised access should be treated the same way as trespassing, Web defacing the same way as vandalism, and so on.

    There is a particular problem with young hackers who are inexperienced, do not intend to damage and, through accident and / or immaturity, do far more damage than they can pay for.

    Most hackers under the age of 18 in the Western World receive light sentences, e.g. two / three years probation, community service, a small fine for damages.

    Inconsistency for those just over 18.

    Some want heavier penalties to send a message because of the costs involved and the damage that it can do to people. However, we should not punish because of the future potential to do something.

    It is argued that we want hackers to mature and use their skills in better ways for the benefit of society. For example, give them a job helping a company improve its security and understand how it is vulnerable. We also need appropriate penalties, education and, most of all, parental responsibility about safe behaviour with computers.
  • The argument was that what hackers were able to access posed no risk. Hence, computer security continued to be weak.

    The Internet was not designed with security in mind; it was a means of communication and sharing of information.

    Increased storage of information through networked systems means that security now has to be a bigger issue that needs addressing. With many developments security was largely ignored until something happened. A reactionary approach, therefore, existed. This reaction is very much a human trait - the horse has already bolted. This attitude has now changed as we have become more security conscious.

    Firewalls are now very common!
  • Change in attitude for systems developers: security is now a goal.

    Business responsibility not only to themselves but to their clients and customers.

    Companies have begun to provide ‘hacker insurance’, in a similar way to how insurance companies lower the premium for homes with burglar alarms and other anti-theft devices. Similarly, credit is given for having anti-spyware and anti-virus software.

    As mentioned, some companies also invest in hackers testing their security systems. The use of hackers for such purposes has been called into question.

    While many companies invest very heavily in security, it must be recognised that computer systems are complex, that perfection cannot be achieved and that unexpected flaws will always surface.

    A large market now exists for computer security products. Very big development in biometric authentication.