Explain why protecting user security is ethically and legally obligatory.
Ethically - the golden rule | secure products increase “the good” both individually and for society as a whole | social contract mandates work products that promote honest and ethical interactions
Legally - failing to protect users is civilly actionable | violating security boundaries and systems is a crime
Computer Fraud and Abuse Act of 1984 (CFAA)
Protects most computer use, illegal to access any system without authorization
Cons:
pen-testers prosecuted even when it's part of their job description
the law is vague
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (PATRIOT)
expanded coverage to ANY attack that incurs costs to repel, assess damage, or restore the targeted system
Great Morris Worm
Launched by Robert Tappan Morris, Jr in 1998
Intended as proof of concept, but worked too well
caused up to $10 million in damage
Led to Computer Emergency Response Team Coordination Center (CERT/CC)
Resulted in first CFAA felony conviction
Sentenced to 3 years probation, 400 hours community service, $13k probation costs
How to not be a victim of hackers
Backups
Beware of scams
Avoid public wifi
avoid phishing emails
use firewall
install antivirus/antimalware
change default credentials
2 step authentication
avoid common/basic passwords
US v. Drew (2009)
Lori suspected Megan was gossiping about her daughter online
She made a fake MySpace account as a guy and started talking to Megan.
Then she pretended to be a guy and pushed Megan to commit suicide, and when she did, Lori tried covering it up.
Missouri pursued CFAA violation claiming a breach of ToS and obtaining Megan’s personal information
Jury deadlocked on felony charges but convicted Lori of 3 misdemeanors (later voided by the judge)
Ruling emphasized that breaching ToS is not a criminal act
Following the case, 20 U.S. states criminalized cyberbullying.
David Nosal
Resigned from Korn/Ferry with 1 year non-compete clause
Launched his own firm 3 months later using confidential info given by 3 friends who still worked there
All were indicted on 20 CFAA felony charges for “hacking”
Employees had authorization but their use of the data was unauthorized
a person can be criminally charged with felonies for violating their employer’s computer user policy
Nosal was sentenced to 366 days in federal prison
Sergey Aleynikov
open-source contributor earning 400k annually writing software for Goldman Sachs
Left for a competitor with 3x the pay, taking code he claimed was “open source”
Goldman Sachs alleged the code was proprietary and valuable
Aleynikov arrested, but his CFAA charges were dismissed. Convicted of theft and economic espionage. US Court of Appeals vacated his conviction due to criminal code wording
New York State re-prosecuted for same crime, clearing him of 3 charges.
Matthew Keys
Journalist
anonymously made “silly” changes to some online stories
Charged with 3 felony counts under CFAA
Convicted and sentenced to 2 years for online vandalism
VTECH
website vulnerability: no encryption
web designer found it
VTECH fined 640k and given probation
Web designer Thomas Hounsell arrested in the UK and charged with computer misuse
Aaron Swartz
famous hacktivist
downloaded 2.7 million academic papers freely available
Arrested and charged with 11 CFAA violations because he used unmarked and unlocked network closet connection to improve connection speeds
committed suicide after prosecutors refused a plea bargain.