1 Legal and Ethical Aspects of Computer Hacking ECE4112 – Internetwork Security Georgia Institute of Technology Acknowledgement: Kiran Tajani.

1

Legal and Ethical Aspects of Computer Hacking

ECE4112 – Internetwork Security

Georgia Institute of Technology

Acknowledgement: Kiran Tajani

ECE 4883 - Internetwork Security 2

In Class Today

• What is hacking?• What policies and or laws exist?• Are there any ethical issues?


What is Hacking?

• An event where one enjoys learning the details of a computer system

• A culture where people find their computer and its surroundings fascinating.

• The process of creating a new program or making changes to existing programs using complicated software


Some History of Hacking

• December 1993 USENET posting by Farmer and Venema

• Idea of using techniques of an intruder to evaluate system security

• Approach can help companies secure systems

• Distributed Security Analysis Tool for Auditing Networks (SATAN)


Types of Hacking

• Possible categories of Hacking Good Hacking- work on software to improve

performance, expose system vulnerabilities, done with company permission (security professional)

Bad Hacking-accidental or not fully understood damage caused by for example kiddy scripts (juvenile delinquents)

Dangerous Hacking- intentional damage caused by criminals (professional criminals)


Ethical Hacking

• Approval from the organization inside which the hacking will occur

• Tiger team uses tools and techniques to evaluate security

• Inform owner of files and systems before the fact


Hacktivism

• The use of hacking to promote a political cause

• Modern form of civil disobedience• Political form of cyber-terrorism• A cover for ordinary pranks


Hackers

• Term coined by the media back when computer time was stolen by unauthorized users

• Prior to this media coined term, a Hacker was: “a person who enjoys exploring the details of programmable systems and how to stretch their capabilities; … one who programs enthusiastically.”


Hacker categories:

• Novice or newbies – not sure how code works, run kiddy scripts

• Experienced hacker – understand the software and are able to create attack code.

• Expert hacker – develop tool sets for attack, create code quickly for exposed vulnerabilities.


Hacker categories (cont):

• Internal hackers – from within a company, could be ex-employees or current workers,have access and knowledge about where sensitive information is located

• White hats – trustworthy, professional security analysists


Hacker’s Motivation

• At one end same motivation as graffiti

• Some argue that they help find security flaws and force improved network security

• Some are professionals and are motivated by the profession


Learning to Hack

• Hacking Schools Zi Hackademy, Paris Civil Hackers school, Moscow

• Hacking Classes This class Government Training Company training


Ethical or Not?

• So who is responsible for the outcome from these teachings? It’s the teachers! They are the ones teaching

such techniques and tools and inflicting painful examinations.

It’s the students! They are responsible for the actions they decide to take after learning tools that others use to attack. How can you figure out how to defend yourself if you do not understand the attacks?

Only through knowledge can you defend yourself


The Law

• What types of policies are in place? • How do they differ from each other? • What kind of defined lines are there? • Should these laws exist? • Are these laws clear enough?


United States Code Title 18Crimes and Criminal Procedure

• Part 1 > Chapter 119 > Section 2511 Interception and disclosure of wire, oral,

or electronic communications prohibited.

• Part 1 > Chapter 121 > Section 2701 Unlawful access to stored

communications

http://www4.law.cornell.edu/uscode/18/


Georgia Computer Systems Protection Act HB 822

• Computer Invasion of Privacy Any person who uses a computer or

computer network with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority shall be guilty of the crime of computer invasion of privacy.


Patriot Act:

• USA Patriot Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act

• U.S. government’s anti-terrorism policy


Homeland Security

• Department of Homeland Security• Some call this a National Police Force• Connects 22 different Agencies• Exchange of information becomes a

norm• Centralized institution with the power

to keep track of computer and email usage


Georgia Institute of Technology

• Computer and Network Usage Policy Available for all students and faculty http://www.oit.gatech.edu/

information_security/policy/usage/• Authorize users and uses• Privileges for individuals• User Responsibilities

Access to Facilities and Information


4.6. Attempts to circumvent security

Users are prohibited from attempting to circumvent or subvert any system.s security measures. This section does not prohibit use of security tools by personnel authorized by OIT or their unit.

4.6.1. Decoding access control information

Users are prohibited from using any computer program or device to intercept or decode passwords or similar access control information.

4.6.2. Denial of service

Deliberate attempts to degrade the performance of a computer system or network or to deprive authorized personnel of resources or access to any Institute computer system or network are prohibited.

4.6.3. Harmful activities

Harmful activities are prohibited. Examples include IP spoofing; creating and propagating viruses; port scanning; disrupting services; damaging files; or intentional destruction of or damage to equipment, software, or data.

GIT Computer and Network Usage Policy


Policy Maker Questions:

• How easy is it to catch hackers and how many hackers have been caught?

• Are these policies good enough? • Do the current policies actually define the

limits of “hacking”?• Can companies hack into their own

systems and find vulnerabilities? • Can other find vulnerabilities for them

without being asked to?


What if?

• A Georgia Tech student uses their personal PC and the school’s network to do a port scan on a commercial web site.

• A Georgia Tech student uses their personal PC and a commercial ISP to do a port scan on a commercial web site.

• A Georgia Tech student sends a “spoofed mail” from the school account that appears to come from another user.

• A Georgia Tech student uses a school computer and password guessing software to access and crack the administrator password.

• A Georgia Tech student discovers that another user failed to log off when departing. The student uses the account to send an inflammatory email to the department chair.


1. Pfleeger, Charles. (2000). Security In Computing (2nd ed.). Upper Saddle River, NJ: Printice Hall PTR.

2. From RedDragon on IRC, handed to newbies. January 16, 2001. http://newdata.box.sk/2001/jan/are.you.a.hacker.html

3. Protect Yourselves From Hackers CDs. 2002. http://www.onedollarcds.com/hack

4. Vasilyev, Ilya V. Civil Hackers' School. April 12, 1999. http://klein.zen.ru/hscool/

5. Coomarasamy, James. Learning to Hack. December 1, 2001. http://news.bbc.co.uk/1/hi/world/europe/1686450.stm

6. Georgia Computer Systems Protection Act. Last Modified: June 29, 2002. http://www.security.gatech.edu/policy/law_library/gcspa.html

7. Title 18, Part 1, Chapter 119, Section 2511 – Interception and disclosure of wire, oral, or electronic communications prohibited. US Code Collection. http://www4.law.cornell.edu/uscode/18/2511.html

8. Title 18, Part 1, Chapter 121, Section 2701 – Unlawful access to stored communications. US Code Collection. http://www4.law.cornell.edu/uscode/18/2511.html

9. Minow, Mary. The USA PATRIOT Act and Patron Privacy on Library Internet Terminals. February 15, 2002. http://www.llrx.com/features/usapatriotact.htm

10. Bush Homeland Security bill nears passage by US Congress. The Editorial Board. November 18, 2002. http://www.wsws.org/articles/2002/nov2002/home-n18.shtml

11. Georgia Institute of Technology Computer and Network Usage Policy. Office of Information Technology. Last Modified October 20, 2003. http://www.oit.gatech.edu/information_security/policy/usage/

12. Baase, Sara. A Gift of Fire: Social, Legal, and Ethical Issues for Computers and the Internet. 2nd edition. Prentice Hall. 2003. Page 289.

13. Palmer, C.C. Ethical Hacking. International Business Machines Corporation. Copyright 2001. www.research.ibm.com/journal/sj/403/palmer.html

14. Harvey, Brian. Computer Hacking and Ethics. April 1985. www.cs.berkeley.edu/~bh/hackers.html

15. Shell, Barry. Ethical Hacking. Georgia Straight Weekly, Vancouver, BC. September 14, 2000. http://css.sfu.ca/update/ethical-hacking.html

References

http://newdata.box.sk/2001/jan/are.you.a.hacker.html







http://www.onedollarcds.com/hack



http://klein.zen.ru/hscool/









http://news.bbc.co.uk/1/hi/world/europe/1686450.stm








http://www.security.gatech.edu/policy/law_library/gcspa.html







http://www4.law.cornell.edu/uscode/18/2256.html







1 Legal and Ethical Aspects of Computer Hacking ECE4112 – Internetwork Security Georgia Institute of Technology Acknowledgement: Kiran Tajani.

Documents

attack code

expert hacker

hacker categories cont

security flaws

code works

computer time

system vulnerabilities

computer systema culture