Introduction to Computer Systems 15-213/18

Computer Security 2014 – Ymir Vigfusson
Some slides borrowed from Dick Steflik, and material from PBS

We now understand some of the technical details behind compromise

But what about ethics, law and privacy?

Real, ongoing dilemmas

Scott Moulton, December 1999, Canton, GA
 Set up a router to connect the police department to E911
 Was concerned this would cause security risks, so did a rudimentary port scan of the networks involved
 Scanned a third-party web site; they emailed him back and he explained his actions
 They called the police and had him arrested for allegedly violating the CFAA (1030(a)(5)(B))
▪ Against those who “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage”
 Civil case dismissed before trial; eventually all charges were dropped
▪ “Court holds that plaintiff's act of conducting an unauthorized port scan and throughput test of defendant's servers does not constitute a violation of either the Georgia Computer Systems Protection Act or the Computer Fraud and Abuse Act.” — Civ. Act. No. 1:00-CV-434-TWT (N.D. Ga. November 6, 2000)

Many states have their own laws on computer abuse
 Some of which can arguably label “ping” packets as abusive

Countries also differ
 “A 17-year-old youth was convicted in Finland of attempted computer intrusion for simply port scanning a bank. He was fined to cover the target's investigation expenses.”
 “An Israeli judge acquitted Avi Mizrahi in early 2004 for vulnerability scanning the Mossad secret service. Judge Abraham Tennenbaum even commended Avi in his ruling:”
▪ “In a way, Internet surfers who check the vulnerabilities of Web sites are acting in the public good. If their intentions are not malicious and they do not cause any damage, they should even be praised.”
 “Broad cybercrime laws took effect in 2008 in Germany and England that ban distribution and possession of ‘hacking tools’”
http://bandwidthco.com/whitepapers/netforensics/recon/scan/Finding%20Fences%20in%20Cyberspace%20Privacy,%20Property%20and%20Open%20Access.pdf

ECPA Title I
 Criminalizes the interception of wire or electronic communications, and the use or disclosure of such communications when the interception was known to be in violation of ECPA
 Also criminalizes the use of "devices" to intercept communications, and the manufacture, distribution, possession or advertising of devices whose main commercial use is the interception of wire or electronic communications
 Provides persons whose communications are intercepted in violation of ECPA a civil cause of action

ECPA Title II
 Criminalizes unauthorized access (or access in excess of authorization) to a facility where electronic communications are stored, as well as unauthorized disclosure of electronic communications

Borrowed from slides by Dick Steflik

Computer Fraud and Abuse Act of 1984
 Makes it a crime to knowingly access a federal computer

Electronic Communications Privacy Act of 1986
 Updated the Federal Wiretap Act to include electronically stored data

U.S. Communications Assistance for Law Enforcement Act of 1996
 Amended the Electronic Communications Act to require all communications carriers to make wiretaps possible

Economic and Protection of Proprietary Information Act of 1996
 Extends the definition of privacy to include proprietary economic information; its theft would constitute corporate or industrial espionage

Health Insurance Portability and Accountability Act of 1996
 Standards for the electronic transmission of healthcare information

National Information Infrastructure Protection Act of 1996
 Amends the Computer Fraud and Abuse Act to provide more protection to computerized information and systems used in foreign and interstate commerce or communications

The Gramm-Leach-Bliley Act of 1999
 Limits the instances in which a financial institution can disclose nonpublic information about a customer to a third party

The case of Albert Gonzalez and Stephen Watt

The average armed robber will get $2500-$7500 and risks being shot or killed; 50-60% will get caught, convicted, and spend an average of 5 years of hard time

The average computer criminal will net $50K-$500K with a risk of being fired or going to jail; only 10% are caught, of those only 15% will be turned in to the authorities, and less than 50% of those will do jail time

Prosecution
 Many institutions fail to prosecute for fear of the publicity
 Many banks absorb the losses, fearing that they would lose more if their customers found out and took their business elsewhere
▪ Fix the vulnerability and continue on with business as usual
Work from anywhere
Minimal risk
No meetings or regular work hours
International colleagues
Compensation: $50,000-$500,000 per month
Skill profile:
Basic computer security know-how
Successful candidates have programming or social engineering skills
• http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
ICELAND
“FORTUNE FAVORS THE BOLD”
I WAS LUCKY
IF YOU GAINED ACCESS TO A BOTNET,
WHAT WOULD YOU DO?
IF YOU COULD HACK CRIMINALS,
WHAT WOULD YOU DO?
IF YOU COULD BREAK IN ANYWHERE,
WHAT WOULD YOU DO?
USE YOUR SKILLS TO IMPROVE OUR WORLD
void sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;

    if (level > debug_level)
        return;

    /* Bracket fmt with prog name and a newline to make it a single write.
     * Note that getprogname() (taken from argv[0]) becomes part of the
     * string that is later used as the vfprintf() format. */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
    efree(fmt2);
}
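A hardened form of sudo_debug(), added here as an example (not sudo's code): the program name is emitted as data through a fixed "%s" and only the caller's literal fmt is handed to vsnprintf, so conversion specifiers in argv[0] are copied verbatim instead of being interpreted. debug_format and safe_debug are assumed names, and output goes to a buffer so the result can be checked.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hardened variant of the sudo_debug() slide (added example, not sudo's code).
 * The program name is written as DATA via a fixed "%s" format; only the
 * caller's literal fmt reaches vsnprintf. In the original, fmt2 is built from
 * getprogname(), so conversion specifiers in argv[0] are interpreted. */
static int debug_format(char *buf, size_t bufsz, const char *progname,
                        const char *fmt, va_list ap)
{
    int n = snprintf(buf, bufsz, "%s: ", progname);    /* progname is data, not a format */
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    int m = vsnprintf(buf + n, bufsz - n, fmt, ap);    /* only the literal fmt is interpreted */
    if (m < 0 || (size_t)m >= bufsz - n)
        return -1;
    return n + m;                                      /* bytes written, excluding NUL */
}

/* Wrapper mirroring sudo_debug(int level, const char *fmt, ...); returns 0 when
 * the message is filtered out, -1 on truncation, otherwise the length written. */
static int safe_debug(char *buf, size_t bufsz, int level, int debug_level,
                      const char *progname, const char *fmt, ...)
{
    if (level > debug_level)
        return 0;
    va_list ap;
    va_start(ap, fmt);
    int r = debug_format(buf, bufsz, progname, fmt, ap);
    va_end(ap);
    return r;
}

int main(void)
{
    char buf[128];
    /* Constructed hostile program name: with the original code it would become
     * part of the format string; here it is copied through unchanged. */
    safe_debug(buf, sizeof buf, 1, 2, "%s%n%x", "uid=%d\n", 1000);
    fputs(buf, stderr);   /* prints: %s%n%x: uid=1000 */
    return 0;
}
```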
/* In struct skinny_device: the digits collected so far for the extension */
char exten[AST_MAX_EXTENSION];

static int handle_message(struct skinny_req *req, struct skinnysession *s)
{
    /* ... inside the switch on the message type ... */
    case KEYPAD_BUTTON_MESSAGE:
    {
        struct skinny_device *d = s->device;
        struct skinny_subchannel *sub;
        int lineInstance;
        int callReference;

        lineInstance = letohl(req->data.keypad.lineInstance);
        callReference = letohl(req->data.keypad.callReference);

        if (lineInstance) {
            sub = find_subchannel_by_instance_reference(d, lineInstance, callReference);
        } else {
            sub = d->activeline->activesub;
        }

        if (sub && ((sub->owner && sub->owner->_state < AST_STATE_UP) || sub->onhold)) {
            char dgt;
            int digit = letohl(req->data.keypad.button);

            if (digit == 14) {
                dgt = '*';
            } else if (digit == 15) {
                dgt = '#';
            } else if (digit >= 0 && digit <= 9) {
                dgt = '0' + digit;
            } else {
                dgt = '0' + digit;
                ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
            }

            /* Append the digit to d->exten; every keypad message from the
             * phone that reaches this branch adds one more character. */
            d->exten[strlen(d->exten)] = dgt;
            d->exten[strlen(d->exten) + 1] = '\0';
        } else
            res = handle_keypad_button_message(req, s);
    }
    break;
void sighndlr(int dummy) {
    syslog(LOG_NOTICE, user_dependent_data);
    // *** Initial cleanup code, calling the following somewhere:
    free(global_ptr2);
    free(global_ptr1);
    // *** 1 *** >> Additional clean-up code - unlink tmp files, etc <<
    exit(0);
}

/**************************************************
 * This is a signal handler declaration somewhere *
 * at the beginning of main code.                 *
 **************************************************/
signal(SIGHUP, sighndlr);
signal(SIGTERM, sighndlr);

// *** Other initialization routines, and global pointer
// *** assignment somewhere in the code (we assume that
// *** nnn is partially user-dependent, yyy does not have to be):
global_ptr1 = malloc(nnn);
global_ptr2 = malloc(yyy);

// *** 2 *** >> further processing, allocated memory <<
// *** 2 *** >> is filled with any data, etc... <<
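A signal-handling pattern that avoids the double free the snippet above sets up, added here as an example (not from the slides): the handler does nothing but store a flag, and the non-reentrant cleanup runs once from main context after the flag is seen. run_demo, do_cleanup and the 64-byte allocations are constructed for the demonstration.

```c
#include <signal.h>
#include <stdlib.h>

/* Added example (not from the slides): the handler only records the signal in a
 * sig_atomic_t flag. free(), syslog() and exit() are not async-signal-safe, so
 * they run once, from main context, after the flag is seen; a second signal
 * arriving during cleanup cannot re-enter it and free the same pointer twice. */

static volatile sig_atomic_t got_signal = 0;
static char *global_ptr1 = NULL;
static char *global_ptr2 = NULL;
static int cleanups_done = 0;      /* instrumentation: how many times cleanup ran */

static void sighndlr(int signo)
{
    got_signal = signo;            /* a single store; nothing else happens here */
    signal(signo, sighndlr);       /* re-arm on platforms whose signal() resets to SIG_DFL */
}

/* All non-reentrant work, called only from the main loop, never from the handler. */
static void do_cleanup(void)
{
    free(global_ptr1); global_ptr1 = NULL;
    free(global_ptr2); global_ptr2 = NULL;
    /* syslog(), unlinking temp files and exit() would go here as well */
    cleanups_done++;
}

/* Install the handler, allocate, deliver SIGTERM twice, then service the flag.
 * Returns how many cleanups ran: 1, however many signals were delivered. */
int run_demo(void)
{
    cleanups_done = 0;
    got_signal = 0;
    signal(SIGTERM, sighndlr);
    global_ptr1 = malloc(64);      /* stands in for malloc(nnn) / malloc(yyy) */
    global_ptr2 = malloc(64);

    raise(SIGTERM);                /* first delivery: flag set */
    raise(SIGTERM);                /* second delivery: flag already set, nothing to redo */

    if (got_signal) {              /* the main loop's check */
        got_signal = 0;
        do_cleanup();
    }
    return cleanups_done;
}
```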
/*
 * Log a message to syslog, pre-pending the username and splitting the
 * message into parts if it is longer than MAXSYSLOGLEN.
 */
static void do_syslog(int pri, char *msg)
{
    int count;
    char *p;
    char *tmp;
    char save;

    for (p = msg, count = 0; count < strlen(msg) / MAXSYSLOGLEN + 1; count++) {
        if (strlen(p) > MAXSYSLOGLEN) {
            /* Try to break the line on a word boundary */
            for (tmp = p + MAXSYSLOGLEN; tmp > p && *tmp != ' '; tmp--)
                ;
            if (tmp <= p)
                tmp = p + MAXSYSLOGLEN;

            /* NULL terminate line, but save the char to restore later */
            save = *tmp;
            *tmp = '\0';

            if (count == 0)
                SYSLOG(pri, "%8.8s : %s", user_name, p);
            else
                SYSLOG(pri, "%8.8s : (command continued) %s", user_name, p);

            /* restore saved character */
            *tmp = save;

            /* Eliminate leading whitespace */
            for (p = tmp; *p != ' '; p++)
                ;
        } else {
            if (count == 0)
                SYSLOG(pri, "%8.8s : %s", user_name, p);
            else
                SYSLOG(pri, "%8.8s : (command continued) %s", user_name, p);
        }
    }
}
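A bounded version of the splitting loop in do_syslog(), added here as an example (not sudo's code): it copies into caller-supplied chunks instead of writing NULs into the message, breaks on the last space within the window as the original does, and skips leading spaces by testing for ' ' so it can never run past the terminating NUL. CHUNK_MAX and split_for_syslog are assumed names.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not sudo's code): a bounded replacement for the splitting
 * loop in do_syslog(). It never writes into msg and never walks past its
 * terminating NUL. The original's "Eliminate leading whitespace" loop tests
 * for *p != ' ', which skips non-spaces; the loop below tests for ' '. */

enum { CHUNK_MAX = 32 };

/* Split msg into pieces of at most maxlen bytes, breaking at the last space
 * within the window when there is one (same rule as the original). Returns
 * the number of pieces written to out (at most nout); each is NUL-terminated. */
size_t split_for_syslog(const char *msg, size_t maxlen,
                        char out[][CHUNK_MAX], size_t nout)
{
    size_t count = 0;
    const char *p = msg;

    while (*p != '\0' && count < nout) {
        size_t remaining = strlen(p);
        size_t take = remaining;

        if (remaining > maxlen) {
            /* Look backwards from the window end for a word boundary. */
            take = maxlen;
            for (size_t i = maxlen; i > 0; i--) {
                if (p[i] == ' ') { take = i; break; }
            }
        }
        if (take >= CHUNK_MAX)          /* window larger than a chunk can hold */
            take = CHUNK_MAX - 1;

        memcpy(out[count], p, take);
        out[count][take] = '\0';
        count++;
        p += take;

        /* Skip leading spaces, stopping at the NUL (the original loop did not). */
        while (*p == ' ')
            p++;
    }
    return count;
}
```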
/*
 * Pointer to an array containing all allocated channels. The array is
 * dynamically extended as needed.
 */
static Channel **channels = NULL;

/*
 * Size of the channel array. All slots of the array must always be
 * initialized (at least the type field); unused slots set to NULL
 */
static u_int channels_alloc = 0;

Channel *channel_by_id(int id)
{
    Channel *c;

    /* channels holds channels_alloc entries, so valid indices are
     * 0 .. channels_alloc - 1 */
    if (id < 0 || (u_int)id > channels_alloc) {
        logit("channel_by_id: %d: bad id", id);
        return NULL;
    }
    c = channels[id];
    if (c == NULL) {
        logit("channel_by_id: %d: bad id: channel free", id);
        return NULL;
    }
    return c;
}