
LESM-A204 U08 219

Security Practice and Management
Unit 8
HKMU Course Team
Course Development Coordinator:
Dr Raymond W K Lau, HKMU
Dr Hilton Chan, Consultant
Dr Raymond W K Lau, HKMU
Instructional Designer:
Louise Aylward, HKMU
Dr Garland Liu, HKMU
Dr Czeslaw Tubilewicz, HKMU
External Course Assessor
Dr Dennis S W Wong, City University of Hong Kong
Office for Advancement of Learning and Teaching (ALTO)
Copyright © Hong Kong Metropolitan University, 2001, 2011.
Reprinted 2021.
All rights reserved.
No part of this material may be reproduced in any form
by any means without permission in writing from the
President, Hong Kong Metropolitan University. Sale of this
material is prohibited.
Hong Kong Metropolitan University
Ho Man Tin, Kowloon
Hong Kong
This course material is printed on environmentally friendly paper.
Computer crime and security
What is computer crime?
Characteristics of computer crime
Computer crime and security surveys
Introducing computer networks and the Internet
Telecommunication systems
Computer networks
The Internet
Understanding network security
Illustration: computer security in e-commerce
Legal aspects of computer security
Feedback on activities
More and more aspects of our daily life are associated with computers.
The bus, train, tram, MTR or private car by which you travel to work all
have computer parts. The microwave oven that you use to reheat food
runs on a computer chip. For years now, I have not written anything by
hand but rather have written directly on the computer. Except for
withdrawing cash, many people now carry out their banking transactions
on the Internet. Computers have revolutionized our daily life. But they
have also revolutionized crime. As a result, a whole new area of security
has been born: computer security.
As you will learn, computer security is a highly technical matter that is
the special field of professional IT (information technology) experts. As a
professional security manager, you are not expected to master these
technical aspects yourself. However, as we have emphasized several times in
this course, the job of a modern-day professional security manager
requires much more than putting guards at entrances and exits. It requires
someone who has a broad basic knowledge of and sensitivity to issues
such as criminology, law and socio-political-economic developments.
That is why in this course we have included units on or introduced you to
these issues. It is easy to learn about things like installing fire hydrants.
You do not need a ten-credit course for that. But as we have shown (e.g.
in Unit 7), a professional security sense requires much more than things
like that to be developed. Moreover, although the technical IT issues of
computer security are not the security manager’s area, a basic knowledge
of and sensitivity to what computer security is about is required. In large
organizations, the security manager is likely to have occasions in which
he or she will need to work with IT professionals in planning the
organization’s overall security requirements. For instance, the processes
and procedures of physical security of large organizations are likely to be
computerized. What if these computerized data are being electronically
stolen or altered? Clearly, if the security manager were totally ignorant of
what computer security is about, he or she would be working at a serious
This unit first examines what computer crime is. You learn that there is
considerable confusion even among experts on the topic. To overcome
such confusion, the issue is examined first with reference to the concept
of legal category, and then with reference to the nature of computer crime
in relation to computerized data. This allows us to understand that
computer security is mainly about protecting computerized data. After
that, we introduce you to the characteristics of computer crime, as well as
provide you with a brief survey of the state of computer crime.
Much of computer crime is committed on and via the Internet. Hence, an
understanding of this type of crime and of computer security requires a
basic knowledge of the infrastructural basis of the computer network and
the Internet. This is done in the second section (‘Introducing computer
networks and the Internet’). The following section provides a basic
examination of the various aspects of computer security (focusing on
network security). You learn about the major threats to network security,
LESM A204 Security Practice and Management
as well as the most common and important measures to ensure network
security. The next section (‘Illustration: computer security in
e-commerce’) pursues the matter further by focusing on e-commerce
security. You learn about what the specific security concerns are, as well
as the measures available to address these concerns.
The final section looks at the legal aspects of computer security. This
picks up from the discussion in the first section in which you learned why
and how computerization, especially network computerization, has led to
unprecedented legal problems. An examination of Hong Kong’s efforts to
deal with the various issues involved is provided.
In short, the unit:
examines what computer crime is and describes its characteristics;
provides a basic understanding of computer networks and the
discusses the major concerns of computer security;
discusses measures to ensure various aspects of computer security;
discusses various legal aspects of computer security with a focus on
Hong Kong.
Computer crime and security
The first challenge in understanding computer crime and security is
defining what computer crime is.
What is computer crime?
This looks like a simple question, but I can tell you that it is not.
To see why, look at the following example of computer crime given by
Donn B Parker (1998, 59):
For example, extortion and kidnapping involve ransom notes … If the
ransom information is written by hand and sent through the postal
service, the crime is an ordinary one. If the information is written and
communicated electronically, it is a cybercrime.
Such a way of defining cyber (or computer) crime seems strange. Let us
say the kidnappers make the ransom demand neither by mail nor email (a
form of electronic communication), but convey the demand through a
simple phone call. Do we call the kidnapping a ‘telephone’ crime? We
would, if Parker’s logic in the above quotation is followed. In fact, if a
ransom demand conveyed by email constitutes computer crime, we
should not call a ransom demand conveyed by post an ordinary crime, but
a ‘postal’ crime. Let us consider another example of computer crime
mentioned by Parker:
A computer-controlled robot stabbed a repairman to death after his
associate failed to put the robot into a safe mode for maintenance.
Again, it seems rather odd to call this a computer crime. Let us say a
repairman is electrocuted when repairing an electrical device, because his
colleague forgot to switch on the safe mode for the device. Do we call it
an ‘electrical’ crime? Obviously not.
In the above examples mentioned by Parker, it seems that the simple
involvement of a computer itself constitutes the criterion on which to
define computer crime. But, as we all know, more and more aspects of
our daily life involve objects (from the microwave oven office workers
use to reheat their lunches to the bus they take to go to work) that use
computers or computerized parts. This implies that if the mere
involvement of computers constitutes the definitional criterion, more and
more crimes would become computer crimes. Then, the term computer
crime becomes so broad as to make it meaningless.
Parker is not alone in facing the difficulty of how to define what
computer crime is. Thus, the FBI distinguishes between two types of
computer crime:
the computer as the tool of the criminal
the computer as the target of the criminal.
Such a contrast between ‘tool’ and ‘target’ is a commonly used criterion.
As you will see shortly, this contrast is useful. However, there are
problems with it, too. For instance, a thief steals a PC (personal
computer). The computer is the target of the thief, but it seems odd to call
it a computer crime instead of simple theft. Take another example.
Money launderers use e-banking (carrying out banking transactions such
as money transfers from one account to another via the Internet; ‘e’
means ‘electronic’) for money laundering. When this happens, the money
launderers use a computerized process (e-banking) as a tool in
committing their crime, but there seems to be no good reason why it
should be regarded as a computer crime. Instead, it is simple money
laundering; the use of e-banking is purely incidental to the crime.
Activity 8.1
Some criminals use sophisticated computers to print forged banknotes.
According to the FBI’s classification, what kind of crime is this? Do you
agree with such a categorization? If so, why? If not, why not?
If you look at different texts on computer crime, you will find different
definitions. In the above, we only cited the examples of Parker and the
FBI for illustration. Why is there such confusion about what constitutes
computer crime? This question is difficult to answer. Perhaps experts and
law enforcement agencies are overwhelmed by the new phenomenon of
computer crime, so instead of trying to think through carefully what it is
conceptually, they simply hasten to lump everything criminal in which
computers are involved under the general label of computer crime. In any
case, what we want to do here is to make you think about the matter more
First, you will recall from Unit 4 that white-collar crime is not a legal
category but a sociological-criminological concept. So, the first question
we need to ask is whether or not computer crime is a legal category. It is
clear that although computer crime in general is not a legal category (i.e.
a specific offence), certain specific forms of computer crime can
constitute legal categories punishable as such by legislation. For instance,
in some countries ‘hacking’ (unauthorized access to computers) is a
specific offence. However, this is not the only way to deal with such
criminal activities. Let’s say a computer whiz kid writes a virus program
that will delete data on the hard disk of the computer struck by the virus
and spreads it, thereby wiping out such data of his or her victims. Instead
of trying to create a new specific offence for this, many places simply
make it a form of criminal damage. In this case, the legal category is
criminal damage, not the computer crime of spreading a virus. In sum, it
is important to note:
(1) The concept of computer crime in general is not a legal category.
(2) Some specific forms of computer crime can be, and are, made into
legal categories (i.e. specific offences) in some places.
(3) But (2) is not the only way to deal with such criminal activities.
The advantage of the above analysis is that it immediately shows why it
is ridiculous to call the above kidnapping case a computer crime. Even if
a country or place decides to make as many specific forms of computer
crime as possible into legal categories, it is unimaginable to have a
specific offence of ‘kidnapping with the ransom demand sent
electronically’. It would indeed be crazy if any such attempt were made.
The same applies to the other similar examples discussed in this section.
A later section examines the legal aspects of computer crime more fully.
Let us proceed. Given point (1) above (that computer crime in general is
not a legal category), the next question is precisely how we should define
computer crime in general. In the following discussion, our purpose is
not so much to provide an infallible definition as to provide guidance on
how to think about this issue conceptually, which will further enable us to
appreciate what computer security is about. Other experts may not
entirely agree with our conceptualization, but we think it is superior to
the various existing definitions.
Take the example of the whiz kid again. It is clear that the data on the
victims’ hard disks are the target of the crime (the FBI’s ‘computer as
the target’ class). Now consider another case. In shopping with an
Internet retailer, you submit details of your credit card electronically.
Unfortunately, the retailer’s Web page is insecure (Web page security is
discussed later) and the details you submitted were intercepted by a
hacker. The hacker subsequently used them to make purchases (retail
shopping on the Internet requires only details such as your name, credit
card number and expiry date; no signature is needed). Here, the hacker
uses the Internet as a tool (the FBI’s ‘computer as the tool’ class)
to obtain data concerning your credit card. In both of the above cases,
you will note that data are the target. In the first case, it is computerized
data (on the hard disk) that is targeted. In the second case, the victim’s
personal credit card data are submitted through a computerized process
(e-shopping). In so doing, the credit card data become computerized
(digitized), and as a result they become a target that is obtainable by
another person through the computerized process of hacking. In short, in
both cases, it is computerized data that are targeted. As you know,
computers are really only sophisticated machines to handle data. Hence,
from this point of view, a valuable way of understanding computer crime
is the following:
Computer crime is unlawful activities whose target is computerized
data. Since these data are computerized, they can only be targeted by
means of computerized processes.
In contrast to using the mere involvement of computers as a defining
criterion, this conceptualization is useful for two reasons. At one and the
same time it allows us to avoid the embarrassing pitfalls of, for instance,
calling a simple kidnapping case a computer crime; and it enables us to
appreciate what computer security is about. Let me explain.
You may ask: Just as the kidnapping case remains the same kidnapping
case whether the ransom demand is conveyed by phone, post or email,
what is the difference between a criminal physically stealing the victim’s
credit card and obtaining its details, and the above example of obtaining
the data on the Internet? Indeed, from the legal point of view, both are
theft. But in the above, it was explained that even if a certain specific
form of computer crime (such as spreading a virus) can be made into a
legal category (a specific offence), many countries choose not to do so,
and prefer to handle these criminal activities by existing legal categories
(such as criminal damage). Hence, although according to the law, both of
the above cases are theft, this does not mean that we should not consider
the latter case (stealing credit card details on the Internet) a computer
crime. In fact, there is a distinct advantage in regarding it as a computer
crime (based on the fact that the target is computerized data illegally
obtained by computerized processes), because in doing so it enables us to
understand what computer security is about. Computer security is about
the protection of computerized data. Thus, in the latter case, the security
concern is whether or not the retailer’s Web page is secure to protect the
transmission of computerized data. In the former case, the security
concern is different: it is to avoid being physically pick-pocketed.
Computerized theft and physical theft are different and hence call for
different security measures. This differentiation does not apply to the
kidnapping case. Whether the ransom demand is conveyed by phone, post
or email, the security concern remains the same: the physical prevention
of getting kidnapped. There is no question of providing security against
receiving ransom demand phone calls, ransom demand mail, or ransom
demand email. This is why it is ridiculous to call kidnapping a computer
crime if the ransom demand is made through email instead of phone or
post. But it makes a lot of conceptual and security sense to regard the
theft of credit card data that become computerized (by being submitted on
the Internet) and illegally obtained through computerized processes as a
computer crime.
To summarize, in this section we explain that a lot of confusion exists,
even among experts, about the term computer crime and how it should be
defined. Many define it on the criterion of the mere involvement of
computers, which sometimes results in ridiculous labelling. We then
explain how computer crime is more usefully conceptualized. This is
done first by examining the issues of whether or not computer crimes in
general and specific forms of computer crime are legal categories. We
then explain that the nature of computer crime is that it is targeted at
computerized data that can be illegally obtained only by computerized
processes. The usefulness of this conceptualization is shown by how it
enables us to understand what computer security is about. Before moving
on to the next section, you should note that various terms are used in
addition to computer crime, the most common of which is cyber crime. In
my view, these two terms (computer and cyber crime) are synonymous.
However, there are other terms which really only reflect the
above-mentioned state of confusion. These include: computer-related crime
(as mentioned, fewer and fewer aspects of our daily life are not
computer-related), high-tech crime (how do you define high-tech?), and
information crime (can information not be conveyed non-electronically?).
Activity 8.2
The following two types of fraud are among the most common on the
Internet in the US. For each, explain whether or not you consider it to be
a computer crime.
Auction fraud: Many auctioneers host a website at which auctions are
held electronically. Let’s say you have topped the last bidder for a
Ming Dynasty vase. You send the cheque, but the vase never arrives,
or it turns out to be a fake.
Porn sites: You can get railroaded into one of these sites, and before
you know it your phone bill is in the four-digit range, because the site
operator has obtained details of your dial-up connection and uses them.
Characteristics of computer crime
Because computer crime concerns digitized data and the bulk of such data
are or can be transmitted globally via the Internet, computer crime
behaves very differently from traditional crimes. Let’s examine some of
its unique features:
Boundary-free crime
In cyber crime via the Internet, the criminal can launch a remote
attack, in which he is physically in one country while the attack takes
place in another country.
Extra-territorial jurisdiction
In view of the distributed design of computer networks, it is difficult
to define the jurisdiction of the criminal act. For example, in an
Internet gambling scenario, the gambling server (the term ‘server’
will be explained later) is in country A, the payment server is in
country B, the Web hosting server is in country C, while the program
is running on the client computer in country D. Where is the
gambling taking place?
Cyber criminals can easily hide their real identities with bogus names
and addresses.
Small cost, huge benefit and damage
The risk and cost of mugging a man in the street for $1,000 are much
smaller than the risk and cost of robbing $1 million from the bank.
But in computer crime, in technical complexity and risk, there is
virtually no difference between altering financial data of $1 or $1
million. This means that for a relatively low cost, large sums of
money can be targeted in computer crime.
Invaluable information
There is no universal formula in calculating information loss. For
example, a copy of a company’s customer database is leaked to its
competitor. Is it the physical cost of the CD-ROM? The investment
costs in building the company’s customer database since the
beginning? Or the loss in future revenues, public confidence and
good will?
The victim may not be aware until it is too late
When you physically lose a credit card, you know about the loss very
soon and hence have time to remedy the situation (for example, by
calling the credit card company to stop honouring the card). But
victims of computer crime are often unaware of their victimization
until it is too late — for example, when the credit card statement
arrives showing huge purchases that the owner has never made.
Technical complexity — digital evidence
Forensic investigation of traditional crime relies on physical and
chemical evidence such as DNA, ballistic examination, fingerprints, etc.
Computer crime investigation instead involves computer forensics, Internet
data analysis, system log analysis, email header analysis, etc., to
discover, collect, analyse and recover digital evidence from the cyber
trail of a virtual crime scene.
Laissez-faire cyber culture
The rapid growth of the Internet owes much to the freeware, ‘copyleft’
(a play on copyright), shareware and laissez-faire cyber culture.
Regulation of the Internet is likely to be regarded unfavourably by most
Internet users. It is this culture that makes enforcement against
computer crime on the Internet much more
Having understood the characteristics of computer crime, we can see that
the protection of information over the Internet has created unprecedented
legal problems. Enforcement action requires international cooperation,
increased public awareness, government-private sector collaboration,
computer forensics, and internal corporate information security policy.
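The ‘email header analysis’ mentioned under digital evidence, as an added worked example (this script was written for this edition and is not part of the course text or its readings): it parses the Received headers of a constructed sample message, lists the hops in delivery order, flags RFC 1918 private addresses, and applies the evidential rule that only headers written by mail servers you control can be trusted. All host names and addresses in the sample are constructed for illustration.

```python
"""Reconstruct the delivery path of an email from its Received headers.

Each mail server that handles a message prepends its own Received header,
so the top header was written last (by the recipient's server) and the
bottom one first. Only headers written by servers you control are
trustworthy evidence; everything below them was supplied by the sender's
side and may have been forged.
"""
import email
import ipaddress
import re

# Constructed sample message (not a real one). The bracketed addresses use
# the RFC 5737 documentation ranges plus one RFC 1918 private address for
# the machine that originated the message.
RAW_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
    by mx.victim.example (Postfix) with ESMTP id 4F2A1
    for <target@victim.example>; Mon, 05 Mar 2001 10:12:03 +0800
Received: from relay.example.org (relay.example.org [198.51.100.7])
    by mail.example.net with ESMTP; Mon, 05 Mar 2001 10:11:40 +0800
Received: from [192.168.1.23] (unknown [192.168.1.23])
    by relay.example.org with SMTP; Mon, 05 Mar 2001 10:11:12 +0800
From: "Anonymous" <nobody@example.org>
To: target@victim.example
Subject: instructions
Message-ID: <abc123@example.org>

Pay up.
"""

# RFC 1918 private ranges: such an address cannot be reached from the
# Internet, so it describes the sender's LAN, not a public origin.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the hops oldest-first, one dict per Received header."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom header = first hop
        value = " ".join(value.split())                   # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue                                       # malformed header: skip, do not guess
        ip_m = IP_RE.search(value)
        ip = ip_m.group(1) if ip_m else None
        private = ip is not None and any(ipaddress.ip_address(ip) in net for net in RFC1918)
        hops.append({"from_host": m.group("from"), "from_ip": ip,
                     "by_host": m.group("by"), "private": private})
    return hops


def last_verifiable_ip(hops, own_hosts):
    """Walk from the newest hop backwards while the recording server is ours.

    The 'from' address in a header written by one of our own servers is the
    address that server actually saw on the wire. The first such header whose
    sender is not also ours names the last address we can vouch for; anything
    earlier in the chain rests on the sender's word.
    """
    for hop in reversed(hops):                  # newest first
        if hop["by_host"] not in own_hosts:
            return None                         # we recorded nothing: no reliable origin
        if hop["from_host"] not in own_hosts:
            return hop["from_ip"]
    return None


def describe(hops):
    """Human-readable path, oldest hop first."""
    return [f"hop {i}: {h['from_host']} [{h['from_ip']}] "
            f"({'private' if h['private'] else 'public'}) -> {h['by_host']}"
            for i, h in enumerate(hops, 1)]


if __name__ == "__main__":
    path = parse_hops(RAW_MESSAGE)
    print("\n".join(describe(path)))
    print("last verifiable origin:", last_verifiable_ip(path, {"mx.victim.example"}))
```

Run against the sample, the script shows three hops but names 203.0.113.10 as the only origin the victim can vouch for: the two earlier hops, including the private 192.168.1.23, were written by machines outside the victim's control and could have been fabricated by the sender.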
Reading 8.1
Chan, H K H (2000) ‘Cyber crime — a global threat to e-commerce’, Computer Society.
Carter, D L and Katz, A J (1996) ‘Computer crime and
security: the perceptions and experiences of corporate security
directors’, Security Journal, 7: 101–8.
Computer crime and security surveys
Over the years, numerous surveys have been conducted to understand the
computer security and crime problem. Hoffer and Straub (1989)
revealed that 32% of computer abuse was discovered by accident, 45%
by normal system controls, and 12.5% by computer security officers and
The Information Security Survey 2000 conducted by the Hong Kong
Productivity Council (HKCERT/CC) revealed that 19% of the
interviewed companies experienced computer attacks within the last 12
months. Over 90% of these were computer virus incidents, 3% sabotage, 1%
unauthorized access, 1% denial of service (explained later), and 1% system penetration.
Vandalism was the dominant type (77%) of website attack, followed by
denial of service (15%) and theft of transaction information (8%). Total
financial loss amounted to about HK $1.4 million. An interesting finding
was that only 18% of the interviewees reported the attacks to the police.
In the US, most organizations are concerned with negative publicity and
hence are also reluctant to report to the police.
The 2001 FBI Computer Crime and Security Survey revealed that 85% of
the respondents detected computer security breaches within the last 12
months. The total financial loss was about US $378 million, compared to
US $266 million in 2000. The most serious financial loss was due to theft
of proprietary information. Thirty-six percent of the respondents had
reported the incident to police, 94% detected a computer virus, 91%
detected abuse of Internet access privileges by employees, 40% detected
external system penetration, and 38% detected denial of service attacks.
Reading 8.2
Chan, H K H (2001) ‘A comparative study of reported and
unreported computer crimes’, UMI Dissertation Services,
‘Information Security Survey 2001’ (2001) Hong Kong
Productivity Council, October,
Session, W S (1991) ‘Computer crimes — an escalating crime
trend’, FBI Law Enforcement Bulletin, February, 12–15.
Activity 8.3
Compare computer abuses and crimes in the US and Hong Kong.
The reporting of computer crime to the police is higher in the US than in
Hong Kong. Explain why.
Introducing computer networks and the Internet
The bulk of computer crime is committed on the Internet. Hence, the
biggest concern of computer security is security on the Internet. In order
to understand what is involved in security on the Internet, it is necessary
to have a basic understanding of the Internet.
Telecommunication systems
Computer networks use telecommunications systems to connect the
various computers belonging to the same network. Such networks consist
of a number of components. Regardless of how far apart the computers
belonging to the network are from one another, the components remain
the same. They are:
1 the central or host computer which processes information
2 terminals or any input-output devices for accessing information
3 communication channels: the medium carrying information from one
computer to another
4 communication processor: the equipment serving as the intermediary
between computers and the communication channel
5 computer programs that govern the data traffic.
Let me explain what these components are. The first two are computers
and can be located anywhere within the network. An example of
component 1 is a central computer that provides airline flight schedule
data. A user can access the data by means of a desktop computer at home,
or a laptop while travelling in a taxi, or even his or her Internet-capable
cellular phone while having coffee at Delifrance. The desktop, laptop and
cellular phone all constitute the terminal, i.e. component 2. In some
networks, some terminals actually host data that can be accessed by other
terminals. When this happens, it serves as both component 1 in relation to
these data, as well as a terminal (component 2) for accessing data stored
in the host computer.
Component 3 can be in various forms. Thus, hooking up (connecting)
computers within the same office is often done by means of dedicated
(i.e. specially for the purpose) wires, whereas linking your home
computer to the office network is mostly done using existing telephone
lines. Other forms of communication channel include fibre optic cables
and wireless media (microwave transmission, satellites, cellular phone
transmission, etc.).
The function of component 4 is to transform the digital data from the
computer (host computer and terminals) into a format that the
communication channel (component 3) can transmit, and vice versa. For
instance, telephone lines transmit analog signals; hence a communication
processor such as a modem is needed to transform digital into analog
signals and vice versa, in order for data to be transmitted through the
network, and readable in digital form on the computers of the network.
Components 1 to 4 are the hardware. Component 5 is the software that
controls input and output activities and manages other functions of the
Computer networks
Computer networks are organized hierarchically. At the lowest level, a
group of computers is linked together to form a local area network or
LAN. In, for example, an office, LAN is the network that links together
by means of dedicated wires all of the office’s computers. In an Internet
Service Provider (ISP, a firm providing access to the Internet for its
end-users), the end-users’ computers (i.e. terminals) are connected to the
ISP’s LAN by telephone lines.
A group of LANs within the same metropolitan area may be linked
together in a regional network. These regional networks are often known
as wide area networks (WAN). Thus, communication between two
computers belonging to different LANs is done through the WAN that
incorporates both LANs. Different WANs are, in turn, connected into
higher level networks which are known as backbone networks. By means
of such a hierarchical structure, computers in different parts of the world
can communicate with one another, with the Internet being the worldwide
To route data between two computers, their locations must be known to
one another. Such locations are known as IP addresses or simply
addresses (IP means Internet Protocol). IP addresses are pretty much like
telephone numbers, and (in the IPv4 form discussed here) consist of four
groups of numbers from 0 to 255 separated by dots. As you can see, unlike
telephone numbers, IP addresses are difficult to memorize. Hence, they are
given names. For example, www.hkmu.edu.hk is the name given to the IP
address of HKMU’s Web server. It is, however, necessary to translate the
human-readable name into its IP address. This is done by the Domain Name
System (DNS), a distributed directory of name-to-address records. The part
of it that answers queries for a LAN is usually a dedicated name server on
that LAN. You can now understand why email addresses are structured in the
form of user@domain. The domain name (e.g. hkmu.edu.hk) behind the sign @
identifies, after translation by the DNS, the mail server that accepts
mail for that domain. The user name in front of the sign @ identifies the
specific mailbox within that domain.
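As an added example (written for this edition, not part of the course text), the script below makes the dotted-quad address, LAN membership and name translation described above concrete. The zone table, host names and addresses are constructed and do not claim to be HKMU’s real DNS records. It goes a little beyond the text in two places: it follows CNAME alias chains (refusing loops, as real resolvers do), and it shows that the domain part of user@domain leads, via an MX record, to the mail server for that domain rather than to a single LAN.

```python
"""IPv4 addresses, LAN membership and name-to-address translation.

Added example for this unit. The zone table below is constructed for
illustration and does not claim to be HKMU's real DNS data.
"""


def parse_ipv4(text):
    """Strictly validate a dotted quad 'a.b.c.d' and return it as a 32-bit int."""
    groups = text.split(".")
    if len(groups) != 4:
        raise ValueError(f"{text!r}: expected four groups separated by dots")
    value = 0
    for g in groups:
        # digits only, no leading zeros (some parsers read them as octal), 0..255
        if not g.isdigit() or (len(g) > 1 and g[0] == "0") or int(g) > 255:
            raise ValueError(f"{text!r}: bad group {g!r}")
        value = (value << 8) | int(g)
    return value


def same_lan(addr_a, addr_b, prefix_len):
    """True if both addresses share their first prefix_len bits (same network)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return (parse_ipv4(addr_a) & mask) == (parse_ipv4(addr_b) & mask)


# Constructed zone: name -> (record type, data). A = address, CNAME = alias for
# another name, MX = name of the mail exchanger that accepts mail for a domain.
ZONE = {
    "www.example.hk": ("CNAME", "web1.example.hk"),
    "web1.example.hk": ("A", "203.0.113.5"),
    "example.hk": ("MX", "mail.example.hk"),
    "mail.example.hk": ("A", "203.0.113.25"),
    "loop1.example.hk": ("CNAME", "loop2.example.hk"),   # deliberate alias loop
    "loop2.example.hk": ("CNAME", "loop1.example.hk"),
}


def resolve(name, zone=ZONE, max_chain=8):
    """Translate a name to an IPv4 address, following CNAME aliases.

    Returns None for names with no address; raises on alias loops, which
    real resolvers also refuse to follow indefinitely.
    """
    name = name.lower().rstrip(".")
    for _ in range(max_chain):
        record = zone.get(name)
        if record is None:
            return None
        rtype, data = record
        if rtype == "A":
            return data
        if rtype == "CNAME":
            name = data.lower()
            continue
        return None          # an MX or other record is not an address
    raise ValueError(f"alias chain too long (loop?) at {name!r}")


def mail_server_for(address, zone=ZONE):
    """Split user@domain and return (mailbox, IP of the domain's mail exchanger)."""
    mailbox, sep, domain = address.rpartition("@")
    if not sep or not mailbox or not domain:
        raise ValueError(f"{address!r} is not of the form user@domain")
    record = zone.get(domain.lower())
    if record is None or record[0] != "MX":
        return mailbox, None
    return mailbox, resolve(record[1], zone)


if __name__ == "__main__":
    print(hex(parse_ipv4("203.0.113.5")))
    print(same_lan("192.168.1.23", "192.168.1.200", 24),
          same_lan("192.168.1.23", "192.168.2.1", 24))
    print(resolve("www.example.hk"), mail_server_for("alice@example.hk"))
```

The strict parser matters for security work: lenient parsers that accept ‘01.2.3.4’ or fewer than four groups have been used to slip addresses past filters, so an address that does not match the four-group form is rejected rather than guessed at.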
The Internet
As noted, the Internet is the worldwide network. Its origins can be traced
to the 1960s, when the US Department of Defense set up a network called
ARPANET to facilitate information exchange among university
professors and other research scientists. Later, the US National Science
Foundation (NSF) formed a new network called the NSFNET, which
eventually replaced ARPANET as the backbone network (see above) for
the research and academic community.
It was, however, only in the early 1990s that commercial networks (i.e.
ISPs) were connected to the NSFNET. This allowed end-users of these
commercial networks to access the NSFNET. More importantly, by
means of the NSFNET backbone network, end-users of different ISPs
could now communicate with one another. As a result, a gigantic network
was created which eventually developed into what we now call the
Today, backbone networks are offered by a host of companies. These
networks are connected through interchange points known as
Commercial Internet Exchanges (CIX), which have formed into an
association. Not surprisingly, large telephone companies and cable
operators run many of these backbone networks. For instance, members of the
CIX include:
telecom firms such as AT&T in the US, Cable & Wireless and British
Telecom in Britain
cable TV operators such as Time-Warner, Media One, etc.
independent backbone carriers such as PSINet, UUNet, etc.
The Internet has many applications, the most common of which include
email, news forums, interactive communication (such as ICQ), remote
computer access (instructions can be submitted to a remote computer to
perform any task on that computer), and information retrieval.
Information retrieval is the function that largely accounts for the
explosive growth of the Internet. Information can be hierarchically
organized into pages, known as Web pages, which contain texts, photo
images and audiovisual media, and stored in dedicated computers (known
as servers). By connecting to these servers, users can systematically
retrieve information. A Web page is identified by its Web address or
uniform resource locator (URL). Thus, the URL of HKMU’s homepage is
http://www.hkmu.edu.hk. As you can see, the URL contains the domain
name, which is the alias of the Web page’s IP address.
Anyone can, if he or she wishes, set up his or her own website. The same
applies to any organization. To do so, the site’s URL has to be
established. As you probably know, the domain name easily identifies the
type of organization. Thus, sites of commercial firms are identified by
<.com> (<.co> in Britain) in the URL, educational institutions by <.edu>
(<.ac> in Britain), non-profit organizations by <.org>, governmental
organs by <.gov>, etc. When you set up a website, you have to register
your domain name with any one of a number of non-profit organizations
that keep centralized records of domain names. When registering, you
also provide information on the nature of your website. The reason for
this is simple. By doing so, it can be ensured that your domain name is
not already used by someone else. Further, you probably know what a
search engine (such as Yahoo!) is. When you use a search engine to
search for sites on a certain topic (e.g. diving in Bali), the search engine
goes through the records of domain names and uses the information on
the type of website you supplied to identify the relevant websites.
Because communication on the Internet goes in both directions, it is
possible to conduct business via the Internet. Thus, many businesses have
set up websites not only in order to promote themselves, but also to
conduct business transactions. E-business, as such business is called, is of
two main types:
• B2C or B to C: business selling to consumers, or more generally transactions between business firms and consumers
• B2B or B to B: business-to-business transactions
In the following activity, you take a look at several B2C examples. Later,
we discuss computer network security in relation to e-commerce.
Activity 8.4
Check out the kinds of B2C transaction you can conduct on the following
• Amazon: http://www.amazon.com
• Hongkong Bank (click online@hsbc): https://www.hsbc.com.hk/
• South China Morning Post (click archive): http://www.scmp.com
One final point before we move on to the next section. On the Internet,
there is no privacy. This lack of privacy can be understood in a number of
senses. For instance, the network administrator has a complete record of
all of your Internet activities (e.g. the email you send and receive, the
websites that you have visited, etc.). Of course, we assume that network
administrators observe the ethics of not prying into your activities. The
following section explores this issue more fully. Meanwhile, you should
note that the lack of privacy (or, conversely, the openness of the Internet,
and hence of any computer logged on to it) means that technical
sophistication is required to provide security. It also means that forensic
investigation into computer crimes is possible by means of collecting (or
discovering) and analysing the cyber trail left behind by cyber criminals
(though sophisticated cyber criminals are capable of disguising such
Understanding network security
This section gives you a basic introduction to the topic of network
security. The next section explores the issue of computer security in
greater detail by examining security in e-commerce.
In a recent survey (2001) conducted by the Information Technology
Association of America or ITAA (in conjunction with an accountancy
firm) among IT executives, it was found that the major concerns of
network security are:
• privacy and confidentiality: we pointed this out at the end of the previous section
• data integrity: uncertainty about whether or not data has been interfered with by malicious parties (data integrity is the completeness and soundness of the data)
• authentication: uncertainty about the true identity and credentials of the parties with whom one communicates
• infrastructure security: uncertainty about whether or not the network infrastructure is robust enough to withstand malicious attacks.
As you can see, security concerns range widely, but basically, we can
classify network security threats into two groups:
• Client-server: Any computer logged on to the Internet (including an ISP’s host-server and its end-users’ terminals) is subject to remote manipulation by a malicious third party.
• Data and transaction: An unauthorized party without the owner’s knowledge may access confidential data; parties assuming a false identity may carry out transactions.
Let us discuss these two groups of threat in greater detail. Under the
category of ‘client-server’ threats, the most common types are:
• malicious code threats, e.g. computer viruses that instruct the victim’s computer to perform self-destructive tasks, as well as spread to other computers linked to the initial batch of victim computers
• unauthorized modification of data contained in the victim’s computer by remote hackers, i.e. destroying data integrity
• service overloading, e.g. denial of service (DoS) attacks (targeted at host servers, in which hackers direct enormous numbers of data requests at the host server, thereby overloading it, with the result that genuine end-users making genuine service requests of the host server are denied its service)
• message overloading, e.g. hackers send a large number of very large files to an email server, causing it to crash.
Under the category of ‘data and transaction’ threats, the most common types are:
• Data security: unauthorized access to confidential data, achieved either through eavesdropping on the network or gaining access to the computer hosting the data.
• Message integrity: unauthorized alteration of an important message or document such as a business contract.
• Authentication: false identity assumed by parties with whom one communicates or does business on the Internet.
Let us now take a general look at some of the typical security measures
that can be taken:
• Restriction of access: Only legitimate users are allowed to access the network, for instance, by using passwords. However, hackers are able to eavesdrop on the network and obtain the password during its transmission, hence necessitating the further measure of encrypting passwords (see below on encryption).
• Establishing a firewall between the network and the Internet: A firewall is typically a computer or a router device (a device that forwards packets of data from one LAN or WAN to another) that stands between the network (typically the LAN) and the Internet, controlling and monitoring all traffic between them. By means of the firewall, computers within the LAN have full access to the Internet, but outside access to the LAN is restricted. For instance, in addition to a user name and password, outside user authentication (based on an IP address and other identifiers) may be required to access the LAN. Moreover, even authenticated outside users may be restricted to perform only certain functions on the LAN. Firewalls are also frequently used to filter incoming data traffic (e.g. filtering out data from pornographic websites — the firewall is able to identify these websites because, as you will recall, when a website is registered, information on the nature of the website has to be provided. There is no point in providing false information, for in that case search engines will not be able to pick up the website correctly, and hence Internet users interested in this kind of website will not get to know about it).
• Data and message encryption: To encrypt data (messages are also data) is to scramble them (by coding techniques based on highly sophisticated mathematics) so that outsiders will not be able to read them (e.g. the number 123, after encryption, may become something like x*=&_|4(#-). Only insiders who have the decrypting (i.e. decoding) algorithms will be able to recover them in their original state. Encryption was first developed for military and diplomatic purposes but is now essential for doing business on the Internet.
• Third-party authentication: Two communicating parties on the Internet authenticate each other’s identity through an authenticating third party. We discuss this more fully in the following section.
Activity 8.5
Log on to www.hsbc.com.hk. Click the ‘security’ button on the menu bar
at the top of the web browser. A box appears on the screen. What do you
read in the box? Now click OK to close the box. Click online@hsbc ‘new
user’. Then click ‘apply now’ on the new screen. Select any one of the
four options (ATM, Credit Card, etc.) on the new screen. When the new
screen appears, click the ‘security’ button on the menu bar at the top of
the Web browser. A box appears. What do you read there?
Reading 8.3 (optional)
Kalakota, R and Whinston, AB (1996) Frontiers of Electronic
Commerce, Reading, MA: Addison Wesley, Chapter 5. We
recommend and provide you with this reading as an optional
reading. It provides a good account of network security.
Illustration: computer security in e-commerce
In this section, we examine computer security in e-commerce, to give you
a fuller idea about computer security in general. Before you read on, it
would be useful to go through Reading 8.4.
Reading 8.4
Fukuyama, F (2001) ‘The virtual handshake: e-commerce and the
challenge of trust’, Merrill Lynch Forum White Paper,
In Activity 8.2, we drew your attention to auction fraud on the Internet.
When you shop at a street retailer and pay a deposit for merchandise for
subsequent delivery, you trust that the shop will still be there if the
delivery fails to occur, so that you can pursue the matter. Of course,
sometimes shoppers are defrauded of their deposits by retailers shutting
up shop before delivery. However, this is a relatively infrequent
occurrence. It’s different on the Internet. Anyone can create a website and
sell things or services through it. How can consumers be sure that the
website is a genuine and trustworthy business? This simple example
shows you that many difficulties face e-commerce, all related to
computer security. Let us take a look at what these difficulties are:
• Authentication: As noted, the need is to ensure the authentic identity of the parties with whom one communicates and transacts business on the Internet. Common authentication measures in cyberspace include the PIN (personal identity number) and the digital signature, the latter of which is discussed later on in this section.
• Confidentiality: Consumers must be assured that the personal data they submit via the Internet will not be illegally accessed during transmission by third parties. In Activity 8.5, we came across the most effective technique for ensuring confidentiality in this respect, encryption. However, encryption is expensive, and hence only large businesses are able to afford it. If you log on to smaller businesses on the Internet and check their website’s security information, you will find that most of them do not offer encrypted security, and hence it is unsafe to send personal data to them on the Internet. One way to get round this problem is to combine Internet transactions with non-Internet ones. For instance, a hotel resort on Phi Phi Island (Phuket, Thailand) may have a website through which you can make room bookings. Since no encrypted security is provided, clients are not asked to send credit card details to them electronically. Instead, the resort’s bank account number is given. Clients can make the deposit through this bank account and fax the receipt to the resort. On receiving the fax, the room booking is confirmed, and the outstanding amount is paid on arrival at the resort.
• Data integrity: As already noted, it is important to ensure that data and messages (including documents such as contracts) sent on the Internet are not altered by malicious third parties during transmission. This is particularly important in B2B transactions, since, for instance, an extra ‘0’ added to or deleted from the contract sum in a business contract can be financially fatal. Various techniques are available to guard against impairment of data integrity, ranging from a simple checksum operation to the more effective cryptographic technique of hashing. Since these are rather technical, there is no need to explain them in this unit.
• Availability: In the above, we came across denial of service (DoS) attacks. For businesses doing transactions on the Internet or portals (websites providing a large variety of services such as news, entertainment, etc. to anyone logging on to them, mostly for free, which make money through advertising), a DoS attack can mean significant losses in business revenue and goodwill (the good name of the business, inspiring customers’ trust). You may recall that even giant search engines-cum-portals such as Yahoo! have suffered from DoS attacks. When this happens, data and services from the website become unavailable.
• Access control: We came across this when discussing firewalls in the previous section.
• Non-repudiation: Let’s say Company A places an order of $1 million with Company B via B’s website. What if B produces the merchandise ordered but then A repudiates that it has ever placed the order? How can it be ensured that when B receives the order from A on the Internet, B can show (if A repudiates having placed the order) that the order could only have originated from A and no one else? In non-electronically conducted business transactions, the contracting parties’ physical signatures on the contract ensure non-repudiation. In electronic transactions, an effective tool to ensure non-repudiation is the digital signature.
As mentioned, a digital signature is able to ensure both authenticity of the
contracting parties (or, more generally, communicating parties) as well as
non-repudiation. How does it work? For our purpose, it is not necessary
to go into details, so only a simplified explanation is given. Since the use
of a digital signature incorporates encryption (and decryption), it also
serves to ensure data integrity and confidentiality.
Organizations as well as individuals that wish to communicate or transact
on the Internet while ensuring the above aspects of computer security
(authenticity, etc.) can use what is called the digital certificate, which
incorporates the digital signature feature. Basically, there are
organizations known as Certificate Authorities or CA (in Hong Kong the
Post Office offers Certificate Authority services). Any person or
organization (called the subscriber) can apply to the CA for a digital
certificate (DC). The CA verifies the subscriber’s identity and issues it a
DC. All DCs are published in the CA’s repository, so that parties wanting
to communicate or transact with a subscriber can check it. The CA
provides the subscriber with a pair of ‘public keys’ and ‘private keys’.
Now, let’s say subscriber X wants to send a message to subscriber Y. X
uses its private key to encrypt the message. Since each subscriber’s
private key is unique to it, any message sent using that key could only
come from the subscriber. In this way, authenticity is ensured (the
identity of the sender of the out-going message is guaranteed through the
CA), and so is non-repudiation (since the message could only have been
sent by the subscriber with the particular key, it cannot repudiate having
sent the message) and confidentiality/data integrity (as a result of the
encryption process). On receiving the message, Y can check with the
CA’s repository on the validity of the DC of X. If it is in order, Y can
obtain X’s public key from the CA, which is used to decrypt the message.
In this way, messages transmitted are signed with the digital signature
provided for by the pair of private-public keys.
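A toy run-through of two of the mechanisms described in this section, the data-integrity checks named under the data integrity point (a simple checksum versus hashing) and the private-key/public-key signature that gives authenticity and non-repudiation, written for this unit as an added example; it is not code from the course, from the Hong Kong Post Office CA or from any real PKI product. It assumes a small constructed key pair built from two Mersenne primes and a hypothetical one-entry CA repository; signing alone does not hide the message from anyone holding the public key, so confidentiality would need a separate encryption step that this example does not cover.

```python
"""Toy illustration of the data-integrity and digital-signature mechanisms
described in this unit.  Added example, not part of the course text.  The key
material is constructed from two Mersenne primes so the numbers stay readable;
it is far too small for real use, where keys of 2048 bits or more are issued
with a CA certificate.
"""
import hashlib
import math

# --- Data integrity: simple checksum versus cryptographic hash ---------------

def byte_checksum(data: bytes) -> int:
    """Sum-of-bytes checksum modulo 256: cheap, but blind to digits swapping places."""
    return sum(data) % 256

def checksum_detects(original: bytes, altered: bytes) -> bool:
    """True when the checksum changes, i.e. the alteration would be noticed."""
    return byte_checksum(original) != byte_checksum(altered)

def hash_detects(original: bytes, altered: bytes) -> bool:
    """True when the SHA-256 digest changes; any alteration is noticed."""
    return hashlib.sha256(original).digest() != hashlib.sha256(altered).digest()

# --- Digital signature: textbook RSA over a SHA-256 digest -------------------

def keypair_from_primes(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for primes p, q; e must be coprime to (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent not coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def message_digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA group (toy: no padding scheme)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """Subscriber X 'encrypts' the digest with its private key: s = H(m)^d mod n."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Y 'decrypts' with X's public key and compares: s^e mod n == H(m) mod n."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)

# --- The CA's repository: a constructed entry for subscriber X ---------------

MERSENNE_31 = 2**31 - 1          # both are known primes; constructed toy key
MERSENNE_61 = 2**61 - 1
X_PUBLIC, X_PRIVATE = keypair_from_primes(MERSENNE_31, MERSENNE_61)

CA_REPOSITORY = {
    # subscriber name -> (public key, certificate still valid?)
    "X": (X_PUBLIC, True),
}

def verify_from_subscriber(subscriber: str, message: bytes, signature: int) -> bool:
    """What Y does on receipt: check X's DC in the repository, then verify."""
    entry = CA_REPOSITORY.get(subscriber)
    if entry is None:
        return False              # no certificate on record for this name
    public_key, valid = entry
    if not valid:
        return False              # certificate revoked or expired
    return verify(message, signature, public_key)

if __name__ == "__main__":
    # Constructed B2B order, and the "extra 0" alteration the unit warns about.
    order = b"Company A orders 1,000 units at $1,000,000 total"
    s = sign(order, X_PRIVATE)
    print("genuine order verifies:", verify_from_subscriber("X", order, s))
    tampered = order.replace(b"$1,000,000", b"$10,000,000")
    print("tampered order verifies:", verify_from_subscriber("X", tampered, s))
    a, b = b"Contract sum: $1,200,000", b"Contract sum: $2,100,000"
    print("checksum notices swapped digits:", checksum_detects(a, b))
    print("hash notices swapped digits:", hash_detects(a, b))
```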
The above mechanism is known as the Public Key Infrastructure or PKI.
Although it is a very powerful mechanism to ensure computer security in
Internet communication and transaction, it, too, has problems. Because of
these problems, originally the Hong Kong Post Office’s PKI had a target
of issuing more than 100,000 digital certificates in the first year of its
launch. However, so far (as of late 2001), only several thousand have
been issued. If you are interested in the problems with PKI, read the
article ‘Ten risks of PKI: what you’re not being told about public key
infrastructure’ by C Ellison and B Schneier, in Vol. XVI (1 Nov 2000) of
the Computer Security Journal, available on
Before proceeding to the next section, there is one point worth
mentioning. In Unit 7, we called your attention to the need for
professional security managers of large organizations and communities to
be sensitive to and aware of socio-political-economic developments. In
the development of cryptographic technology (such as PKI) for non-governmental and non-military use, governments actually have
reservations, though they see the benefits of its commercial application.
The reason is simple. If powerful cryptographic technologies become
easily available, criminals can use them too. Communications between
criminals can become encrypted, thereby rendering wiretapping and the
like useless. If you are interested in this issue, you can read the article by
G A Keyworth II and D E Colton, ‘The computer revolution, encryption
and true threats to national security’, available from
http://www.pff.org/issuespubs/futureinsights/fi3.5computerrevolution.html. Reading 8.5 gives you
a simple illustration of such law enforcement concerns.
In response to the above, the US Government has legislated to the effect
that when a strong cryptographic key is used, the key must be recoverable
by the US Government under the concept of the escrowed encryption
system. What this means is that for any strong cryptographic system with
its encryption and decryption keys, the manufacturer will have to provide,
in addition, a backup key, different from the encryption and decryption
keys, which can decipher this latter pair of keys. An authorized party
keeps the backup key. If needed, the US Government can require that
party to let the government use the backup key to break into the
cryptographic system. One consequence of this is that if an organization
in a country other than the US purchases a cryptographic system from the
US, the US Government will be in a position to break into that system, if
it deems necessary to do so. Naturally, other governments are not happy
with this situation. Some countries, such as Russia, have developed
strong cryptographic systems that do not carry with them this condition.
Reading 8.5
‘FBI “big brother” case tests limit of electronic spying’, South
China Morning Post, 31 July 2001.
Activity 8.6
Visit the website of the HK Post Office
(http://www.hongkongpost.gov.hk/) and find out about its PKI services.
Post your answer on the discussion board and have a look at your
classmates’ ideas.
Legal aspects of computer security
On several occasions in the unit, we came across the fact that
computerization, and especially the rise and growth of the Internet have
led to unprecedented legal problems. A couple of simple examples will
show this. Let’s say you make a purchase from a US firm through the
Internet. The merchandise arrives damaged. What can you do? Giant
Internet shops such as Amazon will ship you a replacement without a
problem, for this is part of the service they provide in order to build up a
huge customer base. However, smaller shops will not do this. Can you
sue them? In theory, yes, but the costs will be prohibitive. Let’s say you
do intend to sue a shop in New York. Which set of laws applies? Hong
Kong’s, or New York’s? Mostly, e-shops specify that in a dispute, the
laws of the place in which they are located are the governing ones. If
these laws are very different from those of the place of residence of the
buyer and huge sums are involved, the problem can be very troublesome.
Even more complicated will be a case such as this: A criminal located in
country A electronically directs a computer in country B to issue
instructions to a network in country C to erase certain data in that
network. Do the laws of country A, B or C apply?
In many countries, the basic instrument to legally protect computer
security is some form of computer misuse law. In other words, the aim is
to make at least the main specific forms of computer crime into legal
categories. Generally, such a computer misuse law aims at imposing
prohibitions on four different levels:
• access to a computer without authorization (i.e. hacking)
• access with intent
• modification of contents
• diverting the use of a computer.
Locally, the overall approach is not to have a single comprehensive
computer misuse statute. In other words, not only is computer crime in
general not a legal category in Hong Kong, but many specific forms of
computer crime (such as hacking) which can be turned into legal
categories are not in Hong Kong. Hence, the major approach is to make
amendments to various statutes in order to incorporate prohibitions
against offences of the computer crime nature.
This is not to say that Hong Kong does not have a mini-computer misuse
statute. In 1993, the Computer Crime Ordinance was enacted, part of
which purpose is to enact new offences. However, its major purpose is, as
stated, to enable the amendment of existing legislation to deal with
various forms of computer crime. Existing ordinances amended for such
purposes include the Telecommunication Ordinance (Cap. 106), the
Crimes Ordinance (Cap. 200), and the Theft Ordinance (Cap. 210).
In the Telecommunication Ordinance, a new offence of ‘unauthorized
access to computer by telecommunication’ was created as section 27A.
This offence is aimed at electronic trespass to any computer system by
telecommunication, i.e. on the Internet. There is no need to prove the
criminal intent of the intruder. Due to this lesser requirement, the offence
only carries a maximum fine of $20,000.
A more serious offence is ‘access with criminal or dishonest intent’ under
section 161 of the Crimes Ordinance. In this offence, the intruder’s
criminal intent to (a) commit an offence, (b) dishonestly deceive, (c)
dishonestly gain for himself or another, or (d) dishonestly cause loss to
another, has to be proven. It should be noted that the gain or loss
mentioned in (c) and (d) do not have to be tangible, and can be temporary
or permanent (the ‘temporary’ provision is required because data
destroyed as a result of, for instance, a virus attack may sometimes be
recoverable). This offence can be liable up to five years of imprisonment.
In section 59(1) of the Crime Ordinance, the definition of ‘property’ in
relation to Criminal Damage has been extended to include ‘any program,
or data, held in a computer or in a computer storage medium, whether or
not the program or data is property of a tangible nature’. Furthermore, in
section 59 (1A) misuse of a computer is considered to ‘destroy or
damage’ property. The misuse of a computer means (a) to cause a
computer to function other than as it has been established to function, (b)
to alter or erase any program or data, or (c) to add any program or data to
the contents of a computer for a computer storage medium. This has
widened the concept of criminal damage in cyberspace because of the
intangible nature of computer technology. Section 60 stipulates the
maximum sentence for misuse of a computer to be ten years of
In section 11 of the Theft Ordinance, the offence of ‘Burglary’ has been
amended to include misuse of the computer as ‘doing unlawful damage to
anything in a building’. The aim of this is not of course against hacking
via the Internet. Rather, the aim is that if, for example, a person enters a
building unlawfully and deletes all data on the hard disk of a computer,
then he commits burglary just as if he removes some tangible property
from the building. In section 19 of the same Ordinance, falsifying records
kept in a computer or destroying them become punishable. In both
section 19 of the Theft Ordinance and section 85 of the Crime Ordinance,
the term ‘books’ is amended to include any disk, card, tape, microchip,
sound tracks or any other device; and ‘record’ is amended to include a
record kept by means of a computer.
Activity 8.7
What is the problem with the ‘unauthorized access to a computer by
telecommunication’ offence in section 27A of the Telecommunication
The level of hacking in Hong Kong has risen notably over the years
(from one reported case in 1993 to 238 reported cases in 1999). Even
government sites have been affected, as you have probably heard on the
news. The first computer crime prosecution in Hong Kong occurred in
March 2000. Three people were accused of stealing 127 passwords on the
Internet and selling them to third parties. In addition, they were accused
of unlawfully downloading music from the Internet to make saleable
CDs. The three pleaded guilty, with one sentenced to six months of
imprisonment and the other two to a detention centre.
In the last section, we discussed e-commerce and the various security
issues associated with it, such as data integrity, non-repudiation and
authentication. The rise of e-commerce has obviously led to a host of new
legal issues that have to be tackled, such as the legality of online
contracts and the evidentiary requirements in disputes and lawsuits. In
Hong Kong, the Electronic Transactions Ordinance 2000 (Cap. 553) has
been enacted to handle these issues. The Ordinance creates status parity
(i.e. equality) between electronic forms of contract and existing physical
contracts. Similarly, electronic records and digital signatures acquire the
same status as physical, paper-based ones. A legal framework is also
established for the operation of CAs (see above).
We began this unit by examining what computer crime is. You learned
that considerable confusion exists, even among experts on the topic. In
order to overcome this confusion, we discussed the issue with reference
to the concept of legal category, and to the nature of computer crime in
relation to computerized data. This allowed us to understand that
computer security is mainly about the protection of computerized data.
Much of computer crime is committed on and via the Internet. Hence,
you have been provided with a basic introduction to computer networks
and the Internet. With this knowledge, computer security (focusing on
network security) and e-commerce security were explained to you, in
which you learned about the major threats to network and e-commerce
security, as well as the most common and important measures to ensure
network and e-commerce security.
The rise of computerization, especially network computerization, has led
to unprecedented legal problems. An examination of the legal aspects of
computer security focusing on Hong Kong’s efforts to deal with the
various issues involved has been provided.
Bilingual Laws Information System, http://www.justice.gov.hk.
Carter, D L and Katz, A J (1996) ‘Computer crime and security: the
perceptions and experiences of corporate security directors’, Security
Journal, 7: 101–8.
Chan, H K H (2000) ‘Cyber crime — a global threat to e-commerce’,
Computer Society.
Chan, H K H (2001) ‘A comparative study of reported and unreported
crimes,’ UMI Dissertation Services, 10–35.
Ellison, C and Schneier, B (2000) ‘Ten risks of PKI: what you’re not
being told about public key infrastructure’, Computer Security Journal,
Vol. XVI, http://www.counterpane.com/pki-risks.html.
Fukuyama, F (2001) ‘The virtual handshake: e-commerce and the
challenge of trust’, Merrill Lynch White Paper Forum,
Hoffer, J A and Straub Jr, D W (1989) ‘The 9 to 5 underground: Are you
policing computer crimes?’ Sloan Management Review, Summer, 35–43.
Information Security Survey 2001 (2001) Hong Kong Productivity
Council, October, http://www.hongkongcert.org/home.html.
Kalakota, R and Whinston, A B (1995) Frontiers of Electronic Commerce,
chapter 5, Englewood Cliffs, NJ: Addison Wesley.
Keyworth, G A and Colton, D E (1996) ‘The computer revolution,
encryption and true threats to national security’,
Parker, D B (1998) Fighting Computer Crime: A New Framework for
Protecting Information, New York: John Wiley & Sons.
Session, W S (1991) ‘Computer crimes — an escalating crime trend’, FBI
Law Enforcement Bulletin, Feb., 12–15.
2001 FBI Computer Crime and Security Survey,
Wu, R (2000) ‘Electronic transactions ordinance — building a legal
framework for e-commerce in Hong Kong’,
Feedback on activities
Activity 8.1
This would be considered a computer crime falling into the class of
computer as the tool of the criminal. It seems that the crime is more
suitably considered a straightforward forgery. The reason is that the
technique used in printing is incidental to the crime, and not the
substance of the crime itself.
Activity 8.2
This is straightforward fraud, no different from if you bid for the vase
at an auction held in a hotel function room, win it, pay for it, and then
receive a counterfeit. Again, as in Activity 8.1, the substance of the
crime is the fraud. That the auctioneer holds the auction on the
Internet is incidental to the crime.
This is a computer crime. The target is computerized data (your
Internet account details) obtained by a computerized process when
you logged on to the porn site.
Activity 8.3
In general, Hong Kong is about two years behind the US in trends
and patterns. One prevalent form of computer abuse/crime in the US,
child pornography, seems to be much less of a problem in Hong Kong.
First, the amount of loss in computer crime in the US is much greater
than in Hong Kong, hence making victims more willing to report the
crime to law enforcement agencies. Second, cyber insurance is
available in the US, but not yet in Hong Kong. This is another major
reason why the reporting rate in the US is higher, since reporting to
the police is required in order to make insurance claims.
Activity 8.4
Amazon is the biggest online shop in the world. From personal
experience, its service is superior to that of most other online shops.
You can buy a lot of things on the site ranging from books (the site
began as a bookshop) to computer software; you can sell things on it,
Once you have registered to carry out e-banking on the Hongkong
Bank site, you can carry out almost all kinds of banking transaction
on it except withdrawing cash.
You can search for news reports on any topic covered in the South
China Morning Post going back almost ten years. Once you have
identified the report you want, it costs HK$10 to download it.
Activity 8.5
In the first case, the box says that the page is not encrypted. This
means any data transmitted to that page is insecure, i.e. it is easy for
hackers to intercept or eavesdrop on the data during transmission.
In the second case, the box says that the page is encrypted. This
means that data transmitted to that page is secure, i.e. it is not easy for
hackers to intercept or eavesdrop on the data during transmission.
The reason why one page is not encrypted and the other is encrypted
is simple. In the second page, you are asked to submit important
personal data. If the page is insecure (not encrypted), customers will
be reluctant to submit personal data, and hence this destroys the
purpose of e-banking.
Activity 8.7
The word ‘telecommunication’ restricts the above provision against
hacking to hacking via telecommunication means. Hacking can, however,
be perpetrated via non-communication means, such as an office worker
gaining illegal physical access to one of the office computers and hacking
into it.