LESM A204 Security Practice and Management
Unit 8 Cybersecurity

HKMU Course Team
Course Development Coordinator: Dr Raymond W K Lau, HKMU
Developers: Dr Hilton Chan, Consultant; Dr Raymond W K Lau, HKMU
Instructional Designer: Louise Aylward, HKMU
Members: Dr Garland Liu, HKMU; Dr Czeslaw Tubilewicz, HKMU
External Course Assessor: Dr Dennis S W Wong, City University of Hong Kong
Production: Office for Advancement of Learning and Teaching (ALTO)

Copyright © Hong Kong Metropolitan University, 2001, 2011. Reprinted 2021. All rights reserved. No part of this material may be reproduced in any form by any means without permission in writing from the President, Hong Kong Metropolitan University. Sale of this material is prohibited.

Hong Kong Metropolitan University, Ho Man Tin, Kowloon, Hong Kong

This course material is printed on environmentally friendly paper.

Contents
Introduction 1
Computer crime and security 3
  What is computer crime? 3
  Characteristics of computer crime 7
  Computer crime and security surveys 9
Introducing computer networks and the Internet 10
  Telecommunication systems 10
  Computer networks 11
  The Internet 11
Understanding network security 14
Illustration: computer security in e-commerce 16
Legal aspects of computer security 20
Summary 23
References 24
Feedback on activities 25

Introduction

More and more aspects of our daily life are associated with computers. The bus, train, tram, MTR or private car by which you travel to work all have computer parts. The microwave oven that you use to reheat food runs on a computer chip. For years now, I have not written anything by hand but rather have written directly on the computer. Except for withdrawing cash, many people now carry out their banking transactions on the Internet. Computers have revolutionized our daily life. But so have they revolutionized crime. As a result, a whole new area of security is born: computer security.
As you will learn, computer security is a highly technical matter that is the special field of professional IT (information technology) experts. As a professional security manager, the technical aspects of computer security are beyond your scope. However, as we have emphasized several times in this course, the job of a modern-day professional security manager requires much more than putting guards at entrances and exits. It requires someone who has a broad basic knowledge of and sensitivity to issues such as criminology, law and socio-political-economic developments. That is why in this course we have included units on or introduced you to these issues. It is easy to learn about things like installing fire hydrants. You do not need a ten-credit course for that. But as we have shown (e.g. in Unit 7), a professional security sense requires much more than things like that to be developed.

Moreover, although the technical IT issues of computer security are not the security manager’s area, a basic knowledge of and sensitivity to what computer security is about is required. In large organizations, the security manager is likely to have occasions in which he or she will need to work with IT professionals in planning the organization’s overall security requirements. For instance, the processes and procedures of physical security of large organizations are likely to be computerized. What if these computerized data are being electronically stolen or altered? Clearly, if the security manager were totally ignorant of what computer security is about, he or she would be working at a serious disadvantage.

This unit first examines what computer crime is. You learn that there is considerable confusion even among experts on the topic. To overcome such confusion, the issue is examined first with reference to the concept of legal category, and then with reference to the nature of computer crime in relation to computerized data.
This allows us to understand that computer security is mainly about protecting computerized data. After that, we introduce you to the characteristics of computer crime, as well as provide you with a brief survey of the state of computer crime.

Much of computer crime is committed on and via the Internet. Hence, an understanding of this type of crime and of computer security requires a basic knowledge of the infrastructural basis of the computer network and the Internet. This is done in the second section (‘Introducing computer networks and the Internet’). The following section provides a basic examination of the various aspects of computer security (focusing on network security). You learn about the major threats to network security, as well as the most common and important measures to ensure network security. The next section (‘Illustration: computer security in e-commerce’) pursues the matter further by focusing on e-commerce security. You learn about what the specific security concerns are, as well as the measures available to address these concerns. The final section looks at the legal aspects of computer security. This picks up from the discussion in the first section in which you learned why and how computerization, especially network computerization, has led to unprecedented legal problems. An examination of Hong Kong’s efforts to deal with the various issues involved is provided.

In short, the unit:
• examines what computer crime is and describes its characteristics;
• provides a basic understanding of computer networks and the Internet;
• discusses the major concerns of computer security;
• discusses measures to ensure various aspects of computer security; and
• discusses various legal aspects of computer security with a focus on Hong Kong.

Computer crime and security

The first challenge in understanding computer crime and security is defining what computer crime is.

What is computer crime?
This looks like a simple question, but I can tell you that it is not. To see why, look at the following example of computer crime given by Donn B Parker (1998, 59):

    For example, extortion and kidnapping involve ransom notes … If the ransom information is written by hand and sent through the postal service, the crime is an ordinary one. If the information is written and communicated electronically, it is a cybercrime.

Such a way of defining cyber (or computer) crime seems strange. Let us say the kidnappers make the ransom demand neither by mail nor email (a form of electronic communication), but convey the demand through a simple phone call. Do we call the kidnapping a ‘telephone’ crime? We would, if Parker’s logic in the above quotation is followed. In fact, if a ransom demand conveyed by email constitutes computer crime, we should not call a ransom demand conveyed by post an ordinary crime, but a ‘postal’ crime.

Let us consider another example of computer crime mentioned by Parker:

    A computer-controlled robot stabbed a repairman to death after his associate failed to put the robot into a safe mode for maintenance purposes.

Again, it seems rather odd to call this a computer crime. Let us say a repairman is electrocuted when repairing an electrical device, because his colleague forgot to switch on the safe mode for the device. Do we call it an ‘electrical’ crime? Obviously not.

In the above examples mentioned by Parker, it seems that the simple involvement of a computer itself constitutes the criterion on which to define computer crime. But, as we all know, more and more aspects of our daily life involve objects (from the microwave oven office workers use to reheat their lunches to the bus they take to go to work) that use computers or computerized parts. This implies that if the mere involvement of computers constitutes the definitional criterion, more and more crimes would become computer crimes.
Then, the term computer crime becomes so broad as to make it meaningless.

Parker is not alone in facing the difficulty of how to define what computer crime is. Thus, the FBI distinguishes between two types of computer crime:
• the computer as the tool of the criminal
• the computer as the target of the criminal.

Such a contrast between ‘tool’ and ‘target’ is a commonly used criterion. As you will see shortly, this contrast is useful. However, there are problems with it, too. For instance, a thief steals a PC (personal computer). The computer is the target of the thief, but it seems odd to call it a computer crime instead of simple theft. Take another example. Money launderers use e-banking (carrying out banking transactions such as money transfers from one account to another via the Internet; ‘e’ means ‘electronic’) for money laundering. When this happens, the money launderers use a computerized process (e-banking) as a tool in committing their crime, but there seems to be no good reason why it should be regarded as a computer crime. Instead, it is simple money laundering; the use of e-banking is purely incidental to the crime.

Activity 8.1
Some criminals use sophisticated computers to print forged banknotes. According to the FBI’s classification, what kind of crime is this? Do you agree with such a categorization? If so, why? If not, why not?

If you look at different texts on computer crime, you will find different definitions. In the above, we only cited the examples of Parker and the FBI for illustration. Why is there such confusion about what constitutes computer crime? This question is difficult to answer. Perhaps experts and law enforcement agencies are overwhelmed by the new phenomenon of computer crime, so instead of trying to think through carefully what it is conceptually, they simply hasten to lump everything criminal in which computers are involved under the general label of computer crime.
In any case, what we want to do here is to make you think about the matter more systematically. First, you will recall from Unit 4 that white-collar crime is not a legal category but a sociological-criminological concept. So, the first question we need to ask is whether or not computer crime is a legal category. It is clear that although computer crime in general is not a legal category (i.e. a specific offence), certain specific forms of computer crime can constitute legal categories punishable as such by legislation. For instance, in some countries ‘hacking’ (unauthorized access to computers) is a specific offence. However, this is not the only way to deal with such criminal activities. Let’s say a computer whiz kid writes a virus program that will delete data on the hard disk of the computer struck by the virus and spreads it, thereby wiping out such data of his or her victims. Instead of trying to create a new specific offence for this, many places simply make it a form of criminal damage. In this case, the legal category is criminal damage, not the computer crime of spreading a virus.

In sum, it is important to note:
1 The concept of computer crime in general is not a legal category.
2 Some specific forms of computer crime can be, and are, made into legal categories (i.e. specific offences) in some places.
3 But (2) is not the only way to deal with such criminal activities.

The advantage of the above analysis is that it immediately shows why it is ridiculous to call the above kidnapping case a computer crime. Even if a country or place decides to make as many specific forms of computer crime as possible into legal categories, it is unimaginable to have a specific offence of ‘kidnapping with the ransom demand sent electronically’. It would indeed be crazy if any such attempt were made. The same applies to the other similar examples discussed in this section. A later section examines the legal aspects of computer crime more fully. Let us proceed.
Given point (1) above (that computer crime in general is not a legal category), the next question is precisely how we should define computer crime in general. In the following discussion, our purpose is not so much to provide an infallible definition as to provide guidance on how to think about this issue conceptually, which will further enable us to appreciate what computer security is about. Other experts may not entirely agree with our conceptualization, but we think it is superior to the various existing definitions.

Take the example of the whiz kid again. It is clear that the data on the victims’ hard disks are the target of the crime (see the FBI’s first class of computer crime). Now consider another case. In shopping with an Internet retailer, you submit details of your credit card electronically. Unfortunately, the retailer’s Web page is insecure (Web page security is discussed later) and the details you submitted were intercepted by a hacker. The hacker subsequently used them to make purchases (retail shopping on the Internet requires details of your name, credit card number and expiry date only; no signature is needed). Here, the hacker uses the Internet as a tool (see the FBI’s second class of computer crime) to obtain data concerning your credit card.

In both of the above cases, you will note that data are the target. In the first case, it is computerized data (on the hard disk) that is targeted. In the second case, the victim’s personal credit card data are submitted through a computerized process (e-shopping). In so doing, the credit card data become computerized (digitized), and as a result they become a target that is obtainable by another person through the computerized process of hacking. In short, in both cases, it is computerized data that are targeted. As you know, computers are really only sophisticated machines to handle data.
Hence, from this point of view, a valuable way of understanding computer crime is the following:

    Computer crime is unlawful activities whose target is computerized data. Since these data are computerized, they can only be targeted by means of computerized processes.

In contrast to using the mere involvement of computers as a defining criterion, this conceptualization is useful for two reasons. At one and the same time it allows us to avoid the embarrassing pitfalls of, for instance, calling a simple kidnapping case a computer crime; and it enables us to appreciate what computer security is about. Let me explain.

You may ask: Just as the kidnapping case remains the same kidnapping case whether the ransom demand is conveyed by phone, post or email, what is the difference between a criminal physically stealing the victim’s credit card and obtaining its details, and the above example of obtaining the data on the Internet? Indeed, from the legal point of view, both are theft. But in the above, it was explained that even if a certain specific form of computer crime (such as spreading a virus) can be made into a legal category (a specific offence), many countries choose not to do so, and prefer to handle these criminal activities by existing legal categories (such as criminal damage). Hence, although according to the law, both of the above cases are theft, this does not mean that we should not consider the latter case (stealing credit card details on the Internet) a computer crime. In fact, there is a distinct advantage in regarding it as a computer crime (based on the fact that the target is computerized data illegally obtained by computerized processes), because in doing so it enables us to understand what computer security is about. Computer security is about the protection of computerized data.
Thus, in the latter case, the security concern is whether or not the retailer’s Web page is secure to protect the transmission of computerized data. In the former case, the security concern is different: it is to avoid being physically pick-pocketed. Computerized theft and physical theft are different and hence call for different security measures. This differentiation does not apply to the kidnapping case. Whether the ransom demand is conveyed by phone, post or email, the security concern remains the same: the physical prevention of getting kidnapped. There is no question of providing security against receiving ransom demand phone calls, ransom demand mail, or ransom demand email. This is why it is ridiculous to call kidnapping a computer crime if the ransom demand is made through email instead of phone or post. But it makes a lot of conceptual and security sense to regard the theft of credit card data that become computerized (by being submitted on the Internet) and illegally obtained through computerized processes as a computer crime.

To summarize, in this section we explain that a lot of confusion exists, even among experts, about the term computer crime and how it should be defined. Many define it on the criterion of the mere involvement of computers, which sometimes results in ridiculous labelling. We then explain how computer crime is more usefully conceptualized. This is done first by examining the issues of whether or not computer crimes in general and specific forms of computer crime are legal categories. We then explain that the nature of computer crime is that it is targeted at computerized data that can be illegally obtained only by computerized processes. The usefulness of this conceptualization is shown by how it enables us to understand what computer security is about.

Before moving on to the next section, you should note that various terms are used in addition to computer crime, the most common of which is cyber crime.
In my view, these two terms (computer and cyber crime) are synonymous. However, there are other terms which really only reflect the above-mentioned state of confusion. These include: computer-related crime (as mentioned, fewer and fewer aspects of our daily life are not computer-related), high-tech crime (how do you define high-tech?), and information crime (can information not be conveyed non-electronically?).

Activity 8.2
The following two types of fraud are among the most common on the Internet in the US. For each, explain whether or not you consider it to be a computer crime.
1 Auction fraud: Many auctioneers host a website at which auctions are held electronically. Let’s say you have topped the last bidder for a Ming Dynasty vase. You send the cheque, but the vase never arrives, or it turns out to be a fake.
2 Porn sites: You can get railroaded into one of these sites, and before you know it your phone bill is in the four-digit range, because the site operator has got details of your Web connection and uses it.

Characteristics of computer crime

Because computer crime concerns digitized data and the bulk of such data are or can be transmitted globally via the Internet, computer crime behaves very differently from traditional crimes. Let’s examine some of its unique features:
• Boundary-free crime: In cyber crime via the Internet, the criminal can launch a remote attack, in which he is physically in one country while the attack takes place in another country.
• Extra-territorial jurisdiction: In view of the distributed design of computer networks, it is difficult to define the jurisdiction of the criminal act. For example, in an Internet gambling scenario, the gambling server (the term ‘server’ will be explained later) is in country A, the payment server is in country B, the Web hosting server is in country C, while the program is running on the client computer in country D. Where is the gambling taking place?
• Anonymity: Cyber criminals can easily hide their real identities with bogus names and addresses.
• Small cost, huge benefit and damage: The risk and cost of mugging a man in the street for $1,000 are much smaller than the risk and cost of robbing $1 million from the bank. But in computer crime, in technical complexity and risk, there is virtually no difference between altering financial data of $1 or $1 million. This means that for a relatively low cost, large sums of money can be targeted in computer crime.
• Invaluable information: There is no universal formula for calculating information loss. For example, a copy of a company’s customer database is leaked to its competitor. Is the loss the physical cost of the CD-ROM? The investment costs in building the company’s customer database since the beginning? Or the loss in future revenues, public confidence and goodwill?
• The victim may not be aware until it is too late: When you physically lose a credit card, you know about the loss very soon and hence have time to remedy the situation (for example, by calling the credit card company to stop honouring the card). But victims of computer crime are often unaware of their victimization until it is too late — for example, when the credit card statement arrives showing huge purchases that the owner has never made.
• Technical complexity — digital evidence: Forensic investigation of traditional crime relies on the laws of physics and chemistry, such as DNA, ballistic examination, fingerprints, etc. Computer crime investigation involves computer forensics, Internet data analysis, system log analysis, email header analysis, etc. to discover, collect, analyse and recover digital evidence from the cyber trail of a virtual crime scene.
• Laissez-faire cyber culture: The rapid growth of the Internet is largely attributable to the freeware, ‘copyleft’ (the opposite of copyright), shareware and laissez-faire cyber culture.
Regulation of the Internet will likely be regarded unfavourably by most Internet users. It is this culture that makes enforcement against computer crime on the Internet much more difficult.

Having understood the characteristics of computer crime, we can see that the protection of information over the Internet has created unprecedented legal problems. Enforcement action requires international cooperation, increased public awareness, government-private sector collaboration, computer forensics, and internal corporate information security policy.

Reading 8.1
1 Chan, H K H (2000) ‘Cyber crime — a global threat to e-commerce’, Computer Society.
2 Carter, D L and Katz, A J (1996) ‘Computer crime and security: the perceptions and experiences of corporate security directors’, Security Journal, 7: 101–8.

Computer crime and security surveys

Over the years, numerous surveys have been conducted to understand the computer security and crime problem. In 1989, Hoffer and Straub (1989) revealed that 32% of computer abuse was discovered by accident, 45% by normal system controls, and 12.5% by computer security officers and auditors.

The Information Security Survey 2000 conducted by the Hong Kong Productivity Council (HKCERT/CC) revealed that 19% of the interviewed companies had experienced computer attacks within the last 12 months. Over 90% of these were computer viruses, 3% sabotage, 1% unauthorized access, 1% denial of service (explained later), and 1% system penetration. Vandalism was the dominant type (77%) of website attack, followed by denial of service (15%) and theft of transaction information (8%). Total financial loss amounted to about HK$1.4 million. An interesting finding was that only 18% of the interviewees reported the attacks to the police. In the US, most organizations are concerned with negative publicity and hence are also reluctant to report to the police.
The 2001 FBI Computer Crime and Security Survey revealed that 85% of the respondents had detected computer security breaches within the last 12 months. The total financial loss was about US$378 million, compared to US$266 million in 2000. The most serious financial loss was due to theft of proprietary information. Thirty-six percent of the respondents had reported the incident to police, 94% detected a computer virus, 91% detected abuse of Internet access privileges by employees, 40% detected external system penetration, and 38% detected denial of service attacks.

Reading 8.2
1 Chan, H K H (2001) ‘A comparative study of reported and unreported computer crimes’, UMI Dissertation Services, 10–35.
2 ‘Information Security Survey 2001’ (2001) Hong Kong Productivity Council, October, https://www.ipa.go.jp/security/fy13/report/security_survey/survey2001en.pdf
3 Session, W S (1991) ‘Computer crimes — an escalating crime trend’, FBI Law Enforcement Bulletin, February, 12–15.

Activity 8.3
1 Compare computer abuses and crimes in the US and Hong Kong.
2 The reporting of computer crime to police in the US is higher than in Hong Kong. Explain why.

Introducing computer networks and the Internet

The bulk of computer crime is committed on the Internet. Hence, the biggest concern of computer security is security on the Internet. In order to understand what is involved in security on the Internet, it is necessary to have a basic understanding of the Internet.

Telecommunication systems

Computer networks use telecommunications systems to connect the various computers belonging to the same network. Such networks consist of a number of components. Regardless of how far apart the computers belonging to the network are from one another, the components remain the same.
They are:
1 the central or host computer which processes information
2 terminals or any input-output devices for accessing information
3 communication channels: the medium carrying information from one computer to another
4 communication processor: the equipment serving as the intermediary between computers and the communication channel
5 computer programs that govern the data traffic.

Let me explain what these components are. The first two are computers and can be located anywhere within the network. An example of component 1 is a central computer that provides airline flight schedule data. A user can access the data by means of a desktop computer at home, or a laptop while travelling in a taxi, or even his or her Internet-capable cellular phone while having coffee at Delifrance. The desktop, laptop and cellular phone all constitute the terminal, i.e. component 2. In some networks, some terminals actually host data that can be accessed by other terminals. When this happens, it serves as both component 1 in relation to these data, as well as a terminal (component 2) for accessing data stored in the host computer.

Component 3 can be in various forms. Thus, hooking up (connecting) computers within the same office is often done by means of dedicated (i.e. specially for the purpose) wires, whereas linking your home computer to the office network is mostly done using existing telephone lines. Other forms of communication channel include fibre optic cables and wireless media (microwave transmission, satellites, cellular phone transmission, etc.).

The function of component 4 is to transform the digital data from the computer (host computer and terminals) into a format that the communication channel (component 3) can transmit, and vice versa.
For instance, telephone lines transmit analog signals; hence a communication processor such as a modem is needed to transform digital into analog signals and vice versa, in order for data to be transmitted through the network, and readable in digital form on the computers of the network.

Components 1 to 4 are the hardware. Component 5 is the software that controls input and output activities and manages other functions of the network.

Computer networks

Computer networks are organized hierarchically. At the lowest level, a group of computers is linked together to form a local area network or LAN. In an office, for example, the LAN is the network that links together by means of dedicated wires all of the office’s computers. In an Internet Service Provider (ISP, a firm providing access to the Internet for its end-users), the end-users’ computers (i.e. terminals) are connected to the ISP’s LAN by telephone lines. A group of LANs within the same metropolitan area may be linked together in a regional network. These regional networks are often known as wide area networks (WAN). Thus, communication between two computers belonging to different LANs is done through the WAN that incorporates both LANs. Different WANs are, in turn, connected into higher level networks which are known as backbone networks. By means of such a hierarchical structure, computers in different parts of the world can communicate with one another, with the Internet being the worldwide network.

To route data between two computers, their locations must be known to one another. Such locations are known as IP addresses or simply addresses (IP means Internet Protocol). IP addresses are pretty much like telephone numbers, and consist of four groups of numbers (e.g. 202.40.157.163). As you can see, unlike telephone numbers, IP addresses are difficult to memorize. Hence, they are given aliases. For example, the alias of the above IP address is www.hkmu.edu.hk.
It is, however, necessary to translate the human-readable alias into its IP address. This is done by conversion tables that are stored in the Domain Name Server (DNS). DNS service is usually provided by a dedicated computer on the LAN. You can now understand why email addresses are structured in the form of user@domain. The domain name (e.g. hkmu.edu.hk) behind the sign @ identifies, after translation by the DNS, the IP address of the LAN. The user name in front of the sign @ identifies the specific user within the LAN.

The Internet

As noted, the Internet is the worldwide network. Its origins can be traced to the 1960s, when the US Department of Defense set up a network called ARPANET to facilitate information exchange among university professors and other research scientists. Later, the US National Science Foundation (NSF) formed a new network called the NSFNET, which eventually replaced ARPANET as the backbone network (see above) for the research and academic community. It was, however, only in the early 1990s that commercial networks (i.e. ISPs) were connected to the NSFNET. This allowed end-users of these commercial networks to access the NSFNET. More importantly, by means of the NSFNET backbone network, end-users of different ISPs could now communicate with one another. As a result, a gigantic network was created which eventually developed into what we now call the Internet.

Today, backbone networks are offered by a host of companies. These networks are connected through interchange points known as Commercial Internet Exchanges (CIX), which have formed into an association. Not surprisingly, large telephone companies and cable operators operate many of these companies. For instance, members of the CIX include:
• telecom firms such as AT&T in the US, Cable & Wireless and British Telecom in Britain
• cable TV operators such as Time-Warner, Media One, etc.
• independent backbone carriers such as PSINet, UUNet, etc.
The Internet has many applications, the most common of which include email, news forums, interactive communication (such as ICQ), remote computer access (instructions can be submitted to a remote computer to perform any task on that computer), and information retrieval. Information retrieval is the function that largely accounts for the explosive growth of the Internet. Information can be hierarchically organized into pages, known as Web pages, which contain text, photo images and audiovisual media, and stored in dedicated computers (known as servers). By connecting to these servers, users can systematically retrieve information.

A Web page is identified by its Web address or uniform resource locator (URL). Thus, the URL of HKMU’s homepage is http://www.hkmu.edu.hk. As you can see, the URL contains the domain name, which is the alias of the Web page’s IP address.

Anyone can, if he or she wishes, set up his or her own website. The same applies to any organization. To do so, the site’s URL has to be established. As you probably know, the domain name easily identifies the type of organization. Thus, sites of commercial firms are identified by <.com> (<.co> in Britain) in the URL, educational institutions by <.edu> (<.ac> in Britain), non-profit organizations by <.org>, governmental organs by <.gov>, etc. When you set up a website, you have to register your domain name with any one of a number of non-profit organizations that keep centralized records of domain names. When registering, you also provide information on the nature of your website. The reason for this is simple. By doing so, it can be ensured that your domain name is not already used by someone else. Further, you probably know what a search engine (such as Yahoo!) is. When you use a search engine to search for sites on a certain topic (e.g. diving in Bali), the search engine goes through the records of domain names and uses the information on the type of website you supplied to identify the relevant websites.

Because communication on the Internet goes in both directions, it is possible to conduct business via the Internet. Thus, many businesses have set up websites not only to promote themselves, but also to conduct business transactions. E-business, as such business is called, is of two main types:

• B2C or B to C: business selling to consumers, or more generally transactions between business firms and consumers
• B2B or B to B: business-to-business transactions

In the following activity, you take a look at several B2C examples. Later, we discuss computer network security in relation to e-commerce specifically.

Activity 8.4

Check out the kinds of B2C transaction you can conduct on the following websites:

• Amazon: http://www.amazon.com
• Hongkong Bank (click online@hsbc): https://www.hsbc.com.hk/
• South China Morning Post (click archive): http://www.scmp.com

One final point before we move on to the next section. On the Internet, there is no privacy. This lack of privacy can be understood in a number of senses. For instance, the network administrator has a complete record of all of your Internet activities (e.g. the email you send and receive, the websites that you have visited, etc.). Of course, we assume that network administrators observe the ethics of not prying into your activities. The following section explores this issue more fully. Meanwhile, you should note that the lack of privacy (or, conversely, the openness of the Internet, and hence of any computer logged on to it) means that technical sophistication is required to provide security.
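The record of network activity that an administrator keeps is also what a defender examines to notice that a host server is being overloaded, the service overloading (denial of service) threat discussed in the next section. As an added illustration, not part of the course text, the following Python script parses constructed web-server log lines (common Apache log format, with client addresses taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and flags any client whose request rate inside a sliding time window exceeds a threshold. The window length and threshold are illustrative assumptions.

```python
"""Spotting service overloading (denial of service) in a server's own logs.

Added educational example, not part of the course text. The log lines are
constructed below in the common Apache log format, using the documentation
address ranges 203.0.113.0/24 and 198.51.100.0/24; the window and threshold
values are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One common-log-format line: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a valid log line, or None for junk."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def peak_requests(times, window):
    """Largest number of requests that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def flood_sources(lines, window_seconds=10, threshold=50):
    """Map each client whose peak request rate exceeds the threshold to that peak."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, ts = parsed
            by_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    peaks = {ip: peak_requests(stamps, window) for ip, stamps in by_ip.items()}
    return {ip: peak for ip, peak in peaks.items() if peak > threshold}


def constructed_log():
    """Constructed sample: one client sends 60 requests within five seconds,
    two ordinary clients browse normally, and one line is malformed."""
    base = datetime(2001, 10, 10, 13, 55, 36, tzinfo=timezone(timedelta(hours=8)))

    def entry(ip, offset_seconds, path):
        stamp = (base + timedelta(seconds=offset_seconds)).strftime(TS_FORMAT)
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.0" 200 512'

    lines = [entry("203.0.113.7", i // 12, "/index.html") for i in range(60)]
    lines += [entry("198.51.100.20", off, "/news.html") for off in (0, 30, 90)]
    lines.append(entry("198.51.100.21", 5, "/about.html"))
    lines.append("garbage that is not a log entry")   # skipped by the parser
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(constructed_log()).items():
        print(f"possible flood from {ip}: {peak} requests within 10 seconds")
```

Run as a script, it reports the one constructed client that exceeds the threshold. On a live server the same logic would be fed the real log, and the threshold tuned to the site's normal traffic so that an ordinary busy client is not mistaken for a flood.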
The lack of privacy also means that forensic investigation into computer crimes is possible by means of collecting (or discovering) and analysing the cyber trail left behind by cyber criminals (though sophisticated cyber criminals are capable of disguising such trails).

Understanding network security

This section gives you a basic introduction to the topic of network security. The next section explores the issue of computer security in greater detail by examining security in e-commerce.

In a recent survey (2001) conducted by the Information Technology Association of America or ITAA (in conjunction with an accountancy firm) among IT executives, it was found that the major concerns of network security are:

1 privacy and confidentiality: we pointed this out at the end of the previous section
2 data integrity: uncertainty about whether or not data has been interfered with by malicious parties (data integrity is the completeness and soundness of the data)
3 authentication: uncertainty about the true identity and credentials of the parties with whom one communicates
4 infrastructure security: uncertainty about whether or not the network infrastructure is robust enough to withstand malicious attacks.

As you can see, security concerns range widely, but basically, we can classify network security threats into two groups:

1 Client-server: Any computer logged on to the Internet (including an ISP’s host-server and its end-users’ terminals) is subject to remote manipulation by a malicious third party.
2 Data and transaction: An unauthorized party may access confidential data without the owner’s knowledge; parties assuming a false identity may carry out transactions.

Let us discuss these two groups of threat in greater detail. Under the category of ‘client-server’ threats, the most common types are:

• malicious code threats, e.g. computer viruses that instruct the victim’s computer to perform self-destructive tasks, as well as spread to other computers linked to the initial batch of victim computers
• unauthorized modification of data contained in the victim’s computer by remote hackers, i.e. destroying data integrity
• service overloading, e.g. denial of service (DoS) attacks (targeted at host servers, in which hackers create enormous numbers of data requests to the host server, thereby overloading it, with the result that genuine end-users making genuine service requests to the host server are denied its service)
• message overloading, e.g. hackers send a large number of very large files to an email server, causing it to crash.

Under the category of ‘data and transaction’ threats, the most common types are:

• Data security: unauthorized access to confidential data, achieved either through eavesdropping on the network or gaining access to the computer hosting the data.
• Message integrity: unauthorized alteration of an important message or document such as a business contract.
• Authentication: false identity assumed by parties with whom one communicates or does business on the Internet.

Let us now take a general look at some of the typical security measures that can be taken:

• Restriction of access: Only legitimate users are allowed to access the network, for instance, by using passwords. However, hackers are able to eavesdrop on the network and obtain the password during its transmission, hence necessitating the further measure of encrypting passwords (see below on encryption).
• Establishing a firewall between the network and the Internet: A firewall is typically a computer or a router device (a device that forwards packets of data from one LAN or WAN to another) that stands between the network (typically the LAN) and the Internet, controlling and monitoring all traffic between them. By means of the firewall, computers within the LAN have full access to the Internet, but outside access to the LAN is restricted. For instance, in addition to a user name and password, outside user authentication (based on an IP address and other identifiers) may be required to access the LAN. Moreover, even authenticated outside users may be restricted to performing only certain functions on the LAN. Firewalls are also frequently used to filter incoming data traffic (e.g. filtering out data from pornographic websites; the firewall is able to identify these websites because, as you will recall, when a website is registered, information on the nature of the website has to be provided. There is no point in providing false information, for in that case search engines will not be able to pick up the website correctly, and hence Internet users interested in this kind of website will not get to know about it).
• Data and message encryption: To encrypt data (messages are also data) is to scramble them (by coding techniques based on highly sophisticated mathematics) so that outsiders will not be able to read them (e.g. the number 123, after encryption, may become something like x*=&_|4(#-). Only insiders who have the decrypting (i.e. decoding) algorithms will be able to recover them in their original state. Encryption was first developed for military and diplomatic purposes but is now essential for doing business on the Internet.
• Third-party authentication: Two communicating parties on the Internet authenticate each other’s identity through an authenticating third party. We discuss this more fully in the following section.

Activity 8.5

Log on to www.hsbc.com.hk. Click the ‘security’ button on the menu bar at the top of the web browser. A box appears on the screen. What do you read in the box? Now click OK to close the box. Click online@hsbc ‘new user’. Then click ‘apply now’ on the new screen. Select any one of the four options (ATM, Credit Card, etc.) on the new screen. When the new screen appears, click the ‘security’ button on the menu bar at the top of the Web browser. A box appears. What do you read there?

Reading 8.3 (optional)

Kalakota, R and Whinston, A B (1996) Frontiers of Electronic Commerce, Reading, MA: Addison Wesley, Chapter 5.

We recommend and provide you with this reading as an optional reading. It provides a good account of network security.

Illustration: computer security in e-commerce

In this section, we examine computer security in e-commerce, to give you a fuller idea about computer security in general. Before you read on, it would be useful to go through Reading 8.4.

Reading 8.4

Fukuyama, F (2001) ‘The virtual handshake: e-commerce and the challenge of trust’, Merrill Lynch Forum White Paper, http://pratclif.com/fukuyama/fukuyama3.htm.

In Activity 8.2, we drew your attention to auction fraud on the Internet. When you shop at a street retailer and pay a deposit for merchandise for subsequent delivery, you trust that the shop will still be there if the delivery fails to occur, so that you can pursue the matter. Of course, sometimes shoppers are defrauded of their deposits by retailers shutting up shop before delivery. However, this is a relatively infrequent occurrence. It’s different on the Internet. Anyone can create a website and sell things or services through it. How can consumers be sure that the website is a genuine and trustworthy business? This simple example shows you that many difficulties face e-commerce, all related to computer security. Let us take a look at what these difficulties are:

1 Authentication: As noted, the need is to ensure the authentic identity of the parties with whom one communicates and transacts business on the Internet. Common authentication measures in cyberspace include the PIN (personal identity number) and the digital signature, the latter of which is discussed later on in this section.
2 Confidentiality: Consumers must be assured that the personal data they submit via the Internet will not be illegally accessed during transmission by third parties. In Activity 8.5, we came across the most effective technique for ensuring confidentiality in this respect: encryption. However, encryption is expensive, and hence only large businesses are able to afford it. If you log on to smaller businesses on the Internet and check their websites’ security information, you will find that most of them do not offer encrypted security, and hence it is unsafe to send personal data to them on the Internet. One way to get round this problem is to combine Internet transactions with non-Internet ones. For instance, a hotel resort on Phi Phi Island (Phuket, Thailand) may have a website through which you can make room bookings. Since no encrypted security is provided, clients are not asked to send credit card details to the resort electronically. Instead, the resort’s bank account number is given. Clients can make the deposit through this bank account and fax the receipt to the resort. On receiving the fax, the resort confirms the room booking, and the outstanding amount is paid on arrival at the resort.
3 Data integrity: As already noted, it is important to ensure that data and messages (including documents such as contracts) sent on the Internet are not altered by malicious third parties during transmission. This is particularly important in B2B transactions, since, for instance, an extra ‘0’ added to or deleted from the contract sum in a business contract can be financially fatal. Various techniques are available to guard against impairment of data integrity, ranging from a simple checksum operation to the more effective cryptographic technique of hashing. Since these are rather technical, there is no need to explain them in this unit.
4 Availability: In the above, we came across denial of service (DoS) attacks. For businesses doing transactions on the Internet, or portals (websites providing a large variety of services such as news, entertainment, etc. to anyone logging on to them, mostly for free, which make money through advertising), a DoS attack can mean significant losses in business revenue and goodwill (the good name of the business, inspiring customers’ trust). You may recall that even giant search engines-cum-portals such as Yahoo! have suffered from DoS attacks. When this happens, data and services from the website become unavailable.
5 Access control: We came across this when discussing firewalls in the previous section.
6 Non-repudiation: Let’s say Company A places an order of $1 million with Company B via B’s website. What if B produces the merchandise ordered but then A repudiates ever having placed the order? How can it be ensured that when B receives the order from A on the Internet, B can show (if A repudiates having placed the order) that the order could only have originated from A and no one else? In non-electronically conducted business transactions, the contracting parties’ physical signatures on the contract ensure non-repudiation. In electronic transactions, an effective tool to ensure non-repudiation is the digital signature.

As mentioned, a digital signature is able to ensure both the authenticity of the contracting parties (or, more generally, communicating parties) and non-repudiation. How does it work? For our purpose, it is not necessary to go into details, so only a simplified explanation is given. Since the use of a digital signature incorporates encryption (and decryption), it also serves to ensure data integrity and confidentiality.

Organizations as well as individuals that wish to communicate or transact on the Internet while ensuring the above aspects of computer security (authenticity, etc.) can use what is called the digital certificate, which incorporates the digital signature feature. Basically, there are organizations known as Certificate Authorities or CAs (in Hong Kong the Post Office offers Certificate Authority services). Any person or organization (called the subscriber) can apply to the CA for a digital certificate (DC). The CA verifies the subscriber’s identity and issues it a DC. All DCs are published in the CA’s repository, so that parties wanting to communicate or transact with a subscriber can check it. The CA provides the subscriber with a pair of keys, a ‘public key’ and a ‘private key’.

Now, let’s say subscriber X wants to send a message to subscriber Y. X uses its private key to encrypt the message. Since each subscriber’s private key is unique to it, any message sent using that key could only come from that subscriber. In this way, authenticity is ensured (the identity of the sender of the outgoing message is guaranteed through the CA), and so is non-repudiation (since the message could only have been sent by the subscriber with that particular key, it cannot repudiate having sent the message) and confidentiality/data integrity (as a result of the encryption process). On receiving the message, Y can check with the CA’s repository on the validity of X’s DC. If it is in order, Y can obtain X’s public key from the CA, which is used to decrypt the message. In this way, messages transmitted are signed with the digital signature provided for by the pair of private and public keys.

The above mechanism is known as the Public Key Infrastructure or PKI. Although it is a very powerful mechanism to ensure computer security in Internet communication and transactions, it, too, has problems. The Hong Kong Post Office’s PKI originally had a target of issuing more than 100,000 digital certificates in the first year of its launch; because of these problems, however, only several thousand have been issued so far (as of late 2001).
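Item 3 above names checksums and cryptographic hashing as integrity techniques without explaining them. The following Python example, added here and not part of the course text, shows the difference on constructed ‘contract’ messages: a simple byte-sum checksum catches an added ‘0’ but not two transposed digits, whereas a SHA-256 hash catches both. It goes one step beyond the text by also showing a keyed hash (HMAC), because a plain hash sent along with a message can be recomputed by whoever altered the message; the shared key in the example is a constructed value.

```python
"""Data integrity: a simple checksum versus a cryptographic hash (and a keyed hash).

Added educational example, not part of the course text. The contract
messages and the shared key are constructed values.
"""
import hashlib
import hmac


def simple_checksum(data):
    """A simple checksum of the kind the text mentions: sum of bytes modulo 256."""
    return sum(data) % 256


def sha256_hex(data):
    """Cryptographic hash: any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key, data):
    """Keyed hash (HMAC-SHA256): cannot be recomputed without the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key, data, tag):
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(hmac_hex(key, data), tag)


def integrity_report(original, received):
    """Which technique notices that `received` differs from `original`?"""
    return {
        "checksum_detects": simple_checksum(original) != simple_checksum(received),
        "hash_detects": sha256_hex(original) != sha256_hex(received),
    }


def scenarios():
    original = b"Contract sum: HKD 1000000"
    extra_zero = b"Contract sum: HKD 10000000"   # one '0' added in transit
    transposed = b"Contract sum: HKD 0100000"    # two digits swapped: same bytes, same sum
    key = b"constructed-shared-key"              # agreed between sender and recipient

    results = {
        "extra_zero": integrity_report(original, extra_zero),
        "transposed": integrity_report(original, transposed),
    }

    # Weakness of an unkeyed hash sent alongside the message: whoever alters the
    # message can recompute the hash, and the recipient's check still passes.
    attacker_message, attacker_hash = extra_zero, sha256_hex(extra_zero)
    results["unkeyed_hash_accepts_altered"] = sha256_hex(attacker_message) == attacker_hash

    # With HMAC the recipient recomputes the tag using the shared key: a tag made
    # without that key does not verify, while the genuine tag does.
    forged_tag = hmac_hex(b"attacker-guess", extra_zero)
    results["hmac_rejects_forgery"] = not verify_hmac(key, extra_zero, forged_tag)
    results["hmac_accepts_genuine"] = verify_hmac(key, original, hmac_hex(key, original))
    return results


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

The transposition case is the instructive one: the byte sum is unchanged, so a checksum would let a corrupted contract sum through, while the hash changes completely. The HMAC step is what turns integrity checking into message authentication, which is also the property the PKI signature below provides with a public/private key pair instead of a shared key.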
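The signing and checking mechanism described above (X signs with its private key; Y looks up X’s certificate in the CA’s repository and verifies with X’s public key) can be shown in code. The following Python program is an added educational example, not part of the course text and not the Hong Kong Post Office’s or any real CA’s software; it builds toy RSA key pairs from small primes chosen with a fixed random seed, so it illustrates the mechanism only and offers no real security. One point the code makes explicit: a signature establishes who sent a message and that it was not altered, while keeping the contents confidential requires a separate encryption step with the recipient’s public key.

```python
"""Toy public key infrastructure (PKI): a CA issues certificates, a subscriber
signs with its private key, the recipient verifies with the public key taken
from the CA's repository.

Added educational example; not part of the course text and not any real CA's
software. The RSA parameters come from a small prime sieve and are far too
small for real use; real systems also pad the digest (PKCS#1 / PSS) before
signing and never use a bare hash-mod-n construction.
"""
import hashlib
import random
from math import gcd


def primes_up_to(limit):
    """Sieve of Eratosthenes, used only to pick toy RSA primes."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def generate_keypair(rng):
    """Return ((n, e), (n, d)): a toy RSA public key and private key."""
    candidates = [p for p in primes_up_to(60000) if p > 30000]
    p, q = rng.sample(candidates, 2)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:        # public exponent must be invertible mod phi
        e += 2
    d = pow(e, -1, phi)            # private exponent (Python 3.8+ modular inverse)
    return (n, e), (n, d)


def digest_mod_n(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Digital signature: the message digest raised to the private exponent."""
    n, d = private_key
    return pow(digest_mod_n(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone holding the public key can check that the signature fits the message."""
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(message, n)


def certificate_bytes(subject, public_key):
    """What the CA vouches for: which subject holds which public key."""
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()


class CertificateAuthority:
    """Verifies subscribers' identities, issues certificates and publishes them."""

    def __init__(self, rng):
        self.public_key, self._private_key = generate_keypair(rng)
        self.repository = {}   # subject -> (subscriber public key, CA signature)

    def issue(self, subject, subscriber_public_key):
        # A real CA checks the subscriber's identity before this step.
        cert_sig = sign(self._private_key, certificate_bytes(subject, subscriber_public_key))
        self.repository[subject] = (subscriber_public_key, cert_sig)

    def lookup(self, subject):
        """The recipient's check with the CA's repository: returns the subject's
        public key only if a certificate exists and the CA's signature on it holds."""
        entry = self.repository.get(subject)
        if entry is None:
            return None
        public_key, cert_sig = entry
        if not verify(self.public_key, certificate_bytes(subject, public_key), cert_sig):
            return None
        return public_key


def demo():
    rng = random.Random(8)          # fixed seed: repeatable toy keys
    ca = CertificateAuthority(rng)
    x_public, x_private = generate_keypair(rng)
    ca.issue("subscriber X", x_public)

    order = b"Order: 1,000,000 units from Company X to Company B"   # constructed message
    signature = sign(x_private, order)

    key_from_ca = ca.lookup("subscriber X")          # Y fetches X's key from the CA
    results = {"genuine": verify(key_from_ca, order, signature)}
    results["tampered"] = verify(key_from_ca, order + b"0", signature)   # altered in transit
    impostor_public, impostor_private = generate_keypair(rng)
    results["impostor"] = verify(key_from_ca, order, sign(impostor_private, order))
    results["unknown_subject"] = ca.lookup("nobody") is None
    return results


if __name__ == "__main__":
    print(demo())
```

The repository lookup is the step the text describes as Y ‘checking with the CA’s repository’: Y trusts the CA’s public key, and through the CA’s signature on the certificate it learns which public key really belongs to X. Only then is X’s signature on the order checked, which is what gives B the evidence it needs if A later repudiates the order.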
If you are interested in the problems with PKI, read the article ‘Ten risks of PKI: what you’re not being told about public key infrastructure’ by C Ellison and B Schneier, in Vol. XVI (1 Nov 2000) of the Computer Security Journal, available at https://www.schneier.com/wp-content/uploads/2016/02/paper-pki.pdf.

Before proceeding to the next section, there is one point worth mentioning. In Unit 7, we called your attention to the need for professional security managers of large organizations and communities to be sensitive to and aware of socio-political-economic developments. Regarding the development of cryptographic technology (such as PKI) for non-governmental and non-military use, governments actually have reservations, though they see the benefits of its commercial application. The reason is simple. If powerful cryptographic technologies become easily available, criminals can use them too. Communications between criminals can become encrypted, thereby rendering wiretapping and the like useless. If you are interested in this issue, you can read the article by G A Keyworth II and D E Colton, ‘The computer revolution, encryption and true threats to national security’, available from http://www.pff.org/issuespubs/futureinsights/fi3.5computerrevolution.html. Reading 8.5 gives you a simple illustration of such law enforcement concerns.

In response to the above, the US Government has legislated to the effect that when a strong cryptographic key is used, the key must be recoverable by the US Government under the concept of the escrowed encryption system. What this means is that for any strong cryptographic system with its encryption and decryption keys, the manufacturer will have to provide, in addition, a backup key, different from the encryption and decryption keys, which can decipher this latter pair of keys. An authorized party keeps the backup key. If needed, the US Government can require that party to let the government use the backup key to break into the cryptographic system. One consequence of this is that if an organization in a country other than the US purchases a cryptographic system from the US, the US Government will be in a position to break into that system, if it deems it necessary to do so. Naturally, other governments are not happy with this situation. Some countries, such as Russia, have developed strong cryptographic systems that do not carry this condition with them.

Reading 8.5

‘FBI “big brother” case tests limit of electronic spying’, South China Morning Post, 31 July 2001.

Activity 8.6

Visit the website of the HK Post Office (http://www.hongkongpost.gov.hk/) and find out about its PKI services. Post your answer on the discussion board and have a look at your classmates’ ideas.

Legal aspects of computer security

On several occasions in the unit, we came across the fact that computerization, and especially the rise and growth of the Internet, have led to unprecedented legal problems. A couple of simple examples will show this. Let’s say you make a purchase from a US firm through the Internet. The merchandise arrives damaged. What can you do? Giant Internet shops such as Amazon will ship you a replacement without a problem, for this is part of the service they provide in order to build up a huge customer base. However, smaller shops will not do this. Can you sue them? In theory, yes, but the costs will be prohibitive. Let’s say you do intend to sue a shop in New York. Which set of laws applies? Hong Kong’s, or New York’s? Mostly, e-shops specify that in a dispute, the laws of the place in which they are located are the governing ones. If these laws are very different from those of the place of residence of the buyer and huge sums are involved, the problem can be very troublesome.
Even more complicated will be a case such as this: a criminal located in country A electronically directs a computer in country B to issue instructions to a network in country C to erase certain data in that network. Do the laws of country A, B or C apply?

In many countries, the basic instrument to legally protect computer security is some form of computer misuse law. In other words, the aim is to make at least the main specific forms of computer crime into legal categories. Generally, such a computer misuse law aims at imposing prohibitions on four different levels:

• access to a computer without authorization (i.e. hacking)
• access with intent
• modification of contents
• diverting the use of a computer.

Locally, the overall approach is not to have a single comprehensive computer misuse statute. In other words, not only is computer crime in general not a legal category in Hong Kong, but many specific forms of computer crime (such as hacking) which can be turned into legal categories are not legal categories in Hong Kong either. Hence, the major approach is to make amendments to various statutes in order to incorporate prohibitions against offences of a computer crime nature. This is not to say that Hong Kong does not have a mini computer misuse statute. In 1993, the Computer Crime Ordinance was enacted, part of whose purpose is to enact new offences. However, its major purpose is, as stated, to enable the amendment of existing legislation to deal with various forms of computer crime. Existing ordinances amended for such purposes include the Telecommunication Ordinance (Cap. 106), the Crimes Ordinance (Cap. 200), and the Theft Ordinance (Cap. 210).

In the Telecommunication Ordinance, a new offence of ‘unauthorized access to computer by telecommunication’ was created as section 27A. This offence is aimed at electronic trespass to any computer system by telecommunication, i.e. on the Internet. There is no need to prove the criminal intent of the intruder.
Due to this lesser requirement, the offence only carries a maximum fine of $20,000. A more serious offence is ‘access with criminal or dishonest intent’ under section 161 of the Crimes Ordinance. In this offence, the intruder’s criminal intent to (a) commit an offence, (b) dishonestly deceive, (c) dishonestly gain for himself or another, or (d) dishonestly cause loss to another, has to be proven. It should be noted that the gain or loss mentioned in (c) and (d) do not have to be tangible, and can be temporary or permanent (the ‘temporary’ provision is required because data destroyed as a result of, for instance, a virus attack may sometimes be recoverable). This offence is liable to up to five years of imprisonment.

In section 59(1) of the Crimes Ordinance, the definition of ‘property’ in relation to criminal damage has been extended to include ‘any program, or data, held in a computer or in a computer storage medium, whether or not the program or data is property of a tangible nature’. Furthermore, in section 59(1A) misuse of a computer is considered to ‘destroy or damage’ property. The misuse of a computer means (a) to cause a computer to function other than as it has been established to function, (b) to alter or erase any program or data, or (c) to add any program or data to the contents of a computer or a computer storage medium. This has widened the concept of criminal damage in cyberspace because of the intangible nature of computer technology. Section 60 stipulates the maximum sentence for misuse of a computer to be ten years of imprisonment.

In section 11 of the Theft Ordinance, the offence of ‘burglary’ has been amended to include misuse of a computer as ‘doing unlawful damage to anything in a building’. The aim of this is of course not to act against hacking via the Internet. Rather, the aim is that if, for example, a person enters a building unlawfully and deletes all data on the hard disk of a computer, then he commits burglary just as if he removes some tangible property from the building. In section 19 of the same Ordinance, falsifying records kept in a computer or destroying them become punishable. In both section 19 of the Theft Ordinance and section 85 of the Crimes Ordinance, the term ‘books’ is amended to include any disk, card, tape, microchip, sound track or any other device; and ‘record’ is amended to include a record kept by means of a computer.

Activity 8.7

What is the problem with the ‘unauthorized access to a computer by telecommunication’ offence in section 27A of the Telecommunication Ordinance?

The level of hacking in Hong Kong has risen notably over the years (from one reported case in 1993 to 238 reported cases in 1999). Even government sites have been affected, as you have probably heard on the news. The first computer crime prosecution in Hong Kong occurred in March 2000. Three people were accused of stealing 127 passwords on the Internet and selling them to third parties. In addition, they were accused of unlawfully downloading music from the Internet to make saleable CDs. The three pleaded guilty, with one sentenced to six months of imprisonment and the other two to a detention centre.

In the last section, we discussed e-commerce and the various security issues associated with it, such as data integrity, non-repudiation and authentication. The rise of e-commerce has obviously led to a host of new legal issues that have to be tackled, such as the legality of online contracts and the evidentiary requirements in disputes and lawsuits. In Hong Kong, the Electronic Transactions Ordinance 2000 (Cap. 553) has been enacted to handle these issues. The Ordinance creates status parity (i.e. equality) between electronic forms of contract and existing physical contracts.
Similarly, electronic records and digital signatures acquire the same status as physical, paper-based ones. A legal framework is also established for the operation of CAs (see above).

Summary

We began this unit by examining what computer crime is. You learned that considerable confusion exists, even among experts on the topic. In order to overcome this confusion, we discussed the issue with reference to the concept of legal category, and to the nature of computer crime in relation to computerized data. This allowed us to understand that computer security is mainly about the protection of computerized data.

Much of computer crime is committed on and via the Internet. Hence, you have been provided with a basic introduction to computer networks and the Internet. With this knowledge, computer security (focusing on network security) and e-commerce security were explained to you, in which you learned about the major threats to network and e-commerce security, as well as the most common and important measures to ensure network and e-commerce security.

The rise of computerization, especially network computerization, has led to unprecedented legal problems. An examination of the legal aspects of computer security focusing on Hong Kong’s efforts to deal with the various issues involved has been provided.

References

Bilingual Laws Information System, http://www.justice.gov.hk.

Carter, D L and Katz, A J (1996) ‘Computer crime and security: the perceptions and experiences of corporate security directors’, Security Journal, 7: 101–8.

Chan, H K H (2000) ‘Cyber crime — a global threat to e-commerce’, Computer Society.

Chan, H K H (2001) ‘A comparative study of reported and unreported crimes’, UMI Dissertation Services, 10–35.

Ellison, C and Schneier, B (2000) ‘Ten risks of PKI: what you’re not being told about public key infrastructure’, Computer Security Journal, Vol. XVI, http://www.counterpane.com/pki-risks.html.
Fukuyama, F (2001) ‘The virtual handshake: e-commerce and the challenge of trust’, Merrill Lynch White Paper Forum, http://www.ml.com/woml/forum/ecommerce1.htm.

Hoffer, J A and Straub Jr, D W (1989) ‘The 9 to 5 underground: are you policing computer crimes?’, Sloan Management Review, Summer, 35–43.

Information Security Survey 2001 (2001) Hong Kong Productivity Council, October, http://www.hongkongcert.org/home.html.

Kalakota, R and Whinston, A B (1995) Frontiers of Electronic Commerce, Chapter 5, Englewood Cliffs, NJ: Addison Wesley.

Keyworth, G A and Colton, D E (1996) ‘The computer revolution, encryption and true threats to national security’, http://www.eff.org/Privacy/ITAR_export/HTML/encry.html.

Parker, D B (1998) Fighting Computer Crime: A New Framework for Protecting Information, New York: John Wiley & Sons.

Session, W S (1991) ‘Computer crimes — an escalating crime trend’, FBI Law Enforcement Bulletin, Feb., 12–15.

2001 FBI Computer Crime and Security Survey, http://habitantes.elsitio.com/digisign/2001fbisurvey.html.

Wu, R (2000) ‘Electronic transactions ordinance — building a legal framework for e-commerce in Hong Kong’, http://elj.warwick.ac.uk/jilt/00-1/wu.html.

Feedback on activities

Activity 8.1

This would be considered a computer crime falling into the class of computer as the tool of the criminal. It seems that the crime is more suitably considered a straightforward forgery. The reason is that the technique used in printing is incidental to the crime, and not the substance of the crime itself.

Activity 8.2

1 This is straightforward fraud, no different from if you bid for the vase at an auction held in a hotel function room, win it, pay for it, and then receive a counterfeit. Again, as in Activity 8.1, the substance of the crime is the fraud. That the auctioneer holds the auction on the Internet is incidental to the crime.
2 This is a computer crime. The target is computerized data (your Internet account details) obtained by a computerized process when you logged on to the porn site.

Activity 8.3

1 In general, Hong Kong is about two years behind the US in trends and patterns. One prevalent form of computer abuse/crime in the US, child pornography, seems to be much less of a problem in Hong Kong.
2 First, the amount of loss in computer crime in the US is much greater than in Hong Kong, hence making victims more willing to report the crime to law enforcement agencies. Second, cyber insurance is available in the US, but not yet in Hong Kong. This is another major reason why the reporting rate in the US is higher, since reporting to the police is required in order to make insurance claims.

Activity 8.4

1 Amazon is the biggest online shop in the world. From personal experience, its service is superior to that of most other online shops. You can buy a lot of things on the site, ranging from books (the site began as a bookshop) to computer software; you can sell things on it, too.
2 Once you have registered to carry out e-banking on the Hongkong Bank site, you can carry out almost all kinds of banking transaction on it except withdrawing cash.
3 You can search for news reports on any topic covered in the South China Morning Post going back almost ten years. Once you have identified the report you want, it costs HK$10 to download it.

Activity 8.5

1 In the first case, the box says that the page is not encrypted. This means any data transmitted to that page is insecure, i.e. it is easy for hackers to intercept or eavesdrop on the data during transmission.
2 In the second case, the box says that the page is encrypted. This means that data transmitted to that page is secure, i.e. it is not easy for hackers to intercept or eavesdrop on the data during transmission.
3 The reason why one page is not encrypted and the other is encrypted is simple. On the second page, you are asked to submit important personal data. If the page is insecure (not encrypted), customers will be reluctant to submit personal data, and hence this destroys the purpose of e-banking.

Activity 8.7

The word ‘telecommunication’ restricts the above provision against hacking to hacking via telecommunication means. Hacking can, however, be perpetrated via non-telecommunication means, such as an office worker gaining illegal physical access to one of the office computers and hacking into it.