CS5038 GROUP I
Author: Ye TIAN

Internet Security Should Be Implemented by both Technique and Law

Introduction

Can you imagine what the Internet world would be like if there were no protection for it? Hackers could modify or acquire any Internet resources as they liked. Even worse, without any protection hacking would be an easy-to-learn and easy-to-use technology, and anybody could be a hacker. So Internet Security is a necessary safeguard against hacking. In this article, I will introduce not only what Internet Security is but also how to implement it.

Internet Security

Obviously, Internet Security is the security of the Internet. However, when we talk about Internet Security, there are mainly three areas we care about.

First is physical security. It is about your computer. Does anybody else use your computer? Is there a password to protect it? For example, if you write down your password on a piece of paper and, even worse, stick the paper on a corner of your computer monitor, this is bad for physical security because anybody with bad intentions can access your computer physically.

The second area is data security. In fact, some hackers do not need to intrude into your computer to steal your data. Instead, they can use network-monitoring tools to capture your data packets as they are transferred at the Transport Layer in the ISO/OSI model. If your data packets are transported in plain text (the text could be emails, passwords or your credit card information), or you are not using a secure web connection such as Secure Socket Layer (SSL), data security is at a really low level.

And the third one is server and software security. This area is related to a third party. Do you trust the software delivered by the third party? Is it a real vendor as described in the prompt window? Most of us know that some software you download will send your information, such as emails or addresses, to the vendors.
Server and software security is a complicated problem since it is difficult for most common users to identify the servers or vendors.

One of the most important aspects of Internet Security is data protection. There are three main issues in data protection. The first is privacy: you must make private data inaccessible to others without your permission. Data encryption can help you protect private data from being seen by hackers. Integrity is the second issue. If hackers capture your packets, modify them and then send them on to you, the integrity of the data is destroyed. Worse, most of the time you will not notice that your data has been modified, and you may fall into a trap. Encryption or a digital signature would also be a solution to this issue, because hackers can hardly analyze the content even though they capture your data packets. The third issue is authenticity. As I described previously, it is difficult for users to verify the senders of data or the vendors of software. Fortunately, digital signature technology can help us verify the senders’ identity.

Internet Security - Technology

In response to the variety of attacks and security issues, I list some types of techniques that strengthen Internet Security.

1. Encryption.

Encryption is also known as cryptography. It is about encoding our data or data packets with a code or cipher. The famous Morse code [1] is an early and simple encryption method, created for the electric telegraph by Samuel Morse in the 1830s. Because telegraph charges were based on the length of messages, common phrases were encoded in five letters that stood for a single word. Examples: BYOXO means “Are you trying to crawl out of it?”, and AYYLU means “Not clearly coded, repeat more clearly.” Morse code is just like binary code in computer technology. Of course, with the development of the Internet, Morse code is obsolete. But the idea of data encryption is used in computer networks nowadays. Encryption can protect our data even though packets are captured by hackers. There are mainly two types of encryption: symmetric and asymmetric [2].

Symmetric cryptography is an encryption method in which both the sender and the receiver use the same key to encode or decode. For example, the Data Encryption Standard (DES), which uses 56-bit keys to encode, is a symmetric encryption method. However, symmetric cryptography has the limitation that the keys must be managed securely, since the same key is used to encode and decode. Asymmetric cryptography, which uses different keys to encode and decode, does not have this limitation. In this method, two different but related keys are used, a public key and a private key. The public key is published and the private key, which never leaves the senders, is kept secret, so the problems of exchanging keys are avoided.

[1] Wikipedia.org, 2006. Morse Code. [online] Available from: http://en.wikipedia.org/wiki/Morse_code [cited 12 December 2006].

2. Firewall.

Firewall is the most common word in Internet Security terminology, and a firewall can be either hardware or software. A firewall’s basic function is to separate the trust areas and control the traffic between them. This traffic control is bidirectional, which means it can not only block unsecured traffic from the public network but also block the private network from using unauthorized web resources. For example, many companies use firewalls to prevent their employees from viewing web pages not related to their work. Of course, firewalls can block transfer protocols as well as data. Most universities, such as Aberdeen University, make their firewalls block all P2P software transfer protocols. On the other hand, personal firewalls, such as Norton and the firewall built into Windows XP, are widely used by most private users. Such anti-virus software can help Internet users keep away from hackers’ attacks efficiently.
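
The bidirectional traffic control described in the Firewall section, as an added example that is not part of the original essay: a first-match rule table with a default-deny fallback. The 10.0.0.0/8 private network, the rule set and the names zone, Rule and decide are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed trust areas: one private LAN; every other address is "public".
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")

def zone(addr: str) -> str:
    """Map an IP address to the trust area it belongs to."""
    return "private" if ipaddress.ip_address(addr) in PRIVATE_NET else "public"

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    src_zone: str  # "private", "public" or "any"
    dst_zone: str
    proto: str     # "tcp", "udp" or "any"
    ports: range   # destination ports the rule covers

# Hypothetical policy, evaluated top to bottom; the first match wins.
RULES = [
    Rule("deny", "private", "public", "any", range(6881, 6890)),  # outbound P2P (BitTorrent default ports)
    Rule("allow", "private", "public", "tcp", range(443, 444)),   # outbound HTTPS
    Rule("allow", "private", "public", "udp", range(53, 54)),     # outbound DNS
    Rule("allow", "public", "private", "tcp", range(25, 26)),     # inbound mail to the LAN
]

def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one packet; deny when no rule matches."""
    for r in RULES:
        if (r.src_zone in ("any", zone(src))
                and r.dst_zone in ("any", zone(dst))
                and r.proto in ("any", proto)
                and dport in r.ports):
            return r.action
    return "deny"  # default deny: traffic nobody planned for is blocked

if __name__ == "__main__":
    print(decide("10.1.2.3", "93.184.216.34", "tcp", 443))   # outbound HTTPS
    print(decide("10.1.2.3", "93.184.216.34", "tcp", 6881))  # outbound P2P
    print(decide("203.0.113.9", "10.0.0.5", "tcp", 3389))    # unsolicited inbound
```

Rule order matters: the P2P deny sits above the allows so that a later, broader allow cannot override it.
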
3. Digital Certificate.

A Digital Certificate is also known as a public key certificate or identity certificate. It is a useful technique for Internet applications, and X.509 [3] is the Internet standard for digital certificates. A certificate includes a public key with a digital signature of a trusted third party or a Certificate Authority (CA). Besides the public key, a certificate should also have a name that refers to a person, a computer or an organization, a validity period due to which certificates can be revoked, and the location of a revocation center. It is important for users to check the certificate’s validity from time to time, and this can be done in two ways. One is comparing it with a Certificate Revocation List, and the other is using the Online Certificate Status Protocol to check the validity. If any related private key has been compromised or the certificate is found to be incorrect, the certificate should be revoked.

[2] Wikipedia.org, 2006. Cryptography. [online] Available from: http://en.wikipedia.org/wiki/Cryptography [cited 12 December 2006].
[3] Herardian, R., 1998. Introduction to Internet Security Standards. [online] Available from: http://www.dominopower.com/issues/issue199808/securitystand002.html [cited 12 December 2006].

4. Secure Socket Layer

Secure Socket Layer (SSL) is “a cryptographic protocol which provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, and other data transfers.” [4] SSL is the most famous encryption type that encrypts data within TCP/IP. It is just like a secure tunnel that connects web clients and servers. All traffic in the tunnel is encoded, and the authentication and the integrity of the data are checked at both the entrance and the exit of the tunnel. In the early days, because the U.S. government restricted the export of encryption techniques, SSL used 40-bit symmetric keys, which are easily broken by brute-force attack. A few years later, new implementations used keys of more than 128-bit length instead of the 40-bit keys. This absolutely strengthens the security of SSL.

[4] Wikipedia.org, 2006. Transport Layer Security. [online] Available from: http://en.wikipedia.org/wiki/Transport_Layer_Security [cited 12 December 2006].

5. Network Security Scan.

Network Security Scanning is a technology that helps network administrators learn the vulnerabilities of a system and thus reduce the Internet Security risk. There is a lot of such scanning software in the Internet Security market, and these products are mainly divided into four types [5]. The first type is remote networking security scan. This kind of software can check and analyze the holes of the system. In fact, most hackers use this software as well to find holes to attack. The second type is firewall system scan. The software provides a firewall configuration scan and an operating system scan. The third one is website security scan. The security of CGI applications that run on websites is a primary threat to Internet Security, and a website security scan can find the security holes by detecting web services, CGI applications and web configurations. The last type is system security scan. It scans the target host’s system configuration and reports the vulnerabilities of the system.

6. Intrusion Detection.

It is also called networking real-time monitoring. It uses software or hardware to inspect network traffic and compares the data flow to the intrusion features database. For example, an Intrusion Detection System (IDS) is a system that performs the detection automatically. Once the system discovers an intrusion-like object, it logs the relevant information to a database and sends an alert to the administrator. However, intrusion detection is good at discovering intrusion rather than preventing intrusion.
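
The compare, log and alert cycle described under Intrusion Detection, as an added example that is not part of the original essay: requests in a web access log are matched against a small signature table, and hits are written to a database. The signatures, the sample log lines and the names detect and record are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import unquote

# Hypothetical "intrusion features database": signature name -> pattern.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"\bunion\b.+\bselect\b", re.I),
}
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" \d{3}')

# Constructed sample access log (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2006:10:01:00 +0000] "GET /index.html HTTP/1.0" 200
198.51.100.7 - - [12/Dec/2006:10:01:05 +0000] "GET /cgi-bin/view.cgi?file=..%2F..%2Fsecret.txt HTTP/1.0" 404
198.51.100.7 - - [12/Dec/2006:10:01:09 +0000] "GET /item.cgi?id=1%20UNION%20SELECT%20name%20FROM%20users HTTP/1.0" 200
malformed line without a request
"""

def detect(log_text):
    """Return (alerts, unparsed): one alert per signature hit, plus a count
    of lines that could not be parsed (a gap the operator should know about)."""
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1
            continue
        uri = unquote(unquote(m["uri"]))  # decode twice: catches double encoding
        for name, pattern in SIGNATURES.items():
            if pattern.search(uri):
                alerts.append({"time": m["ts"], "source": m["ip"],
                               "signature": name, "uri": uri})
    return alerts, unparsed

def record(alerts, db):
    """Log alerts to the database; return the messages for the administrator."""
    db.execute("CREATE TABLE IF NOT EXISTS alerts "
               "(time TEXT, source TEXT, signature TEXT, uri TEXT)")
    db.executemany(
        "INSERT INTO alerts VALUES (:time, :source, :signature, :uri)", alerts)
    db.commit()
    return [f"ALERT {a['signature']} from {a['source']} at {a['time']}"
            for a in alerts]

if __name__ == "__main__":
    found, skipped = detect(SAMPLE_LOG)
    for message in record(found, sqlite3.connect(":memory:")):
        print(message)
    print(f"{skipped} line(s) could not be parsed")
```

The detector only reports what matches a known signature, which is the limitation the section points out: it discovers intrusion attempts but does not block them.
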
So we should combine intrusion detection with firewall technology to realize Internet Security.

[5] Jin, H., 1998. Introduction to networking security. [online] Available from: http://www.positivecn.com/Tech/technic/jslw/Safe.htm [cited 13 December 2006].

Internet Security - Legislation

Legislation is an effective means to fight against Internet crime. It can help us not only protect our private data, but also improve our access to public data. Although security technology often keeps us from being attacked, it cannot always work as well as we expect. When the loss has already been caused by hacking, technical measures can do nothing about the crime. However, we can use the law to punish the criminals and to reduce the loss through fines. Examples [6]: the creator of the virus ‘Melissa’ was sentenced to 20 months in Federal Prison and faced a 150,000 dollar fine; the Russian man who hacked into computers in the U.S. was sentenced in 2003 to a term of imprisonment of 48 months, to be followed by three years of supervised release. Maybe the fines cannot cover the loss caused by hacking, but the legislation related to Internet Security does limit the rising trend of Internet crime.

[6] Cybercrime.gov, 2006. Computer Crime Cases. [online] Available from: http://www.justice.gov/criminal/cybercrime/cccases.html [cited 13 December 2006].

There are some important Acts we should know about. The first one is the Computer Misuse Act 1990. It was designed to prevent hackers and is defined as “An Act to make provision for securing computer material against unauthorized access or modification; and for connected purposes.” [7] In this Act, computer misuse offences and jurisdiction were defined. The second one is the Data Protection Act 1998, which is “An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.” [8] This Act defined sensitive data and introduced the data protection principles. Data protection mainly protects private data, such as credit card information, held by a third party. The last Act introduced is the Freedom of Information Act 2000, defined as “An Act to make provision for the disclosure of information held by public authorities or by persons providing services for them and to amend the Data Protection Act 1998 and the Public Records Act 1958; and for connected purposes.” [9] This Act is different from the previous two as it gives users the right to access public resources.

[7] Office of Public Sector Information, 2006. Computer Misuse Act 1990 (c.18). [online] Available from: http://www.opsi.gov.uk:80/acts/acts1990/Ukpga_19900018_en_1.htm [cited 13 December 2006].
[8] Office of Public Sector Information, 2006. Data Protection Act 1998. [online] Available from: http://www.opsi.gov.uk:80/ACTS/acts1998/19980029.htm [cited 13 December 2006].
[9] Office of Public Sector Information, 2006. Freedom of Information Act 2000. [online] Available from: http://www.opsi.gov.uk:80/actsacts2000/20000036.htm [cited 13 December 2006].

Conclusion

Internet Security should be implemented by both technical and legislative methods, since neither of them will completely prevent Internet crime on its own. It is obvious that hacking technology develops along with security technology. Nobody dares to say his system is so robust that hackers can never intrude into it. So legislation seems more and more important besides the technology.
Unfortunately, legislation is often ineffective because different countries have different laws about Internet crime, while hacking is not limited by international boundaries. Should we make a tradeoff between these two methods so that they can be strong enough to fight against hacking? The answer is absolutely yes.

Reference

Jin, H., 1998. Introduction to networking security. [online] Available from: http://www.positivecn.com/Tech/technic/jslw/Safe.htm [cited 13 December 2006].

Cybercrime.gov, 2006. Computer Crime Cases. [online] Available from: http://www.justice.gov/criminal/cybercrime/cccases.html [cited 13 December 2006].

U.S. Department of Justice, 2002. Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison. [online] Available from: http://www.justice.gov/criminal/cybercrime/melissaSent.htm [cited 13 December 2006].

U.S. Department of Justice, 2003. Russian Man Sentenced for Hacking into Computers in the United States. [online] Available from: http://www.justice.gov/criminal/cybercrime/ivanovSent.htm [cited 13 December 2006].

Stringer, G., 2006. Conceptual Issues in Cyberspace. [online] Available from: http://www.services.ex.ac.uk/cmit/modules/cyberspace/slides/index.html [cited 12 December 2006].