CHAPTER 9
PRIVACY, CRIME, AND SECURITY
The term anonymity refers to the ability to convey a message without disclosing the user’s name or identity.
Computers and the Internet enable marketing firms, snoops, and government officials to harness all the power of
technology in order to collect information in ways that are hidden from the user’s view. The same technology is
also making it increasingly difficult for citizens to engage in anonymous speech.
Privacy in Cyberspace
Privacy refers to an individual’s ability to restrict the collection, use, and sale of
confidential personal information; The Internet is eroding privacy through the selling of information collected
through registration forms on Web sites; Few laws regulate selling personal information; Technology is not only
making it easier to invade someone’s privacy, but it is also providing a means to protect against privacy invasion.
The types of computer crime and cybercrime.
Computer crime and cybercrime include identity theft; computer viruses; and other rogue programs such as time
bombs, worms, zombies, and Trojan horses; fraud and theft, password theft; salami shaving and data diddling;
forgery; and blackmail.
Identity Theft
Identity theft is one of the fastest growing crimes in the United States and Canada;
Identity theft occurs when enough information about an individual is obtained to open a credit card account in his
or her name and items are charged to that account; Examples of information needed are name, address, Social
Security number, and other personal information; Laws limit liability to $50 for each fraudulent charge; An
individual’s credit report is affected by identity theft.
How Virus Infections Spread
Virus Infections spread by: Inserting a disk with an infected program and
then starting the program; Downloading an infected program from the Internet; Being on a network with an
infected computer; Opening an infected e-mail attachment.
Fraud and Theft
Selling Social Security numbers; Memory shaving—taking RAM chips from
computers; Salami Shaving—Programmer alters a program to take a small amount of money out of an account;
Data Diddling—Data is altered to hide theft.
The various types of computer criminals.
Computer criminals include crackers, cybergangs, virus authors, swindlers, shills, cyberstalkers, and sexual
predators.
Understand computer system security risks.
A computer security risk is any event, action, or situation—intentional or not—that could lead to the loss or
destruction of computer systems or the data they contain. Threats include wireless networks, corporate espionage,
information warfare, security loophole detection programs, and attacks on safety-critical systems, such as airtraffic control.
How to protect your computer system and yourself?
No computer system is totally secure, but you can do several things to cut down on security risks. Use an
uninterruptible power supply (UPS) to combat power-related problems. Use good passwords, know-and-have
authentication, biometric authentication, and firewalls to control access to computer systems. Avoid scams, and
prevent cyberstalking by doing business with well-known companies and by guarding your identity online.
Copyright © 2006 Prentice-Hall. All rights reserved.
1
Chapter 9: Privacy, Crime, and Security
Controlling Access
To control access to a computer: Use authentication passwords; Use callback
systems; Use know-and-have authentication: Tokens—Electronic devices that generate a logon code;
Smartcards—Credit card-sized devices with internal memory; Biometric authentication—Voice recognition,
retinal scans, thumbprints, and facial recognition.
Encryption and how it makes online information secure.
Encryption refers to a coding or scrambling process by which a message is rendered unreadable by anyone except
the intended recipient. Until recently, encryption was used only by the intelligence service, military, and banks.
But powerful encryption software is now available to the public. A person who uses the latest encryption
technology to scramble e-mail messages can be reasonably certain that the message will remain secret. Strong,
unbreakable encryption is needed for electronic commerce—otherwise, money could not be safely exchanged on
the Internet. Because it allows two parties who have not previously met to exchange secret messages, public key
encryption is an essential foundation of electronic commerce.
Public Key Encryption
Public key encryption uses two different keys: Public key is the
encryption key, Private key is the decryption key; They are used in e-commerce transactions; A secure channel for
information is provided when the keys are used.
Digital Signatures and Certificates
Digital signatures are a technique used to guarantee that a
message has not been tampered with; Digital certificates are a technique used to validate one’s identity; Secure
Electronic Transactions (SET) are online shopping security standards used to protect merchants and customers
from credit card fraud.
The U.S. government's proposed key recovery plan and why it threatens the growth of Internet commerce.
In 1998, FBI director Louis Freeh called for a new back-door-based encryption system. Called key recovery, this
back door would be built into encryption software, rather than implemented by means of a microprocessor chip.
This would enable encryption product vendors to fix vulnerabilities such as the one discovered in the Clipper
Chip. By eliminating the cumbersome key escrow bureaucracy, the key recovery system would function much
faster and, for this reason, would be more attractive to investigators.
A key recovery system could impede the further development of e-commerce, which some see as a major factor to
continued U.S. economic growth. Corporations and banks will not wholeheartedly embrace electronic commerce
without strong, secure encryption, but cryptography experts are wary of key recovery systems. Until
cryptographers are reasonably certain that an encryption algorithm is safe to use, businesses will not use it to
transfer anything other than trivial amounts of money, thus slowing the growth of e-commerce.
key terms
anonymity—On the Internet, the ability to post a message or visit Web sites without divulging one’s identity.
Anonymity is much more difficult to obtain than most Internet users realize.
back door—A secret decoding mechanism that enables investigators to decrypt messages without first having to
obtain a private key.
banner ad—On the World Wide Web, a paid advertisement—often rectangular in shape, like a banner—that
contains a hyperlink to the advertiser’s page.
biometric authentication—A method of authentication that requires a biological scan of some sort, such as a
retinal scan or voice recognition.
2
Chapter 9: Privacy, Crime, and Security
boot sector virus—A computer virus that copies itself to the beginning of a hard drive, where it is automatically
executed when the computer is turned on.
ciphertext—The result of applying an encryption key to a message.
Clipper Chip—A microprocessor that could encrypt voice or data communications in such a way that
investigators could still intercept and decode the messages.
computer crime—Action that violates state or federal laws.
computer security risk—Any event, action, or situation—intentional or not—that could lead to the loss or
destruction of computer systems or the data they contain.
computer virus—A program, designed as a prank or as sabotage, that replicates itself by attaching to other
programs and carrying out unwanted and sometimes dangerous operations.
cookie—A text file that is deposited on a Web user’s computer system, without the user’s knowledge or consent,
that may contain identifying information. This information is used for a variety of purposes, such as retaining the
user’s preferences or compiling information about the user’s Web browsing behavior.
corporate espionage—The unauthorized access of corporate information, usually to the benefit of one of the
corporation’s competitors.
cracker (black hat)—A computer user obsessed with gaining entry into highly secure computer systems.
cybercrime—Crime carried out by means of the Internet.
cybergang—A group of computer users obsessed with gaining entry into highly secure computer systems.
cyberlaw—A new legal field designed to track developments in cybercrime.
cyberstalking—A form of harassment in which an individual is repeatedly subjected to unwanted electronic
mail or advances in chat rooms.
denial of service (DoS) attack (syn flooding)—A form of network vandalism that attempts to make a service
unavailable to other users, generally by flooding the service with meaningless data.
digital certificate—A form of digital ID used to obtain access to a computer system or prove one’s identity
while shopping on the Web. Certificates are issued by independent, third-party organizations called certificate
authorities (CA).
digital signature—A technique used to guarantee that a message has not been tampered with.
employee monitoring—When large employers routinely engage in observing employees' phone calls, e-mails,
Web browsing habits, and computer files.
encryption—The process of converting a message into ciphertext (an encrypted message) by using a key, so that
the message appears to be nothing but gibberish. The intended recipient, however, can apply the key to decrypt
and read the message. See also public key cryptography and rot-13.
encryption key—A formula that is used to make a plaintext message unreadable.
3
Chapter 9: Privacy, Crime, and Security
ethical hacker (white hat)—Hackers and crackers who have turned pro, offering their services to companies
hoping to use hacker expertise to shore up their computer systems' defenses.
file infector—A computer virus that attaches to a program file and, when that program is executed, spreads to
other program files.
firewall—A program that permits an organization’s internal computer users to access the Internet but places
severe limits on the ability of outsiders to access internal data.
global unique identifier (GUID)—A uniquely identifying serial number assigned to Pentium III processor
chips that can be used by Web servers to detect which computer is accessing a Web site.
hacker—Traditionally, a computer user who enjoys pushing his or her computer capabilities to the limit,
especially by using clever or novel approaches to solving problems. In the press, the term hacker has become
synonymous with criminals who attempt unauthorized access to computer systems for criminal purposes, such as
sabotage or theft. The computing community considers this usage inaccurate.
hacker ethic—A set of moral principles common to the first-generation hacker community (roughly 1965–
1982), described by Steven Levy in Hackers (1984). According to the hacker ethic, all technical information
should, in principle, be freely available to all. Therefore, gaining entry to a system to explore data and increase
knowledge is never unethical. Destroying, altering, or moving data in such a way that could cause injury or
expense to others, however, is always unethical. In increasingly more states, any unauthorized computer access is
against the law. See also cracker.
identity theft—A form of fraud in which a thief obtains someone’s Social Security number and other personal
information, and then uses this information to obtain credit cards fraudulently.
information warfare—A military strategy that targets an opponent’s information systems.
key escrow plan—The storage of users’ encryption keys by an independent agency, which would divulge the
keys to law enforcement investigators only on the production of a valid warrant. Key escrow is proposed by law
enforcement officials concerned that encryption would prevent surveillance of criminal activities.
key interception—The act of stealing an encryption key.
key recovery—A method of unlocking the key used to encrypt messages so that the message could be read by
law enforcement officials conducting a lawful investigation. Key recovery is proposed by law enforcement
officials concerned that encryption would prevent surveillance of criminal activities.
know-and-have authentication—A type of computer security that requires using tokens, which are handheld
electronic devices that generate a logon code.
macro—In application software, a user-defined command sequence that can be saved and executed to perform a
complex action.
macro virus—A computer virus that uses the automatic command execution capabilities of productivity
software to spread itself and often to cause harm to computer data.
memory shaving—A type of computer crime in which knowledgeable thieves remove some of a computer's
RAM chips but leave enough to start the computers.
4
Chapter 9: Privacy, Crime, and Security
.NET passport—A free service Microsoft introduced as part of its .NET strategy in which users create a .NET
Passport profile that stores an e-mail address and a password and allows the option to choose whether profile
information will automatically be shared with participating Web sites to provide personalized services.
personal firewall—A program or device that is designed to protect home computer users from unauthorized
access.
plaintext—A readable message before it is encrypted.
privacy—The right to live your life without undue intrusions into your personal affairs by government agencies
or corporate marketers.
private key—A decryption key.
public key—In public key cryptography, the encoding key, which you make public so that others can send you
encrypted messages. The message can be encoded with the public key, but it cannot be decoded without the
private key, which you alone possess.
public key encryption—A computer security process in which an encryption (or private) key and a decryption
(or public) key are used to safeguard data.
public key infrastructure (PKI)—A uniform set of encryption standards that specify how public key
encryption, digital signatures, and CA-granted digital certificates should be implemented in computer systems and
on the Internet.
Secure Electronic Transaction (SET)—An online shopping security standard for merchants and customers that
uses digital certificates.
symmetric key encryption—Encryption technique that uses the same key for encryption and decryption.
time bomb (logic bomb)—A destructive program that sits harmlessly until a certain event or set of
circumstances makes the program active.
trap door—In computer security, a security hole created on purpose that can be exploited at a later time.
Trojan horse—An application disguised as a useful program but containing instructions to perform a malicious
task.
uninterruptible power supply (UPS)—A device that provides power to a computer system for a short period
of time if electrical power is lost.
worm—A program resembling a computer virus that can spread over networks.
Zombie—A computer commandeered by a hacker to do what the hacker's program tells it to do.
5
Chapter 9: Privacy, Crime, and Security
Multiple Choice
1. Which of the following is a rogue program disguised as a useful program that contains hidden instructions to
perform a malicious task?
a. Trojan horse
b. worm
c. trap door
d. macro
2. What is the result of applying an encryption key to a message?
a. Cybertext
b.decryption
c. ciphertext
d. plaintext
3. Of what type are most viruses?
a. file infectors
b. boot sector viruses
d. time bombs
c. worms
4. These are computer hobbyists who enjoy pushing computer systems to their limits.
a. crackers
b. Trojan horses
c. hackers
d. cybergang members
5. Which method requires an encryption key to be transmitted to a recipient before a message can be decrypted?
a. key interception
b. key recovery
c. symmetric key encryption d. digital certificates
6. A firewall usually protects a network from which of the following?
a. smoke damage
b. unauthorized access through the Internet
c. electronic funds transfer
d. buggy programs
7. Which of the following is not used to limit access to computer systems?
a. know-and-have authentication
b. password
c. UPS (uninterruptible power supply)
d. firewall
8. A recipient uses which of the following to read an encrypted message?
a. private key
b. public key
c. digital certificate
d. digital signature
9. What do you call using information technologies to corrupt or destroy an enemy's information and industrial
infrastructure?
a. data warfare
b. technology bombs
c. information warfare
d. data infiltration
10. This item is a rectangular advertisement that is not part of the Web page you are viewing, but is rather a page
separately supplied by an ad network.
a. spam
b. Adnet ad
c. Spamnet ad
d. banner ad
Fill in the Blank
1. A(n) __________ is any event, action, or situation—intentional or not—that could lead to the loss or destruction
of computer systems or the data they contain.
2. A(n) __________ is hidden code within a program that may be destructive to infected files.
3. Hackers generally subscribe to an unwritten code of conduct, called the __________, which forbids the
destruction of data.
4. Crimes carried out over the Internet are known as _______________.
5. A(n) _______________ installs itself at the beginning of a hard drive where code is stored and then automatically
executes every time you start the computer.
6. In a computer network, a(n) _______________ resembles a computer virus but doesn't need an unsuspecting user
to execute a program or macro file.
7. A(n) _______________ takes advantage of the automatic command execution capabilities of productivity
software.
8. _________ is the unauthorized access of corporate information to benefit a competitor.
6
Chapter 9: Privacy, Crime, and Security
9. Disgruntled employees may discover or create security holes called _______________ that they can exploit after
leaving the firm to get even with their former employer.
10. _______________ refers to one's ability to convey a message without disclosing a name or identity.
11. __________ are programs or devices that protect home computers from unauthorized access.
12. _______________ refers to a coding or scrambling process that renders a message unreadable by anyone except
the intended recipient.
13. _______________ is emerging to track developments in crime on the Internet.
14. _______________ is a uniform set of encryption standards that specify how public key encryption, digital
signatures, and digital certificates should be implemented in computer systems and on the Internet.
15. A(n) _______________ is a technique for validating one's identity, like showing your driver's license when you
cash a check.
Short Answer
1. What are the different cookie settings on the browser that you use most often? (Hint: If you're not sure, click the
browser's Help button and enter "cookies.") Describe how to switch the cookie settings. What cookie setting do
you prefer? Explain why.
Students’ answer may vary. To change the cookies settings in Internet Explorer, on the Tools menu, click Internet
Options. On the Privacy tab, move the slider up for a higher level of privacy or down for a lower level of privacy.
2. What is a digital signature? What is a digital certificate? How do they differ?
A digital signature is a technique used to guarantee that a message has not been tampered with. A digital
certificate is a form of digital ID used to obtain access to a computer system or prove one’s identity while
shopping on the Web. Certificates are issued by independent, third-party organizations called certificate
authorities (CA). Digital signatures deal with tampering with a message—digital certificates verify identities.
3. How do time bombs, worms, and Trojan horses differ?
Time bombs, also called logic bombs, are designed to sit harmlessly on a system until a certain event or set of
circumstances causes the program to become active. Disgruntled programmers may create time bombs designed to
detonate after they’ve left a firm’s employment.
A worm resembles a computer virus in that it can spread from one computer to another. Unlike a virus, however, a
worm can propagate over a computer network, and it does not require an unsuspecting user to execute a program
or macro file. It takes control of affected computers and uses their resources to attack other network-connected
systems.
A Trojan horse is disguised as a useful program, but it contains hidden instructions to perform a malicious task
instead. Sometimes a Trojan horse is disguised as a game or a utility program that users will find appealing. Then,
when the users begin running the program, they discover that they have loaded another animal entirely. A Trojan
horse may erase the data on the hard disk or cause other damage.
4. Name some of the common types of passwords that users choose. Why are these poor choices?
Computer users too often don’t understand the need to choose secure passwords. They choose a password that’s
easily guessed, such as “password.” Other popular passwords are “qwerty” (the first six letters of the keyboard),
obscene words, personal names, birthdays, celebrity names, movie characters, such as Frodo or Gandalf, and the
names of cartoon characters, such as Garfield.
5. Do you believe that the online marketing industry can adequately and effectively regulate itself? If not, who
should regulate it?
Answers will vary. However, since the online marketing industry has failed to show that it can do its own
policing, there is no reason to assume that it will out of the goodness of its heart. Federal regulation would be
preferred to 50 possible state regulations.
7