Legal Issues in Network Security
Primarily based on Chapter 30, Complete Reference (Textbook #2). © Complete Reference. Most text and examples are taken verbatim from this book.

Why study legal issues?
– What reasons can you think of?

Understanding legal issues from an IT/IS professional's perspective
• You are administering a database which contains SSNs and credit card numbers of a number of users. Now a hacker breaks in and steals this data.
– You should know:
• What laws protect you against lawsuits from customers.
– Especially, what preventive actions to take to defend against a lawsuit.
• Whom you should call.
• How to preserve evidence.

Consider these issues
• You notice that someone inside your company is port scanning all the computers.
– What do you do?
– Whom do you talk with?
– What evidence do you collect?
– And, important: how aggressively will you pursue the matter?
• E.g., in this case, w.r.t. the attacker, what will you do?
(a) Strengthen the firewalls and other technological security aspects?
(b) Become a super-user (root) and log in to the other user's account?
(c) Check his/her email?
(d) Go through his/her files?
• While you probably will know what technological measures to employ, to prevent liabilities you also need to know how to handle the situation! E.g., checking someone's email (even if you can) can open your company to liability issues (unless the policy is clearly stated).

Legal aspects of protection of security
• Protecting computing systems against criminals: prosecuting violations of confidentiality, integrity and availability.
• Protecting code and data: copyrights, patents and trade secret acts.
• Protecting programmers' and employers' rights.
• Protecting users of programs.

Copyrights
• The U.S. law aspects:
– Expression of an idea is protected and belongs to the author of the expression. The expression must be expressed in a tangible medium.
– The idea itself is NOT protected.
– Copyright can only be applied if the originator/author of the expression is known.
– Copyright cannot be given to things expressed by U.S./state governments or to well-known expressions.
– Copyrighted work must be put into "fixed form" (written, but now also electronic).

Using copyrighted material
• Fair use:
– You can use the material for what it is intended.
– You can use the idea behind the product freely.
– You can make copies of material as long as the purpose for the copy is "criticism, comment, news reporting, teaching, scholarship or research."
– First sale: if you purchase a copyrighted item, you do have the right to re-sell it or give it away. The owner only controls the first sale.
• Unfair use is called piracy.

Registering for a copyright
• What symbol would you use to protect copyrighted material?
• Copyright lasts 70 years beyond the death of the last surviving author in the U.S.
• Prosecuting copyright infringement:
– Need to go to court.

Copyright on computer software
• Is copyright a good way to protect computer software?
– Why or why not?

Copyright for digital objects
• The Digital Millennium Copyright Act (DMCA):
– Digital objects can be subject to copyright.
– Cannot circumvent or disable antipiracy functionality built into an object.
– Cannot sell or distribute objects/devices that disable antipiracy functionality.
– These objects/devices can be used for educational/research purposes.
– You can make a backup copy.
– Lending libraries can make up to 3 copies.

Cases
• Case 1: You buy a CD and want to load it into your MP3 player. The CD is copy-protected. Can you do it without violating the DMCA?
– E.g., can you purchase software that converts the CD tracks into MP3 tracks?
• Case 2: You bought a program that you would now like to enhance. You use a disassembler to get the source code of the program from the executable. Is this a violation of the copyright act?

Cases (continued)
• Case 3: A Computer Science professor, Dr. Edward Felten at Princeton University, presented a work (along with his students) on cryptanalysis of digital watermarking techniques used to protect music files from being copied. Would the DMCA protect him?
• Case 4: You make a copy of a piece of software and give it to a friend. Is this legal?

U.S. No Electronic Theft Act (NET)
• Treat software just like music:
– You do not purchase software (or music), you only purchase the right to use it (or listen to it).
– So, you cannot distribute it or copy it.
• Enforced to sue Napster.
• Some conflicting issues remain:
– E.g., a computer's menu design is copyrighted, but the "look and feel" cannot be.

Patents
• Copyrights: works of art, literature, writing. Patents: inventions, tangible objects or ways to make them.
• Patents protect the device or process for carrying out an idea, and not just the idea.
• Patents do not protect works of the mind, e.g., mathematics.

Patents: a case
• Case 1: An inventor gets an idea: how about using styrofoam as a building material to reduce heating/cooling costs? She decides to incorporate styrofoam into construction material as follows:
– Step 1: Get recycled styrofoam:
• Start a recycling plan for collecting styrofoam cups and boxes.
• Break the cups and boxes into small pieces.
– Step 2: Incorporate styrofoam into building material:
• Mix the pieces with drywall.
• What can she apply for a patent for? Multiple choices are correct.
(a) Her plan to use styrofoam to protect building material.
(b) Using recycled styrofoam.
(c) Getting recycled styrofoam by collecting styrofoam cups and boxes.
(d) Getting recycled styrofoam by collecting styrofoam cups, boxes and plates.
(e) Incorporating styrofoam into building material.
(f) Mixing styrofoam pieces into drywall.

Copyright cases
• Case 1a: I develop a new algorithm to solve a major problem. Can I copyright the algorithm?
• Case 1b: I now write a program to implement the algorithm. Can I copyright the program?
• Case 2: Two personal trainers applied for a copyright to the bench-press method of building muscles. They describe the process of bench-pressing. Will the copyright be given to their process of bench-pressing?
• Case 3: Can you file a copyright for the phrase "Happy Birthday to you"?

Copyright cases (continued)
• Case 4: An inventor (who shall remain nameless), who works on security at a big university in Southwest Virginia that has in its name a famous auto company's name, invents a new way to secure a web browser and publishes the results in a journal paper. Is this work protected by copyright law?
• Case 5: An imaginative grandmother creates a story to entertain her grandkids. Can she copyright her story?
• Case 6: You create a dictionary of English words. Can you copyright it?
• Case 7: A music historian selects a bunch of folk songs (none of which he wrote) and creates a CD to sell. Can he copyright it?
• Case 8: A company makes a new operating system and sells the executable. Can this company copyright the executable?

Defining intellectual property
• Must not be in the public domain (e.g., works of the U.S. government).
• Must not be a well-known expression.
– E.g., "top o' the mornin' to ye".
• Must be in a tangible medium.
– E.g., a story must be in a printed, written or recorded form, or stored on a magnetic medium.
• Work must be original: the original work can use work in the public domain (without expressing where it came from) as long as there is some originality to it.
– E.g., the music historian, the dictionary maker.

Patents vs. copyright
• Two musicians created a song at the same time but independently. Will they both get a copyright on the song, or a patent on the song?
• A patent requires novelty. If you create an object and the "creation" itself was obvious, then there is no novelty.
– E.g., create a bookmark using a piece of cardboard. Can this be patented?

Patents and computer objects
• Cannot patent ideas.
– E.g., (Gottschalk v. Benson) a patent on converting decimal into binary numbers was rejected.
• But can patent a process.
– E.g., (Diamond vs. Bradley) a patent on a process that used software, a well-known algorithm, temperature sensors and a computer to calculate the time to cure rubber seals.

Trade secrets
• Difference from patent/copyright: it must be kept secret!
– Examples?
• No one can get the secret and profit from it.
• You cannot reverse engineer to get a secret out.
• Trade secrets apply very well to computer objects. How? It allows distribution of the result of a secret (e.g., an .exe) while keeping the program design hidden.
• Doesn't protect against copying, though.

Protecting computer objects: guidelines
• Hardware protection
– Firmware
• Protecting software
– Object code
– Source code
• Protecting documentation
• Protecting web content
• Domain names and URLs

Information and the law
• Information is not exactly tangible. How do we protect it? It is different from "things" sold in a shop. Why?
– Depletable? Replicated. Cost of information? Time dependency. Intangible.

How can the law protect information?
• Law is in its infancy. Some issues are hard:
– E.g., newspapers online: who owns the news?
– Protecting data in a database, e.g., addresses and phone numbers? Who owns them?
• There are some laws that can be used. Usually:
– Criminal laws
– Civil laws
– Tort laws, e.g., fraud
– Contract law
• Tort law works well for protecting information.

Privacy laws
• Security also deals with "privacy".
– Loss of privacy could result in severe liabilities.
• E.g., the T.J.Maxx data theft cost $256 million.
– Here's an article from the Boston Globe.
– Problem: weak Wi-Fi encryption, no firewalls, failure to update software: everything we studied/are studying! (Source: Wall Street Journal)

So what is the law?
• Unfortunately, there is no one law.
– We currently work with a patchwork of various federal laws (some predate the concern for network security).
• However, those available can be split into:
– Hacking laws:
• Cover intrusions into networks, and subsequent fraud, theft and damage.
– Electronic communication laws:
• Govern interception, retrieval and disclosure of email and keystrokes.
– Other laws:
• Address use of computers for unlawful purposes.

Intrusion/hacking laws
• Computer Fraud and Abuse Act (CFAA):
– Protects against unlawful intrusion attempts as well as attacks that cause damage.
– What are some unlawful attempts you are familiar with?

Intrusion/hacking laws (2)
• Computer Fraud and Abuse Act (CFAA):
– Protects against unlawful intrusion attempts including:
• Denial of service attacks.
• Ping floods (aka ping sweep).
• Malware: worms, viruses, spyware.
• The primary focus of this act is on:
– Access without authorization,
• E.g., a dictionary attack on a password to get into someone's email account.
– or access in excess of authorization,
• E.g., on the H: drive, trying to access your fellow college-mates' files.
– plus damage or loss.
• Summary: the CFAA prosecutes crimes that involve:
– Unauthorized access + loss (not just unauthorized access).

Seven deadly sins of the CFAA
• The CFAA prohibits 7 acts:
– Unauthorized access
• to information protected for national security reasons,
• of confidential information on the internet,
• of government, non-public computers,
• of a protected computer in furtherance of fraud.
– Protected computers:
» Used by financial institutions or the U.S. government.
» Used in interstate or foreign commerce or communications.
» The 2001 USA PATRIOT Act expanded protected computers to those outside the U.S. that affect U.S. interstate commerce.
– Practical perspective: almost any computer crime will fall under CFAA jurisdiction.
– Intentional acts causing damage to computers.
– Trafficking of passwords affecting interstate commerce or government computers.
– Threats to cause damage to a protected computer for the purpose of extortion.

Access in excess of authorization is a fine line
• In the following scenarios, state when the action is valid and when it becomes "access in excess of authorization":
– An IRS agent browsing taxpayers' files.
• E.g., the U.S. vs. Czubinski lawsuit.
– A collection agency obtaining someone's credit report.
• E.g., James Edge vs. Professional Claims Bureau, Inc.
– A professor reading the transcripts of a student at the same university.
– A system administrator accessing a user's home directory (folder).

CFAA: damage or loss
– What is loss?
• "Any reasonable cost to the victim."
– E.g.,
» cost of incident response,
» damage assessment,
» restoration of data or systems,
» lost revenue.
– This law is usually prosecuted by the U.S. Attorney's office.

CFAA: damage
• The CFAA defines damage as:
– Loss to one or more persons affecting one or more protected computers aggregating to at least $5000.
– Any modification or potential modification to the medical diagnosis, treatment or care of one or more individuals.
– Physical injury to any person.
– A threat to public health or safety.
– Damage affecting a computer system used by the government for the administration of justice, national defense, or national security.
• How does all this matter to you?

CFAA: prosecution
• How does all this matter to you?
– Recall: under the CFAA, the victim needs to demonstrate:
• Unauthorized access + loss.
– Not all loss will be prosecuted!
• The U.S. Attorney's office has certain thresholds for loss. You need to keep detailed expense reports:
» Time spent (e.g., overtime paid, time that you could have used for other activities).
» Other hard responses (e.g., loss of revenue estimates).
• Currently: need at least $5000 in loss to prosecute.
• Damage also includes:
– Physical injury.
– Threat to public security.
• Yes, the subway accident in the Spiderman movie would have been covered by the CFAA!

CFAA sections
• Different sections of the law define different types of loss.
– E.g., Section 1030: loss of information (e.g., unauthorized access to read someone's email).
• And each comes with its own penalty:
– Loss of information (like reading email) is a misdemeanor, not a felony.
– However, any financial gain due to the theft is a felony (or if the information exceeds $5000).
• So is a trespass without a loss not a crime under the CFAA?
– Trespass on government computers is a crime!
• Other sections:
– 1030(a)(5): intentional release of malicious logic (spyware, viruses etc.), DoS, intrusions etc.
– 1030(a)(4): covers plans to defraud.

CFAA penalties
• Penalties vary depending on the crime.
• The USA PATRIOT Act expands this:
– An attempt to commit a crime is interpreted as if the crime was completed.
• The CFAA allows civil claims.
• In addition to the CFAA, states have their own laws.
– E.g., Computer Laws, Code of Virginia.

The Electronic Communications Privacy Act (ECPA)
• Prohibits unauthorized interception or disclosure of communications.
• The level of protection is based on:
– Whether the information is in transit or stored.
• Useful for us:
– When does monitoring become illegal?
• E.g., we used audit loggers on operating systems. What can be audited legally?
– Identifying whether a crime was committed.

Some provisions of the ECPA
• Electronic eavesdropping:
– Covered by the wiretap provisions:
• Prohibits intentionally intercepting any electronic communication,
• Intentionally disclosing the contents of any electronic communication, knowing or having reason to know that the information was obtained by an illegal wiretap.
• Examples of wiretaps: packet sniffers (e.g., Wireshark), keystroke loggers.
– However, there are two exceptions to wiretapping. The following are legal:
• If wiretapping is done as self-defense, e.g., installing an intrusion detection system.
• Consent.
• The self-defense provision is not always easy to apply. E.g., is monitoring all employees' emails self-defense?
• In such cases, consent is used.
• How can such consent be obtained?

Obtaining consent
• Consider this:
– You are a system admin for company ABCD.
– You wish to monitor all email communications from all the employees.
– How will you get their consent?
• Most common approach: use a banner.
• Other approaches (e.g., Radford's): an acceptable use of computers policy.

ECPA: stored electronic communications
• Stored communications:
– E.g., email on a mail server.
– Protected by the ECPA.
• The Homeland Security Act elevates this to a felony if done for financial use.
• However, review/recording of stored communications is lawful (as long as it is authorized access).
– E.g., system administrators can read emails (for legitimate purposes) stored on a mail server.

Other acts
• Economic Espionage Act:
– Protects against theft of trade secrets.
• E.g., Pepsi reported theft of a Coca-Cola secret.
• Copyright acts:
– Allow system admins to prosecute those using company networks to violate copyrights (piracy).
• U.S.C. Sections 2242 and 2252A:
– Prohibit knowing possession of any material that contains child pornography (book, magazine, file, periodical etc.).
– Here is what a network security professional must think about: a party may "knowingly" possess such material if that material has been stored for a long time.
– Hence, network security administrators must take action if they have sufficient knowledge.

Due care
• Lots of laws to prosecute computer crimes.
• However, what about liability to an organization?
– E.g., if a company loses some private data:
• Is it just the attacker's fault? Or,
• Is the company liable?

Due care (continued)
• A company is liable if it does not take "due care",
• i.e., it does not implement proper, well-known, established security controls.
• The laws for information security regulations are increasing!

Gramm-Leach-Bliley safeguards (GLB)
• Standards to protect personal information held by financial institutions.
– E.g., confidentiality of SSNs, account numbers etc.
• Financial institutions have different federal agencies as overseers:
– E.g., FDIC, Federal Reserve System, Federal Trade Commission, SEC.
• Each agency establishes its own set of standards for security.
• The focus of the standards:
– All organizations must have a comprehensive information security program.
• More jobs for us!
– Must contain physical, technological and administrative controls.
– Must be appropriate to the size of the organization.

Examples of GLB application
• Some suggested methods of security:
– Authorized access.
– Encryption of private data.
– Physical security.
– Background screening of employees.
– Separation of power.

Sarbanes-Oxley Act
• Requires annual reports to contain an "internal control report":
– Management's responsibility for:
• establishing and maintaining adequate internal controls for the purpose of financial reporting,
• assessment of the effectiveness of these controls.
• Imposes substantial penalties for failure to report.
• Requires reasonable safeguarding of assets, which may mean information security.

Privacy laws
• HIPAA (Health Insurance Portability and Accountability Act)
• FERPA
• Other security standards:
– ISO 17799: Code of practice for information security management

Voluntary security standards
• ISO 17799: Code of practice for information security management
– Recommendations for information security management.
– http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm
– Helps several organizations to formulate their security policies using the templates provided there.

Other issues
• Software failures. Who pays?
– Are there any legal issues?
– Moral, ethical issues?
• Some issues can be addressed by law. Others cannot.
• Reporting software flaws. Who should report?
• Computer crimes and evidence.
– Log files, audit records.
– Some U.S. laws (Economic Espionage Act, Computer Fraud and Abuse Act, Electronic Funds Transfer Act).
• Open issues: value of a computer item; cryptography controls.

Ethical Issues in Computer Security
• What is the difference between law and ethics?
• Why is studying this complex?

Ethical pluralism
• Sometimes more than just one position may be ethically justifiable.
• In science, we want things to be concrete.
– Sometimes ethics are rejected.
• However, for computer security, ethics matter.

Examining a case for ethical issues
• Simple algorithm to decide on ethics:
– Understand the situation.
– Knowledge of several theories of ethical reasoning.
– List the ethical principles involved.
– Determine which principles outweigh others.

Ethical principles
• Two schools of thought on ethics:
– Consequence based.
– Based on duties of persons.
• Consequence based principles:
– Teleological theory: choose the action that results in the lowest harm and the greatest good.
• E.g., if your friend asks you to write his/her programming assignment? What is the good? What is the bad?
• Does the bad outweigh the good?
– Whom should it do good to? You or others?
• Egoism vs. utilitarianism.

Ethical principles (continued)
• Rule based principles:
– Deontology: based on a sense of duty. It is based on the idea that some things are just good and do not have to be judged:
• Peace, security, freedom, truth, knowledge, happiness etc. [Frankena 73]
– Rule-deontology:
• Universal, self-evident natural rules specify our conduct.
• E.g., from David Ross:
– Fidelity or truthfulness
– Reparation
– Gratitude
– Justice etc.
• Difference between teleological vs. deontological?

Case studies
• Case studies from the textbook (Pfleeger) discussed in class.
• Codes from major organizations.