Legal Issues in Network Security

Primarily based on Chapter 30, Complete Reference
(Textbook#2).
© Complete Reference
Most text, examples taken verbatim from this book.
Why study legal issues?
– What reasons can you think of?
Understanding legal issues from an IT/IS professional’s perspective.
• You are administering a database which contains SSNs and credit card numbers of a number of users. Now, a hacker breaks in and steals this data.
– You should know:
• What laws protect you against lawsuits from customers.
– Especially, what preventive actions to take to defend against a lawsuit.
• Whom you should call.
• How to preserve evidence.
Consider these issues
• You notice that someone inside your company is port scanning all the computers.
– What do you do?
– Whom do you talk with?
– What evidence do you collect?
– And, important: how aggressively will you pursue the matter?
• E.g., in this case, w.r.t. the attacker, what will you do?
(a) Strengthen the firewalls and other technological security aspects?
(b) Become a super-user (root) and log in to the other user’s account?
(c) Check his/her email?
(d) Go through his/her files?
While you probably will know what technological measures to employ, to prevent liabilities you also need to know how to handle the situation! E.g., checking someone’s email (even if you can) can open your company to liability issues (unless the policy is clearly stated).
Legal aspects of protection of security.
• Protecting computing systems against criminals: prosecuting violations of confidentiality, integrity and availability.
• Protecting code and data: copyright, patent and trade secret acts.
• Protecting programmers’ and employers’ rights.
• Protecting users of programs.
Copyrights
• The U.S law aspects:
– Expression of an idea is protected and belongs to
the author of the expression. The expression must
be expressed in a tangible medium.
– The idea itself is NOT protected.
– Copyright can only be applied if the
originator/author of the expression is known.
– Copyright cannot be given to things expressed by
U.S/state governments or on well-known
expressions.
– Copyrighted work must be put into "fixed form"
(written, but now also electronic).
Using copyrighted material
• Fair use:
– You can use the material for what it is intended.
– You can use the idea behind the product freely.
– You can make copies of the material as long as the purpose of the copy is: “criticism, comment, news reporting, teaching, scholarship or research.”
– First sale: if you purchase a copyrighted item, you do have the right to re-sell it or give it away. The owner only controls the first sale.
• Unfair use is called piracy.
Registering for a copyright
• What symbol would you use to protect
copyrighted material?
• Copyright lasts 70 years beyond the death of the last surviving author in the U.S.
• Prosecuting copyright infringement:
– Need to go to court.
Copyright on Computer Software.
• Is copyright a good way to protect
computer software?
– Why or why not?
Copyright for Digital Objects.
• The Digital Millennium Copyright Act
(DMCA)
– Digital objects can be subject to copyright.
– Cannot circumvent or disable antipiracy
functionality built into an object.
– Cannot sell or distribute objects/devices that
disable antipiracy functionality.
– These objects/devices can be used for
educational/research purposes.
– You can make a backup copy
– Lending libraries can make up to 3 copies
Cases.
• Case 1: You buy a CD and want to load it into your MP3 player. The CD is copy-protected. Can you do it without violating the DMCA?
– E.g., can you purchase software that converts the CD tracks into MP3 tracks?
• Case 2: You bought a program that you would now like to enhance. You use a disassembler to get the source code of the program from the executable. Is this a violation of the copyright act?
Cases.
• Case 3: A Computer Science Professor
Dr. Edward Felten at Princeton
University presented a work (along with
his students) on cryptanalysis of digital
watermarking techniques used to
protect music files from being copied.
Would DMCA protect him?
• Case 4: You make a copy of a software
and give it to a friend. Is this legal?
U.S. No Electronic Theft Act (NET)
• Treat software just like music:
– You do not purchase software (or music); you only purchase the right to use it (or listen to it).
– So, you cannot distribute it or copy it.
• Used to sue Napster.
• Some conflicting issues remain:
– E.g., a computer program’s menu design can be copyrighted, but the “look and feel” cannot.
Patents
• Copyrights: works of art, literature, writing.
• Patents: inventions, tangible objects or ways to make them.
• Patents protect the device or process for carrying out an idea and not just the idea.
• Patents do not protect works of the mind, e.g., mathematics.
Patents
• Case 1: An inventor gets an idea: how about using styrofoam as a building material to reduce heating/cooling costs? She decides to incorporate styrofoam into construction material as follows:
– Step 1: Get recycled styrofoam:
• Start a recycling plan for collecting styrofoam cups and boxes.
• Break the cups and boxes into small pieces.
– Step 2: Incorporate styrofoam into building material:
• Mix the pieces with drywall.
• What can she apply for a patent on? Multiple choices are correct.
(a) Her plan to use styrofoam to protect building material.
(b) Using recycled styrofoam.
(c) Getting recycled styrofoam by collecting styrofoam cups and boxes.
(d) Getting recycled styrofoam by collecting styrofoam cups, boxes and plates.
(e) Incorporating styrofoam into building material.
(f) Mixing styrofoam pieces into drywall.
Copyright cases.
• Case 1a: I develop a new algorithm to solve a major
problem. Can I copyright the algorithm?
• Case 1b: I now write a program to implement the
algorithm. Can I copyright the program?
• Case 2: Two personal trainers applied for a copyright on the bench-press method of building muscles. They describe the process of bench-pressing. Will the copyright be given to their process of bench-pressing?
• Case 3: Can you file a copyright for the phrase “Happy Birthday to you”?
Copyright cases.
• Case 4: An inventor (who shall remain nameless) who works on security in a big university in Southwest Virginia that has in its name a famous auto company’s name, invents a new way to secure a web browser and publishes the results in a journal paper. Is this work protected by copyright law?
• Case 5: An imaginative grandmother creates a story to entertain her grandkids. Can she copyright her story?
• Case 6: You create a dictionary of English words. Can you copyright it?
• Case 7: A music historian selects a bunch of folk songs (none of which he wrote) and creates a CD to sell. Can he copyright it?
• Case 8: A company makes a new operating system and sells the executable. Can this company copyright the executable?
Defining intellectual property.
• Must not be in public domain (e.g., works of US govt).
• Must not be well-known expressions.
– E.g., “top o’ the mornin’ to ye”
• Must be in a tangible medium.
– E.g., story must be in a printed, written or recorded form or
stored on a magnetic medium.
• Work must be original: the original work can use work
in public domain (without expressing where it came
from) as long as there is some originality to it.
– E.g., the music historian, the dictionary maker.
Patents vs. copyright.
• Two musicians created a song at the
same time but independently. Will they
both get a copyright on the song or
patent on the song?
• Patent requires novelty. If you create
an object and the “creation” itself was
obvious then there is no novelty.
– E.g., create a bookmark using a piece of
cardboard. Can this be patented?
Patents and computer objects
• Cannot patent ideas.
– E.g., (Gottschalk v. Benson) patent on
converting decimal into binary numbers was
rejected.
• But can patent a process.
– E.g., (Diamond vs. Bradley): patent a
process that used software, a well-known
algorithm, temperature sensors and a
computer to calculate the time to cure
rubber seals.
Trade secrets.
• Difference from patent/copyright: it must be kept secret!
– Examples?
• No one can get the secret and profit from it.
• You cannot reverse engineer to get a secret
out.
• Trade secrets apply very well to computer
objects. How? It allows distribution of a result
of a secret (e.g., .exe) but keeping the program
design hidden.
• Doesn’t protect against copying though.
Protecting computer objects: guidelines
• Hardware protection
– Firmware
• Protecting software
– Object code
– Source code
• Protecting documentation
• Protecting web content
• Domain names and URLs
Information and the law
• Information is not exactly tangible. How do we protect it? It is different from “things” sold in a shop. Why?
– Depletable?
– Replicated.
– Cost of information?
– Time dependency.
– Intangible.
How can the law protect information.
• Law is in its infancy. Some issues are hard:
– E.g., newspapers online: who owns the news?
– Protecting data in a database, e.g., addresses and phone numbers? Who owns them?
• There are some laws that can be used. Usually:
– Criminal laws
– Civil laws
– Tort laws. E.g., fraud
– Contract law
• Tort law works well for protecting information.
Privacy laws.
• Security also deals with “privacy”.
– Loss of privacy could result in severe liabilities.
• E.g., the T.J. Maxx data theft cost $256 million.
– Here’s an article from the Boston Globe.
– Problem: weak Wi-Fi encryption, no firewalls, failure to update software: everything we studied/are studying! (Source: Wall Street Journal)
So what is the law?
• Unfortunately, there is no one law.
– We currently work with a patchwork of various federal laws
(some predate the concern for network security).
• However, among those available, they can be split
into:
– hacking laws:
• cover intrusions into networks, subsequent fraud, theft and damage.
– electronic communication laws:
• govern interception, retrieval and disclosure of email and keystrokes.
– other laws:
• address use of computers for unlawful purposes.
intrusion/hacking laws
• Computer Fraud and Abuse Act (CFAA)
– protects against unlawful intrusion
attempts as well as attacks that cause
damage.
– what are some unlawful attempts you are
familiar with?
intrusion/hacking laws (2)
• Computer Fraud and Abuse Act (CFAA)
– protects against unlawful intrusion attempts including:
• denial of service attacks.
• ping floods (aka ping sweep).
• malware: worms, viruses, spyware.
• The primary focus of this act is on:
– access without authorization
• E.g., a dictionary attack on a password to get into someone’s email account.
– or access in excess of authorization,
• E.g., on the H: drive, trying to access your fellow college-mates’ files.
– plus damage or loss.
• Summary: CFAA prosecutes crimes that involve:
– Unauthorized access + loss (not just unauthorized access).
Seven deadly sins of the CFAA.
• CFAA prohibits 7 acts:
– Unauthorized access
• to information protected for national security reasons,
• of confidential information on the internet,
• of government, non-public computers,
• of a protected computer in furtherance of fraud,
– Protected computers:
» used by financial institutions or the U.S. govt.
» used in interstate or foreign commerce or communications.
» The 2001 USA PATRIOT Act expanded protected computers to those outside the U.S. that affect U.S. interstate commerce.
– Practical perspective: almost any computer crime will fall under CFAA jurisdiction.
– Intentional acts causing damage to computers.
– Trafficking of passwords affecting interstate commerce or govt. computers.
– Threats to cause damage to a protected computer for the purpose of extortion.
Access in excess of authorization is a fine line
• In the following scenarios, state when the action is valid and when it becomes “access in excess of authorization”:
– An IRS agent browsing taxpayers’ files.
• E.g., the U.S. vs. Czubinski lawsuit.
– A collection agency obtaining someone’s credit report.
• E.g., James Edge vs. Professional Claims Bureau, Inc.
– A professor reading the transcripts of a student in the same university.
– A system administrator accessing a user’s home directory (folder).
CFAA: damage or loss
• What is loss?
– “any responsible cost to the victim”.
• E.g.,
» cost of incident response,
» damage assessment,
» restoration of data or systems,
» lost revenue.
– This law is usually prosecuted by the U.S. attorney’s office.
CFAA: damage
• CFAA defines damage as:
– Loss to one or more persons affecting one or more protected computers aggregating to at least $5000.
– Any modification or potential modification to the medical diagnosis, treatment or care of one or more individuals.
– Physical injury to any person.
– A threat to public health or safety.
– Damage affecting a computer system used by the government for the administration of justice, national defense, or national security.
• How does all this matter to you?
CFAA: prosecution
• How does all this matter to you?
– Recall: in CFAA, the victim needs to demonstrate:
• Unauthorized access + loss.
– Not all loss will be prosecuted!
• The U.S. Attorney’s office has certain thresholds for loss.
– Hence, need to keep detailed expense reports:
• Time spent (e.g., overtime paid, time that you could have used for other activities).
• Other hard costs (e.g., loss of revenue estimates).
• Currently: need at least $5000 in loss to prosecute.
• Damage also includes:
– Physical injury.
– Threat to public security.
• Yes, the subway accident in the Spiderman movie would have been covered by CFAA!
CFAA sections..
• Different sections of the law define different types of loss.
– E.g., Section 1030: loss of information (e.g., unauthorized access to read someone’s email).
• And each comes with its own penalty:
– Loss of information (like reading email) is a misdemeanor, not a felony.
– However, any financial gain due to the theft is a felony (or if the information exceeds $5000).
• So is a trespass without a loss not a crime in CFAA?
– Trespass on govt. computers is a crime!
• Other sections:
– 1030(a)(5): intentional release of malicious logic (spyware, viruses etc.), DoS, intrusions etc.
– 1030(a)(4): covers plans to defraud.
CFAA penalties
• Penalties vary depending on the crime.
• The USA PATRIOT Act expands this:
– An attempt to commit a crime is treated as if the crime was completed.
• CFAA allows civil claims.
• In addition to CFAA, states have their own laws.
– E.g., Computer Laws - Code of Virginia.
The Electronic Communications Privacy Act (ECPA)
• Prohibits unauthorized interception or disclosure of communications.
• Level of protection based on:
– Whether the information is in transit or stored.
• Useful for us:
– When does monitoring become illegal?
• E.g., we used audit loggers on operating systems. What can be audited legally?
– Identifying if a crime was committed.
Some provisions of ECPA
• Electronic eavesdropping:
– Covered by wiretap provisions:
• Prohibits intentionally intercepting any electronic communication,
• Intentionally disclosing the contents of any electronic communication
– knowing/having reason to know that the information was obtained by an illegal wiretap.
• Examples of wiretaps: packet sniffers (e.g., Wireshark), keystroke loggers.
– However, there are two exceptions to wiretapping. The following are legal:
• If wiretapping is done as self-defense. E.g., installing an intrusion detection system.
• Consent.
• The self-defense provision is not always easy to apply. E.g., is monitoring all employees’ emails self-defense?
• In such cases, consent is used.
• How can such consent be obtained?
Obtaining consent.
• Consider this:
– You are a system admin for company ABCD.
– You wish to monitor all email communications from all the
employees.
– How will you get their consent?
• Most common approach: use a banner.
• Other approaches: (e.g., Radford’s): acceptable use of
computers policy.
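As an added illustration of the banner approach (this is example code written for these notes, not from the textbook or the slides): on a Linux host running OpenSSH, the real `Banner` directive in `sshd_config` makes the server display a file to every user before they authenticate, which is the usual place to put a monitoring/consent notice. The file paths are the common defaults but are assumptions here, and the notice wording for the slide’s company ABCD is a constructed sample; the real text comes from the organisation’s acceptable use policy.

```shell
#!/bin/sh
# Added example, not from the slides: show a monitoring/consent notice to every
# SSH user before login, using OpenSSH's "Banner" directive in sshd_config.
# Paths are common defaults but are assumptions; override them
# (e.g. CONFIG_FILE=/tmp/sshd_config.copy) to dry-run against a copy.
BANNER_FILE="${BANNER_FILE:-/etc/issue.net}"
CONFIG_FILE="${CONFIG_FILE:-/etc/ssh/sshd_config}"

# write_banner FILE: writes the consent notice. The wording is a constructed
# sample for the slide's company "ABCD"; the organisation's acceptable use
# policy (and counsel) supply the real text.
write_banner() {
  cat > "$1" <<'EOF'
*** NOTICE: ABCD company information system ***
This system and all network traffic through it, including e-mail, may be
monitored, recorded and disclosed to authorised personnel for security and
administrative purposes, as described in the ABCD acceptable use policy.
By proceeding past this point you consent to such monitoring.
Disconnect now if you do not agree.
EOF
}

# set_banner_directive CONFIG BANNER_PATH: points sshd at the notice. Replaces
# an existing Banner line (active or commented out, e.g. the stock "#Banner none"),
# otherwise appends one. Re-running it does not add duplicate lines.
set_banner_directive() {
  cfg="$1"; banner="$2"; tmp="$cfg.tmp.$$"
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$cfg"; then
    sed -E "s|^[[:space:]]*#?[[:space:]]*Banner[[:space:]].*|Banner $banner|" "$cfg" > "$tmp" \
      && mv "$tmp" "$cfg"
  else
    printf 'Banner %s\n' "$banner" >> "$cfg"
  fi
}

# active_banner CONFIG: prints the banner path sshd will use. Fails unless exactly
# one uncommented Banner line exists (sshd honours the first match, so a duplicate
# means the file was edited by hand and should be reviewed before reload).
active_banner() {
  [ "$(grep -Ec '^[[:space:]]*Banner[[:space:]]' "$1")" -eq 1 ] || return 1
  grep -E '^[[:space:]]*Banner[[:space:]]' "$1" | awk '{print $2}'
}

# Typical use (as root on the real host; then run `sshd -t` and reload the service):
#   write_banner "$BANNER_FILE"
#   set_banner_directive "$CONFIG_FILE" "$BANNER_FILE"
#   active_banner "$CONFIG_FILE"
```

The banner only covers interactive logins over SSH; an acceptable use policy that employees sign, as in the Radford approach above, is what documents consent for everything else (mail, web, file shares), so the two are normally used together, and `sshd -t` should be run before reloading so a typo in the config does not lock administrators out.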
ECPA: stored electronic communications.
• Stored communications:
– E.g., email on a mail server
– Protected by ECPA.
• The Homeland Security Act elevates this to a felony if done for financial use.
• However, review/recording of stored communications is lawful (as long as it is authorized access).
– E.g., system administrators can read emails (for legitimate purposes) stored on the mail server.
Other acts
• Economic Espionage Act:
– Protects against theft of trade secrets.
• E.g., Pepsi reported the theft of a Coca-Cola secret.
• Copyright acts:
– Allow system admins to prosecute those using company networks to violate copyrights (piracy).
• U.S.C Section 2242 and 2252A:
– Prohibit knowing possession of any material that contains child pornography (book, magazine, file, periodical etc.)
– Here is what a network security professional must think about: a party may “knowingly” possess such material if that material has been stored for a long time.
– Hence, network security administrators must take action if they have sufficient knowledge.
Due care.
• Lots of laws to prosecute computer
crimes.
• However, what about liability to an organization?
– E.g., if a company loses some private data:
• Is it just the attacker’s fault? Or,
• Is the company liable?
Due care
• A company is liable if it does not take “due care”.
• I.e., it does not implement proper, well-known, established security controls.
• The laws for information security regulations are increasing!
Gramm-Leach-Bliley safeguards (GLB)
• Standards to protect personal information held by financial institutions.
– E.g., confidentiality of SSNs, account numbers etc.
• Financial institutions have different federal agencies as overseers:
– E.g., FDIC, Federal Reserve System, Federal Trade Commission, SEC
• Each agency establishes its own set of standards for security.
• The focus of the standards is:
– All organizations must have a comprehensive information security program.
• More jobs for us!
– Must contain physical, technological and administrative controls.
– Must be appropriate to the size of the organization.
Examples of GLB application.
• Some suggested methods of security:
– Authorized access.
– Encryption of private data.
– Physical security.
– Background screening of employees.
– Separation of power.
Sarbanes-Oxley Act
• Requires annual reports to contain an “internal control report”
– Management’s responsibility for:
• establishing and maintaining adequate internal controls for the purpose of financial
reporting.
• Assessment of effectiveness of these controls.
• Imposes substantial penalties for failure to report.
• Requires reasonable safeguarding of assets – may mean
information security.
Privacy laws
• HIPAA (health insurance portability and
accountability act)
• FERPA
• Other security standards:
– ISO 17799: Code of practice for
information security management
Voluntary security standards
• ISO 17799: Code of practice for information security management
– Recommendations for information security management.
– http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm
– Helps organizations formulate their security policies using the templates provided there.
Other issues
• Software failures. Who pays?
– Are there any legal issues?
– Moral, ethical issues?
• Some issues can be addressed by law. Others
cannot.
• Reporting software flaws. Who should report?
• Computer crimes and evidence.
– Log files, audit records.
– Some U.S. laws (Economic Espionage Act, Computer Fraud and Abuse Act, Electronic Funds Transfer Act).
• Open issues: value of a computer item; cryptography controls.
Ethical Issues in Computer Security
• What is the difference between law and
ethics?
• Why is studying this complex?
Ethical pluralism
• Sometimes more than one position may be ethically justifiable.
• In science, we want things to be concrete.
– Sometimes ethics are rejected.
• However, for computer security, ethics matter.
Examining a Case for Ethical Issues.
• Simple algorithm to decide on ethics:
– Understand the situation.
– Knowledge of several theories of ethical reasoning.
– List the ethical principles involved.
– Determine which principles outweigh others.
Ethical principles
• Two schools of thought on ethics:
– Consequence based
– Based on duties of persons.
• Consequence based principles:
– Teleological theory: choose the action that results in the lowest harm and greatest good.
• E.g., if your friend asks you to write his/her programming assignment: what is the good? What is the bad?
• Does the bad outweigh the good?
– Whom should it do good to? You or others?
• Egoism vs. utilitarianism.
Ethical principles
• Rule based principles
– Deontology: based on a sense of duty. It is based on the idea that some things are just good and do not have to be judged:
• Peace, security, freedom, truth, knowledge, happiness etc. [Frankena 73]
– Rule-deontology:
• Universal, self-evident natural rules specify our conduct.
• E.g., from David Ross:
– Fidelity or truthfulness
– Reparation
– Gratitude
– Justice etc.
• Difference between teleology vs. deontology?
Case studies
• Case studies from textbook (Pfleeger)
discussed in class.
• Code from major organizations.