Chapter 9

Law, Ethics, and

Cyber Crime
Prentice Hall, 2003

Learning Objectives
Describe the difference between legal
and ethical issues
Understand the difficulties of protecting
privacy in EC
Discuss issues of intellectual property
rights in EC
Understand the conflict between free
speech and censorship on the Internet
Prentice Hall, 2003

Learning Objectives (cont.)

Document the rapid rise in computer and
network security attacks
Understand the factors contributing to the rise of
EC security breaches
Describe the key security issues facing EC sites
Discuss some of the major types of cyber
attacks against EC sites
Describe some of the technologies used to
secure EC sites
Prentice Hall, 2003

MP3, Napster, and

Intellectual Property Rights
The Problem
MP3.com enabled users to listen to music
from any computer with an Internet connection
without paying royalties
Napster supported the free distribution of
music and other digitized content among
millions utilizing peer-to-peer (P2P) technology
These services could not be ignored because
they could result in the destruction of millions
of jobs and revenue
Prentice Hall, 2003

MP3, Napster, and

Intellectual Property Rights (cont.)
The Solution
Emusic.com filed a copyright infringement
lawsuit against MP3.com
Copyright laws and copyright cases have been
in existence for years but:
Were not written for digital content
Financial gain loophole was not closed

Prentice Hall, 2003

MP3, Napster, and

Intellectual Property Rights (cont.)
The Results
All commerce involves a number of legal,
ethical, and regulatory issues
EC adds a number of questions about what
constitutes illegal behavior versus unethical,
intrusive, or undesirable behavior

Prentice Hall, 2003

Legal Issues vs. Ethical Issues

Ethicsthe branch of philosophy that
deals with what is considered to be
right and wrong
Businesspeople engaging in e-commerce
need guidelines as to what behaviors are
reasonable under any given set of
circumstances
What is unethical in one culture may be
perfectly acceptable in another
Prentice Hall, 2003

Privacy
Privacythe right to be left alone and
the right to be free of unreasonable
personal intrusions
Two rules have been followed fairly
closely in court decisions:
1. The right of privacy is not absolute.
Privacy must be balanced against the
needs of society
2. The public s right to know is superior
to the individuals right of privacy

Prentice Hall, 2003

Privacy Advocates
Take On DoubleClick
DoubleClick is one of the leading providers
of online advertising
DoubleClick uses cookies to personalize ads
based on consumers interests
In January 1999, DoubleClick bought catalog
marketer Abacus Direct and announced plans
to merge Abacuss off-line database with their
online data
Prentice Hall, 2003

Privacy Advocates
Take On DoubleClick (cont.)
Several class action lawsuits were brought against
DoubleClick, claiming that the company was
tracking Internet users and obtaining personal and
financial information with-out the individuals
knowledge
In violation of the states Consumer Protection
Act and asked it to stop placing cookies on
consumers computers without their permission
In January 2001, the FTC ruled that DoubleClick
had not violated FTC policies
Prentice Hall, 2003

10

Privacy Advocates
Take On DoubleClick (cont.)
DoubleClick agreed to enhance its privacy
measures and to pay legal fees and costs up
to $18 million
Key provision of the settlement requires
DoubleClick to obtain permission from
consumers before combining any personally
identifiable data with Web surfing history

Prentice Hall, 2003

11

Web-Site Self-Registration

Registration questionnaires
50% disclose personal information on a Web
site for the chance to win a sweepstakes

Uses of the private information collected:

For planning the business
May be sold to a third party
Must not be used in an inappropriate manner

Prentice Hall, 2003

12

Cookies
Cookiea small piece of data that is
passed back and forth between a Web site
and an end users browser as the user
navigates the site; enables sites to keep
track of users activities without asking for
identification
Cookies can be used to invade an individual s
privacy
Personal information collected via cookies has
the potential to be used in illegal and
unethical ways
Prentice Hall, 2003
13

Cookies (cont.)
Solutions to unwanted cookies
Users can delete cookie files stored in their
computer
Use of anti-cookie software
Passporta Microsoft component that lets
consumers permanently enter a profile of
information along with a password and use
this information and password repeatedly
to access services at multiple sites
Prentice Hall, 2003

14

Protection of Privacy
Notice/awareness
Choice/consent
Access/participation
Integrity/security
Enforcement/redress
Supported in the U.S. by the Federal
Internet Privacy Protection Act
Supported in the European Union by EU
Data Protection Directive
Prentice Hall, 2003

15

Intellectual Property Rights

Intellectual property (IP)creations
of the mind, such as inventions,
literary and artistic works, and
symbols, names, images, and
designs used in commerce

Prentice Hall, 2003

16

Intellectual Property Rights (cont.)

Copyrightan exclusive grant from
the government that allows the
owner to reproduce a work, in whole
or in part, and to distribute, perform,
or display it to the public in any form
or manner, including the Internet
Digital watermarksunique identifiers
imbedded in digital content that make it
possible to identify pirated works
Prentice Hall, 2003

17

Intellectual Property Rights (cont.)

Trademarksa symbol used by businesses to identify
their goods and services; government registration of the
trademark confers exclusive legal right to its use
Gives exclusive rights to:
Use trademark on goods and services
registered to that sign
Take legal action to prevent anyone from using
trademark without consent
Patenta document that grants the holder
exclusive rights on an invention for a fixed
number of years
Prentice Hall, 2003
18

Free Speech and

Censorship on the Internet
The issue of censorship is one of the most
important to Web surfers
Most citizens are implacably opposed to
censorship in any form except censorship of
whatever they personally happen to find
offensive.
Citizen action groups desiring to protect every
ounce of their freedom to speak
Children s Online Protection Act (COPA)
Governments protective of their role in society
Prentice Hall, 2003

19

Controlling Spamming
Spammingthe practice of indiscriminately
broadcasting messages over the Internet (e.g., junk
mail)
Spam comprised 25 to 50% of all e-mail
Slows the internet in general; sometimes Shuts
ISPs down completely
Electronic Mailbox Protection Act
ISPs are required to offer spam-blocking software
Recipients of spam have the right to request
termination of future spam from the same
sender and to bring civil action if necessary
Prentice Hall, 2003

20

Cyber Crime
Fraud
Intentional deceit or trickery, often with the
aim of financial gain

Cyber attack
An electronic attack, either criminal trespass
over the Internet (cyber intrusion) or
unauthorized access that results in damaged
files, pro-grams, or hardware (cyber
vandalism)
Prentice Hall, 2003

21

The Players: Hackers, Crackers,

and Other Attackers
Hackers
Original hackers created the Unix operating
system and helped build the Internet, Usenet,
and World Wide Web; and, used their skills to
test the strength and integrity of computer
systems
Over time, the term hacker came to be applied
to rogue programmers who illegally break into
computers and networks
Prentice Hall, 2003

22

The Players: Hackers, Crackers,

and Other Attackers (cont.)
Crackers
People who engage in unlawful or
damaging hacking short for criminal
hackers

Other attackers
Script kiddies are ego-driven, unskilled
crackers who use information and software
(scripts) that they download from the
Internet to inflict damage on targeted sites
Prentice Hall, 2003

23

Internet Security
Cyber attacks are on the rise
Internet connections are increasingly
a point of attack
The variety of attacks is on the rise
Why now?
Because thats where the money and
information is!
Prentice Hall, 2003

24

Internet Security (cont.)

Factors have contributed to the rise in
cyber attacks:
Security and ease of use are antithetical to
one another
Security takes a back seat to market pressures
Security of an EC site depends on the security
of the Internet as a whole
Security vulnerabilities are mushrooming
Security is compromised by common
applications
Prentice Hall, 2003

25

Basic Security Issues

From the user s perspective:
How can the user be sure that the Web
server is owned and operated by a
legitimate company?
How does the user know that the Web
page and form do not contain some
malicious or dangerous code or content?
How does the user know that the Web
server will not distribute the information
the user provides to some other party?
Prentice Hall, 2003

26

Basic Security Issues (cont.)

From the company s perspective:
How does the company know the user will not
attempt to break into the Web server or alter
the pages and content at the site?
How does the company know that the user
will not try to disrupt the server so that it is
not available to others?

Prentice Hall, 2003

27

Basic Security Issues (cont.)

From both parties perspectives:
How do they know that the network
connection is free from eavesdropping
by a third party listening in on the line?
How do they know that the information
sent back and forth between the server
and the user s browser has not been
altered?
Prentice Hall, 2003

28

Basic Security Issues (cont.)

Authorization
The process that ensures that a person
has the right to access certain resources

Authentication
The process by which one entity verifies
that another entity is who they claim to
be by checking credentials of some sort

Prentice Hall, 2003

29

Basic Security Issues (cont.)

Auditing
The process of collecting information about
attempts to access particular resources,
use particular privileges, or perform other
security actions

Confidentiality (privacy)
Integrity
As applied to data, the ability to protect
data from being altered or destroyed in an
unauthorized or accidental manner
Prentice Hall, 2003

30

Basic Security Issues (cont.)

Integrity
As applied to data, the ability to protect
data from being altered or destroyed in
an unauthorized or accidental manner

Availability
Nonrepudiation
The ability to limit parties from refuting
that a legitimate transaction took place,
usually by means of a signature
Prentice Hall, 2003

31

Exhibit 9.2
General Security Issues at E-Commerce Sites

Prentice Hall, 2003

32

Types of Cyber Attacks

Technical attack
An attack perpetrated using software and
systems knowledge or expertise

Nontechnical attack
An attack in which a perpetrator uses
chicanery or other form of persuasion to trick
people into revealing sensitive information or
performing actions that compromise the
security of a network
Prentice Hall, 2003

33

Types of Cyber Attacks (cont.)

Common vulnerabilities and exposures
(CVEs)
Publicly known computer security risks or
problems; these are collected, enumerated, and
shared by a board of security-related
organizations (cve.mitre.org)

Denial-of-service (DoS) attack

An attack on a Web site in which an attacker
uses specialized software to send a flood of data
packets to the target computer with the aim of
overloading its resources
Prentice Hall, 2003
34

Types of Cyber Attacks (cont.)

Distributed denial of service (DDoS) attack
A denial-of-service attack in which the attacker
gains illegal administrative access to as many
computers on the Internet as possible and uses
these multiple computers to send a flood of data
packets to the target computer

Malware
A generic term for malicious software

Prentice Hall, 2003

35

Exhibit 9.3
Using Zombies in a DDoS Attack

Prentice Hall, 2003

36

Types of Cyber Attacks (cont.)

Virus
A piece of software code that inserts itself into
a host, including the operating systems, to
propagate; it cannot run independently but
requires that its host program be run to
activate it

Worm
A software program that runs independently,
consuming the resources of its host from
within in order to maintain itself and
propagating a complete working version of
itself onto another machine
Prentice Hall, 2003
37

Types of Cyber Attacks (cont.)

Trojan horse
A program that appears to have a useful
function but that contains a hidden function
that presents a security risk

Two of the better-known Trojan horses Back

Orifice and NetBus
Self-contained and self-installing utilities that
can be used to remotely control and monitor
the victim s computer over a network
(execute commands, list files, upload and
download files on the victims computer)
Prentice Hall, 2003

38

Trojan Horse Attack

on Bugtraq List
BugTraqa full disclosure moderated
mailing list for the detailed discussion
and announcement of computer
security vulnerabilities:
What they are
How to exploit them
How to fix them
Prentice Hall, 2003

39

Trojan Horse Attack

on Bugtraq List (cont.)
SecurityFocus.com experts have
been fooled
Sent the code containing a Trojan horse
to its 37,000 BugTrac subscribers
Network Associates server found itself
under attack
The way the list is moderated did not
change
Prentice Hall, 2003

40

Security Technologies
Internet and EC security is a thriving
business
Firewalls and Access Control
One major impediments to EC is the concern
about the security of internal networks
Sidestep the issue by letting third parties
host their Web sites
Primary means of access control is password

Prentice Hall, 2003

41

Security Technologies (cont.)

Firewall
A network node consisting of both hardware
and software that isolates a private network
from a public network

Intrusion detection system (IDS)

A special category of software that can
monitor activity across a network or on a
host computer, watch for suspicious activity,
and take automated action based on what it
sees

Prentice Hall, 2003

42

Security Technologies (cont.)

Security risk management
A systematic process for determining the
likelihood of various security attacks and
for identifying the actions needed to
prevent or mitigate those attacks
Assessment
Planning
Implementation
Monitoring
Prentice Hall, 2003

43

Managerial Issues
How can the global nature of EC impact
business operations?
What sorts of legal and ethical issues
should be of major concern to an EC
enterprise?
What are the business consequences of
poor security?
Prentice Hall, 2003

44

Managerial Issues (cont.)

Are we safe if there are few
visitors to our EC site?
Is technology the key to EC
security?
Where are the security threats
likely to come from?

Prentice Hall, 2003

45

Summary
Describe the differences between legal
and ethical issues in EC
Understand the difficulties of protecting
privacy in EC
Discuss the issues of intellectual property
rights in EC.proven to be particularly
Understand the conflict between free
speech and censorship on the Internet
Prentice Hall, 2003

46

Summary (cont.)
Document the rapid rise in computer and
network security attacks
Understand the factors contributing to the rise
of EC security breaches
Describe the key security issues facing EC
sites
Discuss some of the major types of cyber
attacks against EC sites
Describe some of the technologies used to
secure EC sites
Prentice Hall, 2003

47