Chapter 3-Notes
Public Domain Software
• Public domain software has no owner and is not protected by copyright law.
• It was either created with public funds, or ownership was forfeited by the creator.
• Can be copied, sold and/or modified.
• Often of poor quality or unreliable.
Freeware License
• Freeware is copyrighted software that is licensed to be copied and distributed without charge.
• Freeware is free, but it's still under the owner's control.
Shareware License
• A shareware software license allows you to use the software for a trial period, but you must pay a registration fee to the owner for permanent use.
• Some shareware trials expire on a certain date.
• Payment depends on the honor system.
• Purchasing (the right to use) the software may also get you a version with more powerful features and published documentation.
All Rights Reserved License
• May be used by the purchaser according to the exact details spelled out in the license agreement.
• You can't legally use it, or even possess it, without the owner's permission.
Open Source
• What is Open Source?
  • Source code is free to look at.
  • Compiled application is (typically) free to use.
  • Licensed under one of many OSS licenses.
  • Licenses are typically GPL compatible.
• GPL
  • GNU General Public License v3
  • Created by Richard Stallman
  • Fundamental example of an open-source license.
  • Highly restrictive.
  if (use_gpl_code) {
      distribute_changes_as_gpl();                 /* your modifications must be released under the GPL */
      distribute_linked_apps_as_gpl_compatible();  /* programs linked to GPL code must be GPL compatible */
  }
• LGPL
  • GNU Lesser General Public License
  • Can be linked to by non-GPL compatible software.
  • Can be distributed with your software…
  if (modify_lgpl_program) {
      distribute_changes_as_lgpl();    /* changes to the LGPL library itself must stay LGPL */
  } else {
      distribute_however_you_like();   /* merely linking to it does not constrain your own license */
  }
Prof. Rushikesh R. Nikam                               Department Computer Engineering
Subject: Management Information system                                          Semester: VII
• MIT License
  • Only 20 lines!
  • Liberal terms.
  • Use this code however you like...
  if (modify_mit_program) {
      sublicense_however();            /* relicense your modified version under any terms */
      give_attribution();              /* but keep the original copyright notice */
  } else {
      distribute_with_mit_license();   /* unmodified copies ship with the MIT license text */
  }
Computer Crime
• Computer criminals: people using a computer to commit an illegal act
• Who are computer criminals?
  • Employees, disgruntled or dishonest: the largest category
  • Outside users: customers or suppliers
  • “Hackers” and “crackers”: hackers do it “for fun” but crackers have malicious intent
  • Organized crime: tracking illegal enterprises, forgery, counterfeiting
Types of Computer Crime
• Damage to computers, programs or files
  • Viruses: migrate through systems attached to files and programs
  • Worms: continuously self-replicate
• Theft
  • Of hardware, software, data, computer time
  • Software piracy: unauthorized copies of copyrighted material
• View/Manipulation
  • “Unauthorized entry” and a “harmless message” are still illegal
Cyber-crime
Cyber-crime refers to the use of information technology to commit crimes. Cyber-crimes can range from simply annoying computer users to huge financial losses and even the loss of human life. The growth of smartphones and other high-end mobile devices that have access to the internet has also contributed to the growth of cyber-crime.
Once the information has been acquired by the cyber-criminal, it can be used to make purchases online while impersonating someone else. One of the ways that cyber-criminals obtain such personal details is phishing. Phishing involves creating fake websites or emails that look like those of legitimate businesses.
For example, an email that appears to come from YAHOO may ask the user to confirm their personal details, including contact numbers and email password. If the user falls for the trick, updates the details and provides the password, the attacker will have access to the victim's personal details and email.
If the victim uses services such as PayPal, then the attacker can use the account to make purchases online or transfer funds.
Other phishing techniques involve the use of fake Wi-Fi hotspots that look like legitimate ones. This is common in public places such as restaurants and airports. If an unsuspecting user logs on to such a network, cyber-criminals may try to gain access to sensitive information such as usernames, passwords, credit card numbers, etc.
According to the US Department of Justice, a former State Department employee used email phishing to gain access to the email and social media accounts of hundreds of women and accessed explicit photos. He used the photos to extort the women, threatening to make the photos public if they did not give in to his demands.
Copyright infringement
Piracy is one of the biggest problems with digital products. Websites such as The Pirate Bay are used to distribute copyrighted materials such as audio, video, software, etc. Copyright infringement refers to the unauthorized use of copyrighted materials.
Fast internet access and falling storage costs have also contributed to the growth of copyright infringement crimes.
Click fraud
Advertising companies such as Google AdSense offer pay-per-click advertising services. Click fraud occurs when a person clicks such a link with no interest in what is advertised, only to generate pay-per-click revenue. This can also be accomplished by using automated software that makes the clicks.
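The automated clicking described above leaves a pattern in the click log: the same client address hitting the same ad far more often than any human would. The following detector is an added example (not part of the original notes or any AdSense code); the log format, the one-minute window and the threshold of four clicks are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed click log ("timestamp,ad_id,client_ip"); not real advertising data.
CLICK_LOG = """\
2024-03-01T10:00:01,ad-42,198.51.100.7
2024-03-01T10:00:03,ad-42,198.51.100.7
2024-03-01T10:00:04,ad-42,198.51.100.7
2024-03-01T10:00:06,ad-42,198.51.100.7
2024-03-01T10:00:09,ad-42,198.51.100.7
2024-03-01T10:01:00,ad-42,203.0.113.5
2024-03-01T10:45:00,ad-42,203.0.113.5
2024-03-01T10:02:00,ad-17,203.0.113.9
"""

WINDOW = timedelta(minutes=1)  # assumed sliding window
MAX_CLICKS = 4                 # assumed: more than 4 clicks per ad per IP per window is suspect

def parse_clicks(text):
    """Parse log lines into (timestamp, ad_id, ip) tuples, skipping blank lines."""
    clicks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ad_id, ip = line.strip().split(",")
        clicks.append((datetime.fromisoformat(ts), ad_id, ip))
    return clicks

def suspicious_sources(clicks, window=WINDOW, max_clicks=MAX_CLICKS):
    """Return {(ip, ad_id): peak_clicks} for sources whose clicks on one ad exceed
    max_clicks inside any window-sized span. Visitors rarely click the same ad
    five times in ten seconds; a click bot does."""
    by_source = defaultdict(list)
    for ts, ad_id, ip in clicks:
        by_source[(ip, ad_id)].append(ts)
    flagged = {}
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop clicks older than the window
                start += 1
            count = end - start + 1
            if count > max_clicks:
                flagged[source] = max(count, flagged.get(source, 0))
    return flagged

if __name__ == "__main__":
    for (ip, ad_id), peak in suspicious_sources(parse_clicks(CLICK_LOG)).items():
        print(f"{ip} clicked {ad_id} {peak} times within {WINDOW}: exclude from billing")
```

The two clicks from 203.0.113.5 are 44 minutes apart and are never flagged; only the burst from 198.51.100.7 is, and those clicks would be excluded from what the advertiser is billed.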
Advance Fee Fraud
An email is sent to the target victim that promises them a lot of money in return for helping the sender claim their inheritance money.
In such cases, the criminal usually pretends to be a close relative of a very rich, well-known person who has died. He/she claims to have inherited the wealth of the late rich person and needs help to claim the inheritance. He/she will ask for financial assistance and promise to reward the victim later. If the victim sends the money to the scammer, the scammer vanishes and the victim loses the money.
Hacking
Hacking is used to bypass security controls to gain unauthorized access to a system. Once the attacker has gained access to the system, they can do whatever they want. Some of the common activities done when a system is hacked are:
• Install programs that allow the attackers to spy on the user or control their system remotely
• Deface websites
• Steal sensitive information. This can be done using techniques such as SQL injection, exploiting vulnerabilities in the database software to gain access, social engineering techniques that trick users into submitting IDs and passwords, etc.
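SQL injection, named above as one way of stealing sensitive information, works whenever user input is pasted into SQL text. The example below is added here (it is not from the original notes) and contrasts a login check built by string concatenation with the same check using bound parameters; the in-memory table and the stored "hash" value are constructed stand-ins.

```python
import sqlite3

# Constructed in-memory users table so the example runs offline (not a real schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
conn.commit()

def login_vulnerable(username, password_hash):
    """Builds the query by string concatenation: whatever the user typed becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone() is not None

def login_hardened(username, password_hash):
    """Parameterised query: the driver binds the values, so they can never become SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None

if __name__ == "__main__":
    # A username of "alice' --" turns the rest of the concatenated query into an SQL
    # comment, so the password check vanishes; the bound parameter is just a string.
    injected = "alice' --"
    print("vulnerable:", login_vulnerable(injected, "wrong"))  # True: check bypassed
    print("hardened:  ", login_hardened(injected, "wrong"))    # False: no such user
```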
Computer virus
Viruses are unauthorized programs that can annoy users, steal sensitive data or be used to take control of computer-controlled equipment.
Computer viruses – these are the malicious programs described in the section above. The threats posed by viruses can be eliminated, or their impact minimized, by using anti-virus software and following the organization's laid-down security best practices.
Unauthorized access – the standard control is a combination of a username and a password. Hackers have learnt how to circumvent these controls if the user does not follow security best practices. Most organizations have added the use of mobile devices such as phones to provide an extra layer of security.
Take Gmail as an example: if Google is suspicious of a login to an account, it will ask the person about to log in to confirm their identity using their Android-powered mobile device, or send an SMS with a PIN that supplements the username and password.
If a company does not have enough resources to implement extra security like Google, it can use other techniques. These include asking users questions during signup, such as what town they grew up in or the name of their first pet. If the person provides accurate answers to these questions, access is granted to the system.
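The SMS PIN described above only adds security if the server enforces that the PIN is unpredictable, short-lived, single-use and limited to a few guesses, and that it never replaces the password. The code below is an added example showing those server-side rules (it is not Google's implementation); the in-memory store, the five-minute lifetime and the three-attempt limit are assumptions, and the PIN is returned instead of sent by SMS so the example runs offline.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumed: a PIN is valid for five minutes
MAX_ATTEMPTS = 3        # assumed: three wrong guesses invalidate the PIN

class PinStore:
    """Server-side record of the one-time PIN issued to each user (assumed in-memory store)."""

    def __init__(self, now=time.time):
        self._now = now                # injectable clock so expiry can be tested
        self._pending = {}             # username -> [pin, expires_at, attempts_left]

    def issue(self, username):
        # secrets, not random: the PIN must be unpredictable to an attacker
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = [pin, self._now() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        return pin   # would go out over SMS; returned here so the example runs offline

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False               # nothing issued, already used, or locked out
        pin, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[username]
            return False               # an expired PIN is never accepted
        # constant-time comparison: no timing hint about how many digits matched
        if hmac.compare_digest(pin.encode(), submitted.encode()):
            del self._pending[username]   # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]   # too many guesses: user must request a new PIN
        return False

def login(username, password_ok, store, submitted_pin):
    """The PIN supplements the password: both factors must succeed."""
    if not password_ok:
        return False
    return store.verify(username, submitted_pin)
```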
Data loss – if the data center catches fire or is flooded, the hardware holding the data can be damaged and the data on it lost. As a standard security best practice, most organizations keep backups of the data at remote locations. The backups are made periodically and are usually kept in more than one remote location.
Biometric identification – this is now becoming very common, especially with mobile devices such as smartphones. The phone can record the user's fingerprint and use it for authentication. This makes it harder for attackers to gain unauthorized access to the mobile device. Such technology can also be used to stop unauthorized people from getting access to your devices.
Summary:
With great power comes great responsibility. Information systems bring new opportunities and advantages to how we do business, but they also introduce issues that can negatively affect society (cybercrime). An organization needs to address these issues and come up with a framework (MIS security, ICT policy, etc.) that addresses them.
Vulnerability
• A software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment.
• Vulnerability characterizes the absence or weakness of a safeguard that could be exploited.
• E.g.: a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security, etc.
Threat
Risk
• Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
• Reducing vulnerability and/or threat reduces the risk.
• E.g.: If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner.
Exposure
• An exposure is an instance of being exposed to losses from a threat agent.
• A vulnerability exposes an organization to possible damage.
• E.g.: If password management is weak and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.
Technology has a wide range of applications in education, business, health, industry, the banking sector and scientific research on a large scale. With the rapid advancement of information technology, it is necessary to understand the security issues, privacy issues and main negative impacts of IT. To deal with these issues in the IT society it is important to identify the ethical issues.
Some of the major ethical issues faced by Information Technology (IT) are:
 1. Personal Privacy
 2. Access Right
 3. Harmful Actions
 4. Patents
 5. Copyright
 6. Trade Secrets
 7. Liability
 8. Piracy
These are explained, with their effects, below:
        1. Personal Privacy:
Personal privacy is an important aspect of ethical issues in information technology. IT lets users with their own hardware, operating system and software tools access servers that are connected to each other and to the users by a network. Because the network is distributed on a large scale, large amounts of data or information are transferred, which carries hidden risks of disclosing information and violating the privacy of individuals or groups. It is a major challenge for the IT society and organizations to maintain the privacy and integrity of data.
Accidental disclosure to inappropriate individuals, and provisions to protect the accuracy of data, also come under the privacy issue.
        2. Access Right:
The second aspect of ethical issues in information technology is access right. Access right has become a high-priority issue for IT and cyberspace with the great advancement in technology. The evolution of e-commerce and electronic payment systems on the internet has heightened this issue for corporate organizations and government agencies. A network on the internet cannot be made secure from unauthorized access. Generally, an intrusion detection system is used to determine whether a user is an intruder or a legitimate user.
        3. Harmful Actions:
Harmful actions in computer ethics refer to damage or negative consequences to IT, such as loss of important information, loss of property, loss of ownership, destruction of property and other undesirable substantial impacts. This principle of ethical conduct restricts any outsider from using information technology in a manner that leads to a loss for any user, employee, employer or the general public.
Typically, these actions comprise the intentional destruction or alteration of files and programs, which causes a serious loss of resources. Recovering from harmful actions requires extra time and effort, for example to remove viruses from computer systems.
        4. Patents:
Patents are a more difficult type of ethical issue to deal with. A patent can preserve the unique and secret aspects of an idea. Obtaining a patent is very difficult compared with obtaining a copyright. A thorough disclosure of the software is required: the patent holder has to reveal the full details of the program, in enough detail that a proficient programmer could build it.
        5. Copyright:
Information security specialists need to be familiar with the necessary concepts of copyright law. Copyright law is a very powerful legal tool for protecting computer software, both before a security breach and certainly after one. Such a breach could be the mishandling and misuse of data, computer programs, documentation and similar material. In many countries, copyright legislation has been amended or revised to provide explicit laws protecting computer programs.
        6. Trade Secrets:
Trade secrets are also a significant ethical issue in information technology. A trade secret secures something of value and usefulness. This law protects the private aspects of ideas that are known only to the discoverer or his confidants. Once disclosed, the trade secret is lost as such and is protected only by trade secret law. The application of trade secret law is very broad in the computer field, where even a slight head start in the development of software or hardware can provide a significant competitive advantage.
        7. Liability:
One should be aware of the liability issue when making ethical decisions. A software developer makes promises and assertions to the user about the nature and quality of the product, which can be construed as an express warranty. Programmers or retailers have the legal right to determine the express warranties. Thus, they have to be realistic when they make claims and predictions about the capabilities, quality and nature of their software or hardware. Every word they say about their product may be as legally binding as if it were stated in writing. All agreements should be in writing to protect against liability. A disclaimer of express warranties can free a supplier from being held responsible for informal, speculative statements or forecasts made during the agreement stages.
        8. Piracy:
Piracy is the activity of making illegal copies of software. It is entirely up to the owner of the software whether or not users may make backup copies of it. As copyright protection laws evolve, legislation that would stop unauthorized duplication of software is also under consideration. The software industry is prepared to fight software piracy. The courts are dealing with an increasing number of actions concerning the protection of software.
Identify the five factors that contribute to the increasing vulnerability of information resources, and provide a specific example of each one.
1. Today's interconnected, interdependent, wirelessly networked business environment. Example: the Internet.
2. Smaller, faster, cheaper computers and storage devices. Examples: netbooks, thumb drives, iPads.
3. Decreasing skills necessary to be a computer hacker. Example: information system hacking programs circulating on the Internet.
4. International organized crime taking over cybercrime. Example: organized crime has formed transnational cybercrime cartels. Because it is difficult to know exactly where cyberattacks originate, these cartels are extremely hard to bring to justice.
5. Lack of management support. Example: suppose that your company spent $10 million on information security countermeasures last year and did not experience any successful attacks on its information resources. Short-sighted management might conclude that the company could spend less during the next year and obtain the same results. Bad idea.
Compare and contrast human mistakes and social engineering, and provide a specific example of each one.
Human mistakes are unintentional errors. However, employees can also make unintentional mistakes as a result of actions by an attacker, such as social engineering. Example: tailgating.
Social engineering is an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information. Example: an attacker calls an employee on the phone and impersonates a superior in the company.
Cyberterrorism and cyberwarfare - attackers use a target's computer systems, particularly through the Internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda.