Information Systems Malpractice and Crime www.ICT-Teacher.com


• Explain the consequences of malpractice and crime on information systems.

• Describe the possible weak points within information technology systems.

• Describe the measures that can be taken to protect information technology systems against internal and external threats.

• Describe the particular issues surrounding access to, and use of the Internet, e.g. censorship, security, ethics.


Hacking

• Unauthorised access to data held on a computer system.

• Inside knowledge of user IDs and passwords to gain knowledge.

• Used for theft of data, or collecting credit card details for purchases.


Hackers Dictionary: (A Hacker)

• A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.

• One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.

• A person capable of appreciating hack value.

• A person who is good at programming quickly.

• An expert at a particular program, or one who frequently does work using it or on it.

• An expert or enthusiast of any kind. One might be an astronomy hacker, for example.

• One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.

• A Cracker is a malicious meddler who tries to discover sensitive information by poking around.


Fraud

• Give an example of computer fraud?

• Companies use the Internet to trade under a false name.

• Companies use the Internet to sell non-existent products.


Minimizing Potential for Succumbing to Fraudulent Sites

• Never accept a site that seems "too good to be true"; it probably is!

• Never transmit any personal data such as social security number, telephone number, home address, or email address without knowing to whom it is being sent.

• Always refer to several sources when collecting information. Look for consistency.

• Examine the site for credible information including author's name, title, references, affiliations with well-known organizations, etc.


Other Offences

• Denial of Service Attack:

– A web site is flooded with data with the intention of making it crash, preventing legitimate users from gaining access. Considerable financial losses could occur during the time the site is down.

• Gambling:

– Virtual casinos in cyberspace. Used by organised crime for money laundering in countries with little regulation.

• Pornography & Paedophilia:

– Posting and downloading of obscene images and news items, the use of newsgroups and chat rooms to illegally entrap vulnerable children.

• Cyber-stalking:

– Unwanted persistent e-mail from an unwanted source.

• Hate sites:

– Websites run by extremists to promote their views, personal details may be published to endanger the safety of their targets. Includes animal rights, bomb makers, racists, etc.


Topical Offences

• What is e-mail Spam?

• What is theft of identity?


Viruses

• Developed to cause damage to computer files and systems.

• Usually a small executable file transferred from a floppy disk, or from an e-mail attachment, that copies itself into the computer’s operating system.

• The virus can then perform tasks ranging from overwriting files, causing them to be deleted, to running certain software such as e-mail and sending data back to the source of the virus.

• A virus can lie dormant until the computer reaches a certain date on its internal clock and then become active.


Types of Virus

• Boot sector virus: activated when an infected floppy disk is left in the computer when switched off. On switching on, the processor will read the floppy disk for any executable files before loading the operating system.

• File virus: attached to an executable file and runs when the legitimate program runs. Common viruses are attached to an e-mail attachment; when the attachment is opened, the virus runs.

• Macro virus: embedded in word processors and spreadsheets. A macro is a mini program which does repetitive tasks.


Trojan Horse

• Trojan horse attacks are accomplished by inserting malicious code into other people's programs. When the user executes their program, they unintentionally execute the Trojan horse program.

• The Trojan horse programs are as variable as any other possible software program in their actions, and these Trojan horse programs may be used by criminals to commit fraud, embezzlement, sabotage and espionage.

• Software was the traditional source of Trojan horses, though many current web sites insert a small piece of code (a cookie) into your browser file, which may contain a Trojan horse.


Logic Bomb

• A logic bomb is a computer instruction that codes for a malicious act when certain criteria are met, such as a specified time in a computer's internal clock or a particular action, such as deletion of a program or file. It can be activated remotely by the creator. Used by extortionists to blackmail an organisation.

• What are the possible weak points within a system?

– Consider where the points of entry are.


Individual Security

• Never accept disks or programs without checking them first using a current version of an anti-viral program.

• Never use software or demos with doubtful origins.

• If you lend a disk to anyone, check it when you get it back, BEFORE you use it again.

• Never leave a floppy disk in the disk drive longer than necessary.

• Never boot your machine with a disk in the disk drive, unless it is a known "Clean" bootable system disk.

• Always scan any program or document downloaded onto your machine before you open or read it (e-mail attachments).

• Be aware of "cookies", files which are automatically transferred to users' computers when they visit particular web sites.


Office Security

• Measures taken could be:

• Vetting of prospective employees,

• Removal of sacked / resigned employees and immediate removal of their access rights,

• Separation of duties/access, job functions separated where no one person has access to all areas,

• Creation of secure rooms, personal readable cards or locks on computers,

• Use of passwords,

• Alertness of staff, tidiness, machines switched off,

• Security manager / database administrator has monitoring software to trace who has accessed what material.


Protection from Viruses

• Buy new software in sealed packaging.

• Not allowing the use of personal floppy disks in the system.

• Use of anti-virus software that is kept up-to-date.

• Remote users when logging in have to wait for a ‘call back’ from the system.


Backup and Recovery

• Most organisations do a regular back-up of all their files (copying and saving in a secure place).

• What problem may arise from periodic back-up?

• A contingency plan for recovery from severe disruption would (as well as file recovery) include spare hardware and an alternative communications network.


Censorship


Parental Supervision

• Parents have a responsibility to their children to know and understand the Internet and what it has to offer.

• Parents should learn as much as possible about the current technologies that block or allow access to Internet information.

• Cyber Patrol, which suggests and blocks Web sites. Parents can choose from a list of 35,000 sites as either appropriate or inappropriate for children.

• CYBER Sitter, which blocks and monitors sites that parents choose from a list of 44,000 Web sites that are termed inappropriate based on labels and ratings.

• Net Nanny, which blocks and monitors sites that parents choose from a list of 21,000 sites that are termed either appropriate or inappropriate for children. It also uses words and phrases that block access to inappropriate Web sites.


• What are the possible problems with these types of software?

• Why could banning the word ‘sex’ from sites be a problem?


Censorship laws ban Internet freedom

• Blocking technology is usually unsuccessful due to:

– Under-blocking

– Over-blocking

– Subjective

– Error-prone

– Discrimination

– Wrong Focus
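Over-blocking and under-blocking by a word-based filter, as an added example that is not part of the original slides. The blocked-word list, the page titles and the allow/deny labels are constructed for illustration.

```python
import re

BLOCKED_WORDS = ["sex"]  # constructed block list, following the slide's question

# Constructed page titles: (title, should a child be allowed to see it?)
SAMPLE_TITLES = [
    ("Sussex County Council: bin collection dates", True),
    ("Middlesex cricket fixtures", True),
    ("Biology revision: sex chromosomes X and Y", True),
    ("Adults-only picture gallery", False),
]


def substring_blocked(text, words=BLOCKED_WORDS):
    """Naive filter: block if a banned word appears anywhere in the text."""
    lowered = text.lower()
    return any(word in lowered for word in words)


def whole_word_blocked(text, words=BLOCKED_WORDS):
    """Stricter filter: block only when a banned word stands alone."""
    pattern = r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b"
    return re.search(pattern, text, re.IGNORECASE) is not None


def evaluate(filter_fn, samples=SAMPLE_TITLES):
    """Return (over_blocked, under_blocked) titles for one filter."""
    over = [title for title, allowed in samples if allowed and filter_fn(title)]
    under = [title for title, allowed in samples
             if not allowed and not filter_fn(title)]
    return over, under


if __name__ == "__main__":
    for name, fn in [("substring", substring_blocked),
                     ("whole word", whole_word_blocked)]:
        over, under = evaluate(fn)
        print(f"{name}: over-blocked={over} under-blocked={under}")
```

Whole-word matching removes the place-name errors, but the biology page is still blocked and the page that never uses the word is still missed.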


Keeping Files/Data Secure

• Definitions:

• Security: safe from physical loss.

• Integrity: accuracy of stored data.

• Privacy: protected from unauthorised access.


Security

• Accidental corruption:

• Screen prompts such as 'Are you really sure you want to delete this', or locking file to 'read only' can help, but the best way to guard against natural disasters such as flood or fire, is to make copies and keep them safely off site.

• Deliberate corruption:

• This includes hackers and virus attack. Simple security measures include:

• locks on doors and computers,

• not leaving printed output lying around,

• logging off when leaving a terminal,

• using anti-virus software.


Back-Up

• File copy: Simply copy the file to another medium, e.g. floppy disk. File must be small enough to fit. Simple, but any changes in between copies will be lost.

• Incremental backup: This is useful for data that is relatively static, i.e. doesn't change much, for example a desktop computer that stores its data files on a network. You make a compressed, single file of all data, then periodically add a smaller file containing new or deleted data.

• Transaction log: You make a copy of a file, then keep in another file details of all changes (transactions) made to the file. If there is a problem, go back to the earlier copy and rerun the changes. Expensive on processing time.

• Mirror: This is where a complete system is run in parallel. All changes are made to both systems. Costly.
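The transaction-log method described above, next to a plain file copy, as an added example that is not part of the original slides. The class name, record keys and values are constructed, and the log is held in memory here where a real system would write it to a separate medium.

```python
import copy


class LoggedFile:
    """A data file protected by an earlier full copy plus a log of later changes."""

    def __init__(self, records):
        self.live = dict(records)
        self.backup = copy.deepcopy(self.live)  # the earlier copy
        self.log = []                           # stands in for "another file"

    def set(self, key, value):
        self.log.append(("set", key, value))    # record the change, then apply it
        self.live[key] = value

    def delete(self, key):
        self.log.append(("delete", key, None))
        self.live.pop(key, None)


def recover(backup, log):
    """Go back to the earlier copy and rerun every logged change in order."""
    restored = copy.deepcopy(backup)
    for op, key, value in log:
        if op == "set":
            restored[key] = value
        elif op == "delete":
            restored.pop(key, None)
        else:
            raise ValueError(f"unknown log entry: {op!r}")
    return restored


def demo():
    """Return (state before the fault, log-based recovery, file-copy-only recovery)."""
    data = LoggedFile({"acct-001": 250, "acct-002": 90})  # constructed records
    data.set("acct-001", 300)
    data.delete("acct-002")
    data.set("acct-003", 40)
    expected = dict(data.live)
    data.live = {"acct-001": "#corrupt#"}        # simulate the problem
    file_copy_only = copy.deepcopy(data.backup)  # plain copy: later changes are lost
    return expected, recover(data.backup, data.log), file_copy_only


if __name__ == "__main__":
    print(demo())
```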


Encryption

• Files can be encrypted, so they look like gibberish until decrypted.

• Two common methods are transposition and substitution.

• Transposition: the file is written out in a grid, and instead of reading left to right, it is read top to bottom.

• Substitution: letters are substituted, e.g. numbers for vowels, other letters with next letter in alphabet.
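The two methods described above with their decryption, as an added example that is not part of the original slides. The grid width and the vowel-to-digit table are assumptions, since the slide does not give them.

```python
# Assumption: which digit stands for which vowel is not given on the slide.
VOWEL_TO_DIGIT = {"a": "1", "e": "2", "i": "3", "o": "4", "u": "5"}
DIGIT_TO_VOWEL = {d: v for v, d in VOWEL_TO_DIGIT.items()}


def transpose_encrypt(text, cols):
    """Write text row by row into a grid `cols` wide, read it column by column."""
    return "".join(text[c::cols] for c in range(cols))


def transpose_decrypt(cipher, cols):
    """Rebuild the columns (the first `extra` are one longer), then read the rows."""
    rows, extra = divmod(len(cipher), cols)
    columns, pos = [], 0
    for c in range(cols):
        length = rows + (1 if c < extra else 0)
        columns.append(cipher[pos:pos + length])
        pos += length
    return "".join(col[r] for r in range(rows + 1)
                   for col in columns if r < len(col))


def substitute_encrypt(text):
    """Vowels become digits; other letters become the next letter (z wraps to a)."""
    out = []
    for ch in text.lower():
        if ch.isdigit():
            raise ValueError("digits in the plaintext would be ambiguous")
        if ch in VOWEL_TO_DIGIT:
            out.append(VOWEL_TO_DIGIT[ch])
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 1) % 26 + ord("a")))
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def substitute_decrypt(cipher):
    """Digits go back to vowels; every letter moves back one place."""
    out = []
    for ch in cipher:
        if ch in DIGIT_TO_VOWEL:
            out.append(DIGIT_TO_VOWEL[ch])
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") - 1) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)
```

Transposition keeps every original character and this substitution has no key, so both show the mechanism only and do not protect real data.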


Examples of unethical and criminal behaviour:

• Stealing copyright and credit for intellectual property.

• Intercepting private e-mail.

• Display of pornographic material.

• Deliberate public misinformation.

• Misuse of research material.

• Improper/fraudulent commercial/personal use of the network.

• Stealing credit information.

• Display of information that could be harmful.


The Ten Commandments from the Computer Ethics Institute:

• Thou shalt not use a computer to harm other people.

• Thou shalt not interfere with other people’s computer work.

• Thou shalt not snoop around in other people’s files.

• Thou shalt not use a computer to steal.

• Thou shalt not use a computer to bear false witness.

• Thou shalt not use or copy software which is not paid for.

• Thou shalt not use other people’s resources without permission.

• Thou shalt not appropriate other people’s intellectual output.

• Thou shalt think about the social consequences of the program you write.

• Thou shalt use a computer in ways that show consideration and respect.