Computer Security And Computer Crimes. Problem under consideration A software flaw was found in a...

Computer Security And Computer Crimes

Page 1

Computer Security And Computer Crimes

Page 2

Problem under consideration

• A software flaw was found in a national bank's web site that allows anyone who knows about the flaw to read all information about other people's bank accounts. You consider it a serious privacy risk. You sent e-mail to the bank about the problem but received no answer. What should you do next? Discuss pros and cons of various possible actions.

Page 3

Discussions covered

• Individual’s standpoint

• Bank’s perspective

Page 4

Individual’s standpoint

Customer Decision Tree

• Stage I: Call Customer Support Representative

• Stage II: Take Advantage / Do Nothing / Try Again

Page 5

Individual’s standpoint (cont’d.)

[Customer Decision Tree…]

• Take Advantage
  – Harmless Hacking
  – Malicious Hacking
  – Hacktivism

• Do Nothing
  – Close Account

• Try Again
  – Follow Executive Hierarchy
  – Repetition till remedy
  – Eye on possibility of threats

Page 6

Individual’s standpoint (cont’d.)

1. Take Advantage of the Situation

• Use your knowledge to hack the web site

– Harmless hacking
  • Let the bank know they have been hacked
  • Probably illegal
  • Forces the bank to confront security breach
  • Is this ethically justified?

Page 7

Individual’s standpoint (cont’d.)

[1. Take Advantage of the Situation…]

– Malicious hacking
  • Access accounts yourself
  • Disrupt service and/or steal money
  • Very much illegal
  • Severe penalties
  • No ethical justification

Page 8

Individual’s standpoint (cont’d.)

[1. Take Advantage of the Situation…]

– Hacktivism
  • Disrupt service
  • Tell other customers that web site is unsafe
  • Very much illegal or valid civil disobedience?
  • Penalties may not be as severe

Page 9

Individual’s standpoint (cont’d.)

[1. Take Advantage of the Situation…]

• In all three hacking examples the bank may incur serious losses
  – Financial
  – Customer relationships
  – Service disruptions

Page 10

Individual’s standpoint (cont’d.)

2. Do Nothing

• Close account and go away
  – Problem still exists
  – Save your own hide
  – No recognition of responsibility to anyone beyond yourself; socially irresponsible
  – Absolutely the least one can do
  – Don’t care about bank’s further actions

Page 11

Individual’s standpoint (cont’d.)

3. Try again

• Go up one level in complaint
  – Threaten to leave
  – Threaten to go to authorities (FDIC)
  – Threaten to go to media

• Repeat process as necessary, through chain of command

Page 12

Individual’s standpoint (cont’d.)

[3. Try again…]

• Follow through on threats

• Shows
  – Social responsibility
  – Customer loyalty

Page 13

Bank’s Perspective: Decision Tree

• Informed of Glitch
  – Do Nothing
  – Do Something
    • Internal Fix
    • External Fix

Page 14

Bank’s Perspective

1. Keep quiet about it

– Don’t draw attention
  • Keep secret from hackers
– Reliance on secrecy
  • Cheap
– Cost of fix vs. cost of liability
  • Cost of exposure could have consequences beyond the cost of fixing the problem

Page 15

Bank’s Perspective (cont’d.)

2. Analyze and fix problem internally

– Problem can be fixed without undue publicity
– Minimal disruption of service
– Question of competence
  • Can we trust the people who broke it to fix it?
– Potentially most cost effective

Page 16

Bank’s Perspective (cont’d.)

[2. Analyze and fix problem internally…]

– Check the flaw and see if any others exist
– Check on potential of IT team
  • Maybe hire a hacker to test other parts of the system
– Let it stay within the bank

Page 17

Bank’s Perspective (cont’d.)

3. Third party security audit

– What requires auditing?
  • Hardware
  • Software
  • Network
– Personnel evaluation

Page 18

Bank’s Perspective (cont’d.)

[3. Third party security audit…]

– Question of security
  • Threat of exposure
  • Exposes secrets to outside entity

Page 19

Bank’s Perspective (cont’d.)

• How to decide

– Has anyone been injured
  • Loss of money
  • Loss of personal information
– Consequences of breach becoming known
  • Known only to hackers
  • Known to general public
– Ethical considerations

Page 20

Comments / Questions