Friday, December 2, 2011

ENTRY # 3 COMPUTER HACKING

Activity 2.1 Researching hacking cases
Research one of the following hacking cases, either by typing one of the keywords into a search engine or by consulting the recommended textbooks:
  • Kevin Mitnick
  • Raphael Gray
  • Masters of Deception
  • Mafiaboy
  • Legion of Doom
  • Robert Morris' Internet Worm
From your research, answer the following questions:
What was this case about?
  •  The case concerned computer hacking: an 18-year-old, Raphael Gray, broke into e-commerce sites and exposed some 26,000 credit card numbers.
  •  Raphael Gray (an internet "hacker" who exposed Microsoft security weaknesses) was arrested at his home on 23 March 2000. He was an 18-year-old hacker from rural Wales. The case alleged that he had intruded into nine e-commerce websites in Britain, America, Canada, Thailand and Japan, taken details of some 26,000 credit card numbers, and disclosed some of that credit card information on the Internet. When interviewed, he said that he had for some time been concerned about an inherent security weakness in one particular piece of software, Microsoft Internet Information Server.
What were the protagonist and parties involved?
  •  The protagonist was Raphael Gray himself. The other parties involved were the law enforcement officers, the e-commerce sites whose systems were intruded into, the other organisations concerned, and the owners of the exposed credit card information.

Did any prosecution result? If so, what were the outcomes?

             The prosecution accepted that Raphael Gray's motivation was to expose and publicise the fact that e-commerce retailers had weak security measures and were vulnerable to hacking, and to warn individuals using those sites not to trust their credit card details to such retailers.
             He initially faced a ten-count indictment. Section 2 of the Computer Misuse Act 1990 covers unauthorised access to a computer with intent to commit or facilitate a further offence.
             The first six counts were brought under section 2(1) of the Computer Misuse Act 1990, the further offence alleged being an act causing an unauthorised modification of the contents of a computer under section 3(1). The remaining four counts alleged obtaining services by deception on two separate occasions, by using a credit card number he had downloaded to set up two separate websites on which to display the credit card information, together with the related section 2(1) offences. Section 1 of the Act, by contrast, covers simple unauthorised access.
             On 28 March 2001 the prosecution reduced the first six counts to section 1 charges of simple unauthorised access, on condition that the defendant pleaded guilty to the remaining four counts. Raphael Gray was then given a two-year community rehabilitation order.



What ethical issues are raised by this case? 


  • The ethical issue in this case is that Raphael Gray's stated intention was to make users of the e-commerce sites aware that the credit card and personal information they entered there was vulnerable to hacking and could be used by anyone with bad intentions. In doing so, however, he violated the UK Computer Misuse Act, because he exposed those credit card numbers and details to the public. His intention may have been good, but the owners of the e-commerce sites and of the credit cards would reasonably regard his act as unethical, because he gained unauthorised access to that information.



Activity 2.3 The Computer Fraud And Abuse Act
Find out about the US Computer Fraud and Abuse Act(CFAA).
How does this Act compare with the UK Computer Misuse Act?
The following URL is recommended as a starting point for your research, though you may also want to consult some of the recommended texts and other articles:
www.eff.org/Legislation/CFAA

Activity 2.5 Arguments against Hacking
Write a summary of the main arguments against hacking, from a legal, professional and ethical perspective.
  • From a legal perspective, hacking is illegal: unauthorised access to computer material is a criminal offence (as set out in the Computer Misuse Act 1990). Although it is illegal, hackers sometimes commit this offence in order to disclose information that others regard as "confidential" but which, in their view, the public deserves to know.
  • From an ethical perspective, hacking is also argued to be an unethical act of trespass: electronic entry into a computer system is viewed in the same way as physical entry into an office or home, if computers are regarded as material possessions.
  • From a professional perspective, hacking is considered unprofessional, since breaking into others' computer systems can disrupt businesses and organisations. It also raises a professional dilemma: although no code of conduct or professional body sanctions it, hackers are often offered work as security consultants in information security firms.

Monday, November 28, 2011

IT Professional Ethics Assignment 2

Case 1
Three years ago, Diane started her own consulting business. She has been so successful that she now has several people working for her and many clients. Their consulting work includes advising on how to set up corporate intranets, designing database management systems, and advising about security.
Presently she is designing a database management system for the personnel office of a medium-sized company. Diane has involved the client in the design process, informing the CEO, the director of computing, and the director of personnel about the progress of the system. It is now time to make decisions about the kind and degree of security to build into the system. Diane has described several options to the client. Because the system is going to cost more than they planned, the client has decided to opt for a less secure system. She believes the information they will be storing is extremely sensitive. It will include performance evaluations, medical records for filing insurance claims, salaries, and so forth.
With weak security, employees working on client machines may be able to figure out ways to get access to this data, not to mention the possibility of on-line access from hackers. Diane feels strongly that the system should be much more secure. She has tried to explain the risks, but the CEO, director of computing and director of personnel all agree that less security will do. What should she do? Should she refuse to build the system as they request?
Diane, as an adviser on database management systems and an expert in information security, must explain to the client, and especially to its CEO, why strong security matters for the personnel database she is currently designing for the company. She must act professionally in making a clear case for implementing strong security, even though the client has decided on weak security. She must convince the CEO that strong security will lower the risk of a security breach and reduce unauthorised use of sensitive information, while acknowledging that it carries a higher cost to implement and maintain. Diane must decide in favour of her own integrity and that of her company. Professionals do not make excuses. As with other requests, if they are offered ways in which they could improve, or are reprimanded for inappropriate behaviour, a professional accepts the correction (whether they agree with it or not), tries to consider and apply the suggestion or do better next time, and then moves on.
Case 2
Consider an HCI consultant with extensive experience in evaluating web sites and graphical user interfaces (GUI). She has just received an evaluation contract for a new accounting product made by Company A, due to her prior experience with e-commerce site evaluation. The work involves assessing the training requirements and the usability of the system. During the initial configuration of her usability laboratory, she becomes aware that the software she is to evaluate contains a GUI already patented by a rival, Company B, which she evaluated several weeks before. Under her contractual arrangements, she is not allowed to discuss the evaluation of a product with anyone outside the contract. She therefore has an obligation to Company B not to provide information regarding their product to anyone else without their permission. She has a similar obligation to Company A. Can she continue with the evaluation? If she cannot continue with the evaluation, how does she inform Company A of the patent violation? Does she have an obligation to let Company B know that Company A has copied their GUI?
As a consultant with extensive experience in evaluating web sites and graphical user interfaces, she should not continue evaluating the GUI that Company A has given her. She should seek the view of a lawyer regarding the incident. Holding two contracts that overlap in this way could lead to legal problems for her in the near future, so as a professional she must give up one of the assessments she is holding. To inform Company A of the patent violation, she should do so with the company's lawyer present.
Submitted by:
            Rex Louie Pilongo
            Renato Arante
            Jesson Dela Peña
            Veniza Joy Macaraeg
            Hazel Ann Martinez


Saturday, November 26, 2011

IT PROFESSIONAL ETHICS WITH QUALITY CONSCIOUSNESS - IT RELATED SOCIETY

 IT RELATED SOCIETY

Information Systems Audit and Control Association (ISACA - Manila Chapter)
ISACA is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance.
Connect and Network:
As an ISACA member, you belong to a community of professionals that share mutual goals, interests and commitments. Becoming involved with your local chapter will allow you to make valuable connections with peers, share knowledge and discover new opportunities in your profession.
Programs & Projects:
CISA - The Certified Information Systems Auditor (CISA) program, sponsored by ISACA, promotes and evaluates the competencies of IS audit, control, assurance and security professionals. Since 1978, CISA has been the globally accepted standard of competency among IS audit, control, assurance and security professionals. CISA certification signifies proficiency and a commitment to excellence in serving an organization and the profession with distinction.
CISM- The Certified Information Security Manager (CISM) certification program is developed specifically for experienced information security managers and those who have information security management responsibilities. The CISM certification is for the individual who manages, designs, oversees and/or assesses an enterprise's information security (IS). The CISM certification promotes international practices and provides executive management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services. Individuals earning the CISM certification become part of an elite peer network, attaining a one-of-a-kind credential. The CISM job practice also defines a global job description for the information security manager and a method to measure existing staff or compare prospective new hires.
Vision:
ISACA VISION
To be the recognized leader in IT governance, control and assurance.
ISACA MANILA VISION
To promote IT Governance, Control and Assurance in both public and private sectors.
Mission:
ISACA MISSION
To support enterprise objectives through the development, provision and promotion of research, standards, competencies and practices for the effective governance, control and assurance of information systems and technology.
ISACA MANILA MISSION
To support organization’s objectives by actively advocating IT Governance, control and assurance of information systems and technology.

Understanding the ISACA Code of Professional Ethics

The Information Systems Audit and Control Association (ISACA) has set forth a code governing the professional conduct and ethics of all certified IS auditors and members of the association. As a CISA, you are bound to uphold this code. The following points represent the true spirit and intent of this code:
  • You agree to support the implementation of appropriate policies, standards, guidelines, and procedures for information systems. You will also encourage compliance with this objective.

  • You agree to serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon your profession. The public expects and trusts auditors to conduct their work in an ethical and honest manner.

  • You promise to maintain privacy and confidentiality of information obtained during your audit except for required disclosure to legal authorities. Information you obtain during the audit will not be used for personal benefit.

  • You agree to undertake only those activities in which you are professionally competent and will strive to improve your competency. Your effectiveness in auditing depends on how evidence is gathered, analyzed, and reported.

  • You promise to disclose accurate results of all work and significant facts to the appropriate parties.

  • You agree to support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.

  • The failure of a CISA to comply with this code of professional ethics may result in an investigation with possible sanctions or disciplinary measures.
Ethics statements are necessary to demonstrate the level of honesty and professionalism expected of every auditor. Overall, your profession requires you to be honest and fair in all representations you make. The goal is to build trust with clients. Your behavior should reflect a positive image on your profession. All IS auditors are depending on you to help maintain the high quality and integrity that clients expect from a CISA.

Note: Every CISA should have a strong understanding of these objectives and how each would apply to different audit situations.


Submitted by:
            Rex Louie Pilongo
            Renato Arante
            Jesson Dela Peña
            Veniza Joy Macaraeg
            Hazel Ann Martinez

