Thursday, March 18, 2010

My own Perspective

Erwin Alday Alampay, in his article and study Monitoring Employee Use of the Internet in Philippine Organizations, gives a very clear picture of the real situation and the possible effects of Internet use where no proper policy is in place.
This study examined the practices of Philippine organizations in monitoring employee use of the Internet. Some of the contents in the study are the following:

• A survey of 112 organizations representing a variety of industries reveals that two-thirds of organizations and business firms provide Internet access to all their employees; although the majority monitor employee Internet use, less than half have an Internet use policy in place.
• The majority of organizations block some online content and applications, particularly those related to pornography, gaming, and social networking.
• Most organizations report difficulties such as virus infections from downloaded material and excessive chatting on the Internet. The results suggest the need for more organizations to articulate their policies on Internet use, educate workers on Internet security, and formulate mechanisms to ensure the integrity of employee monitoring.
The study clearly states the significant reasons why a policy on Internet use should be implemented in organizations and business firms. Security issues arise when talking about Internet access. Viruses can come from Internet file transfers and from some online sites like the ones listed above. Considering the fact that a business firm or a specific organization can afford to have an Internet connection in its establishment and lets its employees use it, I think planning and implementing a policy with regard to Internet use should be realized.
The study truly helps.

Wednesday, March 10, 2010

Computer Attacks Case Studies Examples

Denial of Service Attack

Scott Dennis, a former computer system administrator for the U.S. District Court of Alaska, initiated three denial of service attacks on Judsys, a private mail list server that is owned and operated by the U.S. District Court for the Eastern District of New York. Dennis was able to shut the system down by flooding it with numerous emails, which resulted in the computer maintaining Judsys needing to be shut down and taken out of operation, reconfigured, and brought back online again. Investigators were able to identify Dennis as the perpetrator by tracing the Internet Protocol addresses back to his personal computer.
On January 19, 2001, Dennis was sentenced to six months incarceration; three months in jail and three months of home confinement, followed by one year of supervised release. Additionally, he must allow authorities to monitor his computer activity, and perform 240 hours of community service.

Malicious Systems Admin at UBS

A disgruntled computer systems administrator for UBS PaineWebber was charged with using a "logic bomb" to cause more than $3 million in damage to the company's computer network, and with securities fraud for his failed plan to drive down the company's stock with activation of the logic bomb. Roger Duronio is charged with one count of securities fraud, which carries a maximum penalty of 10 years in federal prison and a $1 million fine, and one count of computer fraud, which carries a maximum prison sentence of 10 years and a fine of $250,000 or, alternatively, two times the gain made by the defendant or the loss suffered by the victim.

Duronio, who worked at PaineWebber's offices in Weehawken, N.J., planted the logic bomb in some 1,000 of PaineWebber's approximately 1,500 networked computers in branch offices around the country. The logic bomb, which was activated after Duronio resigned, deleted files on over 1,000 of UBS PaineWebber's computers. It cost PaineWebber more than $3 million to assess and repair the damage. Duronio also purchased more than $21,000 of "put option" contracts for UBS PaineWebber's parent company, UBS, A.G.'s stock, hoping that the stock would decline in response to the damage caused by the logic bomb. The bomb attack did not have any impact on the price of the stock.

The investigation of Duronio was conducted by the U.S. Secret Service’s Electronic Crimes Task Force with help from UBS PaineWebber.

Robert Duronio

Unauthorized Access at North Bay


Jessica Quitugua Sabatia, a former accounts payable clerk for North Bay Health Care Group, admitted to using her computer to access North Bay’s accounting software without authorization, and in turn issued various checks payable to herself and others. Several of the checks were cashed by Sabatia or deposited into her personal bank account, and some were deposited into the bank accounts of others. She attempted to conceal the fraud by altering the electronic check registers of North Bay to make it appear as if the checks had been payable to the company’s vendors. The fraudulent scheme resulted in losses to North Bay of at least $875,035.

On May 27, 2004, Sabatia pleaded guilty to two counts of computer fraud, and faces a maximum sentence of five years in prison and a $250,000 fine.

The Melissa Worm

David L. Smith, a 31-year-old New Jersey programmer, was accused of unleashing the “Melissa” computer virus, a Visual Basic for Applications based worm. This virus was propagated by deliberately posting an infected document to an alt.sex Usenet newsgroup from a stolen AOL account. It is believed that Smith named the virus after a stripper he had known in Florida. He constructed the virus to evade anti-virus software and to infect computers using Microsoft Windows and Word programs. The Melissa virus appeared on thousands of email systems on March 26, 1999, disguised as an important message from a colleague or friend. The virus was designed to send an infected email to the first 50 email addresses in the user’s Microsoft Outlook address book. Each infected computer would infect 50 additional computers, which in turn would infect another 50 computers. The virus proliferated rapidly and exponentially, resulting in substantial interruption and impairment of public communications and services. Many system administrators had to disconnect their computer systems from the Internet. Companies such as Microsoft, Intel, Lockheed Martin and Lucent Technologies were forced to shut down their e-mail gateways due to the vast amount of email the virus was generating. To date, the Melissa virus is the most costly outbreak, causing more than $400 million in damages to North American businesses.

Smith was one of the first persons ever to be prosecuted for writing a virus. He was sentenced to 20 months in federal prison and a fine of $5,000. He was also ordered to serve three years of supervised release after completion of his prison sentence.

The investigation was conducted by members of the New Jersey State Police High Technology Crime Unit, the Federal Bureau of Investigation (FBI), the Justice Department’s Computer Crime and Intellectual Property Section, and the Defense Criminal Investigative Service.

Illegal Data Mining

The owner of Snipermail, a business that distributes advertisements via the Internet to e-mail addresses on behalf of advertisers or their brokers, was indicted for conspiracy, unauthorized access of a protected computer, access device fraud, money laundering and obstruction of justice.

It was alleged that Scott Levine and other Snipermail employees illegally accessed a computer database owned and operated by Acxiom Corporation, a company that stores, processes, and manages personal, financial, and corporate data on behalf of its clients. On numerous occasions, Levine and others illegally entered an Acxiom file transfer protocol (FTP) server and downloaded significant amounts of data. The intrusions were traced back to an Internet protocol address that belonged to one of Snipermail’s computers. The downloading of the databases lasted for a period of a year and a half and represented 8.2 gigabytes of data. While the stolen data contained personal information about a great number of individuals and could have resulted in tremendous loss if the information were used in a fraudulent way, there was no evidence to date that any of the data was misused in this way. Acxiom immediately notified law enforcement upon discovery of the intrusions into its system and assisted with the investigation, which was conducted by a task force formed by the Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS).

Scott Levine

Types of Attacks

• IP spoofing - An attacker may fake their IP address so the receiver thinks it is sent from a location that it is not actually from. There are various forms and results to this attack.
The attack may be directed to a specific computer addressed as though it is from that same computer. This may make the computer think that it is talking to itself. This may cause some operating systems such as Windows to crash or lock up.

• Gaining access through source routing - Hackers may be able to break through other friendly but less secure networks and get access to your network using this method.

• Man in the middle attack
  o Session hijacking - An attacker may watch a session open on a network. Once authentication is complete, they may attack the client computer to disable it, and use IP spoofing to claim to be the client who was just authenticated and steal the session. This attack can be prevented if the two legitimate systems share a secret which is checked periodically during the session.

• Server spoofing - A C2MYAZZ utility can be run on Windows 95 stations to request LANMAN (in the clear) authentication from the client. The attacker runs this utility while acting like the server while the user attempts to log in. If the client is tricked into sending LANMAN authentication, the attacker can read the username and password from the network packets sent.

• DNS poisoning - This is an attack where DNS information is falsified. This attack can succeed under the right conditions, but may not be very practical as an attack form. The attacker sends incorrect DNS information, which can cause traffic to be diverted. The DNS information can be falsified because name servers do not verify the source of a DNS reply. When a DNS request is sent, an attacker can send a false DNS reply with additional bogus information which the requesting DNS server may cache. This attack can be used to divert users from a correct web server, such as a bank's, and capture information from customers when they attempt to log on.
• Password cracking - Used to get the password of a user or administrator on a network and gain unauthorized access.
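As an added defensive example (not code from the original post), here is the resolver-side check a caching name server applies against the forged-reply pattern in the DNS poisoning item above: a reply must match the outstanding query's transaction ID, source address, port and question section, and any record outside the queried server's bailiwick is discarded before it can be cached. The message model, names and addresses are constructed for illustration.

```python
"""Resolver-side checks against the cache-poisoning pattern described above:
a forged reply matching an outstanding query that smuggles in extra records
for names the answering server has no authority over. Added example, not from
the original post; the dataclasses are a constructed model, not a wire parser."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    name: str     # owner name, e.g. "www.example.com."
    rtype: str    # "A", "NS", ...
    rdata: str


@dataclass
class DNSMessage:
    txid: int                   # 16-bit transaction ID
    is_response: bool           # QR bit
    question: Tuple[str, str]   # (qname, qtype)
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


@dataclass
class PendingQuery:
    msg: DNSMessage
    server: Tuple[str, int]   # (ip, port) the query was sent to
    src_port: int             # randomised source port the query left from
    bailiwick: str            # zone the queried server is authoritative for


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_reply(pending: PendingQuery, reply: DNSMessage,
                   reply_src: Tuple[str, int], reply_dst_port: int
                   ) -> Tuple[Optional[DNSMessage], str]:
    """Return (message_to_cache, reason); the message is None when rejected.
    Accepted replies have every out-of-bailiwick record removed, so bogus
    'additional' glue cannot poison the cache for unrelated names."""
    if not reply.is_response:
        return None, "not a response"
    if reply.txid != pending.msg.txid:
        return None, "transaction id mismatch"
    if reply_src != pending.server or reply_dst_port != pending.src_port:
        return None, "reply from unexpected address or port"
    if reply.question != pending.msg.question:
        return None, "question section does not match query"

    def keep(rrs: List[RR]) -> List[RR]:
        return [rr for rr in rrs if in_bailiwick(rr.name, pending.bailiwick)]

    cleaned = DNSMessage(reply.txid, True, reply.question, keep(reply.answer),
                         keep(reply.authority), keep(reply.additional))
    total = len(reply.answer) + len(reply.authority) + len(reply.additional)
    kept = len(cleaned.answer) + len(cleaned.authority) + len(cleaned.additional)
    return cleaned, f"accepted, {total - kept} out-of-bailiwick record(s) dropped"


def demo() -> dict:
    """Constructed scenario: a query for www.example.com. and a forged reply
    carrying a correct answer plus a bogus A record for a bank hostname."""
    pending = PendingQuery(DNSMessage(0x1A2B, False, ("www.example.com.", "A")),
                           ("192.0.2.53", 53), 40123, "example.com.")
    forged = DNSMessage(0x1A2B, True, ("www.example.com.", "A"),
                        answer=[RR("www.example.com.", "A", "192.0.2.10")],
                        additional=[RR("login.bank.example.", "A", "203.0.113.66")])
    accepted, why_ok = validate_reply(pending, forged, ("192.0.2.53", 53), 40123)
    # A reply with a guessed transaction ID is dropped before anything is cached.
    guessed = DNSMessage(0x0000, True, ("www.example.com.", "A"), answer=forged.answer)
    rejected, why_no = validate_reply(pending, guessed, ("192.0.2.53", 53), 40123)
    return {"accepted": accepted, "accept_reason": why_ok,
            "rejected": rejected, "reject_reason": why_no}
```

Source-port randomisation and bailiwick filtering are the two checks that make the "additional bogus information" in the text uncacheable even when the transaction ID is guessed.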


Some DoS Attacks

• Ping broadcast - A ping request packet is sent to a broadcast network address where there are many hosts. The source address in the packet is set to the IP address of the computer to be attacked. If the router to the network passes the ping broadcast, all computers on the network will respond with a ping reply to the attacked system. The attacked system will be flooded with ping responses, which will cause it to be unable to operate on the network for some time, and may even cause it to lock up. The attacked computer may be on someone else's network. One countermeasure to this attack is to block incoming traffic that is sent to a broadcast address.

• Ping of death - An oversized ICMP datagram can crash IP devices that were made before 1996.

• Smurf - An attack where a ping request is sent to a broadcast network address with the sending address spoofed so many ping replies will come back to the victim and overload the ability of the victim to process the replies.

• Teardrop - A normal packet is sent. A second packet is sent which has a fragmentation offset claiming to be inside the first fragment. This second fragment is too small to even extend outside the first fragment. This may cause an unexpected error condition to occur on the victim host, which can cause a buffer overflow and possible system crash on many operating systems.
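As an added example (not from the original post) covering the ping of death and teardrop items above, here is the reassembly-time check a host IP stack or an IDS can apply before accepting a fragment set: it flags a datagram that would exceed the IP maximum length, and a fragment that overlaps or lies entirely inside an earlier one. The fragment model and the sample fragment sets are constructed.

```python
"""Fragment-reassembly sanity checks for two malformed-packet DoS patterns
listed above: the oversized datagram (ping of death) and overlapping
fragments (teardrop). Added example, not from the original post. Fragments
are modelled as (offset, length, more) in bytes, not parsed from IP headers."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_DATAGRAM = 65535    # RFC 791: largest total length of an IP datagram
IP_HEADER_MIN = 20      # bytes of header that reassembly adds back


@dataclass(frozen=True)
class Fragment:
    offset: int   # payload byte offset (header fragment-offset field * 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # "more fragments" flag

    @property
    def end(self) -> int:
        return self.offset + self.length


def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """Return None when the set is safe to reassemble, otherwise a short
    reason naming the malformed condition. Run before any fragment data
    is copied into the reassembly buffer."""
    if not frags:
        return "empty fragment set"
    for f in frags:
        # Offsets are 8-byte aligned and only the last fragment may be short.
        if f.offset % 8 or f.length <= 0 or (f.more and f.length % 8):
            return f"invalid fragment geometry at offset {f.offset}"
        # Ping of death: reassembled datagram would exceed the 16-bit length.
        if f.end + IP_HEADER_MIN > MAX_DATAGRAM:
            return f"oversized datagram: fragment ends at byte {f.end}"
    ordered = sorted(frags, key=lambda f: f.offset)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.offset < prev.end:
            # Teardrop: the later fragment sits wholly inside the earlier one,
            # so naive code computes a negative remaining length.
            if cur.end <= prev.end:
                return (f"teardrop: fragment {cur.offset}-{cur.end} lies "
                        f"entirely inside {prev.offset}-{prev.end}")
            return f"overlapping fragments at byte {cur.offset}"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed fragment sets: one well-formed, three malformed."""
    normal = [Fragment(0, 1480, True), Fragment(1480, 1480, True),
              Fragment(2960, 500, False)]
    teardrop = [Fragment(0, 40, True), Fragment(24, 8, False)]
    overlap = [Fragment(0, 40, True), Fragment(32, 16, False)]
    # 45 full-size fragments reassemble to more than 65535 bytes.
    oversized = [Fragment(o, 1480, True) for o in range(0, 65536, 1480)]
    return {"normal": check_fragments(normal),
            "teardrop": check_fragments(teardrop),
            "overlap": check_fragments(overlap),
            "oversized": check_fragments(oversized)}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>9}: {verdict or 'ok'}")
```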

Understanding Online defamation

The law of Defamation has come under renewed scrutiny with the advent of the Internet. This is largely because it is the nature of the Internet to give the average, anonymous person an opportunity to express their opinion well-beyond any previously defined venue. Consider the fact that a person of modest means now has the ability to publish a statement, article, or news item across the world in an instant, without an editor checking the facts. Thereafter, the item will linger on the 'Net for months, or even years, impossible to recover and amend, if the "facts" are erroneous. Therefore, it is inevitable that problems are going to arise.


The main issue to remember when dealing with the Internet is that people still have their basic legal rights intact on the Net, and - likewise - the Internet is not as completely anonymous as the typical person may presume.


What is Defamation?

The law of defamation has been defined in the West for centuries, and the Internet variety holds to that same basic outline with a few twists. Defamation is the act of making an untrue statement to a third party that damages the subject's reputation. There are two subcategories of Defamation: Libel and Slander. Libel is Defaming in a printed forum, such as a newspaper or magazine. Slander is spoken Defamation, and could be made person-to-person, or broadcast over radio or television.
Technically, Defamation actionable at law follows this schema:

1. A false and defamatory statement regarding another;
2. Unprivileged publication of the claim to a third party;
3. Rising, in the case of matters of public concern, to at least negligence by the publisher, or worse; and
4. Damages to the subject.


Generally, persons defined as "Public Figures" have a higher threshold in proving someone committed Defamation against them; that is, the statement must have been made maliciously. There are also four subjects that, if falsely disseminated as fact about another person, are actionable on their face: attacking a person's professional character/standing; alleging an unmarried person is unchaste; claiming a person is infected with a sexually transmitted or loathsome disease; claiming a person has committed a crime of moral turpitude.

Is Internet Defamation Defined as Slander, Libel or Both?

Until the recent development of "podcasts" and other types of online videos such as those featured on YouTube, Defamation on the Internet was largely deemed Libel. But whether an online case of alleged Defamation falls under Libel or Slander will not be nearly as meaningful as whether the activity satisfies the basic Defamation criteria, as defined above. What is most important is to focus upon the actual statement, whether verbal or written, that a plaintiff claims is defamatory.

A recently filed case illustrates the application of a libel claim in a blogging case in NY, Stuart Pivar v. Seed Media, 2007cv07334, Filed August 16, 2007, in New York Southern District Court. Seed Media pays PZ Myers to blog at ScienceBlogs.com, and there he reviewed a book by Dr. Stuart Pivar, called "LifeCode: The Theory of Biological Self Organization" which purports to reconfigure Darwinian Evolution.

Myers claimed Pivar is a "classic crackpot" on his http://scienceblogs.com/pharyngula website. In response, the lawsuit complaint states, "Myer's defamatory remarks were made with actual malice; Myers called Plaintiff "a classic crackpot" fully knowing that statement to be false as a statement of fact and in reckless disregard of the truth about Plaintiff because Myer's knew full well, the time of publishing his defamatory statement that no scientist holding the international reputation of any of Hazen, Sasselov, Goodwin or Tyson would endorse or review the work of a crackpot."

The complaint claims Myers caused "considerable mental and emotional distress," tortious interference with the plaintiff's business relationships as a "scientist and scientific editor," and "loss of book sales and diminished returns on ten years of funded scientific research in special damages" exceeding $5 million.

The suit asks for: declaratory relief to remove defamatory statements from the web and an injunction to block further libel; $5 million in special damages for "tortious interference with business relations"; and $10 million in damages for defamation, emotional distress, and loss of reputation.
This lawsuit well illustrates the libelous cause, effect and damages of a proper tort case based upon defamation.

Can a Blog Be Sued for Defamation; Isn't It All Free Speech?

This is a knotty issue, but a short answer would be, generally, that a blog owner whose blog has published obnoxious materials can be held harmless while a blogger using the site can be liable. The Communications Decency Act of 1996 is a protector of blog owners. It states, in section 230, that it "precludes courts from entertaining claims that would place a computer service provider in a publisher's role." As to how the court sees blogs, in general, overall, the US Supreme Court has ruled that blogs are similar to news groups, saying "in the context of defamation law, the rights of the institutional media are no greater and no less than those enjoyed by other individuals and organizations engaged in the same activities."

For bloggers, all Defamation legal rules apply to their posts. But there are many complications in applying them. First, many people who post online comments, and probably those tending to make the most inflammatory and false statements, will do so anonymously, for obvious reasons. So the first threshold is identifying the blogger making Defamatory claims. Several things make this difficult as well. Since the blogger probably will not identify themselves when the issue comes to light, there needs to be a legal process that allows identification. They can be traced by high-tech means, but a court must agree via summary judgment that all the elements of Defamation have been met. This technology has some limits too, as it can be stymied through the use of "proxies," which mask the true origin of the blogger. Also, the website owner may not cooperate in the search.

A recent case showed how powerful Defamation laws, applied online, can be. In November 2006, a Florida woman, Sue Scheff, was awarded $11.3 million in damages in Broward County Circuit Court, one of the biggest awards ever recorded. The suit was filed for Internet defamation, and the jury found a Louisiana woman had posted caustic messages about Scheff and her company, claiming she was a "con artist" and "fraud". The jury found the charges were completely false, so the Louisiana woman had no defense. Interestingly, Scheff's attorney had offered to settle the case for $35,000 before it went before the jury.


What are some examples of libelous and non-libelous statements?

The following are a couple of examples from California cases; note the law may vary from state to state. Libelous (when false):

Charging someone with being a communist (in 1959)
Calling an attorney a "crook"
Describing a woman as a call girl
Accusing a minister of unethical conduct
Accusing a father of violating the confidence of his son

Not-libelous:

Calling a political foe a "thief" and "liar" in a chance encounter (because it was hyperbole in context).
Calling a TV show participant a "local loser," "chicken butt" and "big skank".
Calling someone a "bitch" or a "son of a bitch".
Changing product code name from "Carl Sagan" to "Butt Head Astronomer".


Since libel is considered in context, do not take these examples to be a hard and fast rule about particular phrases. Generally, the non-libelous examples are hyperbole or opinion, while the libelous statements are stating a defamatory fact.

How do courts look at the context of a statement?

For a blog, a court would likely start with the general tenor, setting, and format of the blog, as well as the context of the links through which the user accessed the particular entry. Next the court would look at the specific context and content of the blog entry, analyzing the extent of figurative or hyperbolic language used and the reasonable expectations of the blog's audience.

Context is critical. For example, it was not libel for ESPN to caption a photo "Evel Knievel proves you're never too old to be a pimp," since it was (in context) "not intended as a criminal accusation, nor was it reasonably susceptible to such a literal interpretation. Ironically, it was most likely intended as a compliment." However, it would be defamatory to falsely assert "our dad's a pimp" or to accuse your dad of "dabbling in the pimptorial arts." (Real case, but the defendant sons succeeded in a truth defense).

What is "Libel Per Se"?

When libel is clear on its face, without the need for any explanatory matter, it is called libel per se. The following are often found to be libelous per se:

A statement that falsely:

• Charges any person with crime, or with having been indicted, convicted, or punished for crime;

• Imputes in him the present existence of an infectious, contagious, or loathsome disease;

• Tends directly to injure him in respect to his office, profession, trade or business, either by imputing to him general disqualification in those respects that the office or other occupation peculiarly requires, or by imputing something with reference to his office, profession, trade, or business that has a natural tendency to lessen its profits;

• Imputes to him impotence or a want of chastity.

Of course, context can still matter. If you respond to a post you don't like by beginning "Jane, you ignorant slut," it may imply a want of chastity on Jane's part. But you have a good chance of convincing a court this was mere hyperbole and pop cultural reference, not a false statement of fact.

What is a "false light" claim?

Some states allow people to sue for damages that arise when others place them in a false light. Information presented in a "false light" is portrayed as factual, but creates a false impression about the plaintiff (i.e., a photograph of plaintiffs in an article about sexual abuse, because it creates the impression that the depicted persons are victims of sexual abuse). False light claims are subject to the constitutional protections discussed above.

A reaction on Profession

What is a profession?

A "calling requiring special knowledge and often long and intensive academic preparation" to prepare individuals for future career deployment in their respective fields. This means that a professional must at least practice a certain profession (e.g. law, medicine, etc.), and that defines the nature of the relationship between a professional and the profession he/she might have.
Source: www.merriam-webster.com

What is a professional?

A professional is a member of a vocation founded upon specialized educational training.

The word professional traditionally means a person who has obtained a degree in a professional field. The term professional is used more generally to denote a white collar working person, or a person who performs commercially in a field typically reserved for hobbyists or amateurs.

In western nations, such as the United States, the term commonly describes highly educated, mostly salaried workers, who enjoy considerable work autonomy, a comfortable salary, and are commonly engaged in creative and intellectually challenging work. Less technically, it may also refer to a person having impressive competence in a particular activity.

Because of the personal and confidential nature of many professional services and thus the necessity to place a great deal of trust in them, most professionals are held up to strict ethical and moral regulations.

Thanks to Miss Juvelyn Lumongtad for the whole idea. But the next question and answer is already taken from me.

Now, can I consider myself as an IT professional after I graduate?

The follow-up question sounds annoying to me. LOL. However, this question, I think, is the most challenging question to answer and is debatable as well. That is, I think, applicable to our school only.

I can’t tell, but I’d like to, but I cannot.
You see, while thinking of an answer to this question, my mind was stuck in between: whether I can consider myself an IT professional or not after I graduate. Now, if we are going to base my answer on the above definitions, yes, I could be considered an IT professional, since, firstly, I am a member of a vocation founded upon specialized educational training and, secondly, after I graduate I will already have earned a degree in a professional field. These are included in the definitions of a profession and a professional. But the question is, for Tate’s soon-to-be IT graduates, after graduation are we going to practice our degree, or what we call our profession? Meaning, are we going to apply for an IT-related job? Perhaps that is not the real question after all.

Come to think of it! You see, dear readers, of the very first graduates of IT in the college, only a few, very few or none, have worked in their profession or related fields of IT. That is because graduates/students have already developed a feeling of self-incompetence in their field. Who’s to blame? No one should be blamed. Some students lack resources like owning a PC, resulting in a lack of interest in the subjects, especially those with laboratories. The tendency is, if there are assignments that are going to be passed on a deadline, students with no resources would just tend to copy and paste. Now, is this the kind of professional we are trying to define? I can tell this because I have observed this in some and I have felt this too. Maybe the faculty could think of some possible solutions, like taking into great consideration the requirement for each student to have a PC in the first year. By this we wouldn’t be worrying about this self-incompetence anymore. It’s just a matter of good implementation and management for the betterment of IT in the college.

I hope this could be made possible. I hope this would be an eye-opener. I don’t want to see IT in Tate become worse. But so much for that; let’s go back to the challenge and try to rephrase the follow-up question. Are we going to work in our related field or not? Or, can we dare to find work in our related field? The answer is a matter of a Boolean function, 1 or 0, yes or no. Haha!

For me, I can do it, but not immediately after graduation. Maybe I could take some assessments or reviews, then take an examination that would develop my potential in IT, because truly I am not confident with what I have right now in my database. It’s up to me. LOL. I think I just need some additional learning, and after that, that’s it.