De La Salle University – Manila

An Introduction to the IM Profession and Ethics

Paper Presented to
The Faculty of the College of Computer Studies
De La Salle University – Manila

In Partial Fulfillment of the Requirements for the Degree of
Bachelor of Science in Information Systems

By:
Changcoco, Amos
Dimla, Ysabel Nicole
Ramchand, Pavan
Tanchuling, Bianca Denise
Tibayan, Jan Michael

1.0 COMPUTER AND INTERNET CRIME

1.1 Types of Exploits

1.1.1 Virus

A virus is malicious code attached to a file or executable program that can attack the files on the victim's computer and reformat, delete or modify them.
The virus is executed only when the file that contains it is opened or when the infected program is run. It leaves infections behind as it travels from one computer to another. The spread of a virus relies on users: it propagates whenever they use removable media devices, download files or exchange e-mails. An example of a computer virus is the Pikachu virus, which was the first computer virus directed at children. The virus is said to have started on June 28, 2000 from Asia or the Pacific Ocean region.
The virus arrived as an e-mail titled “Pikachu Pokemon” with the message “Pikachu is your friend.” The e-mail contained an image of the cartoon character Pikachu from the TV series Pokemon, with the message, “Between millions of people around the world I found you. Don't forget to remember this day every time MY FRIEND.” The Pikachu virus infected only a few companies in the United States, through Microsoft Outlook e-mail attachments or through Microsoft's Internet Explorer browser.
The reason only a few companies were harmed, and the virus did not spread widely, is that it was not coded properly: it would ask the user for permission before deleting the files on the user's computer.

1.1.2 Worm

A worm is malicious code used to bring down a computer system. A worm does not infect files; instead it monopolizes the computer's CPU and operating system and is capable of deleting data and programs. It infects a computer by finding a vulnerability in an application or operating system. A worm is self-replicating and uses the network to copy itself to other computers.
It does not rely on human interaction to spread to other computers. An example is the Morris Worm, also known as the Great Worm. Created by a Cornell University student named Robert Tappan Morris in the year 1968, the Morris Worm consisted of 99 lines of code. Robert Morris wanted to know how big the Internet was and made the worm to find the answer. It is noted that the creator did not have malicious intent in making this worm; however, the worm caused immense stability problems that made many systems unusable.
The damage was over 6,000 infected UNIX machines, at a cost between $10,000,000 and $100,000,000. This example is an ethical dilemma because the creator did not have evil intentions in making the worm, yet it had bad effects on many people in America. Under the psychological egoism theory the act would be ethical, because Robert Morris acted on his own selfish motive, whether he should have or not, which makes him moral by that theory. Based on the hedonism theory, it was ethical of Morris because he was only doing his duty without knowing that his actions would bring about negative effects.

1.1.3 Trojan Horse
Named after the Trojan horse of Troy, which was used to infiltrate the enemy's territory through a disguise, a Trojan horse is disguised as something else (such as a program or file) but is actually malicious code, or contains malicious code. Similar to a virus, a Trojan horse is executed when the file carrying it is opened or the program containing the malicious code is run. A Trojan horse can do anything from light damage, such as changing the desktop, to serious damage, such as deleting files, stealing data, or activating and spreading other malware on the victim's system.
Trojan horses are also used to create a 'back door' in the operating system so that hackers can access the system. However, a Trojan horse cannot duplicate itself or self-replicate; it needs the user to spread it to other computers. An example of a Trojan horse comes from a pirated version of Apple's suite of software, iWork. iServices was the Trojan horse bundled with the pirated version of iWork; it signalled to the hackers that the Mac was infected and that they had access to the system.
This is an ethical dilemma because the people who buy pirated software such as iWork do not know that there is a Trojan horse in it. It was unethical of the sellers to place a Trojan horse in the software without their customers' consent, because deontology states that it was not the duty of the vendors to hack into their customers' systems in the first place. It was also unethical under the theory of altruism, because the interests of others were not considered: many people suffer due to the actions of the vendors.
Utilitarianism, which is consequence-based, gives yet another reason why it is unethical. Lastly, social contract theory states that the vendors' actions were unethical because it is against the law to hack into and infiltrate private property. A logic bomb is a type of Trojan horse that is triggered only by a series of specific events, such as a specific sequence of keystrokes or a change in a file.

1.1.4 Botnets

A botnet is a network of infected computers that are controlled through bots.
Named after the word 'robot', a bot is a type of malware that allows an attacker to take control of an affected computer. Criminals can use the controlled computer to send out spam, spread viruses, attack other computers and even commit crime and fraud, without the owner knowing it. Bots are also called computer zombies because the computer has no control over its actions; the hackers are in charge of them.

1.1.5 Distributed Denial-of-Service Attacks (DDoS Attacks)

A Distributed Denial-of-Service Attack is when a malicious hacker controls computers through the Internet.
It is an attempt to prevent the computer's owner from using a network resource or machine. It consists of one or more people trying to prevent a certain host from being connected to the Internet.

1.1.6 Rootkits

The name rootkit comes from two words: 'root', which refers to the point it attacks, namely the administrator, the source or the root account, and 'kit', because it is a set of programs. A rootkit is a set of programs that enables its user to gain administrator-level access to a computer without the owner's consent or knowledge.
The owner of the rootkit is capable of executing files and changing system configurations on the target machine, as well as accessing log files or monitoring activity to covertly spy on the user's computer usage. It is hard to detect whether a computer system has a rootkit.

1.1.7 Spam

E-mail spam is when e-mail systems send unsolicited e-mail to large numbers of people. Spam mostly comes as cheap advertisements of strange products such as pornography, 'get-rich-quick' schemes and the like. Spam can also be used to deliver harmful worms or other malware.

1.1.8 Phishing

Phishing is an attempt to steal personal identity data by tricking users into entering information on a counterfeit Web site.

1.2 Types of Perpetrators

1.2.1 Hackers and Crackers

Hackers are people who test the limits of a system, find the “holes”, and check which data they could access. The knowledge they use is actually obtainable through various media, usually the Internet. They were not originally considered bad, but because many of them used such knowledge to cause harm to systems, the term became negative.
A more appropriate term for these kinds of people is actually crackers.

1.2.2 Malicious Insiders

Malicious insiders are people who obtain goods, services, or property through deception or trickery, also known as fraud. In other words, they lie to gain.

1.2.3 Industrial Spies

Industrial spies are people who illegally obtain information from competitors for the benefit of their sponsor. The act is called industrial espionage; its opposite, obtaining information legally, is called competitive intelligence.
In 1993, Opel accused its rival Volkswagen of industrial espionage, owing to missing documents, after the former's chief of production and seven executives moved to the latter company. (Julian, 2011)

1.2.4 Cybercriminals

These perpetrators hack into a company's system and will do anything with the information just to gain money. One of the most famous hackers in the world is Albert Gonzalez, who used hacking to steal and resell millions of card and ATM numbers over a span of three years. He did this by attacking many systems, which eventually gave him the information needed to steal the card numbers. (Verini, 2010) Albert Gonzalez is in an ethical dilemma because he used his skills to steal information for money. Based on the deontological theory, it is unethical because it is not the duty of hackers to steal information. Based on hedonism under the utilitarian theory, it is ethical because he found pleasure in the act. Social contract theory, however, makes this act unethical, and so does virtue theory.

1.2.5 Hacktivists and Cyberterrorists

Hacktivists, combining the words “hacking” and “activist”, are people who hack to promote a political ideology.
Cyberterrorists attack to get the attention of the government as part of their political objectives. Anonymous is one of the most famous hacktivist groups because of its appearances in various media, in which members appear wearing the Guy Fawkes mask. Their advocacy is to oppose Internet censorship and surveillance, government corruption and homophobia. This is why they attacked several government sites. (Katich, 2013) The ethical dilemma the group faces is that they use hacking skills to infiltrate systems, yet they belong to the side of the people, as their objective is to make the government hear their voice.
This is ethical based on deontology because it is their duty to make the government listen to their voice. This is also ethical based on the altruistic approach, as more people will benefit from their act. However, social contract theory states that it is unethical since the act has violated the law.

1.3 Laws for Prosecuting Computer Attacks

1.3.1 Electronic Commerce Act of 2000 (RA 8792)

1.3.1.1 E-Commerce in Society

E-commerce is the process of buying and selling goods electronically, by consumers and from company to company, through computerized business transactions.
This Act has the purpose of protecting those who pursue business by electronic means over multiple communication networks and the Internet.

1.3.1.2 Elements in the Law

Electronic data messages – generally, the information contained in every transaction of the business.
Electronic document – information expressed in text, symbols, or other modes of written expression, similar in nature to electronic data messages.
Electronic signature – any distinctive mark that approves a transaction, made by a person or an entity using electronic means.

1.3.1.3 Relation to Other Laws

Laws affected by this Act include those on Intellectual Property Rights and Copyright Protection. These laws give protection to the parties involved in any business activities conducted by electronic means. Fraud is also related, as the government can charge you when you illegally accept payment by disguising your site as a reliable payment option.

1.3.1.4 Case in E-Commerce

Censorship is an essential tool for distinguishing the moral standards of websites and the cooperation of companies in acknowledging those standards.
In China, Google's operations created a storm of criticism when the company agreed to comply with the government's wishes and censor pro-democracy and other websites. In 2010, Google relocated its Chinese operations to Hong Kong, putting it outside China's censorship regime. Supporters of the decision say Google shouldn't cooperate with China's repressive policies, while critics say Google's withdrawal cut off millions of Chinese citizens from the company's services and weakened its presence in one of the world's largest markets. This case has very evident ethical issues, including Google's move to relocate its operations to Hong Kong.
This put Google out of reach of China's censorship policy so that it could use its assets more freely. However, it made the citizens of China who remain inside the jurisdiction of the censorship policy long for their beneficial search engine. Seen from Google's side, this is a rather good trade that lets it maximize the use of its services in a commercial area such as Hong Kong; yet it could have kept serving the citizens, so as to maintain its reputation for improving life in the world and be consistent with its famous line, “Don't be evil”.
I generally disagree with their decision to relocate, as they could have followed the updated utilitarianism and given their services to those who would need them the most. Still, they acted on ethical egoism in censoring pro-democracy sites, which is morally good from their perspective.

1.3.1.5 Another Example Including Google

Google gathers incredible amounts of data on people who use its search engine. As of 2011, the company's website states that although it stores records of your searches as a tool to improve corporate efficiency, it renders them anonymous after nine months and deletes cookies used to track visitors after two years.
Governments could use Google's information to investigate individuals visiting particular websites, however, and Google Earth's photo collection has also raised privacy questions: in 2008, a couple sued on the grounds that online photos of their home violated their privacy, but a judge threw out the lawsuit the next year. This case provides insight into how Google can be of great use to our society, as it can help the government catch fugitives, suspects and criminals with its records of the searches of every person using its search engine; yet this leaves it open to violating privacy when it abuses that kind of power.
The couple's lawsuit may have been dismissed by a judge, but it is supported by ethical theories, namely the rights-based theories, which state that there are social contracts that should be acknowledged, and these include their right to privacy. Google may legally store records such as the photos from Google Earth, but it should have to limit its power in exercising its duty, as it is also supported by the duty-based theories through its daily or continual task of improving corporate efficiency as well as giving us access to unlimited knowledge.

1.3.2 Cybercrime Prevention Act of 2012 (RA 10175)

1.3.2.1 Preliminary Provisions

1.3.2.1.1 Brief History of RA 10175

The Cybercrime Prevention Act of 2012, also known as Republic Act No. 10175, was approved on September 12, 2012. This is the first law in the Philippines which specifically criminalizes computer-related crimes. The Cybercrime Prevention Act in its current form is the product of House Bill No. 5808, authored by Representative Susan Yap-Sulit of the second district of Tarlac and 36 other co-authors. The final version of the Act was signed into law by President Benigno Aquino III on September 12, 2012.

1.3.2.1.2 Declaration of Policy
The main objective of this Act is to protect the people from cybercrimes and from the harmful effects associated with them. The State also aims to recognize the vital role of the information and communications industries in the country. The State recognizes the need to protect and safeguard its citizens, and also to protect the integrity of computers and their users. The State also wants to recognize the importance of providing an environment conducive to the development, acceleration, and rational application and exploitation of information and communications technology.

1.3.2.2 General Provisions

1.3.2.2.1 Punishable Acts

The Act lists 10 punishable acts, each with an associated penalty. The punishable acts are discussed briefly below.

Offenses against the confidentiality, integrity, and availability of computer data and systems:

A. Illegal Access – accessing a computer, or a part of a computer, without any right.
B. Illegal Interception – the interception, made by the use of any technical device and without right, of a non-public transmission of data to or from a computer system, including electromagnetic emissions from a computer system carrying such data.
C. Data Interference – the intentional or reckless alteration, damaging, deletion or deterioration of computer data, an electronic document, or an electronic data message, without right, including the transmission or transfer of viruses into a system. One example is the ILOVEYOU message transmitted through electronic mail back in the year 2000.
D. System Interference – the intentional or reckless hindering of, or interference with, a functioning computer system or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data or a computer program without right or authority to do so.
E. Misuse of Devices – the use of any such material without right, covering acts like producing, manufacturing, selling, and distribution.
F. Cyber-squatting – in the simplest terms, identity theft: using another individual's identity to gain profit or scam other people on the Internet.
G. Computer-related Forgery – the illegal use of a computer to copy someone's work, and gaining illegal access to a computer to copy the contents of a system or database.
H. Computer-related Fraud – the unauthorized input, alteration, or deletion of computer data or a program, or interference in the functioning of a computer system.
I. Computer-related Identity Theft – the intentional acquisition, use, transfer, or possession of any identifying information belonging to another person, whether natural or juridical. Under this fall Cybersex and Child Pornography.
J. Libel – defined as a public and malicious imputation of a crime, or of a vice or defect, real or imaginary, or any act, omission, condition, status or circumstance tending to discredit or cause the dishonour or contempt of a natural or juridical person, committed through a computer system or any other similar means which may be devised in the future.

The above are the acts made punishable by the law as written in the bill, and these acts carry corresponding penalties once proven in court. The penalties include imprisonment, or a fine of at least two hundred thousand pesos (Php 200,000.00) up to a maximum amount commensurate to the damage incurred, or both. Prisión mayor is equivalent to imprisonment from six years and one day to twelve years.

1.3.2.3 Ethical/Moral Dilemmas

1.3.2.3.1 Situation

A 16-year-old male named “Josh Evans” was registered as the owner of the account used to send bullying messages to a girl named Megan Meier. Lori Drew, the mother of Sarah, a former friend of Meier, later admitted creating the MySpace account. She was aided by Sarah and by Ashley Grills, an 18-year-old employee of the elder Drew.
The senior Drew and several others ran the fake account, with the aim of getting information about Megan and using it against her, and also to humiliate her. This led to gossip being spread about Megan, creating a traumatic experience not only for her but also for her family.

1.3.2.3.2 Analysing Using the Four Major Ethical Theories

A. Duty-based Theory

According to the duty-based theory, an act is considered ethical if it has good intentions. Given the situation, I can clearly state that it is not an ethical thing to do. Creating or spreading false rumours is not even close to being called a good intention.
Also, gathering information about a certain person is not ethical if it will be used or held against that person. Using the duty-based theory, I can clearly state that the gathering of information about Megan is not ethical because it does not serve a good intention.

B. Utilitarianism

According to the utilitarian theory, an act is only considered ethical if it produces desirable consequences or outcomes. The outcome of the situation stated earlier is that Megan's experience was traumatic not only for herself, but also for her family.
Just by looking at this outcome, we can say that it is not considered ethical under this theory either, because of the outcomes that the group's actions caused, not only for their target but also for the relationships of other people with Megan.

C. Social Contract Theory

According to social contract theory, an act is considered ethical if it does not violate any rules or laws. In the Civil Code of the Philippines: Persons and Family Relations, Chapter 2 (Human Relations), Articles 19, 20 and 21 discuss the different rights a person possesses and how a person should exercise his or her rights.
Chapter 2 Article 19 presents the basic principles that are to be observed for the rightful relationship between human beings and the stability of the social order. Chapter 2 Article 20 provides that you are liable for any damage that you have caused to another person, whether wilfully or negligently. Chapter 2 Article 26 provides that a right must never be abused; the moment rights are abused, they cease to be rights.

D. Virtue

According to virtue theory, an action is considered ethical when it comes from a good moral principle.
Looking at the situation, it is not an ethical thing to do because it not only harms the person involved but also puts the moral principles of the suspect in question.

1.4 Trustworthy Computing

1.4.1 Microsoft's 4 Pillars of Trustworthy Computing

The 4 Pillars of Trustworthy Computing help identify the key elements in computing, especially in an organization with numerous employees to manage. Guidance is key to implementing a good and stable system, and the pillars guide not just Microsoft employees but users alike.

1.4.1.1 Security

Creation of a trustworthy environment for safe computing.

1.4.1.2 Privacy

The protection and confidentiality of design, development and testing in any organization is essential to being part of today's competitive market.

1.4.1.3 Reliability

Working as expected or promised by the developers and their entity.

1.4.1.4 Business Integrity

Being responsible and transparent in your duties and expectations as part of a workforce that strives to be excellent; a mistake is bound to happen.
Admitting a mistake is the first step in a growing process of learning new things to come.

1.4.2 Risk Assessment

Risk assessment is the process of assessing security-related risks to an organization's computers and networks from both internal and external threats. (Reynolds, 2011) A risk assessment is a process to identify potential hazards and analyse what could happen if a hazard occurs. (Federal Emergency Management Agency, 2013) The assessment assures the IT security team that they will be ready when an attack comes, because of the risk assessment they have performed.

1.4.2.1 General Security Risk Assessment Process
Step 1: Identify IT assets and prioritize those that are of most importance.
Step 2: Identify the threats/risks that could occur.
Step 3: Assess the likelihood of each threat.
Step 4: Determine the impact of each threat, from large to small, if it occurs.
Step 5: Determine how each threat can be prevented/blocked.
Step 6: Decide which is the most effective prevention method.
Step 7: Perform a cost-benefit analysis before taking any action.
Step 8: Make the decision to implement, or not to implement, the chosen risk prevention found through thorough research and development.

1.4.3 Establishing a Security Policy
A security policy defines an organization's security requirements, as well as the controls and sanctions needed to meet those requirements. (Reynolds, 2011) A good security policy can improve and provide a smooth flow of operations within an organization. NIST (National Institute of Standards and Technology) is a non-regulatory federal agency within the US Department of Commerce. Its Computer Security Division creates security standards for organizations to implement in their own systems.

1.4.4 Educating Employees, Contractors and Part-Time Workers

Surveys show that most security problems come from negligence and unawareness of the security policies.
Teaching good security practices, like not giving out your passwords and not meddling in other departments' systems, is essential. Knowing the dos and don'ts of everyday computing will help guide any workplace and direct its people toward being good users.

1.4.5 Threat Prevention

The key to a threat prevention system is layers of security systems that challenge the perpetrator trying to hack into the system.

Firewall – stands guard between an organization's internal network and the Internet.
Intrusion Prevention System – prevents an attack by blocking viruses, malformed packets and other threats from getting into a protected network.
Antivirus software – should be installed on each user's personal computer to scan the computer's disk drives and memory regularly for viruses.
User accounts that remain active after employees leave pose an uncertain threat to the company; IT staff must promptly delete them and make sure to remove all the privileges of the former employee.
The US-CERT (United States Computer Emergency Network Team) and the SANS (SysAdmin, Audit, Network, System) Institute regularly update a summary of the most frequent and high-impact threats to computer systems, specifically viruses and worms.

1.4.6 Security Audit

An important prevention tool that evaluates whether an organization has a good security policy and whether it is being followed. An example would be a requirement to change passwords every week or month; with this in place, companies are much better protected compared to others without this requirement. Basically, the audit tests, checks and reviews the system's security, looking for loopholes and easy targets.

1.4.7 Detection

The preventive measures made for a computer system are not always enough to protect important data.
Intrusion detection system – software/hardware that monitors system and network resources and notifies a system administrator when an intrusion occurs.
Knowledge-based intrusion detection system – contains information about attacks and system vulnerabilities and triggers an alarm when they are matched (e.g. repeated logins, repeated data events).
Behaviour-based intrusion detection system – compares a user's system behaviour with an admin-created model and detects when a user is not following the required model, which triggers an alarm. (Example: unusual activity from an account in the HR department accessing the IT department's data.)

1.4.8 Response
An organization should be prepared for the worst, such as a system attack that stops all operations and steals data from the company. The top priority during an attack is not to catch the perpetrator but to regain control and save what is left. Who needs to be informed, and who should not be notified? Reputation and credibility are at stake in any security breach. A company should document all details of a security breach and be able to review it afterwards to assess and study it further. Eradication of the damaged/breached information is essential, but before everything a log is required to keep track.

1.4.9 Ethical Moral Dilemmas

You are a member of a large IT security support group of a large manufacturing company. You have been awakened late at night and informed that someone has defaced your organization's website and also attempted to gain access to computer files containing a new product under development. What are your next steps? How much time would you spend tracking down the hacker? - Deontological

1.5 References

* (1999, 10). Electronic Commerce. StudyMode.com. Retrieved 10, 1999, from http://www.studymode.com/essays/Electronic-Commerce-731.html
* The Electronic Commerce Act (R.A. 8792): An Overview of IT's (Information Technology) Impact on the Philippine Legal System (2005-2006). www.ustlawreview.com/pdf/vol.L/Articles/The_Electronic_Commerce_Act_RA_8792.pdf
* What Is the Difference: Viruses, Worms, Trojans, and Bots? – Cisco Systems. (n.d.). Cisco Systems, Inc. Retrieved from http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html
* What Is A Rootkit? (n.d.). Internet / Network Security – Tips, Advice and Tutorials About Internet Security and Network Security. Retrieved from http://netsecurity.about.com/od/frequentlyaskedquestions/f/faq_rootkit.htm
* Julian. (2011). 10 Most Notorious Acts of Corporate Espionage. Retrieved from http://www.businesspundit.com/10-most-notorious-acts-of-corporate-espionage/
* Katich, A. (2013). Anonymous (Annie Katich). Retrieved from http://socialactive.wordpress.com/2013/02/25/anonymous-annie-katich/
* Verini, J. (2010). The Great Cyberheist. Retrieved from http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html
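Added illustration of the two intrusion detection approaches described in section 1.4.7 (Detection); this example is not part of the original paper. It runs a knowledge-based rule (repeated failed logins on one account) and a behaviour-based check (an HR account reading IT department data, judged against an admin-created access model) over a constructed access log; the log format, account and resource names, and the failure threshold are assumptions.

```python
"""Toy intrusion detection pass: knowledge-based and behaviour-based checks."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access log (not real data):
# timestamp, account, action, resource, result
SAMPLE_LOG = """\
2013-03-04T08:01:10 hr.alice LOGIN hr-portal OK
2013-03-04T08:02:15 it.bob LOGIN it-admin OK
2013-03-04T08:05:00 it.bob LOGIN it-admin FAIL
2013-03-04T08:05:03 it.bob LOGIN it-admin FAIL
2013-03-04T08:05:05 it.bob LOGIN it-admin FAIL
2013-03-04T08:05:09 it.bob LOGIN it-admin FAIL
2013-03-04T08:10:30 hr.alice READ hr-payroll OK
2013-03-04T08:12:44 hr.alice READ it-network-diagrams OK
2013-03-04T08:15:00 it.carol READ it-network-diagrams OK
"""

# Admin-created model for the behaviour-based check (assumed):
# department prefix of the account -> resource prefixes it may read.
ACCESS_MODEL = {
    "hr": ("hr-",),
    "it": ("it-",),
}

# Knowledge-based signature (assumed threshold): this many or more
# failed logins on one account raises an alarm.
FAILED_LOGIN_THRESHOLD = 3


@dataclass(frozen=True)
class Alert:
    kind: str      # "knowledge" or "behaviour"
    account: str
    detail: str


def parse_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, account, action, resource, result = parts
        events.append({"ts": ts, "account": account, "action": action,
                       "resource": resource, "result": result})
    return events


def knowledge_based(events):
    """Signature match: repeated failed logins on a single account."""
    failures = defaultdict(int)
    for e in events:
        if e["action"] == "LOGIN" and e["result"] == "FAIL":
            failures[e["account"]] += 1
    return [Alert("knowledge", acct, f"{n} failed logins")
            for acct, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]


def behaviour_based(events, model=ACCESS_MODEL):
    """Model deviation: an account reads a resource outside its department."""
    alerts = []
    for e in events:
        if e["action"] != "READ":
            continue
        dept = e["account"].split(".", 1)[0]
        allowed = model.get(dept, ())          # unknown department: nothing allowed
        if not e["resource"].startswith(allowed):
            alerts.append(Alert("behaviour", e["account"],
                                f"read {e['resource']} outside the {dept} model"))
    return alerts


def run_ids(text):
    """Run both checks over a log and return the alerts that would notify an admin."""
    events = parse_log(text)
    return knowledge_based(events) + behaviour_based(events)


if __name__ == "__main__":
    for a in run_ids(SAMPLE_LOG):
        print(f"[{a.kind}] {a.account}: {a.detail}")
```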