U of I CS 498 - Law and Security

This preview shows page 1-2-17-18-19-36-37 out of 37 pages.


Slide #6-1
Law and Security
CS498SH – Information Assurance
Fall 2006

Slide #6-2 Overview
• Natural language policies
• Law and privacy
• Cybercrime
• Laws Affecting Computer Use

Slide #6-3 Reading Material
• Introduction to Computer Security and Computer Security: Art and Science, Chapter 4
  – UC Davis natural language policy example.
• Congressional Research Service Reports on Secrecy and Information Policy
  – http://www.fas.org/sgp/crs/secrecy/index.html
  – Specifically Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives
    • http://www.fas.org/irp/crs/RL32357.pdf
  – The Internet and the USA Patriot Act: Potential Implications for Electronic Privacy, Security, Commerce, and Government
    • http://www.epic.org/privacy/terrorism/usapatriot/RL31289.pdf
• Secrets of Computer Espionage: Tactics and Countermeasures, Joel McNamara, Chapter 2.
• Security in Computing, Charles Pfleeger and Shari Lawrence Pfleeger, Chapter 9.

Slide #6-4 Motivation
• Need to understand legal environment
  – Protect self/organization
    • From lawsuits
    • From tainted evidence
    • From attackers
  – Understand personal rights

Slide #6-5 Natural Language Security Policies
• Targeting Humans
  – Written at different levels
    • To inform end users
    • To inform lawyers
    • To inform technicians
• As with all policies, should define purpose not mechanism
  – May have additional documents that define how policy maps to mechanism
• Some common policies
  – Privacy Policies
  – Acceptable Use Policies

Slide #6-6 Example Privacy policies
• Busey Bank - http://busey.com/
  – Financial Privacy Policy
    • Targets handling of personal non-public data
    • Clarifies what data is protected
    • Who the data is shared with
  – Web Site Privacy Policy
    • Outlines how data is handled on the web site
    • Has a link to another document with more security mechanism details

Slide #6-7 Example Acceptable Use Policy
• IEEE Email Acceptable Use Policy
  – http://eleccomm.ieee.org/email-aup.shtml
  – Inform user of what he can do with IEEE email
  – Inform user of what IEEE will provide
    • Does not accept responsibility of actions resulting from user email
    • Does not guarantee privacy of IEEE computers and networks
  – Examples of acceptable and unacceptable use

Slide #6-8 Tension between Privacy and Security
• How to trade off privacy for security?
  – They who would give up an essential liberty for temporary security, deserve neither liberty or security – Benjamin Franklin
• Relevant laws and technologies
  – 4th amendment
  – Wiretapping and Carnivore
  – Patriot Act
  – Key Escrow/DES
  – Freedom of Information Act

Slide #6-9 4th Amendment
• Fundamental privacy protection
  – The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Slide #6-10 USA PATRIOT Act (USAPA)
• Covers many things
• In our scope, augments or clarifies previous laws addressing electronic privacy

Slide #6-11 Wiretapping
• Can wiretap only for “serious” crime
  – Wiretap act established in 1968
  – Set of serious crimes has grown, false info on student loan applications?
• Require court orders
  – Pen Registers and Tap-and-trace devices only capture “header” information, e.g., dialed numbers but not conversation
  – Full wiretap also captures content
  – Must demonstrate probable cause for full wiretap
• Wiretapping reports
  – http://www.uscourts.gov/library/wiretap.html

Slide #6-12 Electronic Wiretapping
• Electronic Communication Privacy Act of 1986 (ECPA)
  – Expands Wiretap Act to include electronic communications
• Three exceptions that don’t require court authorization
  – Individual can monitor communication resulting from a break-in on her computer
  – Banner that alerts computer is private implies consent to monitoring
  – Monitor to prevent misuse of system (by non-govt entity)
• USAPA said only a single court jurisdiction needed to be involved in issuing warrants

Slide #6-13 Electronic Search
• Stored Communications Act of ECPA
• Covers privacy of stored electronic data
• Requires search warrant to access data like: e-mail, voice-mail
• Two exceptions
  – Communication provider access
    • Can ask govt to help (USAPA)
  – Implied consent if supported by public policy
• Search warrant instead of wiretap implies stored data is easier to access. (USAPA)

Slide #6-14 Questionable Searches in the News
• HP's outside investigator acquired phone records
  – Using “pretexting”, pretending to be someone else
  – http://money.cnn.com/2006/09/05/technology/hp/index.htm?postversion=2006090616

Slide #6-15 Ensuring Wiretap Availability
• Communications Assurance for Law Enforcement Act of 1994 (CALEA)
  – Requires that telecommunication carriers use equipment that is compatible with wiretapping
  – Enforced by FBI group
  – Expensive to comply with
    • Estimated telcos will spend 0.5 to 2.7 billion dollars to comply over 5 years.

Slide #6-16 CALEA Expansions
• Recent FCC expansions
  – IP telephony must be CALEA compliant if server-oriented
    • Vonage, yes. Skype, no.
  – Expanded definition of service provider to include Universities
    • Still trying to figure out what this really means
    • http://connect.educause.edu/blog/blaha/the_impact_of_calea_on_higher_ed/1460

Slide #6-17 Carnivore/DCS-1000
• FBI’s program for Internet wiretaps
  – Can be tuned to track communication for specific user
  – Operate as content wiretap or trap and trace
    • Run in “tap and trace” mode. Get more stringent “content” court order if anything looks interesting
  – Gained public scrutiny in 2000
  – Software not available for public analysis
    • IIT review released
• Concerns that Carnivore really tracks all information not just the targeted user
  – Over-collection bug
  – Contaminates investigations.
    • 2002 al Qaeda investigation

Slide #6-18 Foreign Intelligence Surveillance Act (FISA)
• Addresses intelligence community instead of law enforcement
  – Generally another country is involved
• Info can be used in criminal courts with restrictions
• Separate court reviews requests

Slide #6-19 USAPA extensions to

