
Legal and Ethical Aspects of Computer Hacking

ECE4112 – Internetwork Security

Georgia Institute of Technology
Some History of Hacking

• December 1993 USENET posting by Farmer and Venema
• Idea of using the techniques of an intruder to evaluate system security
• Approach can help companies secure their systems
• Security Administrator Tool for Analyzing Networks (SATAN)

ECE 4110 - Internetwork Security 2


Ethical Hacking

• Approval from the organization inside which the hacking will occur
• Tiger team uses tools and techniques to evaluate security
• Inform the owner of files and systems before the fact


Hackers

• Term coined by the media back when computer time was stolen by unauthorized users
• Prior to this media-coined term, a Hacker was: “a person who enjoys exploring the details of programmable systems and how to stretch their capabilities; … one who programs enthusiastically.”
Learning to Hack

• Hacking Schools
  – Zi Hackademy, Paris
  – Civil Hackers' School, Moscow
• Hacking Classes
  – This class
  – Government training
  – Company training


Ethical or Not?

• So who is responsible for the outcome of these teachings?
  – It’s the teachers! They are the ones teaching such techniques and tools and inflicting painful examinations.
  – It’s the students! They are responsible for the actions they decide to take after learning tools that others use to attack. How can you figure out how to defend yourself if you do not understand the attacks?

Only through knowledge can you defend yourself


The Law

• What types of policies are in place?
• How do they differ from each other?
• What kind of defined lines are there?
• Should these laws exist?
• Are these laws clear enough?


United States Code Title 18: Crimes and Criminal Procedure

• Part 1 > Chapter 119 > Section 2511
  – Interception and disclosure of wire, oral, or electronic communications prohibited.
• Part 1 > Chapter 121 > Section 2701
  – Unlawful access to stored communications.

http://www4.law.cornell.edu/uscode/18/


Georgia Computer Systems Protection Act HB 822

• Computer Invasion of Privacy
  – Any person who uses a computer or computer network with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority shall be guilty of the crime of computer invasion of privacy.


Patriot Act

• USA PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
• U.S. government’s anti-terrorism policy


Homeland Security

• Department of Homeland Security
• Some call this a National Police Force
• Connects 22 different agencies
• Exchange of information becomes the norm
• Centralized institution with the power to keep track of computer and email usage


Georgia Institute of Technology

• Computer and Network Usage Policy
  – Available for all students and faculty
  – http://www.oit.gatech.edu/information_security/policy/usage/
• Authorized users and uses
• Privileges for individuals
• User responsibilities
  – Access to facilities and information


GIT Computer and Network Usage Policy

4.6. Attempts to circumvent security
Users are prohibited from attempting to circumvent or subvert any system's security measures. This section does not prohibit use of security tools by personnel authorized by OIT or their unit.

4.6.1. Decoding access control information
Users are prohibited from using any computer program or device to intercept or decode passwords or similar access control information.

4.6.2. Denial of service
Deliberate attempts to degrade the performance of a computer system or network or to deprive authorized personnel of resources or access to any Institute computer system or network are prohibited.

4.6.3. Harmful activities
Harmful activities are prohibited. Examples include IP spoofing; creating and propagating viruses; port scanning; disrupting services; damaging files; or intentional destruction of or damage to equipment, software, or data.
Policy Maker Questions

• How easy is it to catch hackers, and how many hackers have been caught?
• Are these policies good enough?
• Do the current policies actually define the limits of “hacking”?
• Can companies hack into their own systems and find vulnerabilities?
• Can others find vulnerabilities for them without being asked to?


What if?

• A Georgia Tech student uses their personal PC and the school’s network to do a port scan on a commercial web site.
• A Georgia Tech student uses their personal PC and a commercial ISP to do a port scan on a commercial web site.
• A Georgia Tech student sends a “spoofed mail” from the school account that appears to come from another user.
• A Georgia Tech student uses a school computer and password-guessing software to access and crack the administrator password.
• A Georgia Tech student discovers that another user failed to log off when departing. The student uses the account to send an inflammatory email to the department chair.
Lab Enhancements

What corrections and/or improvements do you suggest for this lab? Please be very specific, and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like "add tool xyz to do more capable scanning" will not be awarded extra points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus, if tool xyz adds a capability or an additional or better learning experience for future students, here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements.


[Figure: GTISC Mini-Net network diagram, 10-19-2005. Legend: NETWORK/MASK:VLAN, Autonomous System, RIP, OSPF, BGP, Honeynet. Labeled domains: “ENTERPRISE” AS 64800, “GOOD ISP” AS 64600, “TIER 1 - omega” AS 64514, “TIER 1 - Sigma” AS 64515, “UNIVERSITY” AS 64900, “BAD ISP” AS 64700. Router, server, honeypot and addressing detail not reproduced.]
References

1. Pfleeger, Charles. (2000). Security in Computing (2nd ed.). Upper Saddle River, NJ: Prentice Hall PTR.

2. From RedDragon on IRC, handed to newbies. January 16, 2001. http://newdata.box.sk/2001/jan/are.you.a.hacker.html

3. Protect Yourselves From Hackers CDs. 2002. http://www.onedollarcds.com/hack

4. Vasilyev, Ilya V. Civil Hackers' School. April 12, 1999. http://klein.zen.ru/hscool/

5. Coomarasamy, James. Learning to Hack. BBC News. December 1, 2001. http://news.bbc.co.uk/1/hi/world/europe/1686450.stm

6. Georgia Computer Systems Protection Act. Last modified June 29, 2002. http://www.security.gatech.edu/policy/law_library/gcspa.html

7. Title 18, Part 1, Chapter 119, Section 2511 – Interception and disclosure of wire, oral, or electronic communications prohibited. US Code Collection. http://www4.law.cornell.edu/uscode/18/2511.html

8. Title 18, Part 1, Chapter 121, Section 2701 – Unlawful access to stored communications. US Code Collection. http://www4.law.cornell.edu/uscode/18/2701.html

9. Minow, Mary. The USA PATRIOT Act and Patron Privacy on Library Internet Terminals. February 15, 2002. http://www.llrx.com/features/usapatriotact.htm

10. The Editorial Board. Bush Homeland Security bill nears passage by US Congress. November 18, 2002. http://www.wsws.org/articles/2002/nov2002/home-n18.shtml

11. Georgia Institute of Technology Computer and Network Usage Policy. Office of Information Technology. Last modified October 20, 2003. http://www.oit.gatech.edu/information_security/policy/usage/

12. Baase, Sara. A Gift of Fire: Social, Legal, and Ethical Issues for Computers and the Internet (2nd ed.). Prentice Hall. 2003. Page 289.

13. Palmer, C.C. Ethical Hacking. IBM Systems Journal. International Business Machines Corporation. Copyright 2001. http://www.research.ibm.com/journal/sj/403/palmer.html

14. Harvey, Brian. Computer Hacking and Ethics. April 1985. http://www.cs.berkeley.edu/~bh/hackers.html

15. Shell, Barry. Ethical Hacking. Georgia Straight Weekly, Vancouver, BC. September 14, 2000. http://css.sfu.ca/update/ethical-hacking.html
