changes last made to this page 2006 May 16

In Section One  we will use material from the following texts
 

2nd Edition Chpt 4 Chpt 5

course author:Tim Richardson
 
 

.

Learning Objectives for Section 1 Section 1 is organized such that after completing this section participants will be able to understand the role of Third Parties in validation, verification and privacy policies identify the role of the government in restricting cryptographic business identify the role of the government in Third-Party Sharing / Selling of Data appreciate the controversial issues in Web Linking identify some of the registration issues of Domain Names, including Domain Name Disputes and Domain Name Hijacking understand some of the key privacy issues in the Canadian IT community and the relevant legislation

.
 

Chpt 4 E-commerce and the role of Third Parties

. S! .

.
 

Chpt 4 E-commerce and the role of Third Parties

Chpt 4, page 125 TRUSTe is a nonprofit organization that issues a seal to companies that comply with its rules of disclosure and informed consent   TRUSTe is an independent, non-profit initiative whose mission  is to build users' trust and confidence in the Internet by promoting the principles of disclosure and informed consent. . "Web sites displaying the TRUSTe  Privacy Seal are committed to abiding by a privacy policy  that gives users notice, choice, access, security, and redress with regard to their personal information."   . One of the critical areas that TRUSTe focuses on in their Public Relations is educating people about privacy issues. In fact, on their website they say "Education  is the number one priority in  privacy protection. WTGR . Under the heading of education, TRUSTe has a section titled TRUSTe's Privacy Protection Guidelines - go there  www.truste.com/education/protection_guidelines.html they have 6 points 1.      Read Privacy Statements. 2.      Seal Programs.  3.      Credit cards.  4.      Security.  5.      Common sense.  6.      Protect children

.

Chpt 4 E-commerce and the role of Third Parties

Chpt 4, page 126 "Specifically, Veri-Sign provides products that allow websites to transmit encrypted data and to provide authentication about the source and destination of the data"   www.verisign.com/corporate/about/index.html . . Verisign is one of the earliest companies to establish, and then sell, validation imaging services. The use of such services and accompanying logos helps bring credibility to vendors in a globalized online environment. . Network Solutions used to be the original Domain Name registrar. VeriSign bought Network Solutions and through its acquisition of Network Solutions, VeriSign is the world leader in domain name registration.

.

Chpt 5 Regulatory Environment                                     Chpt 5 Regulatory Environment

"Regulation of Electronic Commerce and the Internet is slowly Evolving" - the lead in sentance to Chpt 5 . While it is important to consider that Regulations are evolving slowly, we must also acknowledge that Regulations happen within a jurisdiction - there is no such thing as an Internet Police or a United Nations law of the web - regulations governing Internet use are witin the context of national government regulations - the textis a U.S. textbook, our course is in Canada, we will discuss Canadian regulations only. . Each Country has three categories of Internet Users to serve: Government agencies Businesses private citizens WTGR adds also industry associations academic institutions The text suggests the primary issues faced by these three groups, in the context of regulations, are Encryption Regulations Privacy Rights Inappropriate Web Linking Protection of copyright Material Domain Name issues Tax Policies Electronic Agreements Online Auctions . In Section A of this course we will look at Privacy Rights Inappropriate Web Linking Protection of copyright Material Domain Name issues Electronic Agreements .

.
 

Cryptography Issues Chpt 5 Regulatory Environment

Regulatory Environment, Cryptography Issues 2nd ed. page 146 Export of Cryptographic Products     . We will discuss this in a later section of the course - Chpt 10, which deals in Cryptography Issues in detail WTGR .

.

Chpt 5 Regulatory Environment

Regulatory Environment 2nd ed. page 156 Third-Party Sharing / Selling of Data   . The textbook we use for FCA 240 is an American textbook so it refers to the situations in the U.S. In Canada, our federal government has already dealt with the consequences of Third-Party Sharing / Selling of Data by enacting Bill C6 We have a unit on Bill C6 in the context of Privacy, go to  http://www.witiger.com/ecommerce/privacyissues.htm  WTGR .

.

Chpt 5 Regulatory Environment

Regulatory Environment 2nd ed. page 157 Carnivore   . The topic of Carnivore is discussed in the last section of this course when we deal with National Institutes and IT Security Organizations National Government Security Agencies WTGR .

.

META Tags Chpt 5 Web Linking Issues META Tags

Web Linking Issues 2nd ed. page 160 Linking Using Trademarks in Keyword META Tags   . This issue is highly over-rated. The point in question is the use by competitor companies, of key words in META Tags, that might trick the Search Engines into returning hits by companies that have no valid reason for being listed. Eg. General Motors putting the words Explorer, Escape, Excursion in their META Tags in  order to draw people to the GM site who may have been looking for a Ford SUV. In reality, META Tags are only one small part of what causes a site to rank high in Search Engines - there are many other factors that influence ranking other than META Tags. for more details, see  www.witiger.com/ecommerce/searchengineissues.htm  WTGR .

.

Chpt 5 Web Linking Issues

Web Linking Issues   . A number of companies that have business involving massive amounts of content on their sites [text, images, audio] try to save bandwidth and storage costs by providing content to users, from the sites of people elsewhere. Sometimes this linking is done without consent and causes many problems. WTGR .  Linking to Illegal Files 2nd ed. page 161 "Unfortunately the ease of scanning images and [copying] digital recordings of music and video make it easy for "bootlegged" copies of music and pictures to reside on the Internet. ...MP3 is one such compression technology thathas made it feasible to upload and download digital audio files that were otherwise to large to transmit" .  . Many of the technology developments mankind has made in the proceeding decades and centuries have often been used for entertainment. One of the oldest uses of technology is to make  music - therefore it is no surprise that the Internet is being used  to allow people to share music all over the world.   This increased ability to share music has good benefits (for listeners) and bad benefits (for record companies trying to maintain control and profits)   www.witiger.com/ecommerce/music.htm  WTGR .

.

screen capture leading to a special section on registration issues of Domain Names

..

 

screen capture leading to a special section on marketing issues of Domain Names

.
 

Chpt 5 The Regulatory Environment

Domain Name Disputes . see the section in  www.witiger.com/ecommerce/domainnames~mktg.htm in which we discuss Domain Name Disputes, and  Canada's role . Citing our military role as international peacekeepers, a story in ComputerWorld Canada in May, 2000 noted a Montreal company, named eResolution, backed by ICANN (Internet Corporation for Assignment Names and Numbers), is in a position to handle the full adversarial proceedings from initial complaint filing to the arbitration stage and transfer of evidence.

.

Domain Name Hijacking Chpt 5 The Regulatory Environment Domain Name Hijacking

. We will use a section in Chpt 5 of the text that discusses Domain Names Registered and held hostage . "The low cost and ease of domain name registration has allowed individuals to register domain names of well-known companies. The intent by many registrants was to hold these domain names hostage until a company would offer to buy the rights to use the domain name"     . Holding Domain Names hostage and ransoming them to the legitimate owners has not been as fruitful as some might expect. The courts in various states and provinces have allowed the aggrieved companies to sue the "hijackers" and in many cases the hijackers have lost because the companies have been able to clearly substantiate that they have a legal right to ownership of the name. . The text says on page 165 "Registrations are approved on the basis of the assumption that no other entity has a legal right, such as a registered trademark, to use that domain name. If that assumption proves false, ICANN reserves the right to reexamine the registration of that domain name and generally gives preference to entities with a federally registered trademark."

.
 
 

Chpt 5 The Regulatory Environment

Privacy Issues 2nd ed. page 149   . Some of the material we cover on privacy issues comes from your textbook for the course, some of it comes from a link to witiger's special "privacy issues module. WTGR .

.
 

screen capture leading to a special section on Privacy Issues

.

.

.In Section Two  we will use material from the following texts
 

	1st Edition Chpt 5			2nd Edition Chpt 7
	Chpt 2 Chpt 3 Chpt 4			Chpt 1 Chpt 2
	Chpt 2

course author:Tim Richardson
 
 

.

Learning Objectives for Section 2 Section 2 is organized such that after completing this section participants will be able to understand that good security involves more than just prevention identify what a company can do beyond prevention detection reaction identify the risks of insecure systems faced by business partners appreciate that business partners can pass on vulnerabilities to your clients differentiate between the relative risk benefits of intranets, extranets and the Internet understand the risk management paradigm and methodology differentiate between control weakness and control risk

.

Secrets & Lies: Digital Security in a Networked  World Schneier talking about the "relationship between prevention, detection and reaction. "Good security encompasses all three" prevention - facilities and systems to prevent people getting in and taking information detection - to find out if anybody has gotten in, and compromised important information or processes reaction - to allow the "bad guys" to be identified and their activity stopped Schneier points out widely that "digital security tends to reply wholly on prevention: cryptography, firewalls and so forth. There's generally no detection, and there's almost never any response or auditing"   . Schneier's statement about the relationship between prevention, detection and reaction is very important. The reason it is important is that most companies are focusing on e-commerce security by spending money to develop firewalls, filtering etc. - but if someone is successful in getting past that - very few organizations will know about it. This is like putting steel bars on your patio sliding doors hoping your house will not be broken into - but not knowing whether or not someone has snuck in through a basement window. Security doesn't work - if you cannot determine if it is working !!! .

.

Chpt 5 1st Edition   Chpt 7 2nd Edition                     Chpt 5 1st Edition   Chpt 7 2nd Edition                   Chpt 5 1st Edition   Chpt 7 2nd Edition

"Electronic Commerce":  Greenstein & Feinman, (1st Edition) Chpt 5 The Risks of Insecure Systems Greenstein & Vasarhelyi, (2nd Edition) Chpt 7 The Risks of Insecure Systems the powerpoints for Chpt 5 (1st Ed) can be obtained from http://homepages.cambrianc.on.ca/timrichardson/ecommerce/ECP1220/greensteinchap5.ppt     Before you begin reading Chapter 5 (7) in the Greenstein book, it would be a good idea to go to the website for the book and scan through the online list of "Key Terms" clicking on the screen capture to the right will take you directly to this "glossary" Page 133 Greenstein Text - 1st Edition Page 215 Greenstein Text - 2nd Edition "Until recently, most information security breaches were initiated by insiders. However a study by the CSI Computer Security Institute and FBI indicates that this trend is rapidly changing. The findings indicate that the number of external attacks is growing because if the increased use of the Internet" Overview of Risks Associated with Internet Transactions Internet Associated Risks Risks to Customers False or Malicious Websites (p. 218 2nd Edition) Stealing Visitor's ID's and Passwords Stealing Visitors's Credit Card information "man-in-the-middle" attacks to monitor a Visitor's activity Spying on a Visitor's hard drive Uploading from the Visitor's hard drive Theft of Customer Data from Selling Agents from ISPs Cookies (see special section) p. 220-222   2nd ed. Web Bugs embedded within the HTML code on a page used to track visitor's online movements unlike cookies, cannot be turned off Risks to Selling Agents and Vendors, p. 223   2nd ed. customer impersonation used to obtain product and service without paying used also to create negative publicity situations Denial of service (DNS) Attacks,  p. 224   2nd ed explanation of PINGING a DNS SYN flooding Intranet Associated Risks Sabotage by Employees former employees threats from current employees social engineering B2B Risks risks associated with transactions between business partners Data Interception Archives risks associated with confidentially-maintained archival, master file and reference data Viruses risks associated with viruses and malicious code overflows (in addition to the information in the Greenstein text, scroll down to viruses) trojan horses hoaxes buffer overflows

.

	screen capture leading to a special section on witiger.com about DNS Attacks
	screen capture leading to a special section on witiger.com about cookies

.

Chpt 3 Types of Attacks                   Chpt 3 Types of Attacks

Secrets & Lies: Digital Security in a Networked  World by Bruce Schneier Chpt 3 Attacks   . Schneier's third chapter in the book is an excellent overview of the different classes of attacks. You are strongly encouraged to read the entire chapter. The main themes, summarized in point form, are arranged below. The reason for knowing many of the terms on this list is so that you may understand the depth and range of the types of risks that can effect your organization. WTGR . Criminal Attacks fraud scams destructive attacks intellectual property attacks  piracy unauthorized copy of text and images from one site to another identity theft brand theft prosecution Privacy Violations data harvesting surveillance databases traffic analysis massive electronic surveillance Publicity Attacks denial of service attacks defacing web pages Legal Attacks

.
 

Principles of Information Security by Michael Whitman and Herbert Mattord Chpt 2 The Need for Security   . This chapter provides an excellent list of all the types of things that can go wrong with IT security.  WTGR. . A summary of the Threats described in Chpt 2 is listed below Five groups of "real and present" danger Inadvertent acts (malicious intent is absent) Human error or failure of the product/system to operate Deviations in quality of service by service providers Deliberate acts Competitive Intelligence Industrial Espionage Trespass hacking Information extortion Sabotage ad vandalism Theft Software attacks DNS attacks Virus attacks Trojan Horse Worms Compromises to Intellectual Property Acts of God Forces of Nature Fire Flood Earthquake Lightning Tornado / Hurricane Technical failures Hardware Failures Softare Failures Management failures Technological Obsolescence

.
 

Principles of Information Security by Michael Whitman and Herbert Mattord Chpt 2 The Need for Security   .  We have a CD with the powerpoints for this book and the powerpoint for Chpt 2 is available at the link below  www.witiger.com/powerpoints/IT~security/ WTGR. .

.
 

Chpt 3 Types of Attacks - Frauds

In addition to the resources of the National Consumers League, you can also access the web page of the National Fraud Information Center. The NFIC also has a special section on their web site dealing with Internet Fraud  www.fraud.org In their own words "Internet Fraud Watch was launched in March of 1996 enabling the NFIC to expand its services to help consumers distinguish between legitimate and fraudulent promotions in cyberspace and route reports of suspected fraud to the appropriate law enforcement agencies. "   . The NFIC web site is very extensive and you should time looking at the various links and read about some of the types of scams and frauds. They also have an "Internet Tips" page which is simply worded, but useful. You could earn some class contribution points by thoroughly reviewing this site and picking out some additional information which could be added in to this page. .

.
 

Chpt 3 Types of Attacks - Scams

Scams Schneier quotes the National Consumers League (Chpt 3, page 24) "the five most common online scams are sale of internet services sale of general merchandise auctions pyramid and multi-level marketing schemes business opportunities"

.
the National Consumers League (Chpt 3, page 24)

It would be very worthwhile for ECP participants to spend some time on this site since
it has some links and tips that are helpful
.

Privacy Violations In many countries, people do not own the information which is collected about them, that is to say, their personal data. This information is considered the property of whatever credit card company, insurance firm, educational institution that collected the information. As a consequence of some outrageous violations of collecting and disseminating personal information, Canada, New Zealand and other countries have enacted tough laws which are binding on the companies that collect and pass on personal profile information (which we noted in Section 1 of this course when we presented the federal and provincial legislation dealing with this). Privacy violations are not, strictly speaking, criminal activity, but, depending on what is done with the information, it can be used for criminal purposes - such as assuming an identity for the purposes of obtaining credit, which could then be used to fraudulently buy products and services. As a person studying IT security, it would be your responsibility to understand that protecting the private personal information of people that have data held within your firm's IT systems, is critical to conduct effectively and without risk.

Chpt 3 Types of Attacks - Privacy Violations

Privacy Violations Schneier, page 29 "There are two types of privacy violations  Targeted Attacks, and Data Harvesting" Targeted Attacks If the attacker wants to know everything about  a person, it is called stalking a company, it is called industrial espionage and corporate intelligence a country, it is called  national intelligence gathering, or spying Data Harvesting As Schneier says, "this attack harnesses the power of correlation" Data harvesting is only worthwhile doing if it can be automated, and computers allow the automation process to be done very effectively. Using good cryptography will thwart harvesters since they will not be easily able to identify if what they are looking for is in the target they are attacking.

Chpt 3 Types of Attacks - Traffic Analysis                   Chpt 3 Types of Attacks - Traffic Analysis

Secrets & Lies: Digital Security in a Networked  World by Bruce Schneier Chpt 3 Attacks Privacy Violations traffic analysis "Traffic analysis is the study of communication patterns. Not the content of the messages themselves, but characteristics about them"   . Explanation: If Joe sends a long message to Bill, then Bill sends a short reply back to Joe, and additionally a long message to Sue, Kevin, Greg and Alice, then we can assume there is some degree of hiearchy in this structure and regardless of the content, there must be some directions coming from Big Joe, which need to be passed on. If you wanted to spend time hacking these messages, the most effective thing to do is hack the single message from Joe to Bill since the information in that would probably tell you what Sue, Kevin, Greg and Alice received from Bill. The purpose of this explanation is to show that sometimes the patterns of communication are just as important to understanding as the actual text of the message sent. . Schneier gives an amusing example noting that in the hours leading up to the 1991 bombing of Iraq, pizza deliveries to the Pentagon increased one hundredfold - even if you did not know what the generals and admirals were talking about, it had to be something important from which there would be some serious time spent on decision making.   . Although we have cautioned in ECP 1220 that it is wise to encrypt your communications, we also have to mention that sometimes people can figure out what you are doing anyway because even if the message is encrypted, people could know the volume of traffic and this might be an indicator of something important - depending on the context. Therefore: not only do you prevent people knowing the content of your messages, you should endeavour to let people know the messages even exist !!! .

Internal Threats

Internal Threats   "The threat that is most often overlooked, yet is most likely to occur, is the inside threat. Provding internal access to an organization's digital assets can be the Achille's heel of many security plans through either malicious intention or carelessness... Few modern systems can withstand attacks from  users who are logged on to internal machines" page 9, Chpt 1   . Dr. Gnosh's book, E-Commerce Security, and other books and several on-line resources emphasize that good security requires a blend of computer security tools with policies that are judiciously applied - meaning if situation "x" requires the person only has a password to section"1", then do not give them a password for all sections just because it is too time consuming to block them off from thos they should not have access to. Gnosh says "The principles of need-to-know and compartmented information can be useful in determining to whom privaleged accounts and paswords should be given". .

Internal Threats

. Communications & Networking, January 2003, Vol. 6 No. 1  "Guarding against threats from within" by Grant Buckler "A careless employee is just as much of a threat as a hacker" . . The reason why we selected this article is because it contains many of the things we discuss in this course, particular the point about policies and procedures being just as important as spending money on firewalls and hardware. This article also explains well that sometimes internal threats are not from "bad employees", just simply employees that make mistakes, or employees who do not follow proper procedures which allow vulnerable situations to arrive. WTGR . " A firewall is not enough. Proper network security requires at least one (if not several) firewalls, anti-virus software and  intrusion detection. That's just the technology, which is not even the most important part. Security also depends on policies and procedures, and without those, all the gadgets in the  world will not be enough... external threats are just a small part of the security picture.... threats from outside have increased in the last couple of years, but insiders still pose a more serious risk than outsiders" Threats come from Former Employees who were fired or laid off Angry, frustrated current employees who want to damage the company Employees who have nothing against the company, but make a critical mistake "... guarding against security breaches from inside starts with the hiring process. When hiring new employees, employers should check references and conduct background checks. Then, the organization needs clear policies telling employees what they should and should not do. This may do little good against malicious attacks, but it can help guard against the many security breaches that occur through simple thoughtlessness."

Internal Threats

Chpt 7, 2nd Edition p. 227 Sabotage by Former Employees "former employees who leave under bad circumstances are very troubling because of their knowledge... in many cases, the employee becomes suspicious and begins collecting internal information in advance" Threats from Current Employees The 2000 CSI/FBI report found that 38% of the firms studied experienced internal attacks .

Handling Internal Threats

. Communications & Networking, January 2003, Vol. 6 No. 1  "Guarding against threats from within" by Grant Buckler "A careless employee is just as much of a threat as a hacker" . Handling Internal Threats by initiating policies and procedures to cut down on risk situations developing. "Deloitte Consulting LLC prohibits employees from storing documents from  work on their home computers, says Karim Zerhouni, head of the consulting firm's Canadian internetworking practice. That policy makes it less likely confidential information  will fall into the wrong hands.  Yet policies and procedures are not the complete answer either. Hardware and software can  help enforce the rules and make it easier for employees to comply with them.   Access controls and passwords can be used to limit employees' access to the applications  and data they need to do their jobs and keep them away from privileged material.  Authentication technology can ensure that e-mails come from whom they appear to come  from and that documents have not been tampered with."   . Access controls and passwords have to handled carefully. If they are implimented, without monitoring their effect on job performance, you may find that following the procedures may be very frustrating for employees and the invent ways of circumventing the controls eg. if the organization required employees to change password every tenth time they logged in, this frequency may be too difficult for employees to remember the password so they end up writing it on 3M stickies and sticking the password on the monitor in plain site. WTGR .

The disgruntled employee poses but one of many  insider threats to information systems and the valuable data stored therein. Unauthorised access from  insiders, rather than outside hackers, accounted for 44% of network security breaches last year, according to the March 2000 survey by Computer Security Institute (CSI) and the FBI. "The greatest exposure to any organisation is what I call the knowledgeable insider - anybody from a  janitor to a vendor or an active or ex-employee," says  Steve Dougherty, director of information security at  the Fulsom, California-based California Independent  System Operator, which is taking over management of power grid transmissions for 27m Californians with the state’s recent industry deregulation. American Society for Industrial Security’s (ASIS).  89% of respondents to the ASIS 1997/1998 Intellectual Property Loss Special Report indicated that their  biggest concern regarding system security is  retaliation from disgruntled employees..

Risks With Business Partners they may pass on infections to your clients                             Risks With Business Partners they may pass on infections to your clients

A SANS Institute email alert about a "fix" which itself contains a virus Medium and large size companies make themselves vulnerable to risk when they outsource various services to intermediary parties. Microsoft - which one would presume is very very careful about who they partner with, is often vulnerable when the partner makes a bad mistake. Some of these mistakes happen when the intermediary is responsible for dispensing some service, such as making downloads available. In the screen capture below, you can see Prof. Richardson has received an email from SANS. This email details how Microsoft Hotfixes downloaded from the Premier Support and Gold Certified Partner web sites were infected with the Fun Love virus.  The original email has been uploaded to the ECP site and you can read the full text, including other warnings and info at  http://homepages.cambrianc.on.ca/timrichardson/ecommerce/SANalert1.htm   . So the irony of the situation is almost funny if it weren't so dangerous - here is the world's most powerful softare company providing "fixes", through an intermediary, and the "fixes" themselves contain a virus !! One of the ways you protect yourself from these situations is being very diligent and reading all the email from organizations like SAN, which provide news and info on these vulnerabilities.. .

Risks With Business Partners Hacking - example of vulnerability to 3rd parties                       Risks With Business Partners Hacking - example of vulnerability to 3rd parties

. . Your vulnerability to hackers is not just direct between you and the threat, it can also involve third parties who process business information for you. Many companies trying to run "lean and mean" to cut costs, outsource specialty services to call centers. There have been some examples where these third party players get hacked, which in turn means the hacker comes into possession of confidential information of the clients. WTGR ...   A perfect example of a chain is as strong as its weakest link

screen capture leading to a section on witiger.com about Viruses

..

Printers vulnerable? - sure.

NATIONAL INFRASTRUCTURE PROTECTION CENTER (United States) - noted page 214 in Greenstein Text - 2nd Ed.

NATIONAL INFRASTRUCTURE PROTECTION CENTER "Intrusion Techniques: Networked printers are prime targets for denial of service attacks and root access intrusion attempts

Networks are only as strong as their weakest link, and printers are often overlooked when assessing and implementing network security measures. Vulnerabilities associated with widely used name-brand networked printers (NPs) may allow intruders to perform denial-of-service (DoS) attacks, and possibly gain root access to network administrative services if left undetected."  www.nipc.gov/publications/ highlights/2001/highlight-01-01.htm

.

We have our own example of hacked, and original pages which you can view by clicking on the screen capture to the left.

 .
 

In the on-line version of Chpt 6 of his book,  The Business of the Internet Neil Hannon, notes a link to an article about Netscape Communications Corp. white paper that deals with the issue of intranet security and some of its many challenges. "Cryptography Is The Key To Intranet Security Needs"  http://www.techweb.com/se/directlink.cgi?CRN19970630S0089 Copyright (c) 1997 CMP Media Inc. You can read the original article on CRN's site at  www.techweb.com/se/directlink.cgi?CRN19970630S0089 The following is a summary of some of the main points in case the article is no longer available online. "There are many challenges in building a full-service intranet that provides safe communications and collaboration. As the exponential growth of the publicInternet demonstrates, TCP/IP solves many problems in a remarkably scalable way. However, TCP/IP was not designed to offer secure  communication services. Because TCP/IP was not designed with security in mind, we must bring additional technology and policies to bear to solve typical security problems..." If you go to the web site you can read further about the problems and the cryptographic solutions

.

This quiz was created for another course - students of FCA 240 could try it too since much of the material os covered herein.    Online Quiz  for the preceeding material   www.witiger.com /senecacollege/ IEC818/ quiz~IEC818~2.htm .  1. Could you explain to someone what the Trojan Horse virus is (as explained in Greenstein text, Chpt 5, page 162) 2. Why do most companies not report IT security situations to authorities? 3. Why are macro viruses so troubling, and how can they be prevented? (as explained in Greenstein text, Chpt 5)