Ethical Hacking and Information Security

Organizations dealing with IT across the globe would be interested to know how secure their system or network and will be interested to know the vulnerabilities present. Many lone wolf ethical hackers and cyber security companies offer vulnerability assessment & penetration (VAPT) as a service. Several organizations that take these services often empanel more than one VAPT service providers and use them alternatively. Large organizations generally have their own in-house VAPT teams, that do VAPT exercise routinely and sometimes hire outside vendors. VAPT is often a tool based exercise used in conjunction with techniques best known to the person doing it. To understand more about what laws are applicable to Vulnerability Assessment and Penetrating Testing i.e. VAPT, let us first understand what does it mean in general parlance. What is a VA? To identify and analyse the vulnerabilities, a test known as the vulnerability assessment test is carried out. A vulnerability assessment exercise highlights the gap in vendor patch updations, misconfigurations and other known vulnerabilities. A VA can throw a lot of false positives and false negatives too, which is often tested manually by administrators to confirm. The team then conducts a threat mapping of these vulnerabilities around the affected assets.

This theme issue has the founding ambition of landscaping Data Ethics as a new branch of ethics that studies and evaluates moral problems related to data (including generation, recording, curation, processing, dissemination, sharing, and use), algorithms (including AI, artificial agents, machine learning, and robots), and corresponding practices (including responsible innovation, programming, hacking, and professional codes), in order to formulate and support morally good solutions (e.g. right conducts or right values). Data Ethics builds on the foundation provided by Computer and Information Ethics but, at the same time, it refines the approach endorsed so far in this research field, by shifting the Level of Abstraction of ethical enquiries, from being information-centric to being data-centric. This shift brings into focus the different moral dimensions of all kinds of data, even the data that never translate directly into information but can be used to support actions or generate behaviours, for example. It highlights the need for ethical analyses to concentrate on the content and nature of computational operations—the interactions among hardware, software, and data—rather than on the variety of digital technologies that enables them. And it emphasises the complexity of the ethical challenges posed by Data Science. Because of such complexity, Data Ethics should be developed from the start as a macroethics, that is, as an overall framework that avoids narrow, ad hoc approaches and addresses the ethical impact and implications of Data Science and its applications within a consistent, holistic, and inclusive framework. Only as a macroethics Data Ethics will provide the solutions that can maximise the value of Data Science for our societies, for all of us, and for our environments.

In October 2016, the White House, the European Parliament, and the UK House of Commons each issued a report outlining their visions on how to prepare society for the widespread use of artificial intelligence (AI). In this article, we provide a comparative assessment of these three reports in order to facilitate the design of policies favourable to the development of a 'good AI society'. To do so, we examine how each report addresses the following three topics: (a) the development of a 'good AI society'; (b) the role and responsibility of the government, the private sector, and the research community (including academia) in pursuing such a development; and (c) where the recommendations to support such a development may be in need of improvement. Our analysis concludes that the reports address adequately various ethical, social, and economic topics, but come short of providing an overarching political vision and long-term strategy for the development of a 'good AI society'. In order to contribute to fill this gap, in the conclusion we suggest a two-pronged approach.

The paper investigates the ethics of information transparency (henceforth transparency). It argues that transparency is not an ethical principle in itself but a pro-ethical condition for enabling or impairing other ethical practices or principles. A new definition of transparency is offered in order to take into account the dynamics of information production and the differences between data and information. It is then argued that the proposed definition provides a better understanding of what sort of information should be disclosed and what sort of information should be used in order to implement and make effective the ethical practices and principles to which an organisation is committed. The concepts of ''heterogeneous organisation'' and ''autonomous computational artefact'' are further defined in order to clarify the ethical implications of the technology used in implementing information transparency. It is argued that explicit ethical designs, which describe how ethical principles are embedded into the practice of software design, would represent valuable information that could be disclosed by organisations in order to support their ethical standing.

Humans communication and interaction have
dramatically changed in the last century with the introduction
of advanced technologies. One important form of
communication are electronic mails (email), as it is not only
used for personal purposes but also used on a professional
level. With the increase of electronic communication, spams
have widely increased targeting individuals, having a doubtful
intention such as stealing personal information to be misused
or even to paralyze the Email system by injecting viruses.
Therefore, to protect email users from spams and viruses, it is
crucial to protect our SMTP server. In this paper, a case study
is raised by configuring two SMTP servers and 6 different
scenarios, for the purpose of evaluating and addressing email
security issues. Various anti-spam and filtering techniques
were highlighted and analyzed, along with reporting and
visualizing functionalities to further assist system
administrators to control and monitor SMTP server.

The European Medical Information Framework (EMIF) project, funded through the IMI programme (Innovative Medicines Initiative Joint Undertaking under Grant Agreement No. 115372), has designed and implemented a federated platform to connect health data from a variety of sources across Europe, to facilitate large scale clinical and life sciences research. It enables approved users to analyse securely multiple, diverse, data via a single portal, thereby mediating research opportunities across a large quantity of research data. EMIF developed a code of practice (ECoP) to ensure the privacy protection of data subjects, protect the interests of data sharing parties, comply with legislation and various organisational policies on data protection, uphold best practices in the protection of personal privacy and information governance, and eventually promote these best practices more widely. EMIF convened an Ethics Advisory Board (EAB), to provide feedback on its approach, platform, and the EcoP. The most important challenges the ECoP team faced were: how to define, control and monitor the purposes (kinds of research) for which fed-erated health data are used; the kinds of organisation that should be permitted to conduct permitted research; and how to monitor this. This manuscript explores those issues, offering the combined insights of the EAB and EMIF core ECoP team. For some issues, a consensus on how to approach them is proposed. For other issues, a singular approach may be premature but the challenges are summarised to help the community to debate the topic further. Arguably, the issues and their analyses have application beyond EMIF, to many research infrastructures connected to health data sources.

Simeck, a lightweight block cipher has been proposed to be one of the encryption that can be employed in the Internet of Things (IoT) applications. Therefore, this paper presents the security of the Simeck32/64 block cipher against side-channel cube attack. We exhibit our attack against Simeck32/64 using the Hamming weight leakage assumption to extract linearly independent equations in key bits. We have been able to find 32 linearly independent equations in 32 key variables by only considering the second bit from the LSB of the Hamming weight leakage of the internal state on the fourth round of the cipher. This enables our attack to improve previous attacks on Simeck32/64 within side-channel attack model with better time and data complexity of 2 35 and 2 11.29 respectively.

In this article, we argue that personal medical data should be made available for scientific research, by enabling and encouraging patients to donate their medical records once deceased, in a way similar to how they can already donate organs or bodies. This research is part of a project on posthumous medical data donation (PMDD) developed by the Digital Ethics Lab at the Oxford Internet Institute, University of Oxford, and funded by Microsoft. We provide ten arguments to support the need to foster posthumous medical data donation. We also identify two major risks—harm to others, and lack of control over the use of data—which could follow from unregulated donation of medical data. We reject the argument that record-based medical research should proceed without the need to ask for informed consent, and argue for a voluntary and participatory approach to using personal medical data. Our analysis concludes by stressing the need to develop an ethical code for data donation to minimise the risks providing five foundational principles for ethical medical data donation; and suggesting a draft for such a code.