data security — watch out for the new computer criminals


Vol. 9, No. 6, Page 7

knowledge base provided by its managers, it knows the rules that the other systems are going to be following. Each of them is standing ready to pounce should the signals from the marketplace indicate that action is needed.

In 1929, the New York Stock Exchange crash occurred over a period of several weeks. At that time, there was an amplifier provided by the practice of trading on margin. As prices declined, the brokers who had been providing funds for those who had purchased stocks but only paid part of the price (leaving the stock that had been purchased with the broker as collateral) called for more cash from the purchaser. He therefore had to sell some of his stock to find the cash, pushing prices down still further. This frightened others into getting out while the going was good and discouraged buyers from entering till the price was lower still.

Am I right to predict that sometime in the quite near future, we shall see the crash of 1929 not in weeks, but in milliseconds? If I am wrong, please will you write and tell me why. If I am right, who should be trying to do something about it? Is it possible in practice, even were one able to devise a theoretical structure, to put in place a regulatory mechanism to control the behaviour of an electronic market place which can migrate anywhere around the globe to evade controls? Should the central banks, or perhaps an association of the major global banks, establish some kind of self-denying ordinance outlawing program trading at electronic speeds which preclude human intervention? Should they agree some stops - triggers set by price movements beyond agreed "normal" levels - which would call for a pause and allow human intervention? Or do we need some kind of buyer/seller of last resort who will always intervene to prevent violent price fluctuations?

Adrian Norman, Consultant, Arthur D Little Ltd, Berkeley Square House, Berkeley Square, London W1X 6EY, UK; tel: 01-409-2277.

DATA SECURITY - WATCH OUT FOR THE NEW COMPUTER CRIMINALS

The BIS series of Casebooks on Computer-related Fraud, Computer Crime, and Computer Disasters first came out in 1983. The new editions of the Computer Fraud and Computer Crime Casebooks contain many more new cases which have come to light since the last publication date. BIS has detected major shifts of emphasis in computer crime trends both in terms of the significance of losses as well as in the schemes of perpetration. Increasingly BIS detects better cooperation between victim organizations and the police authorities: as a result there have been more prosecutions and more details are now available for individual case analysis. With the recent cases also come new types of computer criminals and new threats to computer data and business information. Fortunately the security industry is also responding to new demands for protection in erstwhile virgin territory for both attackers and defenders.

© 1987 Elsevier Science Publishers B.V., Amsterdam. /87/$0.00 + 2.20. Computer Fraud & Security Bulletin. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)


Who are the new computer criminals?

At the highest company or board level, the Equity Funding case in the US in the 1970s set the scene for an entire company in collusion with employees to create bogus insurance policies and to boost its lacklustre financial performance on the stock market to appease investors. In the UK, we have seen a similar case of an operating company trying to inflate its trading volume to pretend to be in good health in order to avoid being closed down by the main group. Another company managed to create fictitious entries on its order book to successfully borrow £3 million from a creditor before going out of business. Although we were unsure if the company ledgers were computerized in that instance, nevertheless the fraud would probably be accomplished more effectively with a computer-based accounting system.

A financial modelling program running on a personal computer was recently available on the UK black market for the unscrupulous to use to understate a company's operating profits or VAT returns and cheat the taxman or Customs and Excise officials. By entering the actual returns on the system and asking for, say, a 5 or 10% reduction, the program will churn out a new set of figures, properly discounted and self-balanced, for the company to submit to the appropriate authorities. In another case, a high street computer dealer altered the name of a software package supplied by a software house and sold the bona fide software along with his 'own brand' side by side, with considerable price advantages offered to customers for the latter. The truth came out when a customer complained to the software supplier about the relatively high price charged compared with the dealer's 'own brand'. A number of cases involving software piracy have been reported and the culprits prosecuted in recent years.

Meanwhile a 24 year-old entrepreneur set up a bogus hardware maintenance company to offer cut-price maintenance to unsuspecting computer users by employing youngsters from the Youth Training Scheme to pose as expert technicians. By the time the police were called in to investigate, the company had collected over £1 million in contract payments.

Next down the list of computer criminals come the company directors or senior managers who abuse their privileged positions to defraud their employers of large sums of money. For example, names of bogus suppliers would be added to the supplier lists and standing orders placed for fictitious goods or services. Invariably the same individuals would fabricate goods-received notes and then authorize them for payment. In another instance a senior bank manager noticed a dormant account belonging to an Argentinian customer with £500 000 deposited for eight years, with no further deposits or withdrawals throughout that period. He then proceeded to siphon off £100 from the account at first and then slowly moved bigger sums away. By the time the bank inspectors discovered the fraud, some £50 000 had been salted away in the culprit's savings account elsewhere. Meanwhile we were told of another case of a financial director of a textile group who perpetrated a computer fraud for eight years and got away with £1.6 million. The loss was recovered from the insurers although no prosecutions were made.



In the aftermath of the London Stock Exchange deregulation - the Big Bang in October 1986 - opportunities abound for insider dealing by entrepreneurial dishonest senior brokers exercising their privileged positions in securities companies to access sensitive trading information or takeover details from other business quarters.

Increasingly, more cases have been reported of trusted young employees making fraudulent transactions from electronic funds transfer systems to send money to their accomplices' accounts abroad, with Switzerland being the favoured destination to collect their gains. With few exceptions many of the cases reported involved sums in millions of pounds and many of the culprits were caught and jailed. Nevertheless these cases demonstrated the ease with which trusted individuals could authorize high-value bogus transactions for their own gain, thanks to the crude security built into many of the computer-based telex systems and the occasional lack of authentication facilities in computer systems to check fraudulent transfers. Segregation of duties was also not properly enforced, allowing employees falling on hard times or with expensive tastes for high living to attempt to 'balance their books' by illegal means. The recent Prudential-Bache case involving a near loss of US$8.5 million was a case in point. The whole series of fraudulent transactions was initiated by two employees by entering a well-known authorized password from a personal computer at home, with no authentication required. In other cases, employee termination procedures were inadequate. This allowed an ex-employee to use his company's passwords (which should have been changed on his departure) and a card key (which should have been retrieved from him) to enter the premises and access an accounts payment system afterwards. He would search for invoice payments of the order of £10 000 each, and enter duplicates for these, to be paid to a bogus company. The ingenious culprit and his accomplice actually used a miniature electronic transmitter to eavesdrop on the junction box outside the premises where the communication lines terminate, to discover the user passwords, which were renewed every three months, in order to prolong their fraudulent scheme. £318 000 and eighteen months later, the company discovered one of these duplicate invoices and the game was up.
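The duplicate-invoice scheme above went undetected for eighteen months because nothing compared new payments against what had already been paid, nothing checked the payee against an approved supplier list, and one person could both key and approve a payment. The following screen, written for this page as an added example (it is not BIS's tool and not code from the article), applies those three controls to a payment run. The record layout, supplier list, user names and the sample payments are all constructed; the 90-day window is an assumed threshold.

```python
"""Accounts-payable screen for the duplicate-invoice scheme described above.

Added example, not part of the original article. The records, field names,
supplier list and thresholds are all constructed for illustration. Three
controls are applied to each payment:
  1. an invoice number that has already been paid, or the same supplier and
     amount paid again within the window, is a duplicate;
  2. a payment entered and approved by the same user breaks segregation of
     duties;
  3. a payee that is not on the approved-supplier list is flagged.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    ref: str           # payment reference
    invoice_no: str    # supplier's invoice number
    supplier: str      # payee as entered on the payment
    amount: float
    entered_by: str    # user who keyed the payment
    approved_by: str   # user who authorised it
    paid_on: date


# Constructed approved-supplier master file.
APPROVED_SUPPLIERS = {"ACME LTD", "NORTHERN STEEL", "CITY PRINT"}

# Constructed payment run: P002 is P001 re-keyed to a bogus payee by a single
# user (the scheme in the text); P004 repeats P001's supplier and amount.
SAMPLE_PAYMENTS = [
    Payment("P001", "INV-4471", "ACME LTD", 10250.00, "jsmith", "rbrown", date(1986, 3, 3)),
    Payment("P002", "INV-4471", "AJAX SERVICES", 10250.00, "tgreen", "tgreen", date(1986, 3, 10)),
    Payment("P003", "INV-9902", "CITY PRINT", 430.00, "jsmith", "rbrown", date(1986, 3, 12)),
    Payment("P004", "INV-4480", "ACME LTD", 10250.00, "jsmith", "rbrown", date(1986, 3, 20)),
]


def screen_payments(payments, approved_suppliers, window_days=90):
    """Return a list of (payment ref, reason) findings, in payment-date order."""
    findings = []
    first_paid_under = {}          # invoice_no -> ref of the first payment of it
    history = defaultdict(list)    # (supplier, amount) -> [(ref, paid_on), ...]

    for p in sorted(payments, key=lambda x: x.paid_on):
        if p.supplier not in approved_suppliers:
            findings.append((p.ref, f"payee {p.supplier!r} not on approved supplier list"))
        if p.entered_by == p.approved_by:
            findings.append((p.ref, f"entered and approved by the same user {p.entered_by!r}"))
        if p.invoice_no in first_paid_under:
            findings.append((p.ref, f"invoice {p.invoice_no} already paid under {first_paid_under[p.invoice_no]}"))
        else:
            first_paid_under[p.invoice_no] = p.ref

        key = (p.supplier, round(p.amount, 2))
        for earlier_ref, earlier_date in history[key]:
            if (p.paid_on - earlier_date).days <= window_days:
                findings.append((p.ref, f"same supplier and amount as {earlier_ref} within {window_days} days"))
                break
        history[key].append((p.ref, p.paid_on))
    return findings


if __name__ == "__main__":
    for ref, reason in screen_payments(SAMPLE_PAYMENTS, APPROVED_SUPPLIERS):
        print(f"{ref}: {reason}")
```

Run against the sample, P002 is caught three times over (unknown payee, single-user approval, invoice already paid) and P004 is flagged as a possible double payment to a genuine supplier. The invoice-number check is the one that defeats the scheme in the text, since the duplicate was deliberately routed to a different payee; the supplier-and-amount check is there for the ordinary double-payment error. Such a screen is only useful if it runs before the payment file goes to the bank, not at the next audit.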

From computer users, the type of criminal extends to technical computer staff. There have been many recent cases reported of logic bombs being planted in business systems either to exact revenge on employers, or to demand ransoms in return for cleaning up the corrupted programs. The logic bombs would typically be applied with action triggers based on pre-selected dates or a combination of circumstances and the effect would be to halt the computer system on the due date or when triggered. In November 1985, computer users worldwide of a well-known access control software package for large IBM computers found themselves victims of a logic time bomb planted by a disgruntled programmer from the software vendor. All user sites with the software installed found their systems crashed on the same day. Another programmer demanded a ransom of $4000 from his former employer to disable a recurring logic time bomb planted in the company's on-line order processing system.
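A date-triggered bomb of the kind described above is dormant on every day the test suite is run, which is why it survives acceptance testing. One control a practitioner can add is a clock-advance probe: run the job with an injected calendar date stepped through the coming year and report any date on which its behaviour changes. The block below is an added example written for this page, not code from the article or from any vendor; the batch job in it is a constructed stand-in with a planted trigger so the probe has something to find, and the dates, orders and horizon are all assumptions.

```python
"""Clock-advance probe for date-triggered logic bombs.

Added example, not from the article. Before a release goes live, the batch
job is run with an injected 'today' value stepped through the coming year;
every date on which its result departs from the baseline, or on which it
raises, is reported. `order_batch_job` is a constructed stand-in containing
a planted trigger of the kind the text describes.
"""
from datetime import date, timedelta


def order_batch_job(orders, today):
    """Constructed batch job: totals an order batch.

    The `today` comparison is the planted trigger. A real job would read the
    system date itself; here the date is injected so the probe can control it
    (in practice, the same effect is had by running under a faked clock).
    """
    if today >= date(1987, 7, 1):           # planted trigger date
        raise RuntimeError("ABEND S0C7")      # simulated crash on the due date
    return round(sum(qty * price for qty, price in orders), 2)


def probe_time_bomb(job, start, horizon_days, step_days=1):
    """Run `job(today)` from `start` for `horizon_days` and return a list of
    (date, description) for every date whose result differs from the baseline
    run at `start`, or which raises. The first entry is the earliest trigger."""
    baseline = job(start)
    anomalies = []
    for offset in range(step_days, horizon_days + 1, step_days):
        today = start + timedelta(days=offset)
        try:
            result = job(today)
        except Exception as exc:              # a crash is exactly what we are hunting
            anomalies.append((today, f"raised {type(exc).__name__}: {exc}"))
            continue
        if result != baseline:
            anomalies.append((today, f"result changed from {baseline!r} to {result!r}"))
    return anomalies


# Constructed input batch and probe parameters.
SAMPLE_ORDERS = [(3, 19.99), (10, 2.50), (1, 499.00)]
PROBE_START = date(1987, 1, 1)
PROBE_HORIZON_DAYS = 365


def first_trigger_date(job=order_batch_job, orders=SAMPLE_ORDERS,
                       start=PROBE_START, horizon_days=PROBE_HORIZON_DAYS):
    """Earliest date on which `job` misbehaves within the horizon, or None."""
    anomalies = probe_time_bomb(lambda today: job(orders, today), start, horizon_days)
    return anomalies[0][0] if anomalies else None


if __name__ == "__main__":
    found = probe_time_bomb(lambda d: order_batch_job(SAMPLE_ORDERS, d),
                            PROBE_START, PROBE_HORIZON_DAYS)
    if found:
        print(f"{len(found)} anomalous dates; first on {found[0][0]}: {found[0][1]}")
    else:
        print("no date-dependent behaviour found within the horizon")
```

The probe reports the planted 1 July 1987 trigger from a run started on 1 January. Its limits are worth stating: it only finds triggers that depend on the date the job is given, so a bomb armed by a counter, a missing file, or the absence of a particular employee's login (all in the same family as the cases above) needs a different control, namely source review of any change made by staff who have since left, and a known-good copy of every production program to compare against.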


In another case, a programmer managed to gain illegal access to the front-end processor of a banking system to divert £6 million to his account in Switzerland by altering the payee accounts for the first ten transactions in an electronic funds transfer system. Cases involving theft of sensitive information have begun to surface recently. One case involved a programmer working in the research and development department of a food company who introduced his private floppy diskette into the department's personal computer system to obtain an illegal copy of the company's product formula to sell to a competitor.

Sabotage of computer equipment remains a serious cause of concern. One installation found someone had entered the computer room over the weekend, removed a printed circuit board and snipped off thirteen miniature wires on the central processor. The room was protected by a card key system with only three persons authorized for access, including a senior executive. Computer systems were seriously disrupted the following week. The press reported recently the case of a computer operator who attacked an old age pensioner with a bottle after contracting Legionnaires' disease. The disease is known to cause inflammation of the brain. With the potential epidemic of AIDS, which also could cause the sufferer to become mentally deranged, the risk of employing computer staff who are being secretly treated for AIDS must pose a potential danger to their colleagues or computer systems in their charge.

Outsiders have loomed large in recent cases of computer hacking, many of whom managed to obtain information on user account codes and passwords from hackers' electronic bulletin boards, or from careless systems administrators and users. Some managed to obtain the default account codes and passwords reserved for maintenance engineers to run remote diagnostics on faulty equipment. Some of the default accounts were found clearly posted in the installation manuals of computer equipment. Successes in hacking into large IBM systems have on several occasions been scuppered by the access control software packages installed which provide multiple levels of access control and password checking.

Several cases of arson have been reported, including one started by burglars who broke into the premises and used the oxyacetylene welding equipment stored on site to force open an office safe. On discovering there was only £37 being held there, frustration turned into anger and the burglars then directed the welding equipment on office equipment and furniture. The whole building was gutted and the computer room next door suffered severe contamination by smoke and soot deposits. The entire computer system had to be written off as a result.

In Europe, many computer installations have become targets for terrorist bombs. These include installations in Italy, Germany, France, and Belgium. Many of the victims were accused of providing services related to NATO defence work or of using their computer equipment as capitalist instruments to exploit the proletariat. With the recent spate of terrorist attacks from Libyan quarters on US and British targets, it may be prudent to make reasonable contingencies in case the target shifts to computer centres in future. Many service companies offer standby processing or empty computer rooms for computer users in the event of a major computer disaster, especially on the IBM market, from System 34 right through to the 3080 Series.

Trade union activists are beginning to exploit sensitive corporate computer data to strengthen their wage bargaining positions. A brewery found their trade union officials were quoting highly sensitive corporate information in their pay negotiations. As such information could only have come from a 'leak', an investigation was initiated which traced the source to an employee working in the Computer Services Department. Apparently he regularly took home copies of sensitive output left in the offices and had actually accumulated two roomfuls of computer printout at home. Equally, any form of industrial action involving computer centres could prove costly to employers. This was exemplified by the £150 million bill to the UK Government through a prolonged DHSS operators' strike at Newcastle which lasted some seven months. Several banking institutions have in the past conceded demands from trade unions on being threatened with disruptions to their computer services.

There is growing evidence that the criminal fraternity is trying to exploit computer technology, to improve clandestine communication and productivity as well as to perpetrate fraud on business organizations. In the UK a group of drug traffickers were found using a small computer to control, supply, and distribute controlled drugs as well as to keep business accounts. In Germany, a pharmaceutical company found its international network was regularly abused by drug barons to provide a communications network to supply and distribute cocaine and heroin on an international scale. A prostitution ring in the US was using personal computers to hold details of clients: individual prostitutes were issued with hand-held devices to access a database of customers' preferences, credit card details, and credit limits. One case involved the Mafia commissioning an unemployed software designer to develop a SWIFT-lookalike inter-bank network for the Arab world. The Mafia promised to underwrite all software development costs in return for a trapdoor to be built into the system for future clandestine access to the network.

In the UK, a major bank discovered its cash dispenser network was being abused by known criminals planning a concerted assault to withdraw a total of £64 000 in the Leeds and London areas by using duplicates of a stolen card with a known PIN. All the withdrawals took place in the early hours of one weekday when the central database was being updated and on-line access to customers' account balances was temporarily withdrawn from the cash dispenser service.
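The attack above works because, during the update window, the dispenser has nothing to check a withdrawal against and so approves it. The defence is a stand-in authorization policy: while the balance file is unavailable the dispenser applies its own much tighter ceilings, and at all times it refuses a card that appears in two towns faster than its holder could travel. The block below is an added example written for this page to show such a policy; it is not the bank's system or code from the article. The limits, the assumed Leeds-London travel time, the card number and the withdrawal sequence are all constructed.

```python
"""Stand-in (off-line) authorization for a cash-dispenser network.

Added example, not from the article. When the central account file is being
updated and balance checks are unavailable, the dispenser falls back to these
rules rather than paying out freely: tight per-withdrawal and per-day ceilings
for off-line approvals, and an impossible-travel check that catches duplicate
cards used in two towns faster than a cardholder could move between them.
All limits, travel times, card numbers and the withdrawal sequence are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OFFLINE_MAX_PER_TXN = 100.0          # £ per withdrawal while off-line
OFFLINE_MAX_PER_DAY = 200.0          # £ per card per calendar day while off-line
OFFLINE_MAX_TXNS_PER_DAY = 2         # off-line withdrawals per card per day
# Assumed minimum time to move one card between two towns (unordered pair).
MIN_TRAVEL = {frozenset({"LEEDS", "LONDON"}): timedelta(hours=2)}


class StandInAuthorizer:
    def __init__(self):
        self.offline_spent = defaultdict(float)   # (card, day) -> £ approved off-line
        self.offline_count = defaultdict(int)     # (card, day) -> off-line approvals
        self.last_seen = {}                       # card -> (timestamp, town) of last approval

    def authorize(self, card, amount, town, ts, online):
        """Return 'APPROVE' or a 'DECLINE: reason' string for one withdrawal."""
        # Impossible-travel check applies whether or not the host is reachable.
        prev = self.last_seen.get(card)
        if prev is not None:
            prev_ts, prev_town = prev
            min_gap = MIN_TRAVEL.get(frozenset({prev_town, town}))
            if min_gap is not None and ts - prev_ts < min_gap:
                return "DECLINE: card used in two towns faster than travel allows"

        if not online:
            # No balance available: apply the stand-in ceilings instead.
            day = (card, ts.date())
            if amount > OFFLINE_MAX_PER_TXN:
                return "DECLINE: exceeds off-line per-transaction limit"
            if self.offline_spent[day] + amount > OFFLINE_MAX_PER_DAY:
                return "DECLINE: exceeds off-line daily limit"
            if self.offline_count[day] >= OFFLINE_MAX_TXNS_PER_DAY:
                return "DECLINE: too many off-line withdrawals today"
            self.offline_spent[day] += amount
            self.offline_count[day] += 1

        self.last_seen[card] = (ts, town)
        return "APPROVE"


# Constructed sequence: one card and its duplicate during the early-hours
# update window, then a genuine on-line withdrawal later in the morning.
SAMPLE_WITHDRAWALS = [
    ("4929000000000001", 100.0, "LEEDS",  datetime(1987, 2, 17, 2, 5),  False),
    ("4929000000000001", 100.0, "LONDON", datetime(1987, 2, 17, 2, 7),  False),
    ("4929000000000001", 100.0, "LEEDS",  datetime(1987, 2, 17, 2, 15), False),
    ("4929000000000001",  50.0, "LEEDS",  datetime(1987, 2, 17, 2, 20), False),
    ("4929000000000001", 100.0, "LONDON", datetime(1987, 2, 17, 9, 30), True),
]


def run_sample(withdrawals=SAMPLE_WITHDRAWALS):
    """Feed the constructed sequence through one authorizer; return decisions."""
    auth = StandInAuthorizer()
    return [auth.authorize(*w) for w in withdrawals]


if __name__ == "__main__":
    for w, decision in zip(SAMPLE_WITHDRAWALS, run_sample()):
        mode = "on-line" if w[4] else "off-line"
        print(f"{w[3]:%H:%M} {w[2]:<7} £{w[1]:>6.2f} {mode:<8} -> {decision}")
```

Against the sample, the London duplicate two minutes after a Leeds withdrawal is refused outright, and the Leeds card is stopped once £200 has gone out off-line; the 09:30 withdrawal, with the host back, is approved on its balance as usual. The point of the design is that the update window, which the criminals in the case relied on, now costs them at most the off-line ceiling per card rather than the whole account.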

Current concerns and new security products

However ineffective the UK's current Data Protection legislation may appear in practice, senior management have nevertheless been made aware of their legal obligations to take reasonable care in the protection of personal data in their company. Many organizations are also aware of potential weaknesses in, for example, the CICS on-line and TSO time-sharing systems for medium to large IBM computers. As a result, the majority of large IBM sites are using one of the many access control software packages on the market to bolster access protection to sensitive corporate and personal data. The majority of such packages will also provide detailed logs for auditors and security managers to help detect access violations or unusual activities on data access. The problem remains end users' lack of awareness of the need to improve the quality of passwords to deter hackers and to regularly renew their passwords to minimize opportunities for fraud and abuse.
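Two of the weaknesses on this page are things an installation can find in its own user file before a hacker does: the maintenance engineers' default accounts still carrying their factory passwords (the ones the earlier section says were posted in installation manuals), and end users whose passwords are guessable or have not been renewed. The audit below, an added example written for this page and not a product or code from the article, checks both. Everything in it is constructed: the account names, the 'factory default' list, the common-password list, the sample user file and its storage format, which is assumed to be a salted SHA-256 hash so that the audit can test candidate passwords without ever reading the file in clear.

```python
"""Credential-hygiene audit for an access-control user file.

Added example covering two points in the text: maintenance accounts whose
factory passwords were never changed, and end users whose passwords are
guessable or stale. Everything here is constructed: the account names, the
factory-default list, the common-password list, the sample user file and its
storage format (salted SHA-256, an assumption, chosen so the audit can test
candidate passwords against the stored hashes without a cleartext file).
"""
import hashlib
from datetime import date

# Constructed list of maintenance logins shipped with a factory password.
FACTORY_DEFAULTS = {"FIELDENG": "SERVICE", "REMDIAG": "DIAG"}
# Constructed short list of the passwords an attacker tries first.
COMMON_PASSWORDS = ["password", "secret", "welcome", "letmein", "123456"]
MAX_PASSWORD_AGE_DAYS = 90
AUDIT_DATE = date(1987, 3, 1)       # constructed 'today' for the sample run


def password_hash(password, salt):
    """Assumed storage format of the user file: SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(user, password, last_changed, salt):
    """Build one user-file record the way the (assumed) system stores it."""
    return {"user": user, "salt": salt, "hash": password_hash(password, salt),
            "last_changed": last_changed}


def audit_accounts(records, as_of=AUDIT_DATE, factory_defaults=FACTORY_DEFAULTS,
                   common_passwords=COMMON_PASSWORDS, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return a list of (user, finding) pairs."""
    findings = []
    for rec in records:
        user, salt, stored = rec["user"], rec["salt"], rec["hash"]
        # Try the factory default first (if this is a known maintenance login),
        # then the common list; each candidate is hashed with the account's salt.
        candidates = list(common_passwords)
        if user in factory_defaults:
            candidates.insert(0, factory_defaults[user])
        for cand in candidates:
            if password_hash(cand, salt) == stored:
                if user in factory_defaults and cand == factory_defaults[user]:
                    findings.append((user, "factory default password still in use on maintenance account"))
                else:
                    findings.append((user, f"password is in the common-password list ({cand!r})"))
                break
        age = (as_of - rec["last_changed"]).days
        if age > max_age:
            findings.append((user, f"password not changed for {age} days (limit {max_age})"))
    return findings


# Constructed sample user file (real salts would be random per account).
SAMPLE_USERS = [
    make_record("FIELDENG", "SERVICE", date(1985, 1, 10), b"\x01" * 8),
    make_record("jsmith", "password", date(1987, 2, 1), b"\x02" * 8),
    make_record("rbrown", "Xk7#pq!2", date(1986, 10, 1), b"\x03" * 8),
    make_record("tgreen", "M9v$wd3L", date(1987, 2, 20), b"\x04" * 8),
]


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_USERS):
        print(f"{user}: {finding}")
```

On the sample file the engineers' account is reported twice (factory password, never changed), one user is on the common-password list and another is three months overdue for renewal. The salted-hash comparison is the part worth noting: the audit never needs the passwords, only a candidate list and the same hash routine the system uses, which is also exactly what an attacker with a copy of the file would do, so the candidate list should be at least as good as theirs.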

At the lower end of the market, because of inherent difficulties in securing data on personal computers, we have seen a massive growth in PC security-related products, ranging from physical locks on equipment cabinets and the power supply, to password and encryption software, to secure programs and data.

Large organizations are increasingly aware of the need to have a consistent corporate security policy across the board as more personal computers appear in various user departments. With networking, workstations could download data from the corporate database on the central mainframe, onto their own diskettes for local programs to manipulate the details. In the absence of a consistent corporate security policy, despite good security at the data centre, an organization could find itself falling victim to industrial espionage if the security of personal computers and workstations can easily be compromised. This calls for the need to address such areas as security classification of data and staff responsibilities, criteria for control of access and monitoring, as well as backup and contingency planning. Consultancy companies such as BIS are busy developing risk analysis techniques to assist computer users assess their system vulnerabilities, and to provide security standards and guidelines for secure protection of data.

The success of hackers in penetrating public and dial-up networks has prompted suppliers and vendors to offer call-back devices, security modems, and other novel communication security products. Most users and suppliers of electronic funds transfer systems are now enlisting the use of encryption and authentication devices to guard against wire-tapping and the interception of messages in order to modify their contents. BIS consultants have also assisted insurance underwriters in computer fraud surveys of financial service organizations in support of their application for computer crime insurance cover.
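The authentication devices referred to above compute a message authentication code over each transfer instruction under a key shared by the two banks, so that a message altered on the wire (the payee accounts changed in the front-end processor case, for instance) no longer matches its code and is rejected. The exchange below is an added example written for this page, not code from the article or from any EFT vendor. The devices of the period used DES-based MACs; HMAC-SHA256 is used here as the modern equivalent. The key, account numbers and instruction are constructed, and the sequence number is included so that a captured genuine message cannot simply be replayed.

```python
"""Message authentication for an electronic funds transfer instruction.

Added example, not from the article. The sending site computes a MAC over the
instruction under a key shared with the receiving bank; the receiver
recomputes it and rejects any message whose contents were altered in transit,
and also rejects a replayed sequence number. Period devices used DES-based
MACs; HMAC-SHA256 stands in for them here. Key, account numbers and the
instruction are all constructed.
"""
import hashlib
import hmac
import json

# Constructed 32-byte shared key (in practice loaded into the device, never in code).
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def canonical(message):
    """Serialise the instruction deterministically so both ends MAC identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign(message, key):
    """Sender side: MAC over the canonical instruction, returned as hex."""
    return hmac.new(key, canonical(message), hashlib.sha256).hexdigest()


class Receiver:
    """Receiving bank: verifies the MAC and remembers sequence numbers already processed."""

    def __init__(self, key):
        self.key = key
        self.seen_seq = set()

    def accept(self, message, tag):
        """Return (accepted, reason) for one received instruction and its MAC."""
        expected = sign(message, self.key)
        # Constant-time comparison: a plain == leaks how many leading bytes matched.
        if not hmac.compare_digest(expected, tag):
            return False, "MAC mismatch: message altered in transit or wrong key"
        if message["seq"] in self.seen_seq:
            return False, f"replay: sequence {message['seq']} already processed"
        self.seen_seq.add(message["seq"])
        return True, "accepted"


# Constructed transfer instruction.
SAMPLE_INSTRUCTION = {
    "seq": 1041, "from": "00000001", "to": "00000002", "ccy": "GBP", "amount": "318000.00",
}


def run_sample():
    """Genuine delivery, then a payee substitution on the wire, then a replay."""
    rx = Receiver(SHARED_KEY)
    tag = sign(SAMPLE_INSTRUCTION, SHARED_KEY)
    genuine = rx.accept(SAMPLE_INSTRUCTION, tag)
    tampered_msg = dict(SAMPLE_INSTRUCTION, to="00000099")   # payee changed en route
    tampered = rx.accept(tampered_msg, tag)                    # same tag no longer matches
    replayed = rx.accept(SAMPLE_INSTRUCTION, tag)              # genuine message sent twice
    return genuine, tampered, replayed


if __name__ == "__main__":
    for label, (ok, why) in zip(("genuine", "tampered", "replayed"), run_sample()):
        print(f"{label:<9}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The MAC protects integrity and origin, not confidentiality: anyone on the line can still read the instruction, which is what the encryption mentioned alongside it is for. It also does nothing against an insider who holds a valid password on the sending system, as in the cases earlier on this page; that is a segregation-of-duties problem, not a line-security one.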

Adequate contingency planning remains one of the key issues of corporate and computer management, not only against natural disasters such as fire and flooding, but also in dealing with strike action from staff as well as arson and bombing from criminals and terrorist groups. We recently came across an underground publication, Towards a Citizen's Militia, which actually offers advice to extremists and urban guerrillas on the most effective ways to disrupt communications and computer services. If subversive elements can have ready access to such knowledge to launch a calculated assault, we should likewise sharpen our defences, instead of continuing to bury our heads in the sand and pretend that we shall never be selected as terrorist targets. Prudent action must be taken in advance of any computer disaster to mitigate losses arising from prolonged disruptions to corporate computer and network services.


The ease of eavesdropping on information displayed on VDU screens has caused quite a stir among bankers and corporate managers with security responsibilities for sensitive information. The costs of protecting against electromagnetic emanations from computer equipment and terminal screens have come down drastically in recent months and are currently attracting only an additional 20% premium on the costs of equipment to provide the necessary shielding. The UK Ministry of Defence has also relaxed its restrictions on defence contractors to offer such products to the business sector.

Conclusion

As computer crime expands to involve a widening range of computer criminals from various business and technical sectors, the methods of perpetration and scales of losses are increasingly diverse. Security managers need to be better informed and better prepared to counter new risks and potential attacks from new quarters. In a rapidly changing business world where corporate executives are forever striving for market excellence and cost containment, some risks have to be incurred in making business decisions. Likewise the security manager faces a similar choice in managing computer risks. 100% security is difficult to achieve and could well turn out to be counter-productive and extremely costly. The prudent security manager will need to have a good knowledge of his company's business, be able to select the correct strategy to provide an adequate level of overall protection against all pertinent risks in his computer systems, and remain constantly in tune with the latest product offerings to obtain cost-effective protection.

Ken Wong, BIS Applied Systems Ltd.

US COMPUTER FRAUD REACHES $5 BILLION

Ernst & Whinney, the accountants, have told the US National Commission on Fraudulent Financial Reporting that losses from computer fraud in the US are running at $3-$5 billion a year at a conservative estimate (Financial Times, 17 March 1987). Ernst & Whinney add that the spread of computing techniques makes it likely that such frauds will increase in frequency and sophistication. The frauds are mostly committed by insiders, who often hold a trusted and responsible job within the company.

More than 80% of a sample of US companies surveyed by Ernst & Whinney in 1985 reported financial losses through computer security problems in the previous two years. The accountants' report cites figures from the Federal Bureau of Investigation suggesting that the average sum involved in reported computer frauds is now $600 000 compared with $23 000 for frauds perpetrated manually.

The report warns that senior executives can pull data down from the corporate mainframe onto their PC, manipulate the data to make the company appear more profitable, and send the new data back to the mainframe without an audit trail. However, managers at all levels could manipulate financial information on an on-line
