have been shown to stand up well even to specially set up "technical expert attack teams" designed to probe for weaknesses in a system's defences. Others can be bypassed very simply. The simplest method of all - and this is a fundamental weakness of passwords - is to discover the password which unlocks a particular aspect of the system. This is analogous to having someone's key and taking it along to a key cutter for copying, the difference being that a copy of the password can be obtained at a glance. On the whole it is very difficult for someone to bypass the system's security controls if he has no access to the system at all. He needs to be able to run some work on the system in order to obtain a "toehold" from which he can start subverting it. Although Christensen and McLaughlin had their computing privileges removed, they must have been able to use someone else's password in order to start on the second phase of their destructive activity.
Virtual machine
Once an attacker has gained some access to the system, the amount of damage he can do varies a great deal with the system design. Many recently designed systems have gained a lot in integrity and security by introducing the concept of a "virtual machine", by which the user's view of the system is severely restricted. It becomes difficult or impossible to interfere with other users' programs or, more importantly, with the Operating System. Password files are crucially vulnerable when considering a system under attack. Three levels of defence are possible:
(a) if there is a file protection system installed, then it will be much more difficult for an attacker to gain the information he seeks;
(b) it is likely to be more difficult for an attacker to gain or maintain his toehold if passwords are changed frequently;
(c) there are "one way" encryption algorithms available, which can be used for storing passwords. In this situation, even though the attacker can get at the password file, the encrypted passwords will be of very little use to him.
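Defences (b) and (c) in working form, as an added example that is not part of the original bulletin. It places the weak design (a password file holding the passwords themselves) beside the "one way" design, in which the file holds only a random salt and an iterated hash, so that reading the file no longer hands the attacker the password. Python's PBKDF2-HMAC-SHA256 is used as a present-day stand-in for the one-way algorithms the text refers to; the accounts, the 90-day change interval and the account names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts for the demonstration; not real credentials.
SAMPLE_USERS = {"alice": "correct horse", "bob": "s3cret!"}

DAY = 86400


def plaintext_file(users):
    """The weak design: the password file holds the passwords themselves.
    Anyone who can read the file has every key on the ring."""
    return {name: {"password": pw} for name, pw in users.items()}


def make_record(password, iterations=200_000, now=None):
    """The 'one way' design: keep a random salt and an iterated hash of the
    password, never the password itself. PBKDF2-HMAC-SHA256 stands in here
    for the one-way algorithms the text refers to (an assumption of this
    example, not a statement about the systems the bulletin describes)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "salt": salt.hex(),
        "iter": iterations,
        "hash": digest.hex(),
        "changed": time.time() if now is None else now,  # used for defence (b)
    }


def hashed_file(users, now=None):
    return {name: make_record(pw, now=now) for name, pw in users.items()}


def verify(record, candidate):
    """Re-derive the hash with the stored salt and compare in constant time.
    The password is never recovered from the record, only re-derived and matched."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def password_expired(record, max_age_days, now=None):
    """Defence (b): a copied password stops working once its owner has had to
    change it. A record older than max_age_days is refused until it is renewed."""
    now = time.time() if now is None else now
    return now - record["changed"] > max_age_days * DAY


def login(password_file, name, candidate, max_age_days=90, now=None):
    """Combined check: unknown user, expired password and wrong password all fail."""
    record = password_file.get(name)
    if record is None:
        return False
    if password_expired(record, max_age_days, now):
        return False
    return verify(record, candidate)


def file_reveals_passwords(password_file, users):
    """What an attacker who has read the file gets: does any real password
    appear verbatim among the stored values?"""
    stored = [str(v) for rec in password_file.values() for v in rec.values()]
    return any(pw in stored for pw in users.values())


if __name__ == "__main__":
    weak = plaintext_file(SAMPLE_USERS)
    strong = hashed_file(SAMPLE_USERS, now=0.0)
    print("plaintext file leaks passwords:", file_reveals_passwords(weak, SAMPLE_USERS))
    print("hashed file leaks passwords:   ", file_reveals_passwords(strong, SAMPLE_USERS))
    print("alice logs in on day 30: ", login(strong, "alice", "correct horse", now=30 * DAY))
    print("alice logs in on day 100:", login(strong, "alice", "correct horse", now=100 * DAY))
```

The salt is what keeps two users with the same password from producing the same stored value, and the iteration count is what makes guessing the password from a stolen file slow; the comparison uses a constant-time function so that the check itself does not leak how many bytes of a guess were right. Note that hashing protects the file at rest only: an attacker who obtains the password "at a glance", as the text describes, is not stopped by it, which is why defence (b) is shown alongside.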
There is no doubt that the University of Alberta's computer was not fully protected, because the press reports mention security programs which were waiting to be installed. In addition, University computers are particularly at risk from a large number of intelligent, curious and possibly mischievous students, with plenty of time on their hands and easy access to the computer. This sort of undermining of a system is less likely in commercial installations, but would be just as difficult to deal with if it ever occurred.
TELEVISION FILM ON COMPUTER CRIME
COMPUTER FRAUD & SECURITY BULLETIN Vol 1 No 6
Albert W Hall, a reader from Austria, has reported on a recent television film. The German film began with the murder of the boss of a computer centre. The police discovered that the centre held the data of those Germans waiting for a kidney transplant and that the manager had been accepting bribes to pull out selected names instead of letting the computer choose the optimal recipient. The murderess was the sister of a young man who had to have his blood "washed" while waiting for a kidney donor. The film ended with the new manager just about to leave his office when the phone rang: "No, that's not possible. What? A million marks? No, please don't phone again. Please." But his hand was trembling as he hung up the phone. Remember: there is a chance for fraud in every job!
TELEPHONE FRAUD
Raymond A Acker was convicted of the type of fraud a London computer manager said he would commit if he had the chance (December Bulletin). Acker, aged 63, is the retired Vice President of Data Processing of the SouthWestern Bell Telephone Company, for whom he had worked for 35 years. Accused with him were five businessmen from the Intercap Corporation of Dallas, the International Equipment Financing Corporation, the Citizen's State Bank and a firm of lawyers. The fraud is alleged to have begun in 1974 when Acker was bribed to place his company's business with selected computer leasing companies. Between 1974 and 1978, Acker is alleged to have cost his employers over $1 million. He pleaded guilty to conspiracy to defraud amounting to $900 000 and to tax evasion of $454 000.
Legitimate tax saving
The leasing deals were accepted by SouthWestern Bell as they appeared to be a legitimate method of tax saving, but Acker and his colleagues took advantage of the opportunity when a consultant employed by the telephone company suggested the scheme. The fraud came to light after Acker had retired from the company, and he now faces a maximum sentence of 30 years' imprisonment.
Comment
The sort of tax avoidance/leasing scheme exploited by Acker and his colleagues has direct parallels in Europe, and it is possible that this type of fraud will be detected there in the future. The potential for frauds of this nature does, however, seem greater in the USA at the moment. Europe does not have the vast surpluses of computer equipment that have encouraged small American companies to open up as leasing houses. Where there are surpluses of equipment (much of which is outdated), the competition to dispose of it rises and the risks of kickbacks, bribes and corruption increase.
NO CASH AND CARRY
X Ltd is a chain of cash and carry warehouses. Their business is particularly vulnerable to fraud: customers swap price labels, exchange the contents of boxes and even bribe cashiers not to ring up items on the tills. The first defence of the proprietors was to employ "callers" who would examine the