Computer Audit Update
September 1992

will be relatively secure. However, a number of issues will still require attention. We believe that these issues can only be effectively and securely resolved, in an otherwise open environment, by implementing a personal intelligent token based system. Our reasons are detailed below.

Multiplatform applications will require several passwords to be entered by users, and this can be highly inconvenient; an intelligent token could securely store or access all the passwords a user requires for end-to-end security. Ease of use: the inconvenience of the security system will be significantly reduced if the user is provided with a unique identification token which may be used easily and securely at any client terminal, or location, to access the required applications. Security administration costs will be minimized if only one person/function is required to create and update user access profiles and each profile is carried around by the owner in an intelligent token. All profile changes could be transmitted from a central administration facility to a specific token over the communications network.

Confidentiality and integrity services such as data or password encryption can be provided for all combinations of users and applications via a cryptographic facility within the token. Security can be further enhanced by using the cryptographic facility to perform authentication and integrity functions, e.g. client-to-server authentication. A number of options are available to implement the intelligent token based system described above. These can be accomplished through the use of smartcards, smart diskettes or similar devices; which one the implementor selects will depend on preferences and the type of terminal used.

David Pullen and Bernard Robertson both work at PA Consulting Group's Security Consulting Centre, London.

THE PSYCHOLOGY OF COMPUTER CRIME - PART 1
Kathy Buckner and Guy Fielding

Classification and Extent of Computer Crime

The diversity and extent of computer crime are often underestimated. Rapid growth in the number of personal computers used for information gathering and processing throughout the business world, combined with the continuing development of more user friendly systems, has led to an increase in the number of people with the ability and opportunity to participate in computer crime. The identification of those who are likely to be involved in computer crime can be assisted by the application of theories of human behaviour. A better understanding of the way in which criminals think about crime, and in turn of the way we ourselves think about computer crime, can determine the effectiveness of the techniques which are used for prevention and detection.

The concept of computer crime
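Returning to the intelligent-token article above: it proposes that one personal token hold every credential a user needs, that profile changes be pushed to that token by a central administration facility, and that the token's cryptographic facility perform client-to-server authentication, but it does not spell out an exchange. The following Python is an added illustration by the editor, not code from the article, its authors or PA Consulting. It assumes a keyed-MAC challenge-response (HMAC-SHA256, an assumption, since the article names no algorithm or device), one key per application held inside the token and registered with that application's server by an assumed provisioning step, and it shows the two messages of the exchange, why the secret never crosses the network, and why a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


class IntelligentToken:
    """Stand-in for the user's personal token. It holds one secret key per
    application and never discloses them: the only operation it offers is
    answering a challenge. Added illustration; HMAC-SHA256 is an assumption,
    the article names no algorithm."""

    def __init__(self, user_id):
        self.user_id = user_id
        self._keys = {}            # application name -> key bytes

    def provision(self, application, key):
        """Assumed central-administration step: a profile update loads a
        per-application key into this specific token."""
        self._keys[application] = key

    def respond(self, application, server_nonce):
        """Message 2 (client -> server): MAC over the application name, the
        user id and the server's nonce, so a response is bound to one
        application, one user and one logon attempt."""
        msg = b"|".join([application.encode(), self.user_id.encode(), server_nonce])
        return hmac.new(self._keys[application], msg, hashlib.sha256).digest()


class ApplicationServer:
    """One server-side application that authenticates users by challenge
    and response instead of by receiving a password."""

    def __init__(self, application):
        self.application = application
        self._keys = {}            # user id -> key shared with that user's token
        self._outstanding = {}     # user id -> nonce awaiting a response

    def register(self, user_id, key):
        self._keys[user_id] = key

    def challenge(self, user_id, nonce=None):
        """Message 1 (server -> client): a fresh random nonce. A caller may
        pass `nonce` to make a run reproducible; production code leaves it None."""
        if user_id not in self._keys:
            raise KeyError("unknown user %r" % user_id)
        if nonce is None:
            nonce = secrets.token_bytes(16)
        self._outstanding[user_id] = nonce
        return nonce

    def verify(self, user_id, response):
        """Check message 2. The outstanding nonce is consumed whether or not
        the check passes, so a captured response cannot be replayed, and the
        comparison is constant-time."""
        nonce = self._outstanding.pop(user_id, None)
        if nonce is None:
            return False
        msg = b"|".join([self.application.encode(), user_id.encode(), nonce])
        expected = hmac.new(self._keys[user_id], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def provision_user(user_id, applications, token):
    """Assumed administration facility: generate one key per application,
    load it into the user's token and register it with that application's
    server. Returns the servers keyed by application name."""
    servers = {}
    for app in applications:
        key = secrets.token_bytes(32)
        token.provision(app, key)
        server = ApplicationServer(app)
        server.register(user_id, key)
        servers[app] = server
    return servers


def logon(server, token, nonce=None):
    """Run the two-message exchange end to end and return the verdict."""
    nonce = server.challenge(token.user_id, nonce)
    return server.verify(token.user_id, token.respond(server.application, nonce))


if __name__ == "__main__":
    alice = IntelligentToken("alice")
    servers = provision_user("alice", ["payroll", "ledger"], alice)
    print("payroll logon:", logon(servers["payroll"], alice))   # True
    captured = alice.respond("payroll", servers["payroll"].challenge("alice"))
    servers["payroll"].verify("alice", captured)
    print("replayed response accepted:", servers["payroll"].verify("alice", captured))  # False
```

Nothing secret is ever sent: the server sends a nonce, the token sends a MAC, and an eavesdropper who records both learns neither the key nor anything reusable, because the server discards a nonce the moment a response for it is checked. The same property the article sells as convenience, one token answering for every application, also makes the token the single point of compromise, so in practice the device must refuse to respond without its holder's PIN, which this sketch leaves out.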
Before beginning a discussion of the computer criminal it is essential to identify what is meant by computer crime and to understand the diversity of activities which can be classified as computer crime. We will begin by looking at some specific 'types' of computer crime. Firstly, theft, which could involve the removal of data on any type of magnetic or optical media or on paper. It could also be the removal of hardware such as printers or personal computers, or the removal of commercial software involving unauthorized copying or 'pirating'. Computer based espionage is a specific type of theft which may be undertaken for industrial, commercial or political reasons, with or without the help of investigative journalists. A recent example of this phenomenon occurred just prior to the 1992 UK general election, when there was a spate of reports of information being removed from computers in the offices of a number of political parties.

The second type of computer crime, and one which can generate significant financial rewards for successful participants, is fraud. Michael Comer defines this as "any behaviour by which one person intends to gain a dishonest advantage over another" [1]. Alteration or falsification of data by the intentional input into a computer system of incorrect data or improper instructions for malicious reasons is often associated with fraudulent criminal activity.

Finally, sabotage, which could be the physical damage of equipment. For example, in the case reported in the Computer Guardian, 3 March 1988, a US Air Force computer was destroyed by a peace activist using a crowbar, a hammer, a cordless electric drill and a belt cutter: unfortunately for her she attacked the wrong computer! Alternatively, sabotage could take the form of the intentional introduction of viruses into an organization's computers or computer networks. Hacking, involving unauthorized access to a computer which may result in the committing of a criminal activity, may or may not come into the category of sabotage. We shall return to the subject of hacking later in the discussion.

The types of computer crimes which hit the headlines tend to be both unusual and rare. The majority of computer crimes tend to be both simple and uninteresting, at least to the media. The implication is that the types of security measures required to improve security may not be particularly complex or sophisticated. Although sophisticated measures may be required, it is the obvious and mundane that should be explored and implemented as a first priority.

©1992 Elsevier Science Publishers Ltd
Classification of computer crime

Computer crime manifests itself in many different ways, and different criminal activities are likely to be undertaken by different types of people. Referring to crime in general, common sense tells us that 'a crime is a crime', that is, that all crime is fundamentally similar. This is not in fact the case. Even the most cursory study of the phenomenon demonstrates that there are a wide variety of different kinds of crime, perpetrated by an equally varied range of criminals. Some types of crime will appeal to one type of criminal, other types of crime will appeal to other types of criminal.

'Picaresque' crime refers to the crime of rogues and rascals, the classic notion of those who are criminals because they enjoy it and are 'that way inclined'. Crime as 'craft' refers to vocational crime, that is, to crime engaged in as a way to earn a living. Crime here is just another job. Crime as 'project' refers to the one-off crime, executed because a particular need and/or opportunity arises, and is not predicted by either previous or subsequent behaviour, nor by social contacts or conditions. It is crime as project that is most frequently implied when computer crime is discussed. This may be because such crime attracts our attention precisely because it is 'surprising' with respect to common sense expectations. Crime as 'business' refers to organized crime, where professionals operate in organized groups, backed by substantial resources, on a continuing basis, and undertake crime which offers far greater benefits and far fewer risks than does conventional (for example, armed robbery) crime. There is an increasing tendency for professional criminals to be involved in large-scale computer crime, although typically the initial action will involve the identification of a potentially dishonest employee (or 'insider').

It is also possible to classify computer crime according to the type of activity undertaken. Doswell and Simons [2] have identified two main types. Firstly, there is computer related or computer assisted crime, that is, any crime in which the computer is merely coincidental. The criminal has used the computer to undertake a criminal activity which, prior to the introduction of computers, might just as easily have been undertaken by pen and paper. For example, a computer may be used by a clerk to enter a fraudulent transaction into an accounting system or to alter transactions or account numbers. The crime may not even have been initiated by the person undertaking the data input. It may have been initiated much earlier in the input process by, for example, the person responsible for producing the initial transaction documents. The significant point to note here for computer security is that no special computer knowledge is required other than the ability to use input devices such as the keyboard. On the other hand, true computer crime needs computer expertise (rather than simply clerical or data input expertise). The criminal requires the knowledge and expertise to be able to program or 'hack' into the system. Here the criminal will intentionally alter or add programs. Increasing computer literacy amongst the population in general means that there is a growing pool of people with the expertise to undertake this type of activity.

The scale of the problem

There is substantial evidence to indicate that to date computer crime rates may well have been underestimated. Considering firstly crime rates in general, it can be seen from self-report studies (that is, studies in which a random sample of a particular population is asked whether they have committed any crime of a specific type over a given period) that the officially reported rate of any type of crime is a gross underestimate of the extent of crime indicated by such self reports. Indeed, one particular survey by Hood and Sparks [3] indicated that actual crime rates may be four times as great as officially reported crime rates. Focusing on computer crime in particular, a range of surveys in recent years have produced widely varying estimates of the extent of losses due to computer fraud. In 1991 the UK's Department of Trade and Industry estimated that computer fraud alone was costing British businesses up to £1 billion per annum. As a specific example, Visa International, in 1989, were anticipating losses of £130 million due to computer fraud, and this was considered acceptable because it represented less than 1% of total turnover.
Definitive statistics relating to losses due to computer crime are impossible to find, and Donn Parker (reported by Sterlicchi [4]) maintains that we should in any case be wary of computer crime figures on three counts:
• Victims generally resist revealing information about the crime as a matter of policy.
• The individuals surveyed often do not know all of the facts and figures relating to their organization.
• Definitions of the various types of misuse are both complex and very varied, and therefore likely to be misunderstood.
An additional explanation for the variations in estimates of the extent of computer crime is that they result from 'wishful thinking' or a 'head in the sand' attitude, combined with an inability to estimate accurately the extent of unknown losses which are actually due to computer fraud. Breaking this down in more detail, the apparently low level of computer crime statistics can be attributed to several factors:

• Companies do not wish to be perceived as having lax computer security. Where security breaches come to light they may believe that their credibility and profits are at risk.
• There is perceived to be (by both criminals and organizations) inadequate, unworkable, unenforceable legislation to deal with computer crime.
• There are considerable difficulties in detection. The majority of computer crimes are not detected: they are stumbled across.
• Companies are concerned about liability. For example, with respect to the Data Protection Act, companies who fail to take proper precautions with data security may be liable to prosecution.
• There exists a fear of alerting would-be offenders to the potential riches of computer crime by exposing the vulnerability of computing systems.
• Existing computer security monitoring and control is generally so inadequate that people genuinely do not know the extent of the problem.

This last point poses additional problems for those wishing to improve computer security. It may be impossible to quantify any improvement due to the introduction of new security arrangements, and in fact there may appear to be a worsening situation as improved security highlights the extent of losses and of abuse of the system. Thus it may become difficult to justify either proposed improvements or the continuation of existing ones on the basis of cost/benefit analysis alone.

Despite weaknesses in the data, the evidence indicates that computer crime is on the increase. Organizations of all sizes are becoming increasingly dependent upon computer technology, and hence there is a steady increase in the number of computer systems available. In 1982 there were very few word processors or desktop information systems in existence. Now, just 10 years on, there are powerful, sophisticated systems in almost every office. There are also developments towards more user friendly systems which no longer need the skilled and specialist computer expert to operate them. People from all walks of life are expected to use computer based information systems. The population as a whole is becoming more computer literate, and this, combined with the proliferation of computers, means that there is an increase in the number of people who have both the ability and the opportunity to commit computer crimes.
References

1. Comer MJ, Corporate Fraud, McGraw Hill, 1977.
2. Doswell R and Simons GL, Fraud and Abuse of IT Systems, NCC Publications, 1986.
3. Hood R and Sparks R, Key Issues in Criminology, London, Weidenfeld and Nicolson, 1970.
4. Sterlicchi J, Fashionable Figures: The latest trends in Crime Statistics, Computer Fraud and Security Bulletin, May 1990, pp 1-4.
Kathy Buckner and Dr. Guy Fielding are members of the Department of Communication and Information Studies, Queen Margaret College, Edinburgh.
NEWS

The end of the Inslaw saga?

One of the most notorious cases of software crime over the past few years, the Inslaw case, may finally be coming to a close, though its repercussions have been, and continue to be, felt throughout the US Government. Wayne Madsen reports:

In August the US House of Representatives' Judiciary Committee voted 21 to 13 (along Democratic and Republican party lines) to approve a report that the US Justice Department used trickery, fraud and deceit in stealing a software program from Inslaw Inc. Additionally, the report claims that the department allowed Inslaw's proprietary software, PROMIS, to be sold to overseas interests, thus depriving Inslaw of revenue. The report also finds that former Attorneys General Edwin Meese III and Richard Thornburgh deliberately blocked Congressional attempts to investigate the incident during the 1980s. Finally, the report questions the completeness of the investigation into the death of Danny Casolaro, a journalist who was investigating the Inslaw case for a book entitled The Octopus File. The Judiciary Committee called for the appointment of an independent special prosecutor to investigate the entire Inslaw matter.

This case has many aspects. Three articles which delve into the case in detail are the 5 March 1992 issue of Frank Magazine ('PROMIS, PROMIS'); the November/December issue of Columbia Journalism Review ('The Octopus File' by Phil Linsalata); and the Winter 91-92 issue of the Covert Action Information Bulletin ('The Mysterious Death of Danny Casolaro' by David MacMichael). The following information is mostly