Volume 7
Number 12
ISSN 0142-0496
OCTOBER 1985
COMPUTER FRAUD & SECURITY BULLETIN
Editor: MICHAEL COMER, Director, Network Security Management Ltd, London
Associate Editor: FRED LAFFERTY, Director of Corporate Security, Cargill Inc, Minneapolis

Editorial Advisors:
Patrick M. Ardis, Partner, Wildman, Harold, Allen, Dixon & McDonnell
Jay J. BloomBecker, Director, National Data Center for Computer Crime, Los Angeles
Robert P. Campbell, CDP, President, Advanced Information Management Inc, Woodbridge, Virginia
Andrew Chambers, BP Professor of Internal Auditing, The City University Business School, London
Pieter van Dijken, Former Chief of Fraud Department, N.C.I.S., The Hague
Dr. Jerry Fitzgerald, Jerry Fitzgerald & Associates, Redwood City, California
Fred M. Greguras, Attorney, Fenwick, Stone, Davis & West, Palo Alto, California
Peter Hamilton, Managing Director, Zeus Security Consultants Ltd, London
Jocelin Harris, Lawyer and Banker, London
Peter J. Heims, Fellow of the Institute of Professional Investigators, London
Geoffrey Horwitz, Consultant, Johannesburg
Alistair Kelman, Barrister and Legal Expert in Microelectronics and Computing, London
Jules B. Kroll, President, Kroll Associates, New York
David Lancaster, Vice President and Chief Auditor, Gulf Investment Corp, Kuwait
Las Lawrence, Director, Venalda Pty Ltd, New South Wales, Australia
R. J. Lindquist, Lindquist Holmes & Co, Toronto
Norman Luker, Security Management, Northern Telecom Ltd, Montreal
James Martin, Author and Lecturer
Adrian R. D. Norman, Consultant, Arthur D. Little Ltd, London
Donn B. Parker, Senior Management Systems Consultant, Stanford Research Institute, Menlo Park, California
Alec Rabarts, Fellow of the Institute of Chartered Accountants, London
Michael I. Sobol, President, MIS Training Institute, Framingham, Massachusetts
Timothy J. Walsh, President, Harris and Walsh Management Consultants, New York
Graeme Ward, Head of Audit, Abbey National Building Society, London
Philip Weights, Philip Weights & Associates Inc, Panama

Special Technical Advisors:
James Khosla, Open Computer Security Ltd, Brighton
Martin Samociuk, Consultant, Network Security Management Ltd

CONTENTS
Computer crime survey                                    1
UK Software Protection Act becomes law                   4
News on the international copyright front                4
The security of personal computers: a growing concern    5

COMPUTER CRIME SURVEY
We are haunted by the self-described 'hacker' who told us we had convinced him to commit a computer crime. He was convinced that the paucity of computer crime charges against teenagers meant he was unlikely ever to see the grim interior of Juvenile Hall. We suspect there are millions like this caller, who will never change until there is a clear necessity to do so. There should be a mainstream computer ethic. It seems obvious: there should be agreement about what is right and what is wrong when you use a computer, a computer program or a computer communication system. But there isn't. The malicious 'hacker', the computer criminal, the pirate, the manufacturer which produces inadequately tested software, the salesman who misrepresents a machine's capabilities, the bigot who maintains lists of enemies on a computer: these are but a few manifestations of an absent mainstream computer ethic. Think about just the first of this list. Security consultant Steven Ross noted sagely, "The issue is not the actions of misguided children; it is society's attitude towards those acts."
© 1985 Elsevier Science Publishers B.V. (Information & Business Division), Amsterdam. /85/$0.00 + 2.20. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)
One way of finding out what society's attitude is, is to look at how perpetrators of computer crime fare when they have been caught. The following survey was conducted through over one hundred state prosecutors in the US to determine the significance of the various computer crime laws passed by the states.
Occupations

Forty-three defendants and juveniles were surveyed to find out how they were treated in court and what kind of punishment they received, if guilty. Their average age was twenty-seven years and their occupations were as follows:

Occupation
Unemployed
Unskilled labourer
Accomplice (work unspecified)
Private investigator
Programmer
Input clerk
Bank teller
Computer firm executive
Programming teacher
Computer technician
Student

Of the individuals listed here, only those in the student category are likely to fit the typical hacker stereotype. The programmers were primarily employees who got into disagreements with their employers and either took programs they claimed rights to, or did damage to the employer's system. Based on an analysis of the police reports and prosecutors' case summaries, we find little evidence of computer sophistication in our sample. It is notable that almost one-third of those in the sample demonstrated no knowledge of computer science. With the exception of the students, most of the others are likely to have learned enough to commit their crimes from the training they got in their work assignments.

Victims
1. Who are the victims?

Victim
Banks
Miscellaneous commercial users
Telecommunications companies
Governmental units
Individuals
Computer product manufacturers
Retail department stores
Universities

The two major victim classifications are those who produce computer products and those who use them. The producers are more likely to be subjected to the taking of, or damage to, programs or data. To the extent that computer users develop their own software or data, they are subject to the same crimes as their suppliers.
2. What are the crimes?

Type of Crime                     Number of Cases
Theft of money                    18
Taking programs and data           8
Alteration of data for gain        3
Damage to programs or data         5
Theft of services                  4

3. What are the losses?

Type of Crime                     Av. Loss    Number of Cases
Theft of money                    $5245       18
Theft of programs or data         $81 000      2
Damage to programs or data        $93 600      5
With the exception of the figures for losses in theft of money cases, these statistics are of questionable usefulness. In addition to the two cases summarized as taking programs and data, there were four in which no value could be put on the software or data taken, and two in which the value was estimated as minimal.
Figures questionable
Analogously, the figures for damage to programs and data are questionable. They represent estimates of the cost to fix a damaged computer system, ranging from $450 to $250 000. A final category of losses is those resulting from changes in information or unauthorized disclosure of information. It is impossible to put a dollar value on the loss in the four cases fitting in this category.

4. What happens in court?

Almost all cases are dismissed or disposed of by plea bargain. Of the 52 cases in the sample, the dispositions were as follows:

Disposition          Number of Cases
Guilty plea          30
Trial                 2
Not guilty            7
Still pending        13

Of the not guilty findings, three involved factual difficulties in applying the law to the actions of the defendant. In each case, there was insufficient evidence to prove that the defendant intended to commit the acts which constituted the crime charged. In one case a court found that the computer crime law did not cover theft from a computerized subway train ticket machine, calling it nothing more than a big Coke machine. One individual was not prosecuted because he cooperated with the police; in another case the victim would not cooperate. One case was dropped when the codefendant 'took the rap.'

5. What are the penalties?

Of the 14 sentenced to jail time, one received one year, three got six months, one got five months, and the rest got six weeks or less. $129 600 in restitution was ordered, with the highest being $87 000 and the lowest being three cases in the $500 range. The fines were for $1000 (twice) and $300 (once).

Penalty              Number of Cases
Jail time            14
Prison time           1
Restitution          11
Fine                  3
Community service     4

JAY BLOOMBECKER
UK SOFTWARE PROTECTION ACT BECOMES LAW
The Federation against Software Theft (FAST)-sponsored Copyright (Computer Software) Amendment Act 1985 finally came into force in the UK on the 16th of September. According to the Department of Trade and Industry, this Act removes any doubt that computer programs are protected by copyright and enhances the criminal remedies of the Copyright Act 1956. Making, importing or distributing copies of programs which infringe copyright now carries a maximum penalty of an unlimited fine and two years' imprisonment on indictment. The less serious retailing offences attract a maximum penalty of a £2000 fine and/or two months' imprisonment. On passage of this Government-supported Act, John Butcher, Parliamentary Under Secretary of State for Industry, stated: "The powers of this new Act ensure that the creators of computer programs enjoy the same protection as other creative writers. I hope the Act will be as effective against software piracy as earlier legislation was in dealing with video piracy." This earlier legislation that the Minister referred to - the Copyright Act 1956 (Amendment) Act 1982 and the Copyright (Amendment) Act 1983 - has indeed led to a dramatic fall in video piracy which, at its peak, was estimated to be losing the industry as much as, if not more than, software piracy (£150 million per annum). Meanwhile FAST has been busy requesting co-operation from the UK software industry in identifying cases of software infringement. According to the 23rd of October issue of Datalink, FAST has already received information on over 40 alleged cases of piracy - some of them full-scale counterfeiting operations - and will soon be discussing some of these with the police with a view to prosecution under the new Act.
NEWS ON THE INTERNATIONAL COPYRIGHT FRONT
The copyright situation in Japan appears to have changed again with a new edict that databases now qualify as "intellectual work" and therefore are eligible for copyright protection. This small advance in the battle against piracy has been followed by Singapore, which has just drafted new copyright laws increasing the penalties for companies or individuals found guilty of software piracy. These laws are expected to be passed by the Singapore government sometime in the next six weeks and to come into force in the new year. This action is seen to be very timely, as Singapore has just been accused of being one of the leading world sources of