The right way to treat computer crime


Prior to 1970, Triangle had run its customer billing routines, purchasing and reinsurance on a small IBM system but wished to upgrade to a faster and larger machine. Honeywell won the contract. It now appears that the difficulty of converting from the old IBM 360-20's card-based RPG programs to Cobol for the Honeywell tape-orientated system was grossly underestimated. It was alleged that Honeywell employees, who knew that the system would not run as intended, went ahead and installed the machine, complete with inadequate programs, so that Honeywell sales quotas for the year would be achieved. Triangle was not told about the problems and only discovered all was not well when they ran the system.

Pressure to meet sales quota

Then the trouble started: billings were incorrect, some agents were paid more than once and some not at all, commissions and other calculations were in error.

$2.1 million damages

How much the inadequate performance of the computer contributed to Triangle's downfall is difficult to estimate, although the New York jury found in the insurance company's favour and awarded damages against Honeywell of $1.1 million. The jury decided that Honeywell had fraudulently misrepresented the performance of the computer system and had known when releasing it to the customer that 60% of the programs had never been adequately tested. Delivery was pushed through against the best interests of the customer.

Ethical companies, unethical employees

Anyone who knows Honeywell will know that this was not a company-inspired fraud, but more likely a group of over-eager and ambitious employees seeking to improve or maintain their own positions. Quite often, in thinking through possible fraud schemes, potential victims argue "but company X would never defraud us". In most cases they are right: the 'company' would not. But all it needs is one or two employees of a reputable company, either acting for their own benefit or mistakenly believing they are acting on behalf of their employer, and fraud loopholes can appear. Bribery is a typical case in point. Few major companies will permit bribery of potential buyers. But if an employee states to senior management, in the costing of goods, that a commission is required for a person (who seems unconnected with the buyer), most companies will pay it without checking too closely. In the end, the ethic of an organisation is as strong as its weakest employee acting in his own personal interests.

THE RIGHT WAY TO TREAT COMPUTER CRIME

On 5 June 1980, Leeds and Northrup of Pennsylvania fired one of its computer project leaders/programmers named Joseph Hershman, and within a very short space of time went to remove Hershman's passwords from the files. To the company's surprise they found that data relating to their Max 1 computer control program had been erased. They decided to make further enquiries. Examination of the computer console log indicated that within a few hours of his dismissal Hershman had gained access to his ex-employer's IBM 370/158 and had deliberately erased programs relating to Max 1, classified as a critical project for Leeds and Northrup. Unlike many victims of both computer-related and manual fraud, Leeds and Northrup had the good sense to make the matter public and took action against Hershman in the Montgomery County Court. Their reasons for doing so were twofold: first to enable them to discover through the legal process what other data or programs Hershman might have altered or erased; and secondly to deter other people, still working for the organization, who might at some future point become tempted to take similar destructive steps. Leeds and Northrup asked for $10 000 in damages, but withdrew the financial claim in an out-of-court settlement. This seems to us to be exactly the right approach to any fraud; the certainty of detection, publicity and punishment is an important deterrent, particularly in systems where total prevention is impossible. The fact that Leeds and Northrup was so prompt in erasing Mr Hershman's password is also unusual, but the case might provide a lesson for computer users: to remove the employee's password immediately before he is told of his dismissal.

COMPUTER FRAUD & SECURITY BULLETIN, Vol 2 No 12. Elsevier Sequoia SA, Lausanne, Switzerland

SEARCHING FOR CRIMINAL RECORDS

The Official Secrets Act makes it an offence in the UK for a Government Employee to hand out any confidential information. Both the giver and receiver of information are at risk. Thus the law makes it impossible in the UK for an employer or a potential employer to obtain detailed information about a person they suspect of having a criminal record. An employer in the UK contemplating the recruitment of a person into a highly sensitive job is walking a tightrope. On one hand he could let into the organization the very person most likely to harm him; and on the other, if he seeks to make unofficial checks, he could face the risk of prosecution for violating the Official Secrets Act.

Screening checks

In previous editions we have discussed legal ways in which thorough pre-employment screening checks can be made and we would recommend to any employer that if he has not already done so, he should review his methods of recruitment most carefully. He would also be prudent to make similar checks before vital contracts are entered into with suppliers, customers, agents and other third parties. A little bit of care can prevent problems later on. One extremely useful source of such information is the Newspaper Library of the British Library at Colindale Avenue, London NW9 5HE (Tel: 01 200 5515). The library contains about half a million volumes and parcels of daily and weekly newspapers and periodicals. The collection dates back to 1700, which should be enough to cover the backgrounds of most computer staff. There is a name and subject index, a photograph and microfilm service and a reading room. Similar libraries exist in most big cities. In some - New York, Boston and Los Angeles, for example - the full text of certain newspapers and journals is held in computers, permitting very rapid search and retrieval of items.

ADVERTISING THEFT

You are a leading supplier in what is becoming an increasingly competitive market. How do you get your message across that your product is better, faster, more secure or cheaper? One answer appears to be to have your system stolen by the Russians. Software AG who produce the Data Base Management System 'Adabas', which Andre Mark De Guyter (COMPUTER FRAUD & SECURITY, Vol 2, No 9, p 13) stole, allegedly for the Russians, has produced what must be
