10iconJewels that Blip
The words have a nasty metallic ring, as if to suggest helmeted policemen with black jackets and billy clubs. Watch out: the “data security” troopers are at the front door.
But a small business on the East Coast nowadays wishes it had enjoyed more “data security.”
A fire melted its computer disks into plastic globs. The firm just missed bankruptcy after losing several hundred thousand dollars’ worth of information—everything from accounts receivable to tax records. Scrambling to recover, salesmen leaned on customers for copies of old bills.
Arson? Maybe. A disgruntled workermayhave short-circuited some tangled wiring. Proof never came.
Either way, however, the incident was a powerful argument for “data security”—the right kind.
It’s nothing more than trying to make sure that your computer and its information are safe. This isn’t to advocate overkill. Don’t overprotect nonsecrets or facts that you can easily duplicate; for instance, instead of buying costly fireproof cabinets, you might simply keep backup disks at another location—perhaps a more secure approach, anyway.
Why, however, do I say “trying” to make your computer and its information “safe”? An ex-hacker, Ian (“Captain Zap”) Murphy, now a computer security consultant, wisely observes: “You’re safe from average crooks—they don’t envision a nice, mild-mannered human being working at anything more than a souped-up typewriter. But you can never, never be able to 100 percent secure a computer system. Even the most trusted user could say, ‘F— the damn payroll,’ and destroy your records.”
But in the best of all worlds, your electronic files are safe, accurate, and if need be, tamperproof and confidential. The equipment is sound. And so are you and others working with it. You’ve shown good judgment. You’re ideally safe not only from crooks but also your own blunders. You know you often can’t keep papercopies of all your electronic jewels, your treasured business files, at least not without giving up the conveniences of computerization. You have faith, then, that your green screen, at your command, will display the right blips. I’m stretching the meaning of the word “blips” to emphasize the transitory nature of what you see on the screen. Without your stashing it away on a disk or otherwise—and without your making an electronic backup—it may be lost forever.
The unlucky owner of the East Coast company will never see his blips again because he violated a major precept of data security. He stored his original disks and his copies in the same room—the one with the fire.
“The remark at all times in cases like this is ‘Why didn’t the dealer tell me?‘” says Harold Joseph Highland, a top computer crime consultant and author ofProtect Your Microcomputer System(John Wiley & Sons, 1984).
A store can only sell you a computer, not common sense. Nor can this chapter impart it to you. It can, however, pound away at the elements of data security—people, policies, hardware, and software. They go together, these four. And so do the criminal and noncriminal parts of data security. If you’ve lost control of your computer files and don’t know what’s normal, you’ll hardly notice the abnormal. You’ll never thwart a computerized embezzler, for instance, with a gun. You will with good software. Buy it and errors in your electronic files may leap out at you. May. Remember Canyes’s Law of Computing: “Sooner or later you’ll feel like killing yourself.”
In other places I’ve written about good software and other mundane ways to make yourself less suicidal. And here, too, you’ll read of everyday calamities like coffee spilled on floppy disks. But this is also the fun chapter, the one with the stories about errant whiz kids and a computer crook who supposedly stole $8 million and got away with it.
Each of their sins met Harold Joseph Highland’s definition of a computer-related crime. They were “committed using a computer as a tool.”
“In other words,” explains Highland, who has taught computer science at the State University of New York, “you use the computer to get to financial records. Or to get to software if you’re illegally copying software.”
Estimates of the size of the threat have ranged from the double-digit millions up to over $5 billion a year. This uncertainty has sparked a feud between the icebergers and some computer makers.
Highland is an iceberger. He says that reported computer-related crimes are “just the tip of the iceberg,” that the annual loot is atleast $750 million and more likely reaches the billions. Another expert wrote a crime article livened up with a drawing of theTitanic. Meanwhile, the Computer and Business Equipment Manufacturers Association pooh-poohs all but the more conservative estimates. “Computer crime is not now, never has been, and never will be out of control,” an association official once said, “unless security is completely ignored. And that is not going to happen.”
“If that’s your opinion, sir,” counters Captain Zap, the computer felon now working as a security consultant, “why are fourteen-year-olds getting on defense networks? And what about adult criminals doing their thing on banks?”
Also, how about computer crimes against small business?
“No one’s going to find out why Joe Blow goes out of business,” says Ken Churbuck, a New Hampshire lawyer and former computer engineer, who believes that electronic crime may be the downfall of many more small businessmen than supposed. “You think Joe Blow can afford an investigation? You think anyone else wants to autopsy the corpse?”
Large business or small, however, don’t swear off computers and buy quill pens for your accountants. You may or may not get robbed electronically, but you’ll very possibly lose money if you cheat yourself of the benefits of computerization.
Although computer crooks may be difficult quarry at times, at least you can console yourself that they’re normallynotgeniuses.
Consider a story from Highland. The law caught up with one crook—presumably more knowledgeable about computers than banks—after he asked a teller to cash seven identically dated checks made out to him. The embezzler had simply learned how to take advantage of a feature in the check-printing program. It allowed checks to be reprinted in the event of mistakes; only his stupidity offset this programming error.
“You don’t have to be knowledgeable,” Highland says. “You can be an absolute idiot and try a computer-related crime.”
Some of the victims, alas, show their own streaks of naïveté. One small business lost thousands of dollars to a bookkeeper who funneled it to relatives’ firms via phony invoices. Such crimes happen with or without computers. But the company begged for trouble here by retaining an accountant old-fashioned enough to have felt at home alongside Scrooge and Cratchitt. Computers baffled him but not the embezzler, who knew of this vulnerability.
Executives at big corporations needn’t be smug about such grass-roots examples.
Many large companies, for instance, have reducedthe crooks’risks in computerized crime by auditing samples instead of everything—pulling one hundred checks, perhaps, out of a batch offour thousand. The young man trying to cash his seven duplicates worked for a large West Coast firm given to quick and dirty sampling; just tote up the odds of catching him through an audit if he’d been smart enough to go to different banks. Ideally, at least, your system should flag quirks like the seven checks.
You can also complicate life for computer crooks by studying classic cases of the past.
Mostly the criminals sinned with or against large computers. And yet eternal truths linger on even in the micro-mini age. In fact, some mainframe cases may mean even more to the desktop crowd today, with so many small computers hooked up as terminals on large systems. You might also say giant machines are acquiring plenty of pygmy siblings—joined Siamese style with them at the brains. And the big and small machines aren’t just wired together by phone or otherwise. Increasingly, mainframes are sending electronic copiestotomicros outside data-processing departments. What’s more, in power and capabilities, the pygmies are matching some big IBMs and Univacs of yore.
So whether you’re using a $1,000 Apple or a $100,000 mini, you’ll come out ahead knowing about the Golden Oldies of computer crime.
Computer consultants, especially Donn Parker, a prominent expert with the SRI think tank in Menlo Park, California, have labeled various offenses.[50]
When a time-keeping clerk hoodwinked a railroad, he committed the most tried-and-tested computer crime:data diddling.
That’s just jargon for fiddling with data before or during entry into the machine.
The culprit’s duties included filling out time forms for three hundred employees, and he learned that someone had shown a fit of absentmindedness in setting up a computer system storing pay and hour records. The railroad put workers’ names as well as their identification numbers into the computer. But the machine used only the numbers to track down names and addresses to print on checks. Manually processing the forms, however, humans normally ignored the computer numbers. They actually had the gall to think of the workers just by their names.
Wheels turned in the clerk’s head. Why not sneak in overtime pay by using other people’s names on the paper forms buthisown number for the myopic computer? And so his income increased by several thousand dollars each year.[51]
The clerk’s end came only when an auditor by chance looked over W-2 forms and asked why the railroad had been so generous toward the man. Confronted, the clerk confessed. There’s a moral here: if you have a timekeeping and payroll system, don’t rely on ID numbers alone. Attach to them the first few letters of workers’ names. Also, include a cross-comparison of names and numbers in your auditing procedure.
Today scattered terminals—or micros or minis used as them—make data diddling as tempting as ever. A police officer in an eastern city told me criminals had walked into the offices of used-car lots, sneaked in a few minutes on terminals there, and altered financial records in a credit bureau’s computer.
Forget about the mystique of computer crime. People have been diddling credit bureau files for years by changing or deleting paper records. Machines and lack of paper records in some cases just make their work easier and faster.
A comely woman at a New England firm was the victim of what might loosely be called a computerized sex crime.
“She would be doing her electronic paperwork,” Tracy Kidder said inSoul of a New Machine, “when suddenly everything would go haywire, all her labor would be spoiled, and on the screen of her cathode-ray tube would appear cold, lascivious suggestions.” Someone had electronically wheeled in aTrojan horse—hidden unauthorized instructions in the computer’s program.
The “sex crime” kept up daily for several weeks, leading an executive to observe that the villain must have “the mentality of an assassin.” It was unfair. Young computer whizzes at the company played horse pranks on each other all the time. But this victim couldn’t strike back. Gallantly, the woman’s bosses set electronic traps to learn from which terminal the masher was mashing. The villain, though, was too nimble. “At one time,” said Kidder, “he made his escape by bringing to an abrupt halt the entire system on which most of the engineer departments relied.” Finally, one of the woman’s protectors chatted casually with asuspect about the computer’s wondrous vulnerabilities to pranks. The obscenities and glitches stopped.
This Trojan horse was just a prankster’s, but the company may have squandered thousands of dollars in human and computer time to kill it off.
Consider, too, the company—Data General, the mini maker that Kidder admired.
Imagine a serious saboteur wheeling his horse into the computer of a company without the same knowhow.
It happens. Donn Parker says Trojan horse tricks are “the most common method in computer-based frauds and sabotage.” A horse, in fact, may have shown up in the first federally prosecuted computer crime in Minneapolis in the 1960s. A programmer told an IBM 1404 to drop an unflattering series of bytes about his personal checking account—overdrawn.
Trojan horses are more of a mainframe and mini problem than a micro one. Normally, professional programmers don’t run desktop computers.
But as computer literacy spreads, this might not matter so much, and besides, unsecured micros make such easy nuts to crack. “They’re peanuts,” Highland says, “not butternuts.” Most micro systems today lack electronic console logs—requiring operator ID numbers—that some bigger computers have to tell who did what on the machines. In other words, there’s noaudit trail. John Lewis, an FBI agent teaching a course on computer crime, told me, “I can write a perfectly error-free payroll program on a micro, load it in from a disk, and run it. But I modify one or two lines in there, saying, ‘When you find John Lewis’s name, add $1,000 to net pay.’” You can even have the program zap the evidence immediately after the crime. Significantly, too, you can reprogram a micro in a fraction of the time you’d need on a mainframe.
And in the future the micros, while retaining their ease of programming, will develop more electronic nooks and crannies in which to hide horses. And what about the micros already hooked in at times with the big computers or using down-loaded data from them? If a saboteur or con man is giving fits to the giant machines, then the pygmy machines may suffer along.
You just can’t make sense of your savings account statement. No matter what you do, it’s a nickel off. You don’t, however, pursue the matter—not over five cents.
All over your city your fellow depositors are thinking similarly.
A computer crook, meanwhile, is growing rich.
The nickels, dimes, whatever, add up. He works at the bank and has programmed its computer to round interest downward, for instance, rather than upward. The sliced-off money goes into a dummy account. From hundreds of cheated customers, maybe thousands, he’s amassing enough over the years for a new Buick. He may even have told the computer to steal prudently and not clip anyone more than twice a year.
It’s the old salami trick, an MO of countless embezzlers inside and outside the computer world—ranging from pudgy, fat-bottomed drones to glamour figures in Hollywood and on Wall Street.
An amusing salami tale comes from Thomas Whiteside’s brilliantNew Yorkerseries on computerized crime. The name “Zwanda” did the crook in.
Programming for a mail-order sales company, he rounded down sales-commission accounts and diverted the loot to a dummy account for a “Zwanda.” The “Z” name made sense. The computer worked alphabetically, and he could more easily guide the money to the end account.
“The system,” Whiteside says, “worked perfectly for three years, and then it failed—not because of a logical error on the culprit’s part but because the company, as a public-relations exercise, decided to single out the holders of the first and last sales-commission accounts on its alphabetical list for ceremonial treatment.
“Thus, Zwanda was unmasked, and his creator fired.”
Could Zwandas show up in your company’s microcomputer—not just mainframes? Perhaps. It’s no less likely than the micro case mentioned earlier in which the bookkeeper was paying bogus bills from his relatives’ firms.
Of course, in the case of a micro, the trouble probably will be not in the way the program is written but in how it’s set. Most micros, after all, use off-the-shelf software.
It’s named after the “superzap” program used on some large IBM computers.
“Superzap” is known among the pros as a break-glass program, the kind you use in emergencies to change or divulge the computer’s contents. It can bypass all security controls. You can also think ofsuperzappinganother way. The computer is a high-rise building, and this program is a master key to all the apartmentsor offices inside. Pity the building manager if a thief can counterfeit the key.
Donn Parker, the source of those comparisons, says a New Jersey bank lost $128,000 to superzaps.
The crook was none other than the bank’s manager of computer operations. He first superzapped legitimately to change errors in accounts as his superiors asked. The main program wasn’t working—hence, the superzapping. The bank was upgrading its computer system, the glitches kept piling up, and the operations manager zapped again and again, discovering the joys of ignoring the normal controls. The usual electronic logs and journals just didn’t show his actions.
So, he decided, why not zapawayawaythe barriers to shifting the money to the accounts of three friends?
The bank learned of the crime only after a customer saw that his own money wasn’t adding up right.
Superzaps like this, of course, are simply special breeds of Trojan horses, just as the salami trickscanbe. Like the horses, the zaps aren’t so much a micro crime now. They’re more of a mini and mainframe one, but watch out for the future when garden-variety crooks are more learned and micros are more like the bigger computers.
Atrap door—orback door—normally is just a shortcut into the program, bypassing the normal security systems, meant as a debugging aid. Once the writers have a program up and running, they should get rid of the door. Large programs are so complicated that programmers sometimes leave the doors in as an emergency way for them to get back in if the main passwords are lost or the computer “hangs up.” David Lightman, the teenage hacker in the movieWarGames, used the trap-door ploy to penetrate a Defense Department computer and almost caused a nuclear Armageddon.
In a real-life example mentioned by Parker, some automobile engineers in Detroit called up a computer service bureau in Florida, found a trap door, and could “search uninhibitedly” for privileged passwords.
“They discovered the password of the president of the time-sharing company and were able to obtain copies of trade-secret computer programs that they proceeded to use free of charge.”
The electronic thievery didn’t stop until the company found out accidentally. And it never learned how many other crooks were rummaging around inside the computer.
Once again, this form of crime isn’t so much a worry for the desktop set as for those using bigger machines. At least for now.
Heard the old joke about the Washington speech writer at odds with his boss? It’s a favorite story among journalists and other wordsmiths.
The aide was tired of drudge work for a dumb, lazy but electable congressman who didn’t even read the immortal prose ahead of time.
One day the politician, a square-jawed, movie-actorish man, was mellifluously speaking on the House floor. As usual, he was fresh to the material. But his rendition overwhelmed everyone, from the pols to the pages, to the tourists in the galleries. Heknewhe was on his way to the White House.
With actorlike polish he intonated through the third page, including the last sentence:
“And now, let the words ring out, loud and clear, to all corners of the earth—to our friends, to our foes, across every ocean, every mountain. You purblind piece of excrement, I quit, and you’re on your own.”
The fourth page, of course, was blank.
Malicious programmers must nod and wink when they hear the story.
For the speech writer had just the right kind of temperament to hide alogic bomb—a computer glitch that explodes, so to speak, only under certain conditions.
The conditions in the Washington joke were clear. The congressman mustn’t read the speech to himself beforehand—something inevitable. He was dependably lazy. Nor must he understand the speech; no problem, certainly, for he was dumb about everything all the time. Above all, however, if this bomb were to “kill,” he must be embarrassable. And that’s why the bomb in a sense just maimed him—because, like most politicians, he never blushed.
In a real-life story told by Parker, a payroll programmer hid a bomb to erase the entire personnel file if he ever got fired—that is, if his own name ever vanished from it.
A crooked accountant embezzled a million dollars usingsimulation.
On his own computer he set up a mock version of the victim company’s accounting and general ledger. Then he could figure out how his thefts would show up on the company’s electronic books—and how to cover up the crime.
A Texan ripped off oil companies through computerizedscavenging.
He used a computer time-sharing service bureau, the same one as the oil companies. This thief read scratch tapes—temporary storage tapes without the safeguards protecting the main ones—by phone off the service’s computer. He was stealing secret seismic information to sell to the oilmen’s competitors.
Finally, however, the service bureau caught on.
A worker there had grown curious. Why did a red “read” light glow at bizarre times? How come the customer was prowling through the tapes before entering his own data? Parker says a “simple investigation” ended the electronic scam.
Scavenging can be physical, too—nothing more complicated than rummaging through old trash barrels for printouts.
“Hidden in the central processors of many computers used in the Vietnam War,” Parker says, “were miniature radio transmitters capable of broadcasting the contents of the computers to a remote receiver.
“They were discovered when the computers were returned to the United States from Vietnam.”
It was adata-leakageproblem—defined by Parker and other pros as the removal of data or copies of it from a computer or a computer center. Culprits can even smuggle out secrets by hiding them in apparently routine reports. “Data leakage,” he says, “might be conducted through use of Trojan horse, logic bomb, and scavenging methods.”
You don’t have to be in the Vietcong or KGB, of course, to spy on a computer by radio. Today a smart snoop can walk casually into your computer area and leave behind a miniature transmitter—perhaps hooked up to the maze of wires that snake under the floor of many modern offices. “I could then find out everything that you were sending for a year,” says Harold Joseph Highland, “which is the life of the unit I could transmit with. I could buy it for
9.50 from any of the large supply houses. There’s one more expensive that will transmit up to five miles away. With the forty-buck one I can park across from the building and keep a tape recorder going.”
Some say it’s rare in the computer world. The thinking goes, There are easier ways to steal. Why tap when so often you can just call up your victim’s computer and be greeted with a friendly electronic whine?
But don’t count on wiretapping not existing.
Your local radio store carries cheap equipment usable for tappers.
And electronic banking and new computer services will grow, making wiretapping more tempting. A security consultant, J. Michael Nye, opened an unlocked closet of the second floor of an office building in Hagerstown, Maryland, and pointed to the telephone wires inside. “See these?” he asked me. “They’re hooked up to a bank’s computer. If you wanted to change the amount of money in a deposit, you could attach a portable computer and no one might be the wiser.”
The wiretapping threat may increase because of the break-up of the Bell system—as more and more repair people parade in and out of wire closets.
You might be able to get around the threat, or at least reduce it, by electronically scrambling the messages you transmit over the phone wires.
For the moment, don’t let fear of wiretapping obsess you unless, say, you’re routinely transferring millions of dollars via computer.
It’s bone cold outside, the stranger looks harmless, and you let him in as you unlock the doors of your apartment building one night. The next day all the old ladies in the lobby are talking about a burglary.
You fret. Rightly. You may have let a criminal succeed inpiggybackinghis way behind you into the building.
It’s happening, too, in computer rooms, which crooks use similar tricks to enter.
That’s physical piggybacking. The electronic kind, rare, can happen this way. You punch in a password or key on your terminaland hook up with the computer, unaware that the piggybacker has a hidden terminal connected to the same phone line. Perhaps you haven’t signed off properly. The computer keeps the connection going, and the piggybacker “rides” on.
Impersonationis what it sounds like, and it can be physical or electronic.
Leslie D. Ball, a Massachusetts consultant and college professor, once illustrated computers’ vulnerabilities to such tricks. “Why is it more difficult to rob a bank of $2,500 than to steal millions from its computer?” he asked, and quickly answered the question.[52]
“During a security consulting project at an Atlantic City hotel,” Ball said, “I spent the evening with an associate in the casino. At about eleven p.m. we headed for our rooms, but the elevator stopped where the computer center was located, and we decided to look around. The door marked ‘Computer Center—No Admittance’ was locked but had a bell beside it. A computer operator opened the door when we rang, letting us in without a word. For the next ten minutes we wandered through the center without speaking to the operators on duty.” In effect, by acting as if they belonged in the room, Ball and the associate were impersonating authorized people. “Finally,” he recalled, “we said, ‘Thank you’ and left. They were lucky we were not disgruntled heavy losers!”
A real impersonator, an ex-college professor named Stanley Mark Rifkin, passed himself off as a bank branch manager to steal $10.2 million. He bought diamonds in Switzerland. The law caught up with him only because, like many bright, cocky computer crooks, he bragged. That wasn’t all. “While awaiting trial,” Ball says, “he attempted a fifty-million-dollar transaction from another bank. When apprehended, Rifkin told a reporter that he thought he finally had all the bugs worked out.”
Rifkin was just another example of an ordinary man using legally acquired skills to commit an illegal act.
However smart, and despite his background as a computer science professor-consultant, he was hardly agenius. “Master criminal?” asked H. Michael Snell, a publisher who’d dealt with him.[53]“I could sooner imagine a smoking gun in the hands of Winnie the Pooh. In fact, Stan resembled Pooh Bear: short, stocky, paunchy from too much good food and wine, a deeply receding hairline above an intelligent, sloping forehead. Quiet, unassuming, not the kind of guy who’d stand out at a cocktail party.” Rifkin was good at puzzles, at problem solving, but as Snell and others agree, that’s true of all talented programmers. You could say thesame, too, of first-rate accountants and engineers. Rifkin’s case made me think of Hannah Arendt’s phrase about Adolph Eichmann, applied not to the Nazis but to garden-variety crooks within the computer field: “the banality of evil.”
Rifkin’s take happened to be larger than most. But his mind-set was the same.
Snell said, “He shared the dreams of many academics who feel blocked from great success and wealth, and he loved ‘get-rich-quick’ stories, such as a friend who struck gold in California real estate or the Silicon Valley’s overnight millionaires.”
Greed, however, isn’t the only motive. “People who like computers are games people,” John Lewis, the FBI agent, told me, “and they like challenges. It’s ‘me against the machine.’ You give them a computer and say you can do anything but that, and that’s the first thing they’re going to do. You go back to the Book of Genesis in the Bible where God said, ‘You can do anything in the Garden of Eden but eat from that tree,’ and what’s the first thing people did?” We were in a windowless, fluorescent-lit room at the FBI Academy in Quantico, Virginia, where Lewis lectured on computer crime. He looked at a fellow instructor, a tall, alert man who started out in the bureau not as an agent but as a programmer. “I’ve seen Ken get ahold of material. Like this one program that said it couldn’t be copied. Now he didn’t care what the program did. The first thing he did was copy it. Because they said he couldn’t do it. And he did it.”
I thought of John and Ken three weeks later when I picked up a copy ofTechnology Illustratedmagazine.
A stranger in Quantico, Virginia, it seemed, was dialing up the electronic bulletin boards on which computer pranksters sometimes left messages. The bulletin boards were a form of electronic mail. Callers could write out their thoughts for friends or anyone checking up on the highest-numbered entries. The mysterious computer dialer from Quantico, however, would just read, never send. Aware of the FBI Academy’s location, one of the pranksters posted a friendly suggestion on a board.
He invited the Quantico caller to subscribe to the TAP newsletter—said to be “to phone phreaks what theWall Street Journalis to stockbrokers.”
TAP stands for a group named the Technology Assistance Program, a successor to Youth International Party Line (YIPL), whose own radical pedigree goes back to Abbie Hoffman’s Yippies. “Al Bell” and Hoffman started YIPL. It was a high-tech display of Hoffman’sSteal This Bookphilosophy, there being, however, a serious problem, one shared by society at large. The technocrats usurped the politicians.
They were, reportedly, “more interested in blue boxing Ma Bell than in pushing politics.” Cheshire Catalyst, who was editing the TAP newsletter when I talked to him, said, “You don’t have to be a phone phreak to read us—but ithelps.”helps.”
Lindsay L. Baird, Jr., a tough, no-nonsense consultant with famous corporate clients, told me TAP was a serious threat. “They’re now using micro systems to test the 800 numbers methodically to see which ones have computers on them,” he said of some TAP people. The corporate computers whine their strange mating call no matter who dials up, saying electronically, “I am here, I am a computer, I am ready.” You might say they’re like an unlocked, unattended BMW left with the motor running in New York City. And Baird claimed, rightly or not, that TAP has some political zealots mixed in with the technocrats and that they could indulge in large-scale computer zapping over the next few years.
The TAPpers’ side was this: they illegally logged on to networks like Telenet and the feds’ because they couldn’t stand seeing expensive computer time go unused. “Nobody wants to pool it as a computer utility and make it available to everyone because it would probably not make a profit,” groused “A. Ben Dump” in the newsletter. Cheshire portrayed TAP toHigh Technologyas basically just pranksters, at least in his case. “Good grief!” Cheshire once ghost-wired to a Telex machine; “I seem to have reached Adelaide, Australia. This is just a computer hacker in the United States out for a good time.” The TAPpers said they were against the Bell bureaucracy, not America at large, and, in fact, censored an article submitted to their newsletter telling how to build an H-bomb. “Among other things,” Cheshire worried, “anyone using that technology is going to take out the phone network.” I still wondered. Would TAP have printed the article if a way existed to H-bomb the countryside without toppling any microwave towers?
■ ■ ■
■ ■ ■
■ ■ ■
Hacking: An Addiction to Be “Squelched”?
Hacking: An Addiction to Be “Squelched”?
WithWarGames-style break-ins in mind, someone once called hacking an addiction to be squelched.That’s wrong. Hacking is more an addiction to be tamed.The term “hacking,” perhaps born at M.I.T., just means someone who hacks away at computer problems until he solves them. Many hackers for some reason or another love Chinese food. Sooner or later a computer-crime expert will link computer addiction to ODing on monosodium glutamate.Cheshire Catalyst is a prototypical hacker in many ways. He’s a thin, bearded man in his twenties, extrapolite, who, when I saw him, was in Washington for an aeronautics and space gathering and wore a Space Shuttle tie and an Apple pin. His nickname indeed came from the grinning, vanishing cat inAlice’s Adventures in Wonderland. Proudly he told me how his clock ran counterclockwise. Cheshire said he hoped someday to meet another backward-clock buff, Grace Hopper, a distinguished military officer who helped give the world the COBOL computer language.Cheshire might find even more of a soulmate in Steve Wozniak, the Applecofoundercofounder, who is perhaps one of the world’s leading hackers—in addition to having been a phone phreak in his time. “Woz” and a friend snooped on computers across America. The friend was John Drapper, a bearded, somewhat maniacal-looking man who earned the nickname Cap’n Crunch because he used prize whistles from cereal boxes to steal free long-distance calls by way of a tone at exactly the right frequency. Later, Crunch wrote the EasyWriter word-processing program used on the Apple and later the IBM PC.On balance Cheshire thinks that hackers do more good than harm. “Let’s say you have money in a bank,” he says. “Wouldn’t you rather that a hacker get into its computer than a criminal did? He could warn the bank. If I had money at a bank, I’d feel safer with hackers checking out security.”Well, it depends. Some hackers are nothing more than electronic vandals. Some are a privacy threat; they’re doing the equivalent of spying on mail and tapping phones.Still, talented hackers may become real assets to corporations. They’ll care infinitely more about your computer system—and all its quirks—than will programmers working nine to five for the money alone. Just a little oversimplistically it’s been said that you can befriend a hacker merely by supplying a computer with enough RAM, encouragement, a long leash, and lots of chow mein.
WithWarGames-style break-ins in mind, someone once called hacking an addiction to be squelched.
That’s wrong. Hacking is more an addiction to be tamed.
The term “hacking,” perhaps born at M.I.T., just means someone who hacks away at computer problems until he solves them. Many hackers for some reason or another love Chinese food. Sooner or later a computer-crime expert will link computer addiction to ODing on monosodium glutamate.
Cheshire Catalyst is a prototypical hacker in many ways. He’s a thin, bearded man in his twenties, extrapolite, who, when I saw him, was in Washington for an aeronautics and space gathering and wore a Space Shuttle tie and an Apple pin. His nickname indeed came from the grinning, vanishing cat inAlice’s Adventures in Wonderland. Proudly he told me how his clock ran counterclockwise. Cheshire said he hoped someday to meet another backward-clock buff, Grace Hopper, a distinguished military officer who helped give the world the COBOL computer language.
Cheshire might find even more of a soulmate in Steve Wozniak, the Applecofoundercofounder, who is perhaps one of the world’s leading hackers—in addition to having been a phone phreak in his time. “Woz” and a friend snooped on computers across America. The friend was John Drapper, a bearded, somewhat maniacal-looking man who earned the nickname Cap’n Crunch because he used prize whistles from cereal boxes to steal free long-distance calls by way of a tone at exactly the right frequency. Later, Crunch wrote the EasyWriter word-processing program used on the Apple and later the IBM PC.
On balance Cheshire thinks that hackers do more good than harm. “Let’s say you have money in a bank,” he says. “Wouldn’t you rather that a hacker get into its computer than a criminal did? He could warn the bank. If I had money at a bank, I’d feel safer with hackers checking out security.”
Well, it depends. Some hackers are nothing more than electronic vandals. Some are a privacy threat; they’re doing the equivalent of spying on mail and tapping phones.
Still, talented hackers may become real assets to corporations. They’ll care infinitely more about your computer system—and all its quirks—than will programmers working nine to five for the money alone. Just a little oversimplistically it’s been said that you can befriend a hacker merely by supplying a computer with enough RAM, encouragement, a long leash, and lots of chow mein.
■ ■ ■
■ ■ ■
■ ■ ■
The TAPpers, depending on your viewpoint, came across inTechnologyas reassuringly or distressingly middle class. Cheshire at the time of the article was teaching computer skills at a large corporation. “VAX-man”[54]worked as a computer programmer, “The Librarian” as a systems analyst, and another was, of all things, amiddle manager for a defense contractor; indeed, every member reportedly boasted a technical background. Most, I suspect, perhaps nearly all, didn’t see themselves as criminals.
“We’re just an information service for the people,” said one.
Well, okay. Maybe it’s good that if G-men want to bone up on the latest electronic tricks, they need only log on to hackers’ bulletin boards and read the TAP newsletter. Still, how many crooks have the same idea?
TAP’s another indication that for the criminally greedy the “data cookie jar,” as it’s been called, is out there.
Lindsay Baird scoffs at computer trade associations’ efforts to play down the problem. And he fires back with statistics of his own. “I’ve worked on thirty-five or forty cases,” he says, “and only one was reported to authorities.” The loot ranged from $40,000 to $29 million. And Baird, dismayed that some computer criminals’ sentences are more shoplifterlike than adequate, jokes, “My wife tells me I ought to commit a crime.”
“The security problems with computing systems in the 1960s was like a balloon deflated,” he says, “and you could hold it in your hand. But now it’s like a huge balloon inflated. Or a big bowl of Jell-O.
“You just can’t handle it now, and the manufacturers have got to be concerned.”
Of course you should remember that most corporate data are far from sensitive, that only the most self-important executive would view everything as a national-security secret. Also, Baird is hardly hurting his bank account in sounding the computer-crime alarm. Still, he’s basically right in saying that computer buyerswith sexy data of interest to thievesnow may have three choices:
1. Burden programmers and others with electronic versions of heavy padlocks.
2. Keep their computer systems easy to use—and vulnerable. (“Then you’re going to get raped.”)
3. Compromise. (“You get half raped.”)
Baird doesn’t blame just the manufacturers for some computers’ sievelike leaks. “Business isn’t willing to pay the price to secure systems,” he says—a complaint echoed in effect by the Computer and Business Equipment Manufacturers Association (CBEMA). It acknowledges the present clash between security and ease of use of computer systems. “If a computer could be designed with various levels of security as options, computer security might well be a marketable commodity,” said a statement from CBEMA to a trade magazine. In recent years there has been much more researchin this area, and when 32-bit micros become the norm, it will be much easier to beef up security.
When crimes do happen on existing systems, they’re often covered up by top executives panicky over going to court or jail.
How’d you like to be the chairman of a corporation faced with an ugly data-security scandal—and the possibility of a stockholders suit? You needn’t be in the scandal personally. Your stockholders could charge you with malfeasance, if not misfeasance, forlettingit happen. So could the Securities and Exchange Commission and other feds. When companies hush up computer crimes, it’s not necessarily for high-minded reasons such as protecting assets by playing down vulnerability to electronic crime. Consider Baird’s experiences.
Called to a New England firm to do routine theft prevention, Baird merrily put himself on the payroll—not to steal but to demonstrate system weaknesses.
“I also,” he says, “nicked the vice-president for participating in a $400,000-a-year kickback.”
At another company, an accounting firm did the books at year’s end and had to make an adjustment of $1.2 million. “Then,” said Baird, “we went in some more and really did a number on that company. And we came up with $4.5 million in proven losses. And it all had to do with their computer system.”
But, you’re wondering, how about that crook who stole $8 million and got away with it?
The story—perhaps apocryphal but told in the sedateSmithsonianmagazine—is that bank officials confronted the thief in a restaurant over breakfast.
He coolly confessed. If they tried to jail him, why he’d blow the whistle on the bank’s vulnerable computer system. And it would cost more than $8 million to fix.
So the bank officials just asked him to step down quietly.
Leaving the table, the crook smiled.
“I’ll keep the eight million,” he said, “but I’ll pick up the tab for breakfast.”
Definitely, then, Donn Parker was on target when he once called computer security “first and last a people problem.”
Honest, loyal employees are more important than the latest security gizmos. Use common sense. Beware of the $26,000-a-yearprogrammer who suddenly acquires a posh home and a sports-car collection. Don’t pry. But don’t shut your eyes, either.
Start with a sensible hiring policy. Decide on the questions you want to ask applicants and their references—about the prospective employees’ backgrounds and characters. Then bounce them off your legal department. The rule of thumb is that you won’t get in trouble if the questions are related to the job. IBM has said it doesn’t even ask applicants about their ages or marital statuses. If there aren’t legal obstacles, you might invest $25 in a credit-bureau check of a keypunch clerk but perhaps several hundred dollars for a top programmer. Keep in mind the notorious lack of reliability of many reporting services. Check for criminal records when hiring for responsible positions. A Maryland hospital didn’t. It hired a convicted embezzler, a computer operator who later diddled $40,000 out of the system.
Granted, there are occasions when you might knowingly hire an ex-con to give him a chance. But ask the normal questions. What’s he done to justify your trust since his sentencing? What are your risks? How much could he steal, and how?
Whomever you hire—ex-cons, Harvard grads, or combinations of the two—know how to respond to the common criminal motives.
Jay BloomBecker, a top computer crime expert, sums up one of the main motives by quoting the title of a collection of Doonesbury comic strips:But the Trust Fund Was Just Sitting There.
Reduce the temptation. Let your people know there’ll be surprise audits—and mandatory vacations. A thief busy slicing salami might be loath to take too much time off, lest his or her replacement catch on to what’s happening. Likewise, consider rotating duties every few months and also divvying them. People who write checks with computers, for example, ideally won’t be the ones approving them; in a small business, of course, this might not be possible.
The old need-to-know policy, of which the military is so fond, may also increase the criminals’ risks—by increasing the need for collusion. This, too, isn’t always possible, and it could boomerang. If employees aren’t supposed to know what their colleagues are doing, maybe a thief would actually have less chance of being noticed.
Also, tell people that stealing—even small amounts from a large company—willhurt. If you can’t prove how it will hurt the corporation noticeably, then you’d better make a good case that it will hurt them. Pretend you’re a department store warning the nimble fingered: “All will be prosecuted.” Well, within bounds.You needn’t fire and prosecute a thirty-year man because he once used a company micro to calculate his average golf score.
But do remind your employees of the applicable theft-of-service laws, larceny ones, and others.
Not that electronic theft is your only problem. Whiteside tells of a computer-ridden North Carolinian, working for an insurance firm, who reportedly shot a handgun several times at the hated machine. And Harold Joseph Highland offers another cautionary tale. Executives at an East Coast firm fired a crabby woman, then returned the next Monday to find its floppies sliced apart with a paper cutter. They never proved her guilt. Regardless,someonemoved the blade up and down, costing the company several hundred thousand dollars in time reentering the paper versions of the records into the computer. And that doesn’t even include the orders canceled by customers angry over the delay. In yet another story, a disgruntled worker short-circuited a terminal by urinating on it.
“Hire well,” says Jack Bologna, an expert on the “people” side of computer security, summing up ways to avoid such traumas. “Pay fairly, praise people for good work, give them opportunities for advancement, and make them feel comfortable talking over their problems.”
Remember that the line can fuzz between outright sabotage and simple sloppiness induced by poor morale.
If there’s a disaster and you’re not sure if it’s accidental or deliberate, however, don’t be too quick to point your finger. You may find it chopped off with a lawsuit filed by your suspect, perhaps for less than $1,000, while your firm must spend several times that to defend itself. Unjustified accusations, also, hurt morale and may even add to security problems.
And if you do prove theft or sabotage?
Act. Don’t cover up. Rather, cover yourself—legally. Tell your boss what happened. If you’re mum and someone else reports the crime, your superior may consider you among the guilty. Also, don’t discount the possibility that your boss may himself be either guilty or a part of a cover-up because he fears a stockholders’ suit. You may have no choice but to report him tohisboss. Press for an independent audit committee if you’re powerful enough and if the size of the crime justifies one.
Should you fire someone for a computer-related offense, do it artfully.
“If they’re in a critical job position, help them clean out their desk, collect their ID card and any office keys, and walk them to the door or to the personnel department,” says Timothy A. Schabeck, who editsCorporate and Computer Fraud Digestwith Jack Bologna. The FBI’s Lewis says as much.
If you do prefer instant firing, follow Schabeck’s advice to provide counseling and severance pay. And soften the blow, too, by warning everyone, when hired, that your axes are quick and sharp.
Mightn’t instant firing, however, be brutal, anyway? Well, it depends on the amount of damage that a discharged employee could inflict and on how vindictive you perceive him to be. Ideally, you could minimize the damage by having backup disks or tapes out of the your victim’s reach. Also consider how successfully you can keep the fired employee from returning to your computer—by ruse or otherwise? Is your office absolutely physically secured? Can you trust guards or janitors working weekends not to admit a familiar face?
It’s all a part of bridging the gap between policy and practices.
Don’t just wait until a crime to make your staff security conscious.
Too often, warns James A. Schweitzer, a Xerox security expert, people protect information only if it’s on paper. He says, “There have been a number of cases where tapes and disks have mysteriously disappeared from places like desktops.” If need be, designate an employee to make sure others have locked up right by the end of the day. In less than a minute, using a floppy disk, a thief may duplicate hundreds of times as much material as he could on a paper copier.
Worry, too, about your people’s use ofmodems—the gizmos that transform your computers digital output into a whiny sound for the phone lines.
Don’t let them routinely keep sensitive material on disks that will play back to savvy criminals who happen to dial in.
This especially applies to Winchesters. They’re the oxide-coated aluminum disks that remain in the machine housing them, and they stash away many times the amount of information on most plastic floppies. Now imagine the delights awaiting a thief or snoop. Via your auto-answer modem he could rifle thousands of pages of Winchestered documents. Such electronic robberies needn’t happen, but until businesses get burned this way, they will. So if you’re sharing an electronic spreadsheet or mailing list with your branch office, do so if possible at a prearranged time during business hours when you know who’s calling. Tell your people to do the same.
You’ll also need a privacy policy—internal and external. Do you, for instance, want salary information on a Winchester disk that any of your company’s computer-users could read? And how about employees’ health records? Good data security should protect your people as well as your company. So limit your computerizedrecords to the essential and tell your executives not to use their home computers to bypass privacy laws.
Worry, too, about an external-privacy policy. Are you respecting the rights of your customers, including those, who, by computer, may be transmitting to your companytheirelectronic jewels?
It isn’t just decency you want; it’s also good protection against suits, whether from people or client companies.
Here again, set a firm policy against your people misusing their personal micros. Alan F. Westin, a Columbia University professor of public law and government, correctly warned inPopular Computing, “A financial officer of a bank might store information about the life-style, habits, sexual preferences and other personal behavior of large individual borrowers or key corporate executives.” The banker might do this behind customers’ backs to help decide who was “stable” enough for loans.
You’ll also need a policy covering employees who use your computers for, say, maintaining their church’s bingo books. Why not let them? It isn’t the worst public relations. Some companies even allow their employees to play games after hours, tapping into company systems from home, and you, too, might experiment with this, provided it won’t add to your data-security problems. Better a fringe benefit than a crime.
On the other hand, you’ve got to draw the line somewhere. Can you estimate how much this extracurricular use of your machines costs in wear and tear—in, eventually, replacement costs? Feel your employees out on this one if you’re running a small business or hold sway over a large one. Would they rather enjoy computer privileges or better health insurance? You might offer cafeteria-style fringe benefits, with computer use as one of the options. Employees not selecting this choice might have to agree to it, anyway, if you discovered them using a company computer for personal purposes. This problem, of course, may lessen as the prices of small computers plummet and their capabilities grow.
Whatever the form of potential crime—theft or otherwise—keep remembering one of the basics of data security: It should cost neither more money nor morale than justified.
Now for advice on finding themostcrookproof computers and programs.
Buy a micro with 16- or 32-bit word lengths and RAMs of 256K or more. Those specifications will let you use more elaborate codes to protect information. What’s more, they might be lesscumbersome than codes on an 8-bit machine. Look, too, for electronic design that lets your computer establish privilege levels—reachable through passwords. That way, Sally, the new secretary, can start out getting into the computer only for word processing. Helen, the payroll clerk, can have access to confidential salary information but not a top-secret budget that doesn’t give her the raise she’s been pestering you about. Questions exist about the effectiveness of passwords and codes, at least when the thieves or snoops may be sophisticated, but that’s another story. Most experts will tell you that anything that can be coded can be cracked. The trick is to make it not worth the criminals’ time and resources. Of course, the best safeguard is still the simplest: locking up the disks and computer after you or your people are through.
New minis, by the time you’re reading this, may all be 64 bit or higher. They adapt to codes—and fancy electronic logs showing the kind of work done on them—more easily than do micros. And they might justify other costly security measures. Suppose, for instance, you want to follow the many government agencies’ examples and pen in the tiny radio waves that computers emit so that eavesdroppers can’t pick them up with sensitive receivers. A micro fortified this way might cost perhaps $10,000. “What’s the sense of doing that for what’s essentially a throwaway computer?” asks Harold Joseph Highland. The “throwaway,” be assured, is an exaggeration, but his point comes through.
Of course, don’t forget the disadvantages of minis.
Most machines at the mini level or above need professional programmers, and that’s bad news if you’re trying to stay in complete charge of your business.
Also, minis, because of their expense, normally won’t pay for themselves unless they have at least several terminals.
And the more terminals you have, the more “doors” through which crooks can “walk.”
Still, you normally shouldn’t let security alone determine if you end up with a micro or with a mini. Remember the warning earlier in this chapter that security costs shouldn’t overwhelm you. How often, for instance, is your information so sensitive that you’re worried about criminals lurking in the bushes with the elaborate equipment needed to make sense of the tiny waves your computer emits? Your data might not even justify use of codes.
I myself haven’t the slightest need for codes, user-privilege levels, anything other than locking up my disks, since I’m essentially a small businessman who is the sole operator of a micro.
Even the FBI doesn’t really worry about security on some computers. At the time I visited the agency’s academy in Virginia,several little Radio Shack models were purring away there—the same kind you’d buy off the shelf. The micros’ software had passwords, but some agents could bypass them, anyway, which wouldn’t be necessary, of course, since, in this case, the FBIwantsthe machines to be used.
Before saddling yourself with fancy electronic precautions, do see if a security service, a good, heavy safe, a locked room, or a burglar alarm would work instead. And what about simply carrying home some duplicates of your most important floppies? That possibility will become increasingly attractive as the disks’ storage capacity increases. This isn’t to say, however, that you should store Exxon’s major corporate secrets in a dirty unlocked drawer next to old underwear. But a small businessman might consider taking his backup disks home.
If you buy a safe for your office’s disks or tapes, think about fire protection. Check with your fire department. What makes of safes could be in the middle of the flames without the disks suffering temperatures of more than 115 degrees Fahrenheit?
Investigating locks and burglar alarms, you’ll learn that your computer may be able to protect itself. How? Some gadgets can let only card-carrying employees—your people with magnetic cards—enter a room. And they can tie into the computer to save you money. The same applies to burglar alarms. Of course, you might want nothing fancier than a strong lock bolting your computer to a heavy table. Don’t spend more than the data are worth to replace.
You might also consider a guard service. The problem is that salaries add up even for quick nighttime checks.
After a few months or a year, you may be well on your way to having shelled out the cost of an elaborate electronic security system. Guards normally would be more appropriate for users of large minis and mainframes than for desktop types.
One advantage of physical security—most any kind—is that it can protect the computer equipment itself, not just your electronic files.
You’ve undoubtedly read of theft of computer chips from Silicon Valley firms. Now be prepared for reports of widespread computer theft, eventually, as the market grows for both legally bought and fenced merchandise. With computers shrinking in size, they may well be an even hotter item for fences than stolen Selectrics. Even Apples several years ago were too intimidating to a burglar, like the one who stole the silverware of an acquaintance of mine but passed over his computer. Be assured, though, that crooks are increasingly computer literate. There’s even talk of themob moving into computer crime, raiding government files, and, presumably, engaging in less challenging illegalities, like setting up computer-fencing rings.
With computer crooks in the future being smarter and more organized, you should think hard before depending on simply passwords or codes to protect you.
First, assume that at least some people may try to unravel your puzzles. A whole generation of prodigies right now is practicing by copying the supposedly uncopyable computer games on disks. In effect, notes Churbuck, the New Hampshire lawyer, each disk provides two puzzles. One is the original game. The other is the puzzle of figuring out how to make illicit copies. And at the University of Western Ontario, Prof. John Carroll surveyed students in two advanced computer courses and found that one-third had sought free, illegal computer time. It’s been pointed out that the very best, the very brightest, students have too many legitimate opportunities—on large systems—to worry about pillaging small computers. And that may be true. But by the late 1980s or early 1990s, some journeyman criminals may develop among the second-raters.
Second, don’t shrug off a warning from R. E. (Bob) Kukrall, author of the handbookComputer Auditing, Security and Controls: “Cracking a computer system’s defenses may be about as difficult as doing a hard Sunday crossword puzzle.” He says that thieves managed in minutes to call up computer files that were protected by a five-digit code number. They just programmed the computer itself to try each of 100,000 combinations.
“In effect the speed and capabilities of the computer were used to violate its own security,” Kukrall said inTeleSystems Journal.