Running head: THE GROWING THREAT OF COMPUTER CRIME
The Growing Threat of Computer Crime
Computers have been used for most kinds of crime, including fraud, theft, larceny, embezzlement, burglary, sabotage, espionage, murder, and forgery, since the first cases were reported in 1958. One study of 1,500 computer crimes established that most of them were committed by trusted computer users within businesses; persons with the requisite skills, knowledge, access, and resources. With the arrival of personal computers to manipulate information and access computers by telephone, increasing numbers of crimes–electronic trespassing, copyrighted-information piracy, vandalism–have been committed by computer hobbyists, known as “hackers,” who display a high level of technical expertise. For many years, the term hacker defined someone who was a wizard with computers and programming. It was a challenge to all hackers, and an honor to be considered a hacker. But when a few hackers began to use their skills to break into private computer systems and steal money, or interfere with the system’s operations, the word acquired its current negative meaning. With the growing use of computers and the increase in computer crimes, early detection, deterring computer crimes, and new laws regulating and punishing these computer crimes are necessary. Without it, chaos will be the end result.
The Growing Threat of Computer Crime
Do you think your company’s computer systems are secure? Think again. Billions of dollars in losses have already been discovered due to computer crimes. Billions more have gone undetected. Trillions more will be stolen, most without detection, by the emerging master criminal of the twenty first century –The computer crime offender. What’s worse yet is that anyone with a computer can become a computer criminal.
Crimes such as embezzlement, fraud and money laundering are not new. However, each of these crimes now has a new partner in crime-the computer. Crimes that have become unique due to the availability and widespread use of computers include:
a.unauthorized use, access, modification, copying, and destruction of software or data;
b. theft of money by altering computer records of theft of computer time;
c.theft or destruction of hardware;
d.use or conspiracy to use computer resources to commit a felony;
e.intent to obtain information or tangible property, illegally through use of the computer. (Fraud Survey Results, 1993)
Although incidents in this second category of crimes do present a serious problem, embezzlement is by far the major threat to small businesses. This is evident by the frequency of reports in the local media. Cash is the most vulnerable asset as it is the easiest for the perpetrator to convert to personal use. Firms most vulnerable to theft of money are firms that must rely on one individual to perform the duties of office manager and bookkeeper. Having more than one employee in the office provides an opportunity to effect certain internal controls, particularly separation of duties. Small business owners should review their insurance coverage for employee dishonesty. While there are no standards to determine precisely the amount of coverage necessary, the marginal cost of adding an extra $1,000 of coverage decreases as the coverage increases. A business owner should consult with an insurance agent and err on the side of caution, just to be safe.
Although theft of money is a major subject when speaking of computer crime, there are also many other areas to be concerned about. Some of the computer crimes for the 21st century will include:
Communication crimes (cellular theft and telephone fraud).
Low-tech thieves in airports and bus terminals use binoculars to steal calling card access numbers. Thieves will park their vans along busy interstate highways and use specialized equipment to steal cellular telephone access codes from the air. This is just the tip of the “iceberg”.
Business. Most banking today is done by electronic impulse. Therefore, access to business computers equals access to money (and lots of it). Convicted computer hacker, John Lee, a founder of the infamous “Master’s of Deception” hacker group stated that he could change credit card records and bank balances, get free limousines, airplane tickets, and hotel rooms (without anyone being billed), change utility and rent rates, distribute computer software programs free to all over the internet, and easily obtain insider trading information. Imagine………this is just one person. Think of all the hundreds of “hackers” that are out there.
Computer stalking. One type of computer criminal rapidly emerging is the “cyber stalker”. One such stalker, the pedophile, surfs the net looking to build relationships with young boys or girls and then sets out to meet them in person to pursue his/her sexual intensions. This type of activity also leads to sellers of child pornography over the internet.
Virtual crimes. Stock and bond fraud is already appearing on the internet. Stocks and bonds that appear on the market are actively traded (for a short period of time) and then disappear. These stocks and bonds are nonexistent-only the electronic impulses are read.
One must note, however, no matter how clever the hacker, the most serious security threat in most enterprises is password theft. Password stealing is the “holy grail” of hacking. Once a username/password combination has been found, the hacker has free rein to exploit that user account. Firewalls, intrusion detection systems, encryption, and other countermeasures are powerless. Here, hackers an get a hold of a valid user name and password, plus the right URL or dial up number, and can use these to steal your sensitive data. Hackers can also use programs such as “sniffers” to steal your sensitive data. These programs look for particular information such as passwords or credit card numbers in which the hackers turn around and use to their benefit. Last year, a so-called “sniffer” was used to steal more than 100,000 credit numbers which were stored on the server of an internet service provider.
The top ten types of high tech criminal activity are reported as:
10.Active wiretap 4%. (Computer Security Institute for the FBJ)
As you can see, computer crime isn’t limited to any one area or business. And nothing boosts awareness of computer security better than a few widely publicized breaches. In 1998, a federal prosecutor charged a former employee of Forbe’s Inc with sabotaging Forbes computers. The accused sought revenge after his dismissal in 1997 by tying up one of Forbe’s computer lines, from his home telephone, for a total of 55 minutes. The company stated it was like putting Krazy Glue in the telephone line. Estimated damage $100,000. In 1999, despite Microsoft’s claims that it took “advanced” skills to create a hack in its free, web-based Hotmail service, which exposed millions of user’s accounts. Security experts said the hack was actually very “user friendly” and easily shared. In August, 2000, Supermarket great “Safeway” had failed to get its web site up and running two weeks after a suspected hacker attach led to its closure. The sight was shut down after numerous shoppers received an email hoax telling them to shop elsewhere. In 1994-95, an organized crime group headquartered in St. Petersburg, Russia, transferred 10.4 million dollars from Citibank into accounts all over the world. Russian hacker, Vladimiv Levin, was charged with fraud and convicted by a federal grand jury in New York. He was sentenced to 3 years in prison and ordered to pay $240,000 restitution to Citibank. In February 2000 it was reported that hacker attacks on sites such as Yahoo and Ebay resulted in losses of 1.2 billion dollars. The attacks were initiated by hackers who penetrated insecure servers hosted by large organizations like universities and research institutions. These sites were plagued by “denial of service” attacks. (routers connecting the site to the rest of the Internet have been flooded with so much fake traffic that the router becomes unable to cope. Once this is achieved, genuine users find themselves unable to get connected). Other sites affected by “denial of service” include CNN, Zdnet, Buy.com, and ETRADE group. These sites experienced slowdowns in service of 45 minutes up to 5 hours.
With the never-ending threat to computer security, there are several different programs
available to help guard your valuable information. The following is an overview of some of these programs:
SilentRunnerTM. SilentRunnerTM is an internal network security tool and is designed to
detect and report network threats that originate from inside your network. SilentRunnerTM is a passive, multi-functional software tool that monitors network activity in real time, producing a virtual picture of network usage and vulnerabilities. Because SilentRunnerTM is passive and does not introduce additional traffic on a network, it remains undetected by network users, without violating a company’s privacy codes. It works as a complement to external devices, such as firewalls and intrusion detection, and provides the highest level of internal security available in the industry.
Omniguard/ITA (Intruder Alert). Omniguard/ITA is a real time, security event monitor that enables security manages to detect suspicious activities and prevent security breaches before they occur. Omniguard/ITA monitors multiple streams of security audit trail information across the network, analyzes this data in real-time based on site-specified rules and responds automatically to critical events. If Omniguard/ITA system detects a significant threat, it can notify the security administrator by flashing a message on the management console, sending an email or beeping a pager.
Cisco Secure IDS (formerly NetRanger). Cisco Secure IDS is an enterprise-scale, real-time intrusion detection system designed to detect, report, and terminate unauthorized activity throughout a network. Cisco Secure IDS is an ideal solution for companies who need to know if their network us under attack from internal or external sources.
Real Secure Manager is an intrusion detection system with capabilities within a familiar network and systems management environment. All RealSource management options include real-time views of suspicious activity, such as external and internal attacks or internal misuse, real-time alarm management through propagated display of network security activity, Realsecure online help for incident response and detailed information abut events, secured communications between the Realsecure manager and all Realsecure engines and agents, and control functions are authenticated, verified, and encrypted using RSA, Certicom Elliptical Curve, or user-selected algorithms.
NFR security offers several different options in security products. The NFR Intrusion Detection System (NFR IDS) comprises several products that operate independently or together as an integrated suite with a common administration, architecture, interface, data formats, management, and analysis and reporting tools. Each product can operate as a stand-alone system, and as part of a distributed configuration serving large or geographically dispersed organizations. NFR IDS includes NFR Network Intrusion Detection (NID), NFR Secure Log Repository (SLR) and NFR Host Intrusion Detection (HID). NID monitors networks and subnets and raises alerts when known attacks and anomalous activity are detected. NFR SLR is NFR’s secure log storage and management systems, NFR HID monitors servers and workstations and raises alerts when known attacks and anomalous activity are detected. There are also programs available that will protect your home computer from security breaches caused by hackers. One such program is called Freedom Internet Privacy Suite 2.0. Standard features include a personal firewall (especially for those with DSL and cable modems), form filler (to speed up and secure online registrations and transactions), cookie manager (to prevent websites from tracking your activities), ad manager (controls ads and speed up browsing), keyword alert (to prevent personal information from leaving your computer), as well as offering untraceable encrypted email (to secure and privatize your email) and anonymous browsing and chat (to go online undetected). Unfortunately, most computer crimes are discovered by chance, particularly in small businesses.
Some means of detection include suspicious employees, physical inventory shortages detected by
an audit, an error made by a greedy associate, an employee living a lifestyle obviously beyond
what could be supported by his income and other resources, and disgruntled employees. Hiring and firing practices, effective employee training, and managing disgruntled employees properly can help make crime less likely to occur.Most people imagine a “hacker” as an anonymous cyber-intruder writing endless lines of code to penetrate a system from outside. But half of the unauthorized system intrusions involve insiders who have, or had legitimate access to the system. In addition, hacking has entered the mainstream, spurred by downloadable “hacking tools” that can enable even computer novices to launch devastating cyber-assaults. A hacker must also find an vulnerability human or technical that he then exploits to circumvent security measures. “Social Engineering”, tricking staff into providing information that can help establish access, often entails posing as a member of the computer or MIS department to obtain passwords from unsuspecting employees. As previously stated, hackers also employ “sniffers” and other software prog5rams to gain access to victim systems. Nobody can predict which companies will be attacked and businesses want to know, how serious is the threat? In truth, know one knows. A system isn’t immune to attack just because the information inside has little value. And, any attack brings obvious costs: lost computer time, employee hours spent on investigation or repairs, lost revenues for e-commerce firms. One key point in fighting computer crime is to design an effective compliance program. An effective compliance program addresses both human and technical vulnerabilities, and protects against both outside and inside attacks. Background and security checks should be performed on key computer network personnel, including outside contractors who build or service the network. All personnel, from the CEO to the stock clerk must understand the risks of social engineering and learn what to do in the event of attack—whom to notify, and how to preserve evidence that may prove useful to company counsel or law enforcement. There are six strategies to follow in deterring computer crime:
a.making the crime less likely to occur;
b.increasing the difficulty of successfully committing the fraud;
d.prosecuting and incarcerating perpetrators;
e.using forensics accountants; and
f.reducing the losses. (Allen 1977)
When all else fails…..call in the law. Hackers, or those committing crimes via the computer can be charged with fraud, invasion of privacy, embezzlement, and many other charges through your local law enforcement office. However , there are at least 26 states that have laws specific to computer crime (Arkansas, Kentucky, Michigan and Vermont are among some of the states that do not have specific laws regarding computer crime). In fact, let’s take a look at a few of these laws. In Texas, s. 33.03 “Harmful Access” states:
(a) A person commits an offense if the person intentionally or knowingly and
without authorization from the owner of the COMPUTER or a person authorized to
(1) damages, alters, or destroys a COMPUTER, COMPUTER program or software,
COMPUTER system, data, or COMPUTER network;
(2) causes a COMPUTER to interrupt or impair a government operation, public
communication, public transportation, or public service providing water or
(a) tamper with government, medical, or educational records; or
(b) receive or use records that were not intended for public dissemination
to gain an advantage over business competitors;
(4) obtains information from or introduces false information into a COMPUTER
system to damage or enhance the data or credit records of a person;
(5) causes a COMPUTER to remove, alter, erase, or copy a negotiable
(6) inserts or introduces a COMPUTER virus into a COMPUTER program, COMPUTER network, or COMPUTER system.
(1) felony of the second degree if the value of the loss or damage caused by
the conduct is $20,000 or more;
(2) felony of the third degree if the value of the loss or damage caused by
the conduct is $750 or more but less than $20,000; or
(3) Class A misdemeanor if the value of the loss or damage caused by the
conduct is $200 or more but less than $750.
In Iowa, one of the laws “on the books” is noted as:
716A.2 Unauthorized access. A person who knowingly and without authorization accesses a computer, computer system, or computer network commits a simple
In the Hawaiian state Legislature, house bill 524, House Draft 1, was passed, to update the laws relating to prohibited computer activity, nearly a decade after the laws were created. One of the provisions includes unauthorized computer access in the first degree: when a person knowingly access a computer or system without authorization in order to obtain information for commercial or private gain, to advance any other crime, to take information valued at more than $5,000 or if the information is already protected against unauthorized disclosure. The violation is a Class B felony punishable by up to ten years in prison. Unauthorized computer access in the second degree is classified as a Class C felony punishable by up to five years in prison, and a third-degree violation is a misdemeanor.
In conclusion, computer crime needs to be prevented and halted through increased computer network security measures as well as tougher laws and enforcement of those laws in cyberspace. If new laws and enforcement of those laws are not soon established, along with heightened security measures, the world will have a major catastrophe as a result of computer activity. The world is becoming increasingly dependant on computers, and the crimes committed will have greater and greater impact as the need for computers (or use of) rises. The possible end of the world was narrowly averted, but was caused by a computer crime. The United States defense computer system was broken into, and the opportunity existed for the hacker to declare intercontinental nuclear war; thus leading to death of the human race. Another event like this is likely to occur if laws, enforcement of the laws and security of computers are not beefed up. The greatest creation of all time, the computer, should not lead to the destruction of the race that created it.
Abreu, E.M. (1999, September). Experts find Microsoft Hotmail hack easier than claimed. Company Business and Marketing.
Bernardo, R. (May 4, 2001). State law moves to address technology crime. Honolulu Star-Bulletin
Cisco Secure IDS (2001). On-line. Available: http://www.cisco.com
Eaton, J.W. (1986). Card-carrying Americans. Privacy;, Security, and the national i.d card debate. United States of America: Rowman & Littlefield.
Farrow, R. & Power, R. (2001). Five vendors some no-nonsense questions on IDS. CSI Intrusion System Resource
Goodwin, B. (2000, August ). Safeway site is still down after hack attack.. Company Business and Marketing.
Network ICE Corporation (1998-2000). Password theft On-line. Available: http://www.netice.com
Niccolai, J. (02/11/2000). Analyst puts recent hacker damage at $1.2 billion and rising On-line. Available: http://www.nwfusion.comn/news
Real Secure (2001). On-line. Available: http://www.securehq.com
Schindler, D.J. (2000, March). E-Crime and what to do about it. Los Angeles Business Journal.
SilentRunnerTM. SilentRunnerTM On-line. Available: http://www.silentrunner.com/about/index.html.
Teach, E. (1998, February). Look who’s hacking now. CFO, The Magazine for Senior Financial Executives.