Computer Crime Problems Research Center

Fighting Computer Crime

by David Icove, Karl Seger, and William VonStorch

Computer crimes are increasingly in the news. And, why not? When Willie Sutton was asked why he robbed banks, he replied, "Because that's where the money is." Today's criminals have learned where the money is. Instead of settling for a few thousand dollars in a bank robbery, those with enough expertise can walk away from a computer crime with many millions. And they do walk away -- far too often. The National Computer Crimes Squad estimates that between 85 and 97 percent of computer intrusions are not even detected. Fewer than 10 percent of all computer crimes are reported (mainly because organizations frequently fear that their employees, clients, and stockholders will lose faith in them if they admit that their computers have been attacked). And few of the crimes that are reported are ever solved.

Over the past several decades, the amount of money, military and intelligence information, proprietary business data, and even personal communications stored on and transmitted by computer has increased beyond anyone's imaginings. Governments, the military, and the world's economy couldn't operate without computer automation. Increasingly, the computers that transact this huge amount of business are linked to each other via the Internet or various military or financial networks. The numbers are staggering. More than a hundred million electronic messages traverse the world's networks every day. Banking networks transfer trillions of dollars daily.

And all that information being stored and transmitted is vulnerable to attack. Nobody knows the true scope of computer crime, but it is informally estimated to be in the hundreds of millions. Almost every organization has been affected in some way by computer crime. The British National Computer Centre reported that more than 80 percent of British organizations suffered a security breach in the last two years. The increasing use of interconnected networks makes these crimes easier than ever. Four out of every five computer crimes investigated by the FBI in 1993 involved unauthorized access to computers via the Internet.

In this age of automation and connectivity, almost no organization is exempt from computer crime. This article outlines the most common types of computer attacks:


Military and Intelligence Attacks

National security is increasingly in the hands of computers. Computers store information ranging from the positioning of Air Force satellites to plans for troop deployment throughout the world. Just as common criminals have learned that computers are where the money is, espionage agents have learned that computers are where the intelligence information is. More and more, espionage is becoming a game of computer break-ins, computer-based cryptography, and message traffic analysis. The cloak and dagger have become virtual.

In his book, The Cuckoo's Egg, Cliff Stoll describes in fascinating detail how a 75 cent accounting imbalance in California led him to the discovery of a West German cracker who was extracting information from defense computers in more than ten nations. The information was then reportedly sold to the Soviet KGB.

The cracker in Stoll's book is not a lone phenomenon. In June 1988, computer cracker Kevin Mitnick, code-named "Condor," remotely broke into a Defense Department network. He stole a pre-release version of Digital Equipment Corporation's VMS V5.0 Operating System software and temporarily stored the software on a Navy computer at the Patuxent Naval Air Station. Officials say that no classified information was obtained during the incident -- this time! (As this book was going to press, Kevin Mitnick was arrested after an intensive manhunt.)

Intrusion into U.S. government computers is common, despite the best efforts to enforce computer security. In January 1990, three Silicon Valley workers were arrested for breaking into government and telephone company computers. They allegedly broke into systems that provided them with information on military exercises, flight orders, FBI investigations into associates of the late Philippine President Ferdinand Marcos, and instructions on how to eavesdrop on private telephone conversations. Some of the military information that was compromised as a result of the intrusions was previously classified SECRET.

Department of Energy facilities were targeted by attackers in March 1990. The intruders were prevented from obtaining classified information, and an investigation was initiated immediately to identify the source of the attempted intrusions. Several weeks later they were located and identified. They were attempting to break into the computers from outside the United States. Many such attempts and attacks have been reported in the intervening years. It is clear that military and government systems continue to be attractive targets for computer criminals, whatever their motivation.

Business Attacks

Just as the Cold War seems to be ending, a new era of worldwide economic competition has begun. Increasingly, rivalries among national economies make industrial espionage a growing threat. Even "friendly" nations have become our economic enemies. In a recent case, Boeing Aircraft accused the French company, Airbus, of bugging Boeing employees' hotel rooms and airline seats and tapping their phone lines to get secret corporate information.

An Ernst and Young/Information Week survey (reported in the Toronto Financial Post, December 15, 1994) found that 54 percent of companies reported some type of financial loss over the past two years as the result of computer problems -- some crashes and internal problems, but many of them were the result of malicious damage.

Businesses are increasingly the target of both competitors and the curious. Even computer companies like Apple Computer are not immune to attacks by computer criminals. In December 1987, Apple Computer found a virus in its electronic mail system. The virus succeeded in shutting down the system and erasing all of Apple's voice mail. Apple also reported that computer criminals may have reverse-engineered the highly secret code that underlies its Macintosh computers. This copyrighted and seemingly highly protected code could be used to build a clone of the Macintosh computer.

IBM has also been the target of computer abuse. One example was in December 1987, when a creative West German programmer managed to plant a Trojan horse program (many incorrectly labeled it a virus) in the IBM electronic mail systems on five continents. Anytime someone on an affected system typed "Christmas" on his computer, the program displayed a holiday message. It then sent a copy of itself to other network addresses kept in that user's electronic mail file. Anyone who tried to stop the message lost electronic mail and other information that had not been saved. The incident was so severe that IBM had to shut down the system for 72 hours while it purged the message.

Financial Attacks

More and more, our money may seem to be nothing but bits in a computer, numbers on a screen, and ink on an occasional bank statement. Our paychecks are deposited electronically. Our bills may be paid electronically; if not, we write checks, and the dollar amounts get subtracted electronically. It's only fitting that the biggest theft and fraud cases are electronic as well.

Banks are always a tempting target for computer criminals. Back in 1988, seven not-quite-clever-enough criminals hatched a plot against the First National Bank of Chicago. The group used a wire transfer scheme to move $25.37 million belonging to Merrill Lynch and Company, $25 million belonging to United Airlines, and $19.75 million belonging to the Brown-Forman Corporation to a New York bank and then to two separate banks in Vienna. The transfers were authorized over the telephone, and follow-up calls were made by the bank to verify the requests. All of the follow-up calls were routed to the residence of one of the suspects. On Monday morning, the three companies called the bank to find out what happened to their deposits. Investigators used the telephone records of the verification calls to trace the crime to the suspects. Had these criminals been a little more clever or a little more quick, they might have gotten away with over $70 million.

Financial attacks are often perpetrated by insiders, who know the technical ropes. In 1994, an MCI switch technician was arrested for allegedly selling thousands of credit card numbers. The total cost was estimated at $50 million. Incarcerating criminals can't always prevent computer crime. Toll fraud is one of the oldest forms of computer crime and continues to be a concern to the communications industry. Fifteen inmates at the Metro jails in Davidson County in Nashville, Tennessee were charged in February 1989 with accessing long-distance telephone accounts and charging over $2000 in long-distance charges in just one weekend. Inmates who had access to the codes sold them to others in jail for $5.00 or more, or sold individual calls for $1.25 each.

Terrorist Attacks

Even terrorists have gone high-tech. In the early hours of September 2, 1985, a bomb detonated in front of the Hamburg office of the West German software developer, Scientific Control Systems. Within seconds another explosion occurred at the offices of Mathematischer Beratungs and Programmierungsdienst, another software firm. Terrorists were striking at the computer industry, but not for the first time. The Italian Red Brigade had launched attacks against more than 25 computer and electronics firms in Italy back in the 1970s. Other attacks against computer facilities and high technology firms have taken place in South America and other parts of Europe. It may be only a matter of time before terrorists or other parties target U.S. facilities.

Think about it from the terrorist's point of view: Why blow up a single utility tower -- causing a rather unmemorable blackout -- when you can crack the utilities system and turn out the lights in the Northeast United States for a whole day? How about the anti-tax group that decides to go to the source, attacking the computers of the Internal Revenue Service and the Bureau of Engraving and Printing?

Paranoia? Not really. Among the ranks of today's criminals, spies, and terrorists are plenty of computer-literate individuals. And, while the IRS and the Bureau of Engraving and Printing have taken elaborate measures to protect their systems, there are plenty of other targets in the U.S. and abroad.

Grudge Attacks

Not all computer criminals are after information or out to cause havoc by planting viruses. Some simply want to wreak damage and destruction. One of the better known cases in this category is that of a Texas insurance company employee, Donald Gene Burleson. Burleson was a systems security analyst who worked for his employer for more than two years before being fired. After he left the firm, its IBM System/38 crashed, and the company suffered a major loss of commission records used to prepare the monthly payroll. The program responsible for the problem was traced to Burleson's terminal and his account. Investigators were able to show that he had planted a "logic bomb" in the program while he was still with the company.

In the fall of 1994, two computer writers were the target of a "mail bomb" (reported by Time magazine, December 12, 1994). Apparently in retaliation against articles the victims had written about crackers, someone broke into computers at the writers' Internet service provider, IBM, and Sprint. Their home computer mailbox was clogged with thousands of pieces of electronic mail. Their Internet connection was then shut down. Their telephone was reprogrammed so calls were forwarded to an out-of-state number; when callers reached that number, they heard an obscene recording.

"Fun" Attacks

In some ways computer crime is a logical extension of other types of crimes; it simply represents a bigger, faster, and more anonymous way to accomplish the same results -- espionage, attacks on competitors, bank fraud, and terrorism. But in other ways computer crime is very different. It's full of variants and seeming contradictions. At one extreme, computer crime can be much more profitable than other forms of larceny or fraud, so it has a clear attraction to financial criminals. At the other extreme, computer crimes are often perpetrated as intellectual challenges without any profit motive at all.

A lot of computer criminals aren't in it for the money. Except for the fact that what they do breaks the law, you might not think of them as criminals in the traditional sense. The criminals in this category wouldn't dream of holding up the corner convenience store or writing graffiti on bathroom walls, but here they are breaking into military bases, universities, banks, and businesses large and small.

Many of them are kids, sometimes quite young ones, who think of their computers as the next step up from a video game. In June 1989, a 14-year-old Kansas boy used a small home Apple computer to crack the code of an Air Force satellite-positioning system. The teenager, who reportedly began his career as a cracker at age 8, specialized in breaking into Hewlett-Packard's HP3000 minicomputers that were used by businesses and a number of government agencies.

They may be kids, and bright ones at that, but they are breaking the law, endangering both people and businesses, and they need to be stopped from expressing their creativity and spirit of adventure in this way.

The worm that made its way into the Internet in November of 1988 showed the computer world, for perhaps the first time, how dangerous an experiment on the Internet can be. Robert T. Morris, at the time a Cornell University graduate student, says that he planted the worm as a network experiment, but, because of a bug in the program, the worm quickly raged out of control. Once installed, it multiplied across network links, creating procedures and rapidly clogging the individual computers' available space until other work on the affected machines virtually ground to a halt. The worm exploited several UNIX security holes. Although it didn't damage data, the worm created havoc at the machines it invaded. Many system administrators had to shut down computers and network connections. Other work was halted, electronic mail was lost, and research and other business was delayed. Estimates of the cost of testing and repair exceed one hundred million (although the actual cost was probably less).

The CERT

After the Internet worm incident in 1988, elements of the computer community came together to found an organization that would be able to respond quickly to future Internet security attacks. Under the auspices of the Defense Advanced Research Projects Agency (DARPA), the Department of Defense established the Computer Emergency Response Team (CERT) Coordination Center.

Located at Carnegie-Mellon University's Software Engineering Institute in Pittsburgh, the CERT, in cooperation with public and private computer networks, serves as a clearinghouse, helping organizations respond to attacks and to share information about them.

Since the CERT was first established, the organization has reported more computer security incidents each year -- fewer than 200 in 1989, about 400 in 1991, 1400 in 1993, and around 2000 in 1994. And, the sites reporting break-ins are only a small percentage of those affected.

Criminal Automation

Even when they aren't directly targeting computers or electronic data, criminals -- like so many other people in our technological society -- are automating their operations. Extremist groups like the Aryan Nation have established computer networks to communicate their messages of hate and violence. Drug dealers use computers to store records of transactions and financial dealings. In at least one case, an organized crime group used computers to store intelligence information on local vice and narcotics officers. This information was then sold to other criminals and criminal organizations.

Criminals are learning to take advantage of the latest advances. There have been recent reports that drug dealers, pedophiles, and other types of criminals are using various encryption programs to keep their communications secret from prying eyes even if their files are seized.

What Does It Mean to You?

Computer crime and the use of computers by criminal enterprises is a serious problem. It threatens national security and creates opportunities for modern criminals beyond anything we've previously experienced. Although improvements in computer security are helping to control the computer crime problem, the problem continues to keep pace with technology.

How do all these technological horror stories affect you?

If you are a manager or an owner of a business, you must realize that computer crime can undermine everything you have worked so hard to accomplish within your organization. Computer criminals masquerading as authorized users may be able to figure out how to log in and steal the business plans you've labored over. Secret information about the product you're about to release may help your competitor beat you to market. Disclosure of confidential material may also lead to loss of trade secret status.

If you are involved in any type of law enforcement -- as an investigator or a prosecutor, for example -- you can expect at some point to deal with either a computer crime investigation or an investigation where computers have been used by those responsible for other crimes. You may have to assist in the preparation of a subpoena for computer crime evidence, participate in the collection of computers and computer media during an arrest or during the execution of a search warrant, or be called upon to conduct a major investigation of a computer crime.

If you are the victim of a computer crime, you may be asked by law enforcement to assist them in tracking a computer trespasser, or putting together data which will later serve as evidence in the investigation and prosecution of a suspected computer criminal.

If you are just an ordinary computer user, realize that you too are vulnerable. If you don't protect your login ID, your files, your disks and tapes, and other computer equipment and data, they might be subject to attack. Even if what you have is not confidential in any way, having to reconstruct what has been lost will cost you hours, days, or longer in productivity and annoyance. And, even if you're not worried about your own data, you have a responsibility, in this era of internetworked computers, to provide some protection for others. Someone who breaks into your account could use your account to become a privileged user at your site. If you are connected to other machines, they could use your system's networking facilities to connect to other machines that may contain even more vulnerable information.


Copyright Computer Crime Research Center, 2001-2002 All Rights Reserved.