Cyber-Crime Can Have Real-World Ramifications
Jan 1, 2004 12:00 PM, By Jacqueline Emigh
On almost a daily basis, news headlines blare out tales about crimes committed on the Internet and other computer systems. These cyber-crimes can be every bit as harmful to society as traditional crimes in the physical world. Here are two examples:
During 2002, an employee of the credit card processing firm Teledata was arrested for allegedly accessing credit reports on more than 30,000 people, and then selling the reports to criminals for $60 apiece.
In an intellectual property theft from the software firm Valve, hackers stole software code for the game Half-Life 2, and then posted it on the Internet.
“Lots of damage can be done, without anyone ever wielding a gun,” maintains Serge Plotkin, chief technology officer of Decru, a vendor of information security (IS) hardware. Furthermore, experts agree that cyber-criminals can be particularly tough to catch and prosecute.
Why? For one thing, cyber-operations are often much less visible to the naked eye. Secondly, the tools of cyber-crime are complex and constantly changing. Moreover, many perpetrators are disgruntled employees, competitive rivals, and other white collar types, who may never have even seen the inside of a police station, let alone a jail cell.
Meanwhile, legislation is just starting to emerge that is aimed at doing a better job of deterring computer crime and bringing these denizens of the dark to justice. “All together, there's a lower probability of cyber-criminals getting caught,” says Plotkin, a Decru co-founder who is also an associate professor of computer science at Stanford University.
Cyber-Crime is Everywhere
“You can't always see what these guys are doing, until it's already too late,” agrees Niten Ved, president and chief operating officer of netForensics, a security software vendor. Some types of cyber-crime can be performed remotely, without any physical contact.
On the other hand, other new breeds of crime combine both cyber- and physical elements. At a deli in New York City last month, for instance, thieves allegedly rigged an ATM to scan and steal debit card numbers and PINs.
Officials charge that, by transferring the stolen information to blank magnetic cards, and using the fake cards at other ATMs, the scofflaws bilked Citibank and JP Morgan Bank out of nearly $225,000.
Tools of Cyber-Crime
What are some of the most common tools of cyber-crime? Under one approach, known as the “denial of service attack,” computer hackers flood a company's Web site with too much computer traffic. Sometimes, this forces the company's computer network to shut down completely until the attack can be brought under control.
Computer viruses, another common tool, plague corporations and consumers alike. These pieces of malicious software are specially written to make computers act in odd and often unpredictable ways.
In April of 1999, for example, David L. Smith was arrested for creating and releasing “Melissa,” a computer virus designed to mail itself out to the first 50 addresses listed in the address book of Microsoft Outlook, an e-mail software application for PCs.
The Melissa virus first struck in March of 1999, after being released to an Internet newsgroup in a Microsoft Word document containing a list of pornographic Web sites. Corporate e-mail sites around the world were soon swamped. Even high-tech giants such as Microsoft, Intel and Lucent Technologies had to shut down Internet access.
Another variety, known as “backdoor viruses,” allows computers to be controlled remotely by attackers. The list of other varieties is virtually endless.
New Methods Always Lurking
More methods of cyber-crime are always around the corner. Over the past few years, for instance, PCs have become equipped with USB ports. Unlike old-fashioned parallel ports, which were designed mostly for connecting printers, or serial ports, which were used mainly for modems, USB ports are meant for plug-and-play connectivity to multiple types of attachable devices: storage products, cameras, and DVDs, for example, along with printers and modems.
Meanwhile, vendors have begun to come out with “key fobs” — tiny but highly capable storage devices that connect to the USB port, for copying computer data.
According to Jon Bair, senior director of development at Guidance Software, key fobs already pose such a security threat that some organizations — including the CIA — are now using glue to seal up the USB ports on all their PCs.
Thieves are getting increasingly bold, too. No longer content to steal individual PCs, criminals are now walking off with huge disks used in large-scale storage systems.
In Canada, for example, an employee of ISM was accused of ripping off a hard drive containing personal information about more than one million customers.
“Social Engineering”
Cyber-criminals also use a variety of “social engineering” maneuvers to obtain users' Internet passwords, and even to get into the inner workings of network servers. In an internal test at the U.S. Defense Department, for example, people posing as outside computer technicians were able to stroll right past the front desk into the computer room, noted Bill Wall, chief security engineer in Harris Corp.'s Security Threat Avoidance Technology (STAT) business unit. Before joining Harris, Wall was responsible for establishing and heading up the AFCERTS initiative for the Air Force and NASA.
Technology For Fighting Back
Fortunately, many technology tools are available for preventing cyber-attacks, as well as for preserving and examining evidence. Experts advise that a company's technology arsenal should include the following, at a minimum:
Anti-virus software
This software is used to find viruses on a computer system, as well as to “quarantine” or “kill” these viruses. Hackers are constantly working on writing new bugs. Consequently, IT departments should see to it that both PCs and larger computers, known as servers, get frequent updates to anti-virus software over the Internet.
Internet firewalls
Available as either hardware or software, Internet firewalls are used to keep private networks separate from the Internet. When set up correctly, firewalls let IT staff control access to the Internet from within a corporate network, in addition to screening and tracking access attempts by outsiders.
Intrusion detection systems
These systems are designed to stay on the lookout for break-ins to the computer network. If a network intrusion is detected, IS personnel can be alerted instantaneously, either by e-mail or pager.
Other information security tools abound. Some organizations, for example, are starting to protect large storage devices and data centers with devices such as Decru's DataFort, which encrypts — or scrambles — the data. The Italian government is one current customer.
Each year, the Computer Security Institute (CSI) and the FBI produce an extensive survey on computer crime and security in the US. In the 2003 study, released in December, 99 percent of the organizations surveyed said they are using anti-virus software, up from 90 percent in 2002. A total of 98 percent used firewalls, in comparison to 89 percent in 2002, while 73 percent had deployed intrusion detection, a substantial increase over the 60 percent tallied the year before.
On the other hand, also according to the survey, about 91 percent of the 2003 respondents said they used physical security to help protect their computer systems, as opposed to only 84 percent in 2002. Also for the year 2003, 92 percent cited access control, while 11 percent used biometrics. Other methods of physical security range from stationing guards at data centers to chaining notebook PCs to desktops, said Ved.
‘Gray Areas’ in Legislation
In the United States, the last few years have seen a barrage of new legislation, targeted at protecting confidential information and deterring crime and other misdeeds.
HIPAA (Health Insurance Portability and Accountability Act) requires the healthcare industry to ensure the “confidentiality, integrity and availability” of computer-based medical records.
Last year, the federal government passed the Sarbanes-Oxley Act, a law designed to protect investors by raising the accuracy of corporate financial statements. Section 802 imposes criminal penalties for altering documents.
In the state of California, the newly minted Senate Bill 1386 goes even further, requiring companies to notify California residents whenever there is a breach in security that results in their personal data being obtained by an unauthorized person. This law applies even if the data is not being stored in California.
All of this legislation, however, is still new, and much of it is untested in the court system. “There are still a lot of gray areas,” said netForensics' Ved. As a result, many companies are taking a wait-and-see attitude about trying to prosecute people who violate these laws.
Meanwhile, though, some vendors — including both Guidance Software and netForensics, for example — are producing forensic software for gathering and analyzing computer evidence.
With Guidance's EnCase software, for example, investigators are able to analyze keystrokes, computer files, and other information to tell whether or not an individual has taken “affirmative steps” to break the law, according to Bair.
Take, for instance, the issue of introducing pornographic materials into the workplace. It's quite conceivable that someone might land on a porn site by mistake, Bair acknowledges. “But if someone has set up a special hidden file on his computer, just for pornographic materials, maybe that's another story.”
Policies For ‘Acceptable’ Computer Use
To help curb cyber-crime and other forms of misuse, growing numbers of companies are establishing “acceptable use” policies for their computer systems.
Some policies spell out the corporate use of antivirus software and Internet firewalls, for instance. Others are aimed at employees. Employees might be prohibited, for example, from using Internet chatrooms, sending and downloading e-mail attachments, or posting their network passwords in places where these passwords might be seen by others. Typically, according to Ved, employees are required to sign off on these policies when they first join a company.
Committees Can Work Best
Many experts recommend that, due to the increasing complexities of computer crime, each organization should establish a committee — or at the very least, a point person — to coordinate policy, security tools and regulatory compliance.
“Committees are becoming kind of a trend,” pointed out Rebecca Herold, vice president of privacy services and chief privacy officer for DelCreo Inc, an enterprise risk management company. “There isn't any one ‘common title.’ I've seen them referred to as everything from risk management teams, to risk management oversight groups, to regulatory compliance steering committees.”
Ideally, the committee should include people familiar with law, physical security, human relations, information security, and media relations, according to Herold.
“You need someone who is able to ascertain, for example, that a particular request for information is actually from a law enforcement agency. On the other hand, someone from a company's information systems department might be able to say, ‘Hey, wait a minute! Providing that particular piece of information would require our network to come down for a while. But here's a piece of information, which we can retrieve offline, that would be just as useful for law enforcement purposes.’”
In the murky underworld of cyber-crime, it's still easier for the robbers to stay a few steps ahead of the cops. Some organizations, though, are now starting to get a stronger leg up against the bad guys, by combining the most effective information systems and physical security tools with sound policy management.
© 2012 Penton Media Inc.