Types of Computer Crimes

Computer crimes and ethics

Uploaded by Matessa Anne

TYPES OF COMPUTER CRIMES

Computer crimes are criminal activities that involve the use of information technology to gain
illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering
computer data. Computer crimes also include activities such as electronic fraud, misuse of
devices, identity theft, and data and system interference. Computer crimes do not necessarily
involve damage to physical property; more often they involve the manipulation of confidential data
and critical information. Computer crimes include software theft, through which the privacy of
users is compromised. These criminal activities involve breaches of personal and information
privacy, as well as the theft and illegal alteration of system-critical information. The different
types of computer crimes have necessitated the introduction and use of newer and more effective
security measures.
Hacking: Breaking into a computer system to gain unauthorized access is known as hacking: the act
of defeating the security capabilities of a computer system in order to obtain illegal access to the
information stored on it. The unauthorized revelation of passwords with the intent to gain
unauthorized access to the private communications of an organization or a user is one of the most
widely known computer crimes. Another highly dangerous computer crime is the hijacking of IP
addresses in order to transact under a false identity, thus remaining anonymous while carrying out
criminal activities.
Phishing: Phishing is the act of attempting to acquire sensitive information such as usernames,
passwords and credit card details by posing as a trustworthy source. Phishing is carried out
through emails or by luring users into entering personal information on fake websites. Criminals
often use websites that copy the look and feel of a popular website, which makes users feel safe
entering their details there.
Computer Viruses: Computer viruses are computer programs that can replicate themselves and
harm the computer systems on a network without the knowledge of the system users. Viruses
spread to other computers through network file systems, through the network or the Internet, or by
means of removable devices such as USB drives and CDs. Computer viruses are, after all, forms of
malicious code written with the aim of harming a computer system and destroying information.
Writing computer viruses is a criminal activity, as virus infections can crash computer systems,
thereby destroying great amounts of critical data.
Cyberstalking: The use of communication technology, mainly the Internet, to torment other
individuals is known as cyberstalking. False accusations, transmission of threats, and damage to
data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target
users by means of chat rooms, online forums and social networking websites, gathering user
information and then harassing the users on the basis of the information gathered. Obscene emails,
abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.
Identity Theft: This is one of the most serious frauds, as it involves stealing money and obtaining
other benefits through the use of a false identity. It is the act of pretending to be someone else by
using that person's identity as one's own. Financial identity theft involves the use of a false
identity to obtain goods and services; commercial identity theft is the use of someone else's
business name or credit card details for commercial purposes. Identity cloning is the use of another
user's information to pose as that user. Illegal migration, terrorism and blackmail are often made
possible by means of identity theft.
Computer crimes involve the illegal exploitation of computer and communication technology for
criminal activities. While advancing technology has been a boon to mankind, destructively directed
human intellect is set to turn technology into a curse. However, such crimes are sure to end, as it
is truth that always triumphs!
Computer crimes range from the catastrophic to the merely annoying. A case of computer-driven
espionage might wreak devastating losses to national security. A case of commercial computer
theft might drive a company out of business. A cracker's prank might not actually cause damage at
all--but might cause a video game company or another computer user some annoyance. Some
computer crimes are perpetrated for kicks, and some for social or political causes; others are the
serious business of professional criminals. There is perhaps no other form of crime that cuts so
broadly across the types of criminals and the severity of their offenses.
Computer attacks.[1] Some are truly crimes, and others are not. Whether a particular attack is
viewed as being a full-fledged crime or is simply dismissed as being a prank will depend upon the
motives of the attacker, the type of organization and data attacked, and other aspects of the
situation that can't be neatly summarized in a chapter of this kind.

There are many ways to categorize computer crimes. You might divide them according to who
commits them and what their motivation might be (e.g., professional criminals looking for financial
gain, angry ex-employees looking for revenge, crackers looking for intellectual challenge). Or, you
might divide these crimes by how they are perpetrated (e.g., by physical means such as arson, by
software modifications, etc.).
Physical security - Protection of the physical building, computer, related equipment, and media
(e.g., disks and tapes).
Personnel security - Protection of the people who work in any organization, and protection of
computer equipment and data from these people and others outside the organization.
Communications security - Protection of software and data, especially as it passes from computer to
computer.
Operations security - Protection of the procedures used to prevent and detect security breaches,
and the development of methods of prevention and detection.

In some cases, the boundaries between these categories may be rather fuzzy, and some attacks may
overlap several categories.
Breaches of Physical Security
As we describe in Chapter 6, physical security is concerned with physical protection of the
computer, computer equipment, computer media, and the overall physical facility from natural
disasters, accidents of various kinds, and intentional attacks. That chapter describes the basics of
what is being protected, and provides guidelines that will help keep your facility physically secure.
We've already discussed some obvious breaches of physical security in Chapter 1. Terrorist
bombings on buildings housing computer equipment, arson, and theft and destruction of computer
equipment fall into this category. You may not realize that less obvious attacks, like turning off the
electricity in a computer room, spilling soda on a keyboard, and throwing sensitive papers in the
trash may also invite disaster. This section describes some of these less obvious breaches.
Dumpster Diving
Dumpster diving, or trashing, is a name given to a very simple type of security attack--scavenging
through materials that have been thrown away, as shown in Figure 2-1. This type of attack isn't
illegal in any obvious way. If papers are thrown away, nobody wants them--right? Dumpster diving
also isn't unique to computer facilities. All kinds of sensitive information turns up in the trash, and
industrial spies through the years have used this method to get information about their
competitors.
Computer facilities are especially good places for scavengers who are looking for information that
might help them penetrate a system. (People often write down information that they shouldn't.)
Around the offices and in the trash, crackers can find used disks and tapes,
discarded printouts, and handwritten notes of all kinds. Crackers have been known to literally dive
into the dumpsters outside telephone companies and network providers, searching for passwords
and access codes. They may also retrieve printouts, computer manuals, and other documents from
which they extract information needed to crack the system. They'll often share this information with
other crackers by posting it to BBSs or in publications of various kinds. The trash of computer and
telephone companies is of special interest to trashers because it's usually a rich source of helpful
information.
There is another type of computer-related "trash" that you might not consider. In the system itself
are files that have been deleted, but that haven't actually been erased from the system. Computers
and computer operators are oriented towards saving data, not destroying it, and sometimes data is
saved that shouldn't be. Remember the last time the system crashed while you were working on a
project? Even though you might have lost some data, you were probably able to recover using a
backup that you or your system operator or administrator made. If backups aren't made
regularly--and your data loss is greater than it might be--you'd complain bitterly. But when is the
last time you complained because data you thought was erased was still in the computer?
Electronic trashing is easy because of the way that systems typically delete data. Usually,
"deleting" a file, a disk, or a tape doesn't actually delete data, but simply rewrites a header record.
If you are running MS-DOS, for example, you can delete a file via the DEL command; however,
someone can retrieve the contents of the file simply by running UNDELETE. System utilities are
available that make it easy to retrieve files that may seem to be completely gone. This is
sometimes a source of embarrassment. Lieutenant Colonel Oliver North discovered to his dismay
that erasing sensitive Iran-Contra email didn't really remove the files, but simply removed
references to them. The files were easily retrieved and used during the hearings into the Iran-Contra affair.
Although there are methods for truly erasing files and magnetic media, most computer operators
who work on large systems do not take the time to erase disks and tapes when they are finished
with them. They may discard old disks and tapes with data still on them. They simply write the new
data over the old data already on the tape. Because the new data may not be the same length as
the old, there may be sensitive data left for those skilled enough to find it. It is far safer to explicitly
write over storage media and memory contents with random data and to degauss magnetic tapes.
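Added example (not from the chapter): a simulated scratch tape in Python that shows the behaviour just described. An ordinary delete clears only the header record, so an UNDELETE-style recovery and raw scavenging both still find the data; reusing the slot for a shorter record leaves the tail of the old one behind; only an explicit overwrite with random data before release removes it. The slot layout, record names and sample contents are constructed for the demonstration.

```python
import os
import struct
from typing import Optional

# Constructed layout: each slot is a header record (in-use flag, 16-byte
# name, data length) followed by a fixed data area, like a simple tape record.
HEADER = struct.Struct(">B16sH")
SLOT_SIZE = 64
DATA_MAX = SLOT_SIZE - HEADER.size


class ScratchTape:
    """A fixed number of record slots on a shared scratch tape."""

    def __init__(self, slots: int = 4) -> None:
        self.media = bytearray(SLOT_SIZE * slots)

    def _data_off(self, slot: int) -> int:
        return slot * SLOT_SIZE + HEADER.size

    def write(self, slot: int, name: str, data: bytes) -> None:
        """Write a record: only len(data) bytes of the data area are touched."""
        if len(data) > DATA_MAX:
            raise ValueError("record too large for slot")
        off = slot * SLOT_SIZE
        self.media[off:off + HEADER.size] = HEADER.pack(1, name.encode(), len(data))
        start = self._data_off(slot)
        self.media[start:start + len(data)] = data

    def delete(self, slot: int) -> None:
        """Ordinary DEL: clear the in-use flag and leave the data alone."""
        off = slot * SLOT_SIZE
        _, name, length = HEADER.unpack_from(self.media, off)
        self.media[off:off + HEADER.size] = HEADER.pack(0, name, length)

    def undelete(self, slot: int) -> Optional[bytes]:
        """UNDELETE: set the flag back; the data was never gone."""
        off = slot * SLOT_SIZE
        _, name, length = HEADER.unpack_from(self.media, off)
        self.media[off:off + HEADER.size] = HEADER.pack(1, name, length)
        return self.read(slot)

    def secure_delete(self, slot: int) -> None:
        """Overwrite the whole data area with random bytes, then clear the header."""
        start = self._data_off(slot)
        self.media[start:slot * SLOT_SIZE + SLOT_SIZE] = os.urandom(DATA_MAX)
        off = slot * SLOT_SIZE
        self.media[off:off + HEADER.size] = HEADER.pack(0, b"", 0)

    def read(self, slot: int) -> Optional[bytes]:
        """What a well-behaved program sees: nothing for a deleted record."""
        flag, _, length = HEADER.unpack_from(self.media, slot * SLOT_SIZE)
        if not flag:
            return None
        start = self._data_off(slot)
        return bytes(self.media[start:start + length])

    def scavenge(self, slot: int) -> bytes:
        """What a scavenger with raw access to the media sees: the whole data area."""
        start = self._data_off(slot)
        return bytes(self.media[start:slot * SLOT_SIZE + SLOT_SIZE])


def deleted_record_is_recoverable() -> bool:
    """DEL then UNDELETE: the record comes back, and raw scavenging finds it too."""
    tape = ScratchTape()
    tape.write(0, "witness", b"SAFEHOUSE: 12 Elm St (constructed)")
    tape.delete(0)
    hidden_from_programs = tape.read(0) is None
    visible_to_scavenger = b"SAFEHOUSE" in tape.scavenge(0)
    restored = tape.undelete(0) == b"SAFEHOUSE: 12 Elm St (constructed)"
    return hidden_from_programs and visible_to_scavenger and restored


def shorter_rewrite_leaves_tail() -> bytes:
    """Reusing a slot for a shorter record leaves the old record's tail behind."""
    tape = ScratchTape()
    tape.write(1, "old", b"OLD-RECORD-WITH-SENSITIVE-TAIL")
    tape.write(1, "new", b"NEW")
    return tape.scavenge(1).rstrip(b"\0")


def overwrite_removes_data() -> bool:
    """Explicit overwrite with random data before release: nothing to scavenge."""
    tape = ScratchTape()
    tape.write(2, "codes", b"ACCESS CODE 4711 (constructed)")
    tape.secure_delete(2)
    return b"ACCESS" not in tape.scavenge(2) and tape.read(2) is None


if __name__ == "__main__":
    print("recoverable after DEL:", deleted_record_is_recoverable())
    print("after shorter rewrite:", shorter_rewrite_leaves_tail())
    print("after overwrite:", overwrite_removes_data())
```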

One computer company in Texas that does business with a number of oil companies noticed that
whenever a certain company asked them to mount a temporary storage (scratch) tape on the tape
drive, the read-tape light would always come on before the write-tape light. The ingenious oil
company was scavenging the tape for information that might have been put on it by competitors
that used the tape before them.
Trashing can have deadly consequences. When some old Department of Justice computers were
sold off, they had on their disks information on the whereabouts of witnesses in the Federal Witness
Protection Program. Although the data had been deleted, it had not been completely erased from
the disk. The DOJ was able to get back some of the computers, but not all, and was forced to
relocate the compromised families as a result.
Wiretapping
There are a number of ways that physical methods can breach networks and communications.
Some of the offenses we discuss below overlap with those described in "Breaches of
Communications Security," later in this chapter. Telephone and network wiring is often not
protected as well as it should be, both from intruders who can physically damage it and from
wiretaps that can pick up the data flowing across the wires.
Criminals sometimes use wiretapping methods to eavesdrop on communications. It's unfortunately
quite easy to tap many types of network cabling. For example, a simple induction loop coiled
around a terminal wire can pick up most voice and RS232 communications. More complex types of
eavesdropping can be set up as well. As we describe in Chapter 8, Communications Security, it's
important to physically secure all network cabling to protect it both from interception and from
vandalism.
Telephone fraud has always been a problem among crackers, but with the increasing use of cellular
phones, phone calling cards, and the ordering of merchandise over the phone using credit cards,
this problem has increased dramatically in recent years.
Eavesdropping on Emanations
Electronic emanations from computer equipment are a risk you need to be aware of, although they
are mainly a concern for military and intelligence data. Computer equipment, like every other type of
electrical equipment from hairdryers to stereos, emits electromagnetic impulses. Whenever you
strike a computer key, an electronic impulse is sent into the immediate area. Foreign intelligence
services, commercial enterprises, and sometimes even teenage crackers may take advantage of
these electronic emanations by monitoring, intercepting, and decoding them. This may sound
highly sophisticated, but there have been some embarrassingly easy cases. The original HeathKit
H19 terminals transmitted radio signals that were so strong that they could be picked up by placing
an ordinary television set beside the terminal. As characters were typed on the terminal screen, a
distinctive pattern appeared on the TV screen and could be decoded. Because of the emanation
threat, government computers that are used to store and process classified information require
special physical shielding. The U.S. federal TEMPEST program is designed to develop, test, and
certify specially shielded computer equipment from mainframes to terminals to cabling.
There are other types of emissions as well. Criminals have even recorded the noise from a
computer printer (the key-and-ribbon variety; it can't be done with laser printers) and then played
the recording back later to determine which keys were struck.
Denial or Degradation of Service
A few security breaches span most of the categories discussed in this chapter. How these breaches
are categorized depends largely on the methods used to prevent or detect them. In security terms,
availability means that the computer facility, the computer itself, and the software and data users
need are all working and available for use. Someone who shuts down service or slows it to a snail's
pace is committing an offense known as denial of service or degradation of service. There are many
ways to disrupt service, including such physical means as arson or explosions; shutting off power,
air conditioning, or water (needed by air conditioning systems); or performing various kinds of
electromagnetic disturbances. Natural disasters, like lightning and earthquakes, can also disrupt
service. Chapter 6, Physical Security, describes these physical disruptions in some detail.
Actually, there are two quite different types of attacks in this category. Some cases of electronic
sabotage involve the actual destruction or disabling of equipment or data. Turning off power or
sending messages to system software telling it to stop processing are examples of the first type of
attack--a classic denial of service.
The other type of attack, known as flooding (or sometimes wedging or spamming) is the type we
saw with the Internet worm. As the worm spread across systems and networks, it kept creating new
processes that so clogged the affected systems that other work couldn't get done. In this type of
attack, instead of shutting down service, the attacker puts more and more of a strain on the
systems' ability to service requests, so eventually they can't function at all. Another example of a
flooding attack was the "electronic mail bomb" that victimized writers Michelle Slatalla and Josh
Quittner, as we described in Chapter 1.
Denial of service doesn't have to be a complex technical attack. Sometimes, it even occurs by
accident. Suppose all of your system administrators get (or are given) food poisoning at a company
lunch. Suppose a determined fax machine ties up your own machine by continuing to dial it.
Suppose a new user starts printing a PostScript file as text on the company's only printer, and
doesn't know how to stop the job. There are many examples of accidental denial of service.
Breaches of Personnel Security
To some extent, nearly all of the attacks we discuss in this chapter could be considered in the realm
of personnel security--after all, people commit the offenses and people ultimately detect them. In
fact, many of the crimes we talk about in terms of computer security happen whether or not
computers are involved--bribery, subversion, extortion, and malicious mischief of all kinds. Only the
targets and the media may differ.
There are a few particular security breaches that merit special discussion here.
Masquerading
Masquerading occurs when one person uses the identity of another to gain access to a computer.
This may be done in person or remotely. We describe basic masquerading in this section, but
masquerading is an attack that spans the boundaries of the categories we've identified in this
chapter. Because operations security methods should be in place to prevent and detect
masquerading, that category is also relevant. In fact, we discuss some technically complex forms of
masquerading in the section called "Breaches of Operations Security" later in this chapter.
There are both physical and electronic forms of masquerading. In person, a criminal may use an
authorized user's identity or access card to get into restricted areas where he will have access to
computers and data. This may be as simple as signing someone else's name to a sign-in sheet at
the door of a building. It may be as complex as playing back a voice recording of someone else to
gain entry via a voice recognition system. (The 1992 U.S. movie, Sneakers, had some nice scenes
showing how this could work--at least how it could work in Hollywood!)
A related attack, sometimes called piggybacking, involves following an authorized person into a
restricted area--a building or a computer room. For example, someone who wants to gain access to
a restricted area might show up at a secured door, carrying a heavy armload of computer
equipment, at the same time as an authorized employee arrives, and looking as if they belong. The
authorized employee kindly holds the door open, and the intruder tags along into the area. Of
course, there is nothing high-tech about this; it's the same principle burglars follow to gain entry to
apartment houses. It's easy enough to prevent piggybacking: guards and access methods like
turnstiles and mantraps (which allow only one user to enter at a time) usually do the job. User
education is also a very important deterrent.
Electronically, an unauthorized person will use an authorized user's logon ID, password, personal
identification number (PIN), or telephone access code to gain access to a computer or to a
particular set of sensitive data files. There are many ways to obtain this information, some of them
quite simple and others quite complex. For example, they might have obtained this information by
theft (if the authorized user has written down these numbers and codes), eavesdropping
electronically (via password sniffers or other types of monitoring programs), or simply looking over
the shoulder of the user while he or she types. In fact, one gang of juvenile crackers in Atlanta
obtained passwords by using binoculars to look across a street into windows where users were
typing their passwords.
Unauthorized password use is the most common type of electronic masquerading, and it's a very
effective one. If an outsider steals or figures out a password, there is no easy way for the system to
tell whether the person who enters the password is the legitimate, authorized user, or an outsider.
Unfortunately, passwords are often far too easy to crack. People are very likely to pick passwords
that can be easily guessed by intruders or can be cracked by password cracking or dictionary
programs. They pick the names of their spouses, children, or pets, their birthdates or license plates
or astrological signs, or the names of sports teams or fictional characters. (Chapter 8 provides some
good hints for selecting sound passwords.)
To understand how masquerading works, you need to know a few basics about how users gain
access to shared systems via a two-step process known as identification and authentication.
Identification is the way you tell the system who you are. For example, you enter your user account
name in response to a "login" prompt, or you enter your bank account number at an ATM machine.
Authentication is how you prove to the system that you are who you say you are. There are three
classic ways in which you can prove yourself:
Something
you
know
The most common example is a password or a PIN. The theory is that if you know the password or
PIN for an account, you must be the owner of it.
Something
you
have
Examples are keys, tokens, badges, and smart cards that you use to "unlock" a building, a door, a
computer, or an account.
Something
you
are
or
do
Examples are physiological traits, like your fingerprint or voiceprint, or behavioral traits, like your
signature or keystroke pattern.
It's unfortunately very common for computer criminals to steal, guess, or otherwise obtain account
names and passwords. And, once someone is masquerading as you, he can do virtually everything
you can do. Not only can he steal your files (breaching their confidentiality), he can also modify
them (destroying their integrity) or perhaps even delete them completely.
Most damaging of all, a masquerader can pretend to the outside world that he is you, thus
damaging your reputation as well as your data. A few years ago, a Dartmouth student sent forged
electronic mail, supposedly from a professor at the college, saying that a midterm exam had been
canceled because of a family emergency. Half the class believed the email and didn't show up for
the exam. In another case, someone masquerading as a Texas A&M professor sent out many
thousands of electronic copies of racist hate mail; a year later, the victim of this forgery is still
dealing with the consequences.
The principle of repudiation comes into play here. There are ways in software of ensuring that
someone who does something in a system--sends a message, changes a file, etc.--is held
accountable and cannot claim later that he did not do what he did. To make this work--to keep
masquerading from being a problem in your system--your system needs methods of strong
authentication, as well as excellent operations security. (These concepts are beyond the scope of
this book. The references in Appendix A provide sources of additional information.)
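Added example (not from the chapter) for the identification-and-authentication discussion above and the call for strong authentication: a Python sketch that combines something you know (a salted, iterated password hash) with something you have (a one-time code computed with HOTP from RFC 4226 by a token holding a per-account secret). It shows why a password-only account cannot distinguish its owner from a masquerader who holds the password, and how the second factor, with its moving counter, also refuses a replayed code. The account names, passwords, look-ahead window and the token secret are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000
LOOK_AHEAD = 5  # counter steps the server tolerates if the token got ahead (assumed)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Authenticator:
    """Identification (account name) plus one or two authentication factors."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}
        self.audit: List[str] = []   # who claimed what, and whether it was accepted

    def enroll(self, user: str, password: str,
               token_secret: Optional[bytes] = None) -> None:
        salt = os.urandom(16)
        self.accounts[user] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "token_secret": token_secret,   # None means a password-only account
            "counter": 0,                   # next HOTP counter the server expects
        }

    def login(self, user: str, password: str, code: Optional[str] = None) -> bool:
        acct = self.accounts.get(user)
        # Hash even for unknown users so response time doesn't reveal valid names.
        salt = acct["salt"] if acct else bytes(16)
        expected = acct["pw_hash"] if acct else bytes(32)
        pw_ok = hmac.compare_digest(expected, _hash_password(password, salt))
        if acct is None or not pw_ok:
            self.audit.append(f"{user}: password rejected")
            return False
        if acct["token_secret"] is None:
            # Something you know only: the system cannot tell owner from masquerader.
            self.audit.append(f"{user}: accepted on password alone")
            return True
        if code is not None:
            for step in range(acct["counter"], acct["counter"] + LOOK_AHEAD):
                if hmac.compare_digest(hotp(acct["token_secret"], step), code):
                    acct["counter"] = step + 1     # a used code cannot be replayed
                    self.audit.append(f"{user}: accepted with token code")
                    return True
        self.audit.append(f"{user}: token code missing or wrong")
        return False


def masquerade_demo() -> dict:
    """Constructed scenario: a stolen password tried against both kinds of account."""
    auth = Authenticator()
    auth.enroll("alice", "fluffy1990")            # pet name + birth year, password only
    token = b"12345678901234567890"                # RFC 4226 test-vector secret (constructed)
    auth.enroll("bob", "correct horse battery", token)
    return {
        "alice_stolen_pw": auth.login("alice", "fluffy1990"),               # accepted
        "bob_stolen_pw_only": auth.login("bob", "correct horse battery"),   # refused
        "bob_with_token": auth.login("bob", "correct horse battery", hotp(token, 0)),
        "bob_replayed_code": auth.login("bob", "correct horse battery", hotp(token, 0)),
        "bob_next_code": auth.login("bob", "correct horse battery", hotp(token, 1)),
    }


if __name__ == "__main__":
    for claim, accepted in masquerade_demo().items():
        print(f"{claim}: {'accepted' if accepted else 'refused'}")
```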
Social Engineering
Social engineering is the name given a category of attacks in which someone manipulates others
into revealing information that can be used to steal data or subvert systems. Such attacks can be
very simple or very complex. In one low-tech case we know about, a man posing as a magazine
writer was able to get valuable information over the telephone from the telephone company simply
by asking for it--supposedly for his story. He then used that information to steal more than a million
dollars in telephone company equipment.
Harassment
A particularly nasty kind of personnel breach we've seen lately is harassment on the Internet.
Sending threatening email messages and slandering people on bulletin board systems and
newsgroups is all too common. In a recent harassment case, a student from the University of
Michigan was indicted for posting a particularly graphic story about a sex murder on an Internet
newsgroup. Because he used the name of an actual female student at Michigan, his activities were
initially considered to be harassment. (The case was eventually dismissed.)
These kinds of attacks are not new, and personally threatening remarks can as easily be sent by
letter or posted on a wall, as they can be sent over the Internet. But the electronic audience is a
much larger one, and such messages, sent out from an organization's network domain, may
damage the reputation of the organization as well as that of the particular perpetrator.
Software Piracy
Software piracy is an issue that spans the category boundaries and may be enforced in some
organizations and not in others. Pirated computer programs are big business. Copying and selling
off-the-shelf application programs in violation of the copyrights costs software vendors many
millions of dollars. The problem is an international one, reaching epidemic proportions in some
countries. (As we've said, software piracy was a major issue in the 1995 Clinton trade agreement
with China.) Too many people don't take copyrights seriously. Law-abiding people everywhere think
nothing of copying games to share with friends, or office software for home use.
Bulletin board systems often make pirated software available for downloading or swapping. In a
recent case, an MIT student was accused of running a BBS that was used in this way. Charges
against him were eventually dropped, however, on the theory that the federal wire fraud statute did
not apply to a case involving copyright infringements. Only the copyright statute would apply, and
it was not applicable where the infringing person did not intend to profit from his conduct.
The stealing of proprietary programs is also a major business problem. A company may spend
millions of dollars to develop a specialized program, only to find that its competitor has the same
program--and the competitor hasn't had to invest in the development costs! Remember from
Chapter 1 the fear that Apple Computer had that the source code for its Macintosh computers may
have been compromised. Had this happened, then Macintosh clones could be manufactured
anywhere in the world.
Employees need to be educated about the legalities, ethics, and company policies relating to
software piracy and other forms of unauthorized copying of information. Some breaches of
personnel security occur because procedures have broken down--either the procedures for training
employees or the procedures for dealing with the system and the data after these employees leave
an organization. (In Chapter 7, we'll summarize these procedures.) Some breaches really come
down to policy and policy enforcement. What might be considered a crime in some organizations
might be a minor infraction, or even legitimate, in another. For example, does an organization allow
employees to carry sensitive data outside the office? Can the employee use company software and
databases from a home computer?

Sometimes, policy enforcement is spotty. For example, some organizations that work with sensitive
information prohibit employees from carrying paper copies or disks and tapes home from work. On
the other hand, they encourage those same employees to work from home by giving them modems
to use in accessing company databases. They forget that data can as easily be downloaded to a
home computer as carried out the office door.
Breaches of Communications and Data Security
In this category we include attacks on computer software and on the data itself. The other
categories we've discussed in this chapter are more focused on physical equipment, people, and
procedures.
Data Attacks
There are many types of attacks on the confidentiality, integrity, and availability of data.
Confidentiality keeps data secret from those not authorized to see it. Integrity keeps data safe from
modification by those not authorized to change it. Availability, as we discussed under "Denial or
Degradation of Service" above, keeps data available for use.
The theft, or unauthorized copying, of confidential data is an obvious attack that falls into this
category. Espionage agents steal national defense information. Industrial spies steal their
competitors' product information. Crackers steal passwords or other kinds of information on
breaking into systems.
Two terms you'll hear in the context of data attacks are inference and leakage. With inference, a
user legitimately views a number of small pieces of data, but by putting those small pieces together
is able to deduce some piece of non-obvious and secret data. With leakage, a user gains access to a
flow of data via an unauthorized access route (e.g., through eavesdropping).
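Added example (not from the chapter): a small Python/sqlite3 model of inference against a statistics-only interface. The salary table is constructed; `naive_sum` releases any aggregate, so a single-member department, or the difference between two broad totals, gives away one person's salary, while `guarded_sum` refuses restricted aggregates whose query set or complement holds fewer than K records (the classic query-set-size control). K, the table and the function names are assumptions for the demonstration.

```python
import sqlite3
from typing import Optional, Tuple

K = 3  # smallest query set (and complement) for which a restricted aggregate is released

# Constructed sample data: the legal department has a single member.
EMPLOYEES = [
    ("ann", "research", 91000), ("bo", "research", 87000), ("cy", "research", 95000),
    ("di", "sales", 60000), ("ed", "sales", 58000), ("fay", "sales", 64000),
    ("gus", "legal", 150000),
]


def load() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE emp(name TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO emp VALUES (?, ?, ?)", EMPLOYEES)
    return con


def _count_and_sum(con: sqlite3.Connection, dept: Optional[str],
                   exclude: bool) -> Tuple[int, int]:
    """Count and salary total for the whole table, one department, or its complement."""
    if dept is None:
        return con.execute(
            "SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM emp").fetchone()
    op = "<>" if exclude else "="          # fixed operator chosen in code, value is bound
    return con.execute(
        f"SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM emp WHERE dept {op} ?",
        (dept,)).fetchone()


def naive_sum(con: sqlite3.Connection, dept: Optional[str] = None,
              exclude: bool = False) -> int:
    """Statistics-only interface with no query-set control: always answers."""
    return _count_and_sum(con, dept, exclude)[1]


def guarded_sum(con: sqlite3.Connection, dept: Optional[str] = None,
                exclude: bool = False) -> Optional[int]:
    """Refuse (None) when the query set or its complement has fewer than K records,
    so neither a tiny set nor 'everyone but a tiny set' can be isolated."""
    n, total_salary = _count_and_sum(con, dept, exclude)
    if dept is not None:
        population = con.execute("SELECT COUNT(*) FROM emp").fetchone()[0]
        if n < K or population - n < K:
            return None
    return total_salary


def infer_lone_salary(con: sqlite3.Connection, dept: str = "legal") -> int:
    """The inference: two legitimate-looking totals differ by exactly one
    person's salary, so the secret value falls out by subtraction."""
    return naive_sum(con) - naive_sum(con, dept, exclude=True)


def guarded_inference(con: sqlite3.Connection, dept: str = "legal") -> Optional[int]:
    """Same attempt through the guarded interface: the complement query is refused."""
    everyone = guarded_sum(con)
    rest = guarded_sum(con, dept, exclude=True)
    if everyone is None or rest is None:
        return None
    return everyone - rest


if __name__ == "__main__":
    db = load()
    print("naive, legal dept total:", naive_sum(db, "legal"))        # one salary leaks
    print("guarded, legal dept total:", guarded_sum(db, "legal"))    # refused
    print("naive inference by subtraction:", infer_lone_salary(db))
    print("guarded inference by subtraction:", guarded_inference(db))
```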
We've talked about wiretapping and monitoring electronic emanations in "Breaches of Physical
Security" above. In this section, we discuss attacks on the integrity of the data itself.
Unauthorized Copying of Data
Software piracy, which we discussed in "Breaches of Personnel Security" above, is another attack
that spans the categories we've identified in this chapter. In some sense, piracy is just another
example of the unauthorized copying of data. The methods for detecting and preventing such a
crime are the same whether the copied data is national defense plans, commercial software, or
sensitive corporate or personal data.
Preventing and detecting this type of attack requires coordinated policies among the different
categories of computer security. In terms of personnel security, user education is vital. In terms of
operations security, automated logging and auditing software can play a part as well.
Traffic Analysis
Sometimes, the attacks on data might not be so obvious. Even data that appears quite ordinary
may be valuable to a foreign or industrial spy. For example, travel itineraries for generals and other
dignitaries help terrorists plan attacks against their victims. Accounts payable files tell outsiders
what an organization has been purchasing and suggest what its future plans for expansion may be.
Even the fact that two people are communicating--never mind what they are saying to each
other--may give away a secret. Traffic analysis is the name given to this type of analysis of
communications.
In one industrial espionage case, a competitor monitored a company's use of online data services
to find out what questions it had and what information it was collecting on certain types of
metallurgy. The information allowed the competitor to monitor the company's progress on a
research and development project and to use this information in developing its own similar product.
That product reached the market several weeks before the original developer was able to. The
original company's research and development investment and its potential share of the market--many millions--were all but lost.
This kind of analysis isn't confined to sophisticated computer methods. It's an issue whenever
anyone tries to keep a secret. During the U.S. Desert Storm crisis, a number of people in
Washington DC correctly concluded, in the absence of any actual announcement by the White
House, that the United States was about to mount a military operation. How? Government officials
were meeting far into the night to plan their strategy. To fortify themselves, they kept calling a
nearby pizza parlor for provisions. The pizza makers knew something was up--and when the press
corps saw those pies being carried in, they also knew that something big was happening at the
White House.
Covert Channels
One somewhat obscure type of data leakage is called a covert channel. A clever insider can hide
stolen data in otherwise innocent output. For example, a filename or the contents of a report could
be changed slightly to include secret information that is obvious only to someone who is looking for
it. A password, a launch code, or the location of sensitive information might be conveyed in this
way. Even more obscure are the covert channels that convey information based on a system clock
or other timed event. Information could, in theory, be conveyed by someone who controls system
processing in such a way that the elapsed time of an event itself conveys secret information.
Software Attacks
We've talked so far in this section about attacks on data. There are also attacks that subvert
software.
Trap Doors
One classic software attack is the trap door or back door. A trap door is a quick way into a program;
it allows program developers to bypass all of the security built into the program now or in the
future.
To a programmer, trap doors make sense. If a programmer needs to modify the program sometime
in the future, he can use the trap door instead of having to go through all of the normal, customer-directed protocols just to make the change. Trap doors of course should be closed or eliminated in
the final version of the program after all testing is complete, but, intentionally or unintentionally,
some are left in place. Other trap doors may be introduced by error and only later discovered by
crackers who are roaming around, looking for a way into system programs and files. Typical trap
doors use such system features as debugging tools, program exits that transfer control to privileged
areas of memory, undocumented application calls and parameters, and many others.
Trap doors make obvious sense to expert computer criminals as well, whether they are malicious
programmers or crackers. Trap doors are a nifty way to get into a system or to gain access to
privileged information or to introduce viruses or other unauthorized programs into the system.
For example, in 1993 and 1994, an unknown group of computer criminals repetitively broke into
systems on the Internet using passwords captured by password sniffers. Once on the system, they
exploited software flaws to gain privileged access. They installed modified login and network
programs that allowed them reentry even if the original passwords were changed.
The detection of trap doors is an operations security problem--checking to see if the trap doors are
there in the first place, and whether they exist and operations are correct on an ongoing basis.
Session Hijacking
Session hijacking is a relatively new type of attack in the communications category. Some types of
hijacking have been around a long time. In the simplest type, an authorized user gets up from his
terminal to go get a cup of coffee. Someone lurking nearby--probably a coworker who isn't
authorized to use this particular system--sits down to read or change files that he wouldn't
ordinarily be able to access.
Some systems don't disconnect immediately when a session is terminated. Instead, they allow a
user to re-access the interrupted program for a short period. A cracker with a good knowledge of
telephone and telecommunications operations can take advantage of this fact to reconnect to the
terminated session.
Sometimes, an attacker will connect a covert computer terminal to a line between the authorized
terminal and the computer. The criminal waits until the authorized terminal is on line but not in use,
and then switches control to the covert terminal. The computer thinks it is still connected to the
authorized user, and the criminal has access to the same files and data as the authorized user.
Other types of hijacking occur when an authorized user doesn't log out properly so the computer
still expects a terminal to be connected. Call forwarding from an authorized number to an
unauthorized number is another method of getting access.
Tunneling
Technically sophisticated tunneling attacks fall into this category as well. Tunneling uses one data
transfer method to carry data for another method. Tunneling is an often legitimate way to transfer
data over incompatible networks, but it is illegitimate when it is used to carry unauthorized data in
legitimate data packets.
Timing Attacks
Timing attacks are another technically complex way to get unauthorized access to software or data.
These include the abuse of race conditions and asynchronous attacks. In race conditions, there is a
race between two processes operating on a system; the outcome depends on who wins the race.
Although such conditions may sound theoretical, they can be abused in very real ways by attackers
who know what they're doing. On certain types of UNIX systems,[2] for example, attackers could
exploit a problem with files known as setuid shell files to gain superuser privileges. They did this by
establishing links to a setuid shell file, then deleting the links quickly and pointing them at some
other file of their own. If the operation is done quickly enough, the system can be made to run the
attacker's file, not the real file.
Asynchronous attacks are another way of taking advantage of dynamic system activity to get
access. Computer systems are often called upon to do many things at the same time. They may, for
example, be asked by different users to analyze data using an application program that can work
with only one set of data at a time. Or they may be told to print data by more users than they can
handle at once. In these cases, the operating system simply places user requests into a queue,
then satisfies them according to a predetermined set of criteria; for example, certain users may
always take precedence, or certain types of tasks may come before others. "Asynchronous" means
that the computer doesn't simply satisfy requests in the order in which they were performed, but
according to some other scheme.
A skilled programmer can figure out how to penetrate the queue and modify the data that is waiting
to be processed or printed. He might use his knowledge of the criteria to place his request in front
of others waiting in the queue. He might change a queue entry to replace someone else's name or
data with his own, or to subvert that user's data by replacing it. Or he could disrupt the entire
system by changing commands so that data is lost, programs crash, or information from different
programs is mixed as the data is analyzed or printed.
Trojan Horses
Trojan horses, viruses, worms, and their kin are all attacks on the integrity of the data that is stored
in systems and communicated across networks. Because there should be procedures in place for
preventing and detecting these menaces, they overlap with the operations security category as
well.
During the Trojan War, the Greeks hid soldiers inside a large hollow wooden horse designed by
Odysseus. When the Trojans were persuaded to bring the horse inside the gates of the city, the
hidden soldiers emerged and opened the gates to allow their own soldiers to attack the enemy.
In the computer world, Trojan horses are still used to sneak in where they're not expected. A Trojan
horse is a method for inserting instructions in a program so that program performs an unauthorized
function while apparently performing a useful one. Trojan horses are a common technique for
planting other problems in computers, including viruses, worms, logic bombs, and salami attacks
(more about these later). Trojan horses are a commonly used method for committing computer-based fraud and are very hard to detect.
Consider this typical situation: A Trojan horse is hidden in an application program that a user is
eager to try--something like a new game or a program that promises to increase efficiency. Inside
the horse is a logic bomb that will cause the entire system to crash the third time the user runs the
new program. If he's lucky, the user will thoroughly enjoy the program the first two times it's run,
because when he tries to use it the third time, the program he was eager to try will disable his
whole system.
Viruses and Worms
People often confuse viruses and worms, so we try to differentiate them in this section. Indeed, they
have many similarities, and both can be introduced into systems via Trojan horses.
The easiest way to think of a computer virus is in terms of a biological virus. A biological virus is not
strictly alive in its own right, at least in the sense that lay people usually view life. It needs a living
host in order to operate. Viruses infect healthy living cells and cause them to replicate the virus. In
this way, the virus spreads to other cells. Without the living cell, a virus cannot replicate.
In a computer, a virus is a program which modifies other programs so they replicate the virus. In
other words, the healthy living cell becomes the original program, and the virus affects the way the
program operates. How? It inserts a copy of itself in the code. Thus, when the program runs, it
makes a copy of the virus. This happens only on a single system. (Viruses don't infect networks in
the way worms do, as we'll explain below.) However, if a virus infects a program which is copied to
a disk and transferred to another computer, it could also infect programs on that computer. This is
how a computer virus spreads.
The spread of a virus is simple and predictable--and it can be prevented. Viruses are mainly a
problem with PCs and Macintoshes. Virus infection is fortunately hard to accomplish on UNIX
systems and mainframes.
Unlike a virus, a worm is a standalone program in its own right. It exists independently of any other
programs. To run, it does not need other programs. A worm simply replicates itself on one computer
and tries to infect other computers that may be attached to the same network.
NOTE: An important distinction between worms and viruses: A worm operates over a network, but
in order to infect a machine, a virus must be physically copied.
Some viruses and worms are nondestructive (comparatively speaking), while others are extremely
malevolent. Many common PC viruses, such as Michaelangelo, cause machine crashes or data loss
as a result of bugs or other unexpected interactions with existing code. The Christmas Tree worm
program which attacked IBM systems started out as nondestructive. But, as it spread itself to other
computers, it became destructive when it proliferated into the system to such a degree that no
other work could be done and the entire network had to be shut down to purge the infection.
The 1988 Internet Worm didn't actually destroy data, but shutting systems and networks down to
clean up after it required a vast amount of system administration time and lost productivity among
users.
A malevolent virus is meant to do damage. Such viruses are sometimes designed to crash an entire
system on a certain date or after so many iterations of self-replication. They may be written to
destroy specific application programs or data. The potential impact of a virus is limited only by the
imagination of the criminal who writes it. Some government people are concerned that viruses
could infect our defense system computers, causing weapons systems to malfunction or become
inoperative. Viruses could also be used to crash law enforcement computers, destroying
intelligence and investigative information. It would be naive not to believe that our adversaries,
both domestic and international, haven't considered these possibilities.
Some crackers see viruses as intellectual challenges. With the advent of freedom in Eastern Europe,
there has been an outbreak of computer viruses apparently planted by individuals who believe that
in one fell swoop they can express their freedom and also strike back at a government that has
oppressed them for years. In Hungary, "Yankee Doodle," "Ivan the Terrible," and "Ping Pong" are all
appearing on computer screens across the country. The "Yankee Doodle" virus plays that familiar
tune when the computer is turned on. The "Ping Pong" virus attacks the computer when it is turned
on but not in use. A ball appears on the screen and bounces back and forth between letters. "Ivan
the Terrible" gets into the system and destroys files.
The best ways to prevent viruses and worms from invading a system are:
Be vigilant about introducing new and untrusted software into a system.
Use virus scanning software to check for viruses.
Do frequent and careful backups.
Employees who bring software to the office from their home machines (usually free software they
have downloaded from bulletin board systems) are the greatest threat.
Salamis
The Trojan horse is also a technique for creating an automated form of computer abuse called the
salami attack, which works on financial data. This technique causes small amounts of assets to be
removed from a larger pool. The stolen assets are removed one slice at a time (hence the name
salami). Usually, the amount stolen each time is so small that the victim of the salami fraud never
even notices.
One theoretical financial salami attack (it has assumed the status of an urban accounting legend and
has never actually been known to have been attempted) involves rounding off balances, crediting
the rounded off amount to a specific account. Suppose that savings accounts in a bank earn 2.3%.
Obviously, not all of the computations result in two-place decimals. In most cases, the new balance,
after the interest is added, extends out to three, four, or five decimals. What happens to the
remainders? Consider a bank account containing $22,500 at the beginning of the year. A year's
worth of interest at 2.3% is $517.50, but after the first month the accumulated interest is $43.125.
Is the customer credited with $43.12 or $43.13? Would most customers notice the difference? What
if someone were funneling off this extra tenth of a penny from thousands of accounts every month?
Although this particular salami hasn't to our knowledge been attempted, salamis that shave a
quarter on up have been tried.
A clever thief can use a Trojan horse to hide a salami program that puts all of the rounded off values
into his account. A tiny percentage of pennies may not sound like much until you add up thousands
of accounts, month after month. Criminals using this scheme have been able to steal many
thousands of dollars. They are sometimes discovered by a bank audit. More often, they are
detected only when they use their new-found gains to entertain a life style that is not supported by
their legitimate income.
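As an added example (not code from the original text), the rounding salami described above is simulated over a constructed set of savings accounts at the text's 2.3% rate, next to two audit checks: a ledger-total reconciliation, which the scheme passes, and a per-account recomputation, which exposes the account collecting the slices. Account numbers, balances and the beneficiary account are constructed sample data.

```python
"""Rounding salami versus a per-account interest recomputation check.

Added example, not code from the original text. The 2.3% rate and the
$22,500 balance come from the passage; every account number and balance
below is constructed sample data.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.023")          # 2.3% per year, as in the text
MONTHS = Decimal(12)


def exact_monthly_interest(balance: Decimal) -> Decimal:
    """One month of interest, carried to full precision (not yet rounded)."""
    return balance * ANNUAL_RATE / MONTHS


def sample_balances(count: int = 2000) -> dict:
    """Constructed savings balances; includes the text's $22,500 account."""
    balances = {f"ACCT-{i:04d}": Decimal(1000 + 13 * i) + Decimal(i % 97) / 100
                for i in range(count)}
    balances["ACCT-22500"] = Decimal("22500")
    return balances


def honest_postings(balances: dict) -> dict:
    """Credit each account its own interest rounded to the nearest cent."""
    return {acct: exact_monthly_interest(bal).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in balances.items()}


def salami_postings(balances: dict, beneficiary: str) -> dict:
    """Truncate every credit to the cent and move the sub-cent remainders
    (the 'slices') into one beneficiary account. The book-level total still
    balances, which is what makes the scheme hard to see."""
    postings, slices = {}, Decimal(0)
    for acct, bal in balances.items():
        exact = exact_monthly_interest(bal)
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        slices += exact - truncated          # always in [0, 0.01)
        postings[acct] = truncated
    postings[beneficiary] = (postings.get(beneficiary, Decimal(0))
                             + slices.quantize(CENT, rounding=ROUND_DOWN))
    return postings


def totals_reconcile(balances: dict, postings: dict) -> bool:
    """Ledger-total check: does total credited interest match total computed
    interest within ordinary rounding noise (half a cent per account)?
    Both the honest and the salami run pass this, so it is not enough."""
    computed = sum(exact_monthly_interest(b) for b in balances.values())
    posted = sum(postings.values())
    return abs(computed - posted) <= Decimal("0.005") * len(balances)


def audit_postings(balances: dict, postings: dict) -> list:
    """Per-account check: independently recompute each account's interest and
    flag any posting more than one cent away from it. Truncation moves each
    victim by less than a cent, so only the account collecting the slices
    shows a discrepancy."""
    flagged = []
    for acct, posted in postings.items():
        expected = exact_monthly_interest(balances.get(acct, Decimal(0)))
        if abs(posted - expected) > CENT:
            flagged.append((acct, posted, expected.quantize(CENT, rounding=ROUND_HALF_UP)))
    return flagged


if __name__ == "__main__":
    balances = sample_balances()
    honest = honest_postings(balances)
    crooked = salami_postings(balances, beneficiary="ACCT-0042")
    print("text's example account:", honest["ACCT-22500"], "vs", crooked["ACCT-22500"])
    print("totals reconcile (honest, salami):",
          totals_reconcile(balances, honest), totals_reconcile(balances, crooked))
    print("per-account audit (honest):", audit_postings(balances, honest))
    print("per-account audit (salami):", audit_postings(balances, crooked))
```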
Logic Bombs
Logic bombs may also find their way into computer systems by way of Trojan horses. A typical logic
bomb tells the computer to execute a set of instructions at a certain date and time or under certain
specified conditions. The instructions may tell the computer to display "I gotcha" on the screen, or it
may tell the entire system to start erasing itself. Logic bombs often work in tandem with viruses.
Whereas a simple virus infects a program and then replicates when the program starts to run, the
logic bomb does not replicate - it merely waits for some pre-specified event or time to do its
damage.
Time is not the only criterion used to set off logic bombs. Some bombs do their damage after a
particular program is run a certain number of times. Others are more creative. In several cases
we've heard about, a programmer told the logic bomb to destroy data if the company payroll is run
and his name is not on it; this is a sure-fire way to get back at the company if he is fired! The
employee is fired, or may leave on his own, but does not remove the logic bomb. The next time the
payroll is run and the computer searches for but doesn't find the employee's name, it crashes,
destroying not only all of the employee payroll records, but the payroll application program as well.
Trojan horses present a major threat to computer systems, not just because of the damage they
themselves can do, but because they provide a technique to facilitate more devastating crimes.
Breaches of Operations Security
Because operations security includes the setting up of procedures to prevent and detect all types of
attacks on systems and personnel, we've discussed elements of operations security in most of the
other preceding sections. Here, we describe a few special kinds of breaches of operations security.
Data Diddling
Data diddling, sometimes called false data entry, involves modifying data before or after it is
entered into the computer. Consider situations in which employees are able to falsify time cards
before the data contained on the cards is entered into the computer for payroll computation. A
timekeeping clerk in a 300-person company noticed that, although the data entered into the
company's timekeeping and payroll systems included both the name and the employee number of
each worker, the payroll system used only the employee's number to process payroll checks. There
were no external safeguards or checks to audit the integrity of the data. She took advantage of this
vulnerability and filled out forms for overtime hours for employees who usually worked overtime.
The cards had the hardworking employees' names, but the time clerk's number. Payment for the
overtime was credited to her, as illustrated in Figure 2-4.
In another case, two employees of a utility company found that there was a time lapse of several
days between when meter readings were entered into the computer and when the bills were
printed. By changing the reading during this period, they were able to substantially reduce their
electric bills and the bills of some of their friends and neighbors.
Why do we discuss these very simple attacks in the context of operations security? Because these
attacks should not occur. Operations should be set up in any organization to prevent and detect this
type of crime--safeguards on data modification, audits of changed data to be sure it was modified
with authorization, and so on.
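As an added example (not code from the original text), the timekeeping-clerk case above is modelled with the safeguard the text says was missing: each card's name is checked against the master record for its employee number, and an audit view shows one number collecting overtime under several names. All names, numbers and hours are constructed sample data.

```python
"""Time-card validation against the HR master file.

Added example, not code from the original text. It models the timekeeping
clerk case: payroll paid by employee number alone, so cards bearing other
workers' names but the clerk's number went unchallenged. All names, numbers
and hours are constructed sample data.
"""
from collections import defaultdict

# Constructed HR master file: employee number -> name on record.
EMPLOYEES = {
    "1001": "Ann Baker",
    "1002": "Carl Diaz",
    "1003": "Eve Foster",
    "1004": "Gus Hale",      # the timekeeping clerk in this scenario
}

# Constructed overtime cards as they reach data entry. Three carry the
# names of people who really worked the hours but the clerk's number.
OVERTIME_CARDS = [
    {"name": "Ann Baker", "number": "1004", "overtime_hours": 12},
    {"name": "Carl Diaz", "number": "1004", "overtime_hours": 9},
    {"name": "Eve Foster", "number": "1004", "overtime_hours": 15},
    {"name": "Eve Foster", "number": "1003", "overtime_hours": 4},
    {"name": "Gus Hale", "number": "1004", "overtime_hours": 2},
]


def validate_cards(cards, employees=EMPLOYEES):
    """Split cards into (accepted, rejected).

    The check the text says was absent: the name on the card must match the
    master record for the number on the card. Unknown numbers are rejected
    as well."""
    accepted, rejected = [], []
    for card in cards:
        on_record = employees.get(card["number"])
        if on_record is None:
            rejected.append((card, "unknown employee number"))
        elif on_record != card["name"]:
            rejected.append((card, f"name does not match record ({on_record})"))
        else:
            accepted.append(card)
    return accepted, rejected


def concentration_report(cards):
    """Audit view over cards as submitted: hours credited per number and the
    distinct names riding on it. One number paid for several names is the
    fingerprint of this fraud even where entry-time validation is missing."""
    hours = defaultdict(int)
    names = defaultdict(set)
    for card in cards:
        hours[card["number"]] += card["overtime_hours"]
        names[card["number"]].add(card["name"])
    return {num: {"hours": hours[num], "names": sorted(names[num])} for num in hours}


def suspicious_numbers(cards):
    """Employee numbers that collect overtime under more than one name."""
    report = concentration_report(cards)
    return sorted(num for num, row in report.items() if len(row["names"]) > 1)


if __name__ == "__main__":
    ok, bad = validate_cards(OVERTIME_CARDS)
    print(f"accepted {len(ok)} card(s), rejected {len(bad)}:")
    for card, reason in bad:
        print("  ", card["name"], card["number"], "->", reason)
    print("numbers paid under several names:", suspicious_numbers(OVERTIME_CARDS))
```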
IP Spoofing
In "Breaches of Personnel Security" above, we introduced masquerading attacks, particularly those
involving one person pretending to be another. But there are some more complex masquerading
attacks that can be prevented only by strong operations security.
A method of masquerading that we're seeing in various Internet attacks today is known as IP
spoofing (IP stands for Internet Protocol, one of the communications protocols that underlies the
Internet). Certain UNIX programs grant access based on IP addresses; essentially, the system
running the program is authenticated, rather than the individual user. The attacker forges the
addresses on the data packets he sends so they look as if they came from inside a network on
which systems trust each other. Because the attacker's system looks like an inside system, he is
never asked for a password or any other type of authentication. In fact, the attacker is using this
method to penetrate the system from the outside.
How can an operations security program prevent IP spoofing attacks? Two good ways are to require
passwords in all cases and to prevent trust relationships among systems.
Password Sniffing
We introduced the use of passwords and the way they can be compromised in masquerading
attacks. However, a relatively new type of attack on the Internet is putting even the most carefully
chosen passwords at risk. Password sniffers are able to monitor all traffic on areas of a network.
Crackers have installed them on networks used by systems that they especially want to penetrate,
like telephone systems and network providers. Password sniffers are programs that simply collect
the first 128 or more bytes of each network connection on the network that's being monitored.
When a user types in a user name and a password--as required when using certain common
Internet services like FTP (which is used to transfer files from one machine to another) or Telnet
(which lets the user log in remotely to another machine)--the sniffer collects that information.
Additional programs sift through the collected information, pull out the important pieces (e.g., the
user names and passwords), and cover up the existence of the sniffers in an automated way. Best
estimates are that in 1994 as many as 100,000 sites were affected by sniffer attacks. One-time
passwords and encrypted passwords are good ways to keep password sniffing attacks from
compromising systems.
Scanning
A technique often used by novice crackers, called scanning or war dialing, also is one that ought to
be prevented by good operations security. Remember the 1983 movie War Games, in which the
high school cracker programmed his computer to dial telephone number after telephone number
until it found one that connected to a modem?
With scanning, a program known as a war dialer or demon dialer processes a series of sequentially
changing information, such as a list of telephone numbers, passwords, or telephone calling card
numbers. It tries each one in turn to see which ones succeed in getting a positive response, as
shown in Figure 2-7. In War Games, for example, the program dialed all of the telephone numbers in
a particular region sequentially; if the number was answered by a tone, it was recorded for later
experimentation. The computer doing the calling can make hundreds of telephone calls within
several hours.
Suppose that a computer criminal looks in the telephone book and finds that the telephone
numbers for the Fourth National Bank range from 791-0000 to 791-5578. Before he goes to bed one
night, he programs his computer to call all of the numbers in this range and to record the ones that
are answered by a modem. In the morning, he prints out the successful numbers. He now has a list
of the telephone numbers that are most likely to give him access to the bank's computers. The next
evening, he dials those numbers and tests his skills as a cracker. With skill, determination, and a
little luck, he may eventually use these phone numbers as the opening wedge into a bank
computer--and eventually into some accounts from which he can transfer funds. The programs used
for scanning, called war dialers or demon dialer programs, are available from many bulletin board
systems (BBSs). Successful scanners often post the telephone numbers they've identified on
bulletin boards and in cracker publications.
Excess Privileges
If a cracker breaks into one user's account, he can compromise and damage that user's files, but he
can't ordinarily get beyond the boundaries of the user's account to damage the rest of the system.
Or can he? Sometimes, the answer is yes, and the reason is that, too often, users in a system have
excess privileges--more privileges than they ought to have. An ordinary user on an ordinary system
doesn't need to be able to modify all of the files on that system. And yet, in many systems, a user
has the system privileges that entitle him to do just that. The user may never actually want to
change anyone else's files--he may not even know that he is allowed to--but nevertheless the
privileges are there. If an intruder gets access to the system through the user's account, he can
exploit this weakness.
In UNIX environments, intruders who manage to get "root" or "superuser" privileges can play havoc
with the system. In mainframe systems, abuse of privileges is sometimes called superzapping. The
term comes from Superzap, the name of a utility program that is used in most IBM mainframes.
Superzap lets system administrators or other highly trusted individuals override system security to
quickly repair or regenerate the system, especially in an emergency. Similar utilities are found on
many other types of computer systems. Programs of this kind can be thought of as the master key
to the system. They unlock most other safeguards and controls. In the wrong hands, their use can
be devastating.
In one case of superzapping, the manager of computer operations in a bank was told by his boss to
correct a problem affecting account balances. The problem was originally caused by unanticipated
problems in the changeover of the bank's computer system. While working on the project, the
manager found that he could use the Superzap program to make other account changes as well,
without having to deal with the usual controls, audits, or documentation. He moved funds from
various accounts into the accounts of several friends, netting about $128,000 in all. He was
detected only when a customer complained about a shortage in his account. Because the Superzap
program left no evidence of data file changes, the fraud was highly unlikely to be discovered by any
other means.
Superzapping is not intrinsically a crime or even a misdeed. Use of supervisor or root privileges, or
the running of programs that bypass security checks, may be necessary and fully authorized. The
problem here is in how it is used and why it is not detected and controlled through system logging
and auditing, which we'll discuss later in this book. We discuss the abuse of excess privileges in
terms of operations security because good operations security ought to include an auditing
capability that keeps track of who has what privileges--and makes sure they are needed in each
situation.
The only reliable way to detect this technique is by comparing current data files with previous
generations of the same files.
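As an added example (not code from the original text), here is that generation comparison for the superzapping case above: every balance change between two copies of the account file must be explained by a transaction journal entry, and a direct file edit that bypassed the usual controls leaves none. Account names, balances and the journal are constructed sample data.

```python
"""Comparing a current account file with its previous generation.

Added example, not code from the original text. Each balance change between
two generations must be explained by a journal entry; a Superzap-style
direct edit leaves none, so it surfaces here. Account names, balances and
the journal are constructed sample data.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed previous generation of the account file (yesterday's copy).
PREVIOUS = {
    "CUST-0101": Decimal("5000.00"),
    "CUST-0102": Decimal("12000.00"),
    "CUST-0103": Decimal("800.00"),
    "FRIEND-07": Decimal("150.00"),
}

# Constructed transaction journal for the period: the only sanctioned path
# for moving money. One legitimate transfer was made.
JOURNAL = [
    {"from": "CUST-0102", "to": "CUST-0103", "amount": Decimal("200.00")},
]

# Constructed current generation. Besides the journaled transfer, 750.00 was
# moved from CUST-0101 to FRIEND-07 by editing the file directly, so the
# journal knows nothing about it.
CURRENT = {
    "CUST-0101": Decimal("4250.00"),
    "CUST-0102": Decimal("11800.00"),
    "CUST-0103": Decimal("1000.00"),
    "FRIEND-07": Decimal("900.00"),
}


def journaled_deltas(journal):
    """Net change the journal accounts for, per account."""
    delta = defaultdict(Decimal)
    for entry in journal:
        delta[entry["from"]] -= entry["amount"]
        delta[entry["to"]] += entry["amount"]
    return delta


def unexplained_changes(previous, current, journal):
    """Return {account: (observed_change, journaled_change)} for every account
    whose change between generations differs from what the journal explains.
    Accounts that appear in only one generation are included, so a record
    created or deleted outside the normal controls is reported too."""
    explained = journaled_deltas(journal)
    findings = {}
    for acct in sorted(set(previous) | set(current)):
        observed = current.get(acct, Decimal(0)) - previous.get(acct, Decimal(0))
        if observed != explained[acct]:
            findings[acct] = (observed, explained[acct])
    return findings


if __name__ == "__main__":
    for acct, (observed, explained) in unexplained_changes(PREVIOUS, CURRENT, JOURNAL).items():
        print(f"{acct}: changed by {observed:+}, journal explains {explained:+}")
```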
Ways of Detecting Common Attacks
This section provides a quick summary of how you might be able to anticipate or detect the most
common types of attacks we've discussed in this chapter. Note that this listing is not exhaustive;
too many of the attacks don't fall into neat categories, and too many require a good deal of
technical understanding to anticipate and detect. However, this information will give you some
guidance in analyzing types of computer crimes.
This section briefly summarizes:
Potential offenders--what type of individual (e.g., a programmer, a spy) might commit a
crime of this type.
Methods of detection--how such crimes are found out (e.g., tracing equipment of various
kinds, analyzing log files).
Evidence--trails that might be left by the intruders and that might help in detection (e.g.,
system logs, telephone company records).
Dumpster Diving
Potential Offenders
1. System users.
2. Anyone able to access the trash area.
3. Anyone who has access to computer areas or areas used to store backups.
Methods of Detection
1. Tracing proprietary information back to its source (e.g., memos with company names or logos).
2. Observation (guards may actually see intruders in action).
3. Testing an operating system to discover data left over after job execution.
Evidence
1. Computer output media (e.g., may contain vendor name or identifying page numbers).
2. Similar information produced in suspected ways in the same form.
3. Characteristics of printout or other media (e.g., type fonts or logos).
Wiretapping and Eavesdropping
Potential Offenders
1. Communications technicians and engineers.
2. Agents for competitors.
3. Communications employees, former employees, vendors, and contractors.
4. Agents for foreign intelligence services.
Methods of Detection
1. Voice wiretapping methods.
2. Tracing where the equipment used in the crime came from (e.g., monitoring equipment).
3. Tracing computer output (e.g., disks and tapes) to their source.
4. Observation.
5. Discovery of stolen information.
Evidence
1. Voice wiretapping as evidence.
2. Computer output forms.
3. Computer audit logs.
4. Computer storage media.
5. Characteristics of printout or other media (e.g., type fonts or logos).
6. Manual after-hours signin/signout sheets.
Masquerading
Potential Offenders
1. Potentially everyone.
Methods of Detection
1. Analysis of audit logs and journals (e.g., a log shows that an authorized user apparently logged in, but it is known that the person was away at that time).
2. Observation (e.g., an eyewitness saw an intruder at an authorized user's terminal).
3. Password violations (e.g., a log shows repeated failed attempts to use an invalid password).
4. Report by the person who has been impersonated (e.g., the authorized person logs in, and the system tells him that he has had six unsuccessful logins since the last time he knows he actually logged in).
Evidence
1. Backups.
2. System audit logs.
3. Telephone company records (pen register and dialed number recorder (DNR) records).
4. Violation reports from access control packages.
5. Notes and documents found in the possession of suspects.
6. Witnesses.
7. Excessively large phone bills (excessive message units may indicate that someone is using resources).
Trap Doors
Potential Offenders
1. Systems programmers.
2. Applications programmers.
Methods of Detection
1. Exhaustive testing.
2. Specific testing based on evidence.
3. Comparison of specifications to performance.
Evidence
1. Programs that perform tasks not specified for them.
2. Output reports that indicate that programs are performing tasks not specified for them.
Timing Attacks
Potential Offenders
1. Advanced system analysts.
2. Advanced computer programmers.
Methods of Detection
1. System testing of suspected attack methods.
2. Complaints from system users that their jobs are not being performed efficiently.
3. Repeat execution of a job under normal and safe conditions.
Evidence
1. Output that deviates from normally expected output of logs.
2. Computer operations logs.
Trojan Horses, Viruses, Worms, Salamis, and Logic Bombs
Potential Offenders
1. Programmers who have detailed knowledge of a program.
2. Employees or former employees.
3. Vendor or contractor programmers.
4. Financial system programmers.
5. Computer users.
6. Computer operators.
7. Crackers.
Methods of Detection
1. Comparison of program code with backup copies of the program.
2. Tracing of unexpected events of possible gain from the act to suspected perpetrators.
3. Detailed data analysis, including analysis of program code (e.g., you may detect a virus because a file increases in size when it is modified or because disk space decreases).
4. Observation of financial activities of possible suspects (especially for salami attacks).
5. Testing of suspect programs.
6. Examination of computer audit logs for suspicious programs or pertinent entries (e.g., log entries that show that many programs were updated at the same time) (especially for viruses).
7. Transaction audits.
Evidence
1. Output reports.
2. Unexpected results of running programs.
3. Computer usage and file request journals.
4. Undocumented transactions.
5. Analysis test program results.
6. Audit logs.
Software Piracy
Potential Offenders
1. Purchasers and users of commercial software.
2. Software pirates.
3. Employees who steal proprietary software.
Methods of Detection
1. Observation.
2. Testimony of legitimate purchasers of software.
3. Search of users' facilities and computers.
Evidence
1. Pictures of computer screens where pirated software is being executed.
2. The contents of memory in computers containing pirated software.
3. Copies of media on which pirated software is found.
4. Printouts produced by pirated software.
Data Diddling
Potential Offenders
1. Participants in transactions being entered or updated.
2. Suppliers of source data.
3. Preparers of data.
4. Nonparticipants with access.
Methods of Detection
1. Comparison of data.
2. Manual controls.
3. Analysis of computer validation reports.
4. Integrity tests.
5. Validation of documents.
6. Analysis of audit logs.
7. Analysis of computer output.
Evidence
1. Data documents for source data, transactions, etc.
2. Manual logs, audit logs, journals, etc.
3. Backups and other computer media (e.g., tapes and disks).
4. Incorrect computer output control violation alarms.
Scanning
Potential Offenders
1. Malicious intruders.
2. Spies attempting to access systems for targeted data.
3. Criminals intent on committing fraud.
Methods of Detection
1. Computer logs that show when telephone calls were received by the computer and when attempts were made.
2. Loss of data or transfer of funds or other assets.
3. Telephone company records.
Evidence
1. Telephone company records (pen register and dialed number recorder (DNR) records).
2. Possession of war dialing programs.
3. Computer logs.
4. Possession of information compromised as a result of scanning, including lists of telephone numbers.
Excess Privileges
Potential Offenders
1. Programmers with access to Superzap-type programs.
2. Computer operations staff.
Methods of Detection
1. Comparison of files with historical copies.
2. Examination of computer usage logs.
3. Discrepancies noted by those who receive reports.
Evidence
1. Discrepancies in output reports.
2. Computer usage and file request journals.
3. Undocumented transactions.