
Active attacks on the integrity of a computer facility resemble conventional cloak-and-dagger activities. Unauthorized persons can gain access through falsified identification badges and bribery. Once inside, a knowledgeable person can do a lot of damage with magnets and the more common tools of sabotage. Passwords can be read from printouts and the defenses cased. If unwatched, the intruder can use the computer itself to erase memories and call up defensive information. Another weak point is the tape vault where files are kept, often under less stringent guard.


So far, the emphasis has been on gaining access to the facilities. The computer itself has hardware and software defenses which can be tampered with, circumvented, or which even fail through natural causes. Software defenses include user identification schemes, various access control programs, bounds controls, etc. Software defenses are usually bypassed with software attacks. These attacks can be made more devastating if inside information can be gained first. Once again, the opportunities are limited only by the imagination of the attacker.

Some Typical Assaults on Computer Systems

Computerworld for April 4, 1973, detailed how the Chief Teller of the Union Dime Savings Bank, in New York City, manipulated both manual and computer records to "shuffle" $1.5 million to his own purposes. No one is yet sure just how he accomplished this feat or exactly how much he stole. The checks and balances built into the computer hardware and software and a manual auditing system were all foiled. With access to a terminal, not the computer room proper, the thief switched funds between accounts in such a way that the correct amounts always showed at audit time.

A now classic and very imaginative example of external penetration was carried out by a young electrical engineer on the West Coast. Posing as a customer, he discovered a way to "sign on" the computerized central supply division at the Pacific Telephone and Telegraph Co. Before someone betrayed him, he had illegally ordered and had delivered over $1 million worth of equipment without paying for it.

A weak spot in bank computing systems was found by a clerk in a Washington, D.C. bank. Noting that the bank's computer checked only the magnetically coded deposit numbers on the bottoms of incoming deposit slips, he replaced the usual supply of deposit slips on lobby desks with slips coded with his own account number. Depositors using forms from the lobby desks unknowingly added their money to his account. A few days later he made a large withdrawal and disappeared for good.

Other examples of fraud abound. One public employee sold raises to fellow workers. He altered payroll records during nighttime runs, draining thousands out of the treasury. Unhappy employees have been known to commit magnetic sabotage, ruining mailing lists and company records on magnetic tapes.

Two important generalizations can be made about computer-aided crimes: (1) most are inside jobs by employees who could not resist the easy opportunities spread out before them; and (2) most were discovered too late and usually by accident. The inferences are that computer defenses are woefully weak and that we very likely see only the tip of an iceberg. The really smart thieves have not been caught yet. At this moment, tens, perhaps hundreds, of people around the country are using computers to criminal ends. Many times this number, including many scrupulously honest employees, are mentally attacking computer systems: vicarious thrills, but situations that could turn into reality if personal circumstances made it worth the risk.
