💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › CHN › chn-0004.txt captured on 2022-06-12 at 10:39:05.
-=-=-=-=-=-=-
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
* (CHN) Connecticut Hacker Newsgroup (CHN) *
= CHN News File #3 =
* an I.I.R.G. affiliate *
= -=>Present<=- =
* Fundamental Truths About High-Tech Crime *
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
FUNDAMENTAL TRUTHS ABOUT HIGH TECHNOLOGY CRIME
By: Ron Hale
Some members of our society are greatly benefiting from
new technology and are exploiting it in ways never imagined.
Unfortunately, they re employing high technology to further
criminal enterprises. High-technology crime was born almost
simultaneously with legitimate uses Of computers, and continues
to thrive as new, attractive technologies become available.
And it will continue to grow as new user-empowering technologies
are introduced and as more businesses and individuals have access
to information systems.
To understand high-technology crime, and to appreciate its
significance and potential, we must understand some fundamental
truths, about crime and how these relate to high technology.
Truth 1: Crime, like water, follows the path of least resistance
To understand crime you must realize that if an opportunity
exists it will be exploited. Just as cars and the superhighway
systems gave rise to bank robbery rates in the '5Os, the
availability of computer and communications technologies will
increase the incidence of technology-related crimes today.
Computers and communication systems will be instrumental in
completing criminal acts that under other circumstances would be
completed traditionally. Like businesses, criminals in most
cases look to technology for the benefits provided. As our
society becomes more dependent on technology, and as more
individuals, have access to information and communication
systems, criminal exploits naturally will become more technology
intensive.
Truth 2: Highly complex technical crimes are the exception
rather than the rule.
Since the first computer crime was reported, we have been led
to believe that the nature of technology crime was primarily
technical. To gain from a criminal enterprise, offenders needed
to have a significant understanding of inforation system
architectures, system Software, specific applications and network
technologies. This focus led us to believe that system cracking,
infections through viruses and other malicious code, and breaking
application security represented the most significant opportunities,
for crime. Studies predicted potential annual losses in the billions.
In reality, however, although there are spectacular highly technical
crimes resulting in very significant losses, the majority of
technology crime may be less technical than we suspected.
The largest single wire transfer fraud in this country was
possible because of collusion and weaknesses in control procedures.
The mechanism was technical but the means was traditional.
Although spectactir highly technical crime will occur, the greatest
incidence of crime will be less technical in nature.
We must understand that criminals will exploit technology to the
extent necessary to facilitate crime.
Since technology is an effective facilitator, we can expect
technology to be increasingly used as an element of more traditional
crimes. We also must understand, from a national policy standpoint,
that to the extent that crime pervades the information highway,
travelers increasingly will be at risk.
Truth 3: Old crimes take on new meaning with increased technology.
The availability and advantages of high technology may change the
mix of criminal activities. In some cases, crimes that had not been
well practiced may increase as tecnology replaces the need for skill.
With forgery, due to the availability of scanners, color printers,
and special software, an unskilled operator can mimic a master
engraver. The result: document forgery can be practiced by
anyone.
New opportunities for crime may become possible through the
exploitation of technology. These may be variations on a theme in
the sense that the opportunity will be new, but the nature of the
crime will be the same, For example, theft of services has been a
problem as long as services of value could be stolen. A modem
example is communications fraud. When communication companies
controlled long-distance, few were able to exploit the technology
for financial gain. With deregulation, and the decision of
business to manage long-distance and other communication
services through their own Private Branch Exchanges (PBX), a new
opportunity was created.
Weaknesses in the way systems were installed and managed
has given a tremendous opportunity to criminals who make millions
for the effort. Although certain skill is required to gain access
to PBX systems, almost no skill is needed to operate long-distance,
call-sell operations. With annual losses conservatively estimated
at between $3 and $5 billion, there is sufficient motivation for the
technical few to find and compromise systems so that others can sell
the service.
As new technologies are introduced, they are as likely to be
exploited for criminal as well as legitimate use. In some cases
technically oriented individuals may be enlisted to support larger
criminal enterprises. Otherwise law abiding citizens, because of
potential gains, may be motivated to participate in crime. Yet,
for the most part, new crimes will not be created. Old crimes
will become more lucrative because they are easier and more prof-
itable. Additional criminal opportunities may be created because
a new niche will develop out of weaknesses in policy or practice.
In this case technology may spawn opportunities for crime.
Truth 4: Geographic boundaries are meaningless in an electronic age.
Modem law enforcement must deal with the mobile criminal.
Often, agencies cooperatively investigate crimes since sophisti-
cated criminal understand that the risk of arrest increases
with the length of time in any geographic area. Property crimes
are only solved because the offenders have been in an area too
long.
With technology, crime geography is meaningless. With the
speed of an electron you can be around the world. Connections
that require access through successive systems hide both identity
and location. As physical presence becomes less significant,
opportunities for detecting criminal activities and for apprehend-
ing offenders become less frequent.
Without geography, jurisdiction is difficult to determine.
Cooperation among government agencies becomes almost impossible
under the traditional police agency model. A victim may report a
crime, but the agency responsible for investigation will not have
the ability to share information or develop leads indicating a
larger conspiracy. If an offender is caught, the odds of
finding the full extent of the crime are virtually nil. Without
information from the offender, or evidence retrieved from computer
and commmication system records, it may not be possible to
identify other victims. Without such information it is difficult
to get the attention of prosecutors and judges.
To be effective in a technical world, law enforcement agencies
must establish contacts with other investigators, share information
and support prosecutions for crimes committed without regard to
geography. Although criminals have been eager to
accept new opportunities presented through advanced technology,
law enforcement has been hesitant. As violent crimes gain more
attention and resources, nonviolent crimes, in particular
technical crimes, are sometimes forgotten. Few departments have
the trained personnel or resources to dedicate to technical
crimes.
Truth 5: Society is hesitant to impose the controls necessary to
deter or detect electronic criminals.
With the promotion of an electronic frontier available
through an information superhighway, there is little
consideration given to crime or criminal opportunity.
In the days of the wild west, pioneers took risks and brought order
to what had been an unsettled environment. As more people were
attracted to an area, social conventions that had the, force of
law developed through mutual consensus. As the population grew,
elements were attracted that soon required more formalized laws and
a structure for detecting and punishing transgressions.
Our electronic frontier has currently developed conventions. With
the rapid increase in Internet Users, many conventions are challenged
or openly disregarded. The punishment of "flaming" will not be as
effective as the number of new users outnumbers the old-time
pioneers.
Imposing rules and structure over behavior is easier and more
acceptable than limiting personal expressions or electronic access.
Requiring citizens to purchase and display a vehicle license can
be effectively accomplished without creating public outcry.
Requiring licensiiig to identify users across an open network
will be impossible, if driven by the government. Such requirements
appear to impose restrictions that limit what we feel are our
fundamental rights.
Without the ability to ID parties to a communication across an
endless network of systems, electronic commerce cannot be
implemented.
Commercial conventions similar to a signature, cannot be developed.
Unless the users mutually agree to impose and accept certain
limitations, controls cannot be imposed. Without the ability to
positively identify communicating parties, criminal clements will
flourish. They will have free unrestricted access with the
ability to take on any identity required to attract or gain the
confidence of their intended victims.
Unfortunately, users across bullletin boards or information
services tend to tyrust other users and information received because
both they and the party to the communication are part of the
fraternity of users. Crime can flourish in such an environment.
These simple truths lead us to draw cxertain conclusions about the
nature of controls within a technical environment.
Controls. including manual and automated procedures, must be
comprehensive. reliance on a technical control such as access
control systems may not be sufficient when criminals are
attacking from all directions. We know that system crackers rely
on social engineering and dumpster diving to gain information
that facilitates system penetrations. We have seen that criminals
will use technical means for financial gain in ways that mimic
traditional crimes. To develop a reliable and effective control
structure we must blend manual and automated procedures with
technical controls in a way that enables prevention as well as
detection capabilities.
There is a need to accept technologies that ensure correct
identification of communicating parties. The government has been
reluctant to bless current technologies such as public key
cryptography. In an electronic age there are no easy ways to verify
identity without using measures such as public key encryption.
Users may need to trade some of the freedom currently available in
the electronic world to help ensure their own safety and security.
In some commercial cases, positive verification of identity should
be considered a contractual requirement. When identity can be
established, and it can be known positively that messages have not
been compromised, then electronic commerce will be more secure.
Ethical computing needs to be taught at an early age.
Criminologists believe that when rules have not been formalized and
accepted within the population, it is difficult to define ethical
behavior or make individuals accountable. We must accept basic
rules of the road before being admitted to the information super-
highway. Currently there is little agreement as to what is proper
behavior in a computing environment. Some expect rigid controls
while others with equal personal conviction believe that systems
should be open and that cracking is a legitimate intellectual
pursuit.
Most people will find an acceptable position somewhere between
the two stances.
Electronic travelers must be made aware of the dangers.
As long as there are criminals seeking opportunities for fraud,
theft and even child molestation on our networks, we must
encourage vigilance. Users must be aware that electronic travels
require the same degree of vigilance and awareness as do travels
through the physical city. Bulletins should be made generally
available, perhaps in an electronic town square, that warn
about recent criminal activities or post the identity of those
who violate the security of the network or its users. Being aware
is being prepared.
Security and law enforcement personnel must be aware of
opportunities for crime, and must have the skills and equipment
to be able to prosecute technical crimes. Some have predicted
that, as this century closes, public concerns about violent crime
will increase and police attention and involvement with
property crimes will decrease. They have suggested that
private agenecies will be required to take on more
responsibility. Security Officers will increasingly need
to be aware of corporate and individual network connections, how
they are used and what the risks are for their organizations.