History of Computer Crimes
When writing about computer crime, one must ask, “Where to start?” Since the beginning of digital 0s and 1s, computer crime has been prevalent.
Kabay (2012), in his seminal Computer Security Handbook, details the different ways criminals have wreaked havoc.
In the early 1960’s and 1970’s, there were multiple instances of direct damage against computer centers caused by saboteurs. There were credit card frauds, identity thefts, logic bombs, phone phreaking, data diddling, and extortion. Then, the crooks started to get sophisticated.
In the 1970’s-1990’s, crimes involving Trojan horses, worms, viruses, spam, and denial-of-service events caused billions of dollars in damages.
Types of Computer Crime
Computer crimes primarily involve the misuse of computer logic. Crimes against hardware and physical security are relatively non-existent. The real criminal focus was on logical security breaches and programmed threats. Spafford, Heaphy and Ferbrache (1986) divided logical security breaches into the following major categories (excerpted below):
Privacy and confidentiality
Integrity, which assures that data and programs are not modified without proper authority
Unimpaired service
Consistency, which ensures that the data and behavior we see today will be the same tomorrow
Controlling access to resources
Programmed threats, also called malicious software, pose a significant threat to computer security as well and cause billions of dollars in damages. Spafford (1992) lists the main types of programmed threats (excerpted below):
Viruses, which are inserted into other computer programs
Worms, which can move from machine to machine across networks, and may have parts of themselves running on different machines
Trojan horses, which appear to be one sort of program, but actually are doing damage behind the scenes
Logic bombs, which check for particular conditions and then execute when those conditions arise, and
Bacteria or Rabbits, which multiply rapidly and fill up the computer's memory
In addition to logical security breaches and programmed threats, there are “hackers,” who sneak into a computer system without permission to compromise internal data.
McAfee (2010), the security software giant, developed a list of the latest, most insidious computer crimes working their way around cyberspace. The top 5 crimes involving the most people over the last decade include:
Scare-ware, which is the sale of fake antivirus software
Phishing scams, which involve tricking users into giving up personal information via targeted emails, fake friend requests, spam, and social networking (in 2009 alone, over half a million sites were detected)
Phony websites, which involve fake sites that look real (phony banking sites, auction sites, and e-commerce)
Online dating scams, involving viruses such as the “I Love You” virus, whereby the crook creates a personal relationship in order to ask for cash, merchandise or other favors
Nigerian scams, which involve advance fees
Are these scams and malware only a tip of the iceberg?
Who is winning?
FBI security guru Shawn Henry (now with a private security firm) said in the Wall Street Journal (see Barrett, 2012) that companies need to make drastic changes in the way computer systems are used to minimize damage to national security and the economy. He says that too many companies fail to recognize the extent of the risk – financially & legally – and cost of operating vulnerable networks. "I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security," Henry said. "In many cases, the skills of the adversaries are so substantial that they just leap right over the fence, and you don't ever hear an alarm go off. Companies need to be hunting inside the perimeter of their network." What should leadership do to combat cybercrimes? Henry stated the obvious: "If leadership doesn't say, 'This is important, let's sit down and come up with a plan right now in our organization; let's have a strategy,' then it's never going to happen…"
Barrett, D. (2012, March 28). U.S. Outgunned in Hacker War. The Wall Street Journal.
Kabay, M. (2012). History of Computer Crime. In Computer security handbook, 5th edition, 2, 27. Wiley.
McAfee. (2010). A good decade for cybercrime: McAfee's look back at ten years of cybercrime. Santa Clara, CA: McAfee, Inc.
Spafford, E. (1992). Are computer hacker break-ins ethical? Journal of Systems and Software, 17, 41-47.
Spafford, E., Heaphy, K., & Ferbrache, D. (1989). Computer viruses: Dealing with electronic vandalism and programmed threats. Arlington, VA: ADAPSO (now ITAA).
Great summary. Just this week I read an article in WIRED magazine about password vulnerabilities - it speaks to many of the points you made - http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/
Wow. What a great read. I wish DoD would take a gander. We're up to 14 characters, with two of everything (vowels, wingdings, etc.). I loved this paragraph: "Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another."
Thanks for the link-to.
It’s time to own up…perhaps my biggest single consulting client in my fifteen-plus years in that business was the Central Bank of Nigeria (closely followed by the Nigerian National Petroleum Corporation and several smaller Nigerian government agencies including the Economic and Financial Crimes Commission.) Yes, I’m very familiar with cybercrime. The crime of advance fee fraud is the one most commonly associated with that nation and many have been exposed to only its most crude and laughable forms. I am pleased to say that the Central Bank and the Economic and Financial Crimes Commission were really working hard to battle the epidemic of cybercrime, but felt it was an uphill struggle. To a large degree, this was because established institutions like the national oil company (NNPC) and numerous government agencies were “home” to some of the practitioners of the fraud; the elaborate schemes revealed to me bordered on the amazing. Advance fee fraud wasn’t the only crime; hackers, technologically enhanced billing schemes, extortion by delaying what should be system-driven transactions…all of these were commonly used. It was, without question, a cultural and leadership issue on a massive scale.
So how did my partners and I manage to work with these groups over that long time frame and not fall victim to such fraud and criminal activity? (We never lost a penny…I used to joke that I was the only American who had a Nigerian’s bank account number!) The simple explanation is plain old vigilance and reliance on common sense. Know your market, that’s wise advice for any business practitioner. Know your customer and rely on as much face to face contact as possible. Assume that anything that sounds too good to be true is too good to be true. And understand the technology that enables legitimate business will also be used by the unethical and outright lawless. It took hard work and paying attention.
On another issue somewhat related, I often wonder if we spend so much time and effort looking for hi-tech solutions to hi-tech crimes that we may forget the basics? My wife’s nephew is a principal in a global information technology security firm. He’s authored books and gives training to customers not only domestically but in runaway wild markets like Russia and Cyprus. But one tale he tells with some frequency goes like this; he’s fond of meeting a CEO in his office…by waiting for him there with no one else’s knowledge that’s even in the building. He’s done it more than once. It’s a less than subtle way of saying that even though we need to monitor and repair the possible tech problems, perhaps we need to look at the basics first.
For a laugh (and some serious commentary) centering mainly on the Nigerian situation I recommend
http://www.scamorama.com/ subtitled “the Lads from Lagos”
What a riot: "I used to joke that I was the only American who had a Nigerian’s bank account number!". "Nigerian Bank" became synonymous like Kleenex and Scotch Tape, concerning which, we Scots accept that and whisky as our gifts to Mankind!
Seriously, you are spot on with regard to fighting cybercrime with common sense and a little basic logic and inquiry. To fight cybercrime, there has to be a wide net cast and a variety of techniques employed, because cyber criminals adapt very quickly.
Tom, neat story.
One of the better books ever written about the early history of this problem was THE CUCKOO'S EGG, by Clifford Stoll (1989). It is the story of one of the first hackers on the web, who was finally traced to West Germany. I was at the Defense Communications Agency at the time and remember the data guys discussing the case.
http://en.wikipedia.org/wiki/The_Cuckoo's_Egg
Dr. W: I'm a follow-the-money freak. Just read Boomerang and The Big Short by Michael Lewis (The Blind Side, Moneyball), and just ordered the above book for shipping and handling ($4). Got to read it. Thanks for the lead. Best, Rope