A Crimefighter's Handbook
By David Icove, Karl Seger & William VonStorch
1st Edition August 1995
What Are the Crimes?
In this chapter:
Breaches of Physical Security
Breaches of Personnel Security
Breaches of Communications and Data Security
Breaches of Operations Security
Ways of Detecting Common Attacks
Computer crimes range from the catastrophic to the merely annoying. A case of computer-driven espionage might wreak devastating losses to national security. A case of commercial computer theft might drive a company out of business. A cracker's prank might not actually cause damage at all--but might cause a video game company or another computer user some annoyance. Some computer crimes are perpetrated for kicks, and some for social or political causes; others are the serious business of professional criminals. There is perhaps no other form of crime that cuts so broadly across the types of criminals and the severity of their offenses.
This chapter touches on a wide range of computer attacks. Some are truly crimes, and others are not. Whether a particular attack is viewed as being a full-fledged crime or is simply dismissed as being a prank will depend upon the motives of the attacker, the type of organization and data attacked, and other aspects of the situation that can't be neatly summarized in a chapter of this kind.
The attacks discussed in this chapter are those in which the computer itself--or, more likely, the information it stores--is the target of the crime. We do not cover crimes in which the computer is simply used by the perpetrators in their criminal enterprises (for example, drug deals in which a syndicate keeps computerized records). We also do not cover the larceny of computers and computer components.
There are many ways to categorize computer crimes. You might divide them according to who commits them and what their motivation might be (e.g., professional criminals looking for financial gain, angry ex-employees looking for revenge, crackers looking for intellectual challenge). Or, you might divide these crimes by how they are perpetrated (e.g., by physical means such as arson, by software modifications, etc.). In this chapter, we have chosen to divide computer attacks (remember that some of these attacks are not crimes in the legal sense, but annoyances) by the types of computer security that ought to prevent them--the same types of security we explain in Part II of this book:
Protection of the physical building, computer, related equipment, and media (e.g., disks and tapes).
Protection of the people who work in any organization, and protection of computer equipment and data from these people and others outside the organization.
Protection of software and data, especially as it passes from computer to computer.
Protection of the procedures used to prevent and detect security breaches, and the development of methods of prevention and detection.
In some cases, the boundaries between these categories may be rather fuzzy, and some attacks may overlap several categories.
NOTE: Many of the attacks we describe in this chapter are technically complex, and we can't explain them in detail in an introductory book of this kind. In this chapter, we are simply outlining the various types of attacks that you are likely to see when you investigate a computer crime so that you will have some familiarity with the concepts and the terminology. If you need to know the details of any particular type of attack, consult your technical advisors and the technical references listed in Appendix A, Resource Summary.
Breaches of Physical Security
As we describe in Chapter 6, physical security is concerned with physical protection of the computer, computer equipment, computer media, and the overall physical facility from natural disasters, accidents of various kinds, and intentional attacks. That chapter describes the basics of what is being protected, and provides guidelines that will help keep your facility physically secure.
We've already discussed some obvious breaches of physical security in Chapter 1. Terrorist bombings on buildings housing computer equipment, arson, and theft and destruction of computer equipment fall into this category. You may not realize that less obvious attacks, like turning off the electricity in a computer room, spilling soda on a keyboard, and throwing sensitive papers in the trash may also invite disaster. This section describes some of these less obvious breaches.
Dumpster diving, or trashing, is a name given to a very simple type of security attack--scavenging through materials that have been thrown away, as shown in Figure 2-1. This type of attack isn't illegal in any obvious way. If papers are thrown away, nobody wants them--right? Dumpster diving also isn't unique to computer facilities. All kinds of sensitive information turns up in the trash, and industrial spies through the years have used this method to get information about their competitors.
Figure 2-1. Dumpster diving
Computer facilities are especially good places for scavengers who are looking around for information that might help them penetrate a system (people often write down information that they shouldn't). Around the offices and in the trash, crackers can find used disks and tapes, discarded printouts, and handwritten notes of all kinds. Crackers have been known to literally dive into the dumpsters outside telephone companies and network providers, searching for passwords and access codes. They may also retrieve printouts, computer manuals, and other documents from which they extract information needed to crack the system. They'll often share this information with other crackers by posting it to BBSs or in publications of various kinds. The trash of computer and telephone companies is of special interest to trashers because it's usually a rich source of helpful information.
There is another type of computer-related "trash" that you might not consider. In the system itself are files that have been deleted, but that haven't actually been erased from the system. Computers and computer operators are oriented towards saving data, not destroying it, and sometimes data is saved that shouldn't be. Remember the last time the system crashed while you were working on a project? Even though you might have lost some data, you were probably able to recover using a backup that you or your system operator or administrator made. If backups aren't made regularly--and your data loss is greater than it might be--you'd complain bitterly. But, when is the last time you complained because data you thought was erased was still in the computer?
Electronic trashing is easy because of the way that systems typically delete data. Usually, "deleting" a file, a disk, or a tape doesn't actually delete data, but simply rewrites a header record. If you are running MS-DOS, for example, you can delete a file via the DEL command; however, someone can retrieve the contents of the file simply by running UNDELETE. System utilities are available that make it easy to retrieve files that may seem to be completely gone. This is sometimes a source of embarrassment. Lieutenant Colonel Oliver North discovered to his dismay that erasing sensitive Iran-Contra email didn't really remove the files, but simply removed references to them. The files were easily retrieved and used during the hearings into the Iran-Contra affair.
Although there are methods for truly erasing files and magnetic media, most computer operators who work on large systems do not take the time to erase disks and tapes when they are finished with them. They may discard old disks and tapes with data still on them. They simply write the new data over the old data already on the tape. Because the new data may not be the same length as the old, there may be sensitive data left for those skilled enough to find it. It is far safer to explicitly write over storage media and memory contents with random data and to degauss magnetic tapes.
One computer company in Texas that does business with a number of oil companies noticed that whenever a certain company asked them to mount a temporary storage (scratch) tape on the tape drive, the read-tape light would always come on before the write-tape light. The ingenious oil company was scavenging the tape for information that might have been put on it by competitors that used the tape before them.
Trashing can have deadly consequences. When some old Department of Justice computers were sold off, they had on their disks information on the whereabouts of witnesses in the Federal Witness Protection Program. Although the data had been deleted, it had not been completely erased from the disk. The DOJ was able to get back some of the computers, but not all, and was forced to relocate the compromised families as a result.
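As an added illustration (not from the book), the following Python simulation models the scratch-tape scenario above: a "delete" that only clears the header record, a shorter file written over the old one, and the residue that survives on the medium, compared with an explicit random overwrite before reuse. The tape size, the sample records, and the class and function names are constructed for this example.

```python
import os
import re

TAPE_BYTES = 256   # size of the simulated scratch tape (constructed value)

# Constructed sample data: an oil company's sensitive record and the shorter
# temporary file that the next user of the same scratch tape writes over it.
SECRET = b"WELL 17 SEISMIC: DRILL AT 31.2N 101.7W DEPTH 9400FT"
NEW_FILE = b"temp sort run 1"


class ScratchTape:
    """A reusable tape where 'delete' only clears the header record.

    The data blocks are untouched, which is how the chapter describes
    MS-DOS DEL and the usual tape-library delete.
    """

    def __init__(self) -> None:
        self.media = bytearray(TAPE_BYTES)   # raw medium, initially zeroed
        self.length = None                   # header: length of the current file, or None

    def write_file(self, data: bytes) -> None:
        # Only len(data) bytes are overwritten; anything beyond that survives.
        self.media[: len(data)] = data
        self.length = len(data)

    def delete_file(self) -> None:
        self.length = None                   # header gone, bytes still on the medium

    def read_file(self) -> bytes:
        return bytes(self.media[: self.length]) if self.length is not None else b""

    def raw_dump(self) -> bytes:
        # What someone who reads the whole tape sees, ignoring the header.
        return bytes(self.media)

    def sanitize(self) -> None:
        # Explicit overwrite with random data before reuse, as the chapter recommends.
        # (Degaussing is the physical-media equivalent and cannot be simulated here.)
        self.media[:] = os.urandom(TAPE_BYTES)
        self.length = None


def printable_runs(dump: bytes, min_len: int = 8) -> list:
    """Pull out runs of printable ASCII, the way the Unix 'strings' tool does.

    This is as useful for a pre-discard check on media as it is to a scavenger.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, dump)]


def leftover_after_reuse(sanitize_first: bool) -> bytes:
    """Return the bytes beyond the current file's header after the tape is reused.

    Company A writes SECRET and deletes it; company B then writes NEW_FILE.
    Without sanitizing, the tail of SECRET survives past B's shorter file.
    """
    tape = ScratchTape()
    tape.write_file(SECRET)
    tape.delete_file()
    assert tape.read_file() == b""          # the file looks gone to normal tools...
    if sanitize_first:
        tape.sanitize()
    tape.write_file(NEW_FILE)
    return tape.raw_dump()[tape.length:]    # ...but what lies on the medium past B's header?


if __name__ == "__main__":
    for sanitize in (False, True):
        tail = leftover_after_reuse(sanitize)
        print(f"sanitized before reuse: {sanitize}")
        print("  bytes past the header:", tail[:40])
        print("  printable strings    :", printable_runs(NEW_FILE + tail))
```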
There are a number of ways that physical methods can breach networks and communications. Some of the offenses we discuss below overlap with those described in "Breaches of Communications Security," later in this chapter. Telephone and network wiring is often not protected as well as it should be, both from intruders who can physically damage it and from wiretaps that can pick up the data flowing across the wires.
Criminals sometimes use wiretapping methods to eavesdrop on communications. It's unfortunately quite easy to tap many types of network cabling. For example, a simple induction loop coiled around a terminal wire can pick up most voice and RS232 communications. More complex types of eavesdropping can be set up as well. As we describe in Chapter 8, Communications Security, it's important to physically secure all network cabling to protect it both from interception and from vandalism.
Telephone fraud has always been a problem among crackers, but with the increasing use of cellular phones, phone calling cards, and the ordering of merchandise over the phone using credit cards, this problem has increased dramatically in recent years.
Eavesdropping on Emanations
Electronic emanations from computer equipment are a risk you need to be aware of, although this is mainly a concern for military and intelligence data. Computer equipment, like every other type of electrical equipment from hairdryers to stereos, emits electromagnetic impulses. Whenever you strike a computer key, an electronic impulse is sent into the immediate area. Foreign intelligence services, commercial enterprises, and sometimes even teenage crackers may take advantage of these electronic emanations by monitoring, intercepting, and decoding them. This may sound highly sophisticated, but there have been some embarrassingly easy cases. The original HeathKit H19 terminals transmitted radio signals that were so strong that they could be picked up by placing an ordinary television set beside the terminal. As characters were typed on the terminal screen, a distinctive pattern appeared on the TV screen and could be decoded, as shown in Figure 2-2.
Figure 2-2. Emanations
Because of the emanation threat, government computers that are used to store and process classified information require special physical shielding. The U.S. federal TEMPEST program is designed to develop, test, and certify specially shielded computer equipment from mainframes to terminals to cabling.
There are other types of emissions as well. Criminals have even recorded the noise from a computer printer (the key-and-ribbon variety; it can't be done with laser printers) and then played the recording later to determine which keys were active.
Denial or Degradation of Service
A few security breaches span most of the categories discussed in this chapter. How these breaches are categorized depends largely on the methods used to prevent or detect them. In security terms, availability means that the computer facility, the computer itself, and the software and data users need are all working and available for use. Someone who shuts down service or slows it to a snail's pace is committing an offense known as denial of service or degradation of service. There are many ways to disrupt service, including such physical means as arson or explosions; shutting off power, air conditioning, or water (needed by air conditioning systems); or performing various kinds of electromagnetic disturbances. Natural disasters, like lightning and earthquakes, can also disrupt service. Chapter 6, Physical Security, describes these physical disruptions in some detail.
Actually, there are two quite different types of attacks in this category. Some cases of electronic sabotage involve the actual destruction or disabling of equipment or data. Turning off power or sending messages to system software telling it to stop processing are examples of the first type of attack--a classic denial of service.
The other type of attack, known as flooding (or sometimes wedging or spamming) is the type we saw with the Internet worm. As the worm spread across systems and networks, it kept creating new processes that so clogged the affected systems that other work couldn't get done. In this type of attack, instead of shutting down service, the attacker puts more and more of a strain on the systems' ability to service requests, so eventually they can't function at all. Another example of a flooding attack was the "electronic mail bomb" that victimized writers Michelle Slatalla and Josh Quittner, as we described in Chapter 1.
Denial of service doesn't have to be a complex technical attack. Sometimes, it even occurs by accident. Suppose all of your system administrators get (or are given) food poisoning at a company lunch. Suppose a determined fax machine ties up your own machine by continuing to dial it. Suppose a new user starts printing a PostScript file as text on the company's only printer, and doesn't know how to stop the job. There are many examples of accidental denial of service.
Breaches of Personnel Security
To some extent, nearly all of the attacks we discuss in this chapter could be considered in the realm of personnel security--after all, people commit the offenses and people ultimately detect them. In fact, many of the crimes we talk about in terms of computer security happen whether or not computers are involved--bribery, subversion, extortion, and malicious mischief of all kinds. Only the targets and the media may differ.
There are a few particular security breaches that merit special discussion here.
Masquerading occurs when one person uses the identity of another to gain access to a computer. This may be done in person or remotely. We describe basic masquerading in this section, but masquerading is an attack that spans the boundaries of the categories we've identified in this chapter. Because operations security methods should be in place to prevent and detect masquerading, that category is also relevant. In fact, we discuss some technically complex forms of masquerading in the section called "Breaches of Operations Security" later in this chapter.
There are both physical and electronic forms of masquerading. In person, a criminal may use an authorized user's identity or access card to get into restricted areas where he will have access to computers and data. This may be as simple as signing someone else's name to a sign-in sheet at the door of a building. It may be as complex as playing back a voice recording of someone else to gain entry via a voice recognition system. (The 1992 U.S. movie, Sneakers, had some nice scenes showing how this could work--at least how it could work in Hollywood!)
A related attack, sometimes called piggybacking, involves following an authorized person into a restricted area--a building or a computer room. For example, someone who wants to gain access to a restricted area might show up at a secured door, carrying a heavy armload of computer equipment, at the same time as an authorized employee arrives, and looking as if they belong. The authorized employee kindly holds the door open, and the intruder tags along into the area. Of course, there is nothing high-tech about this; it's the same principle burglars follow to gain entry to apartment houses. It's easy enough to prevent piggybacking: guards and access methods like turnstiles and mantraps (which allow only one user to enter at a time) usually do the job. User education is also a very important deterrent.
Electronically, an unauthorized person will use an authorized user's logon ID, password, personal identification number (PIN), or telephone access code to gain access to a computer or to a particular set of sensitive data files. There are many ways to obtain this information, some of them quite simple and others quite complex. For example, they might have obtained this information by theft (if the authorized user has written down these numbers and codes), eavesdropping electronically (via password sniffers or other types of monitoring programs), or simply looking over the shoulder of the user while he or she types. In fact, one gang of juvenile crackers in Atlanta obtained passwords by using binoculars to look across a street into windows where users were typing their passwords.
Unauthorized password use is the most common type of electronic masquerading, and it's a very effective one. If an outsider steals or figures out a password, there is no easy way for the system to tell whether the person who enters the password is the legitimate, authorized user, or an outsider. Unfortunately, passwords are often far too easy to crack. People are very likely to pick passwords that can be easily guessed by intruders or can be cracked by password cracking or dictionary programs. They pick the names of their spouses, children, or pets, their birthdates or license plates or astrological signs, or the names of sports teams or fictional characters. (Chapter 8 provides some good hints for selecting sound passwords.)
To understand how masquerading works, you need to know a few basics about how users gain access to shared systems via a two-step process known as identification and authentication.
Identification is the way you tell the system who you are. For example, you enter your user account name in response to a "login" prompt, or you enter your bank account number at an ATM machine. Authentication is how you prove to the system that you are who you say you are. There are three classic ways in which you can prove yourself:
Something you know
The most common example is a password or a PIN. The theory is that if you know the password or PIN for an account, you must be the owner of it.
Something you have
Examples are keys, tokens, badges, and smart cards that you use to "unlock" a building, a door, a computer, or an account.
Something you are or do
Examples are physiological traits, like your fingerprint or voiceprint, or behavioral traits, like your signature or keystroke pattern.
It's unfortunately very common for computer criminals to steal, guess, or otherwise obtain account names and passwords. And, once someone is masquerading as you, he can do virtually everything you can do. Not only can he steal your files (breaching their confidentiality), he can also modify them (destroying their integrity) or perhaps even delete them completely. Figure 2-3 shows a simple case of masquerading.
Figure 2-3. Masquerading
Most damaging of all, a masquerader can pretend to the outside world that he is you, thus damaging your reputation as well as your data. A few years ago, a Dartmouth student sent forged electronic mail, supposedly from a professor at the college, saying that a midterm exam had been canceled because of a family emergency. Half the class believed the email and didn't show up for the exam. In another case, someone masquerading as a Texas A&M professor sent out many thousands of electronic copies of racist hate mail; a year later, the victim of this forgery is still dealing with the consequences.
The principle of repudiation comes into play here. There are ways in software of ensuring that someone who does something in a system--sends a message, changes a file, etc.--is held accountable and cannot claim later that he did not do what he did. To make this work--to keep masquerading from being a problem in your system--your system needs methods of strong authentication, as well as excellent operations security. (These concepts are beyond the scope of this book. The references in Appendix A provide sources of additional information.)
Social engineering is the name given a category of attacks in which someone manipulates others into revealing information that can be used to steal data or subvert systems. Such attacks can be very simple or very complex. In one low-tech case we know about, a man posing as a magazine writer was able to get valuable information over the telephone from the telephone company simply by asking for it--supposedly for his story. He then used that information to steal more than a million dollars in telephone company equipment.
Special Problems with Masquerading
Skilled intruders may even hide their identities by manipulating telephone and telecommunications systems. Keep in mind, when you are investigating intrusions, that the phone numbers you uncover during an investigation may, in fact, not be the ones used directly by the intruders.
Masquerading is one of the most frequently used methods of gaining criminal access to a computer system. Unfortunately, should the case ever come to trial, masquerading is also one of the hardest to prove. By the very nature of the crime, the records (e.g., system logins, sign-in sheets, etc.) erroneously show that the authorized person--not the criminal--was using the computer during the time that it was penetrated. Some cases have been successfully prosecuted when eyewitnesses are able to place the suspect at the terminal used to connect to the computer at the time the crime took place. The next best thing is to show that the authorized user was somewhere else during this period. Also, be ready to demonstrate, when possible, how the suspect gained access to the password, personal identification number, or other access code.
An old trick is to make a few phone calls to find out the names of certain key machines in an organization. (With most operating systems, the appropriate networking programs let you find this information online, with no need for human contact.) The attacker can then stroll into the building (perhaps he's timed his visit for the system administrator's lunch hour) and tell the receptionist he's there to service the "SPIRIT" machine, for example. He'll probably be convincing enough that he'll be given free rein of the system.
A particularly nasty kind of personnel breach we've seen lately is harassment on the Internet. Sending threatening email messages and slandering people on bulletin board systems and newsgroups is all too common. In a recent harassment case, a student from the University of Michigan was indicted for posting a particularly graphic story about a sex murder on an Internet newsgroup. Because he used the name of an actual female student at Michigan, his activities were initially considered to be harassment. (The case was eventually dismissed.)
These kinds of attacks are not new, and personally threatening remarks can as easily be sent by letter or posted on a wall, as they can be sent over the Internet. But the electronic audience is a much larger one, and such messages, sent out from an organization's network domain, may damage the reputation of the organization as well as that of the particular perpetrator.
Software piracy is an issue that spans the category boundaries and may be enforced in some organizations and not in others. Pirated computer programs are big business. Copying and selling off-the-shelf application programs in violation of the copyrights costs software vendors many millions of dollars. The problem is an international one, reaching epidemic proportions in some countries. (As we've said, software piracy was a major issue in the 1995 Clinton trade agreement with China.) Too many people don't take copyrights seriously. Law-abiding people everywhere think nothing of copying games to share with friends, or office software for home use.
Bulletin board systems often make pirated software available for downloading or swapping. In a recent case, an MIT student was accused of running a BBS that was used in this way. Charges against him were eventually dropped, however, on the theory that the federal wire fraud statute did not apply to a case involving copyright infringements. Only the copyright statute would apply, and it was not applicable where the infringing person did not intend to profit from his conduct.
The stealing of proprietary programs is also a major business problem. A company may spend millions of dollars to develop a specialized program, only to find that its competitor has the same program--and the competitor hasn't had to invest in the development costs! Remember from Chapter 1 the fear that Apple Computer had that the source code for its Macintosh computers may have been compromised. Had this happened, then Macintosh clones could be manufactured anywhere in the world.
Employees need to be educated about the legalities, ethics, and company policies relating to software piracy and other forms of unauthorized copying of information. Some breaches of personnel security occur because procedures have broken down--either the procedures for training employees or the procedures for dealing with the system and the data after these employees leave an organization. (In Chapter 7, we'll summarize these procedures.) Some breaches really come down to policy and policy enforcement. What might be considered a crime in some organizations might be a minor infraction, or even legitimate, in another. For example, does an organization allow employees to carry sensitive data outside the office? Can the employee use company software and databases from a home computer?
Sometimes, policy enforcement is spotty. For example, some organizations that work with sensitive information prohibit employees from carrying paper copies or disks and tapes home from work. On the other hand, they encourage those same employees to work from home by giving them modems to use in accessing company databases. They forget that data can as easily be downloaded to a home computer as carried out the office door.
Breaches of Communications and Data Security
In this category we include attacks on computer software and on the data itself. The other categories we've discussed in this chapter are more focused on physical equipment, people, and procedures.
There are many types of attacks on the confidentiality, integrity, and availability of data. Confidentiality keeps data secret from those not authorized to see it. Integrity keeps data safe from modification by those not authorized to change it. Availability, as we discussed under "Denial or Degradation of Service" above, keeps data available for use.
The theft, or unauthorized copying, of confidential data is an obvious attack that falls into this category. Espionage agents steal national defense information. Industrial spies steal their competitors' product information. Crackers steal passwords or other kinds of information on breaking into systems.
Two terms you'll hear in the context of data attacks are inference and leakage. With inference, a user legitimately views a number of small pieces of data, but by putting those small pieces together is able to deduce some piece of non-obvious and secret data. With leakage, a user gains access to a flow of data via an unauthorized access route (e.g., through eavesdropping).
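The inference problem described above, as an added Python example that is not part of the book: a constructed personnel table answers only aggregate queries, two individually harmless sums are combined to deduce one salary, and a query-overlap audit (a classic statistical-database control) refuses the combination. The table contents, the threshold k, and the class and function names are assumptions made for this example.

```python
# Constructed sample personnel table: (name, department, years_of_service, salary).
EMPLOYEES = [
    ("alice", "eng", 12, 98000),
    ("bob",   "eng",  3, 71000),
    ("carol", "eng",  7, 84000),
    ("frank", "eng", 20, 120000),
    ("grace", "eng",  5, 77000),
    ("dave",  "ops",  9, 66000),
    ("erin",  "ops", 15, 90000),
    ("hank",  "ops",  2, 58000),
]


class AggregateOnlyDB:
    """Releases only SUM(salary) over a predicate, never individual rows.

    Two inference controls are modelled:
      * minimum query-set size: the matching set and its complement must both
        hold at least k people, so no single answer is about one person;
      * overlap audit (optional): a query whose set differs from an already
        answered set by fewer than k people is refused, because the difference
        of the two sums would isolate those few people.
    """

    def __init__(self, rows, k=3, audit=True):
        self.rows = rows
        self.k = k
        self.audit = audit
        self.answered = []   # query sets already released, as sets of names

    def sum_salary(self, predicate):
        chosen = frozenset(r[0] for r in self.rows if predicate(r))
        if len(chosen) < self.k or len(self.rows) - len(chosen) < self.k:
            raise PermissionError("query set too small")
        if self.audit:
            for prior in self.answered:
                if 0 < len(chosen ^ prior) < self.k:
                    raise PermissionError("query overlaps an earlier one too closely")
        self.answered.append(chosen)
        return sum(r[3] for r in self.rows if r[0] in chosen)


def infer_salary(db, dept, years):
    """Combine two legitimate aggregate answers to deduce one person's salary.

    The only outside knowledge needed is a small, innocuous fact: exactly one
    person in `dept` has `years` years of service. Each query on its own passes
    the size rule; their difference is that person's salary.
    """
    whole_dept = db.sum_salary(lambda r: r[1] == dept)
    all_but_one = db.sum_salary(lambda r: r[1] == dept and r[2] != years)
    return whole_dept - all_but_one


if __name__ == "__main__":
    print("without audit:", infer_salary(AggregateOnlyDB(EMPLOYEES, audit=False), "eng", 3))
    try:
        infer_salary(AggregateOnlyDB(EMPLOYEES, audit=True), "eng", 3)
    except PermissionError as err:
        print("with audit   : refused,", err)
```

Overlap auditing raises the cost of inference but is not a complete defense; sets built from several queries can still isolate a person, which is why noise addition or query logging with review is usually layered on top.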
We've talked about wiretapping and monitoring electronic emanations in "Breaches of Physical Security" above. In this section, we discuss attacks on the integrity of the data itself.
Unauthorized Copying of Data
Software piracy, which we discussed in "Breaches of Personnel Security" above, is another attack that spans the categories we've identified in this chapter. In some sense, piracy is just another example of the unauthorized copying of data. The methods for detecting and preventing such a crime are the same whether the copied data is national defense plans, commercial software, or sensitive corporate or personal data.
Preventing and detecting this type of attack requires coordinated policies among the different categories of computer security. In terms of personnel security, user education is vital. In terms of operations security, automated logging and auditing software can play a part as well.
Sometimes, the attacks on data might not be so obvious. Even data that appears quite ordinary may be valuable to a foreign or industrial spy. For example, travel itineraries for generals and other dignitaries help terrorists plan attacks against their victims. Accounts payable files tell outsiders what an organization has been purchasing and suggest what its future plans for expansion may be. Even the fact that two people are communicating--never mind what they are saying to each other--may give away a secret. Traffic analysis is the name given to this type of analysis of communications.
In one industrial espionage case, a competitor monitored a company's use of online data services to find out what questions it had and what information it was collecting on certain types of metallurgy. The information allowed the competitor to monitor the company's progress on a research and development project and to use this information in developing its own similar product. That product reached the market several weeks before the original developer was able to. The original company's research and development investment and its potential share of the market--many millions--were all but lost.
This kind of analysis isn't confined to sophisticated computer methods. It's an issue whenever anyone tries to keep a secret. During the U.S. Desert Storm crisis, a number of people in Washington DC correctly concluded, in the absence of any actual announcement by the White House, that the United States was about to mount a military operation. How? Government officials were meeting far into the night to plan their strategy. To fortify themselves, they kept calling a nearby pizza parlor for provisions. The pizza makers knew something was up--and when the press corps saw those pies being carried in, they also knew that something big was happening at the White House.
One somewhat obscure type of data leakage is called a covert channel. A clever insider can hide stolen data in otherwise innocent output. For example, a filename or the contents of a report could be changed slightly to include secret information that is obvious only to someone who is looking for it. A password, a launch code, or the location of sensitive information might be conveyed in this way. Even more obscure are the covert channels that convey information based on a system clock or other timed event. Information could, in theory, be conveyed by someone who controls system processing in such a way that the elapsed time of an event itself conveys secret information.
We've talked so far in this section about attacks on data. There are also attacks that subvert software.
One classic software attack is the trap door or back door. A trap door is a quick way into a program; it allows program developers to bypass all of the security built into the program now or in the future.
To a programmer, trap doors make sense. If a programmer needs to modify the program sometime in the future, he can use the trap door instead of having to go through all of the normal, customer-directed protocols just to make the change. Trap doors of course should be closed or eliminated in the final version of the program after all testing is complete, but, intentionally or unintentionally, some are left in place. Other trap doors may be introduced by error and only later discovered by crackers who are roaming around, looking for a way into system programs and files. Typical trap doors use such system features as debugging tools, program exits that transfer control to privileged areas of memory, undocumented application calls and parameters, and many others.
Trap doors make obvious sense to expert computer criminals as well, whether they are malicious programmers or crackers. Trap doors are a nifty way to get into a system or to gain access to privileged information or to introduce viruses or other unauthorized programs into the system.
For example, in 1993 and 1994, an unknown group of computer criminals repetitively broke into systems on the Internet using passwords captured by password sniffers. Once on the system, they exploited software flaws to gain privileged access. They installed modified login and network programs that allowed them reentry even if the original passwords were changed.
The detection of trap doors is an operations security problem--checking whether trap doors are present in the first place, and then verifying on an ongoing basis that none have appeared and that operations remain correct.
Session hijacking is a relatively new type of attack in the communications category. Some types of hijacking have been around a long time. In the simplest type, an authorized user gets up from his terminal to go get a cup of coffee. Someone lurking nearby--probably a coworker who isn't authorized to use this particular system--sits down to read or change files that he wouldn't ordinarily be able to access.
Some systems don't disconnect immediately when a session is terminated. Instead, they allow a user to re-access the interrupted program for a short period. A cracker with a good knowledge of telephone and telecommunications operations can take advantage of this fact to reconnect to the terminated session.
Sometimes, an attacker will connect a covert computer terminal to a line between the authorized terminal and the computer. The criminal waits until the authorized terminal is on line but not in use, and then switches control to the covert terminal. The computer thinks it is still connected to the authorized user, and the criminal has access to the same files and data as the authorized user. Other types of hijacking occur when an authorized user doesn't log out properly so the computer still expects a terminal to be connected. Call forwarding from an authorized number to an unauthorized number is another method of getting access.
Technically sophisticated tunneling attacks fall into this category as well. Tunneling uses one data transfer method to carry data for another method. Tunneling is an often legitimate way to transfer data over incompatible networks, but it is illegitimate when it is used to carry unauthorized data in legitimate data packets.
Timing attacks are another technically complex way to get unauthorized access to software or data. These include the abuse of race conditions and asynchronous attacks. In race conditions, there is a race between two processes operating on a system; the outcome depends on who wins the race. Although such conditions may sound theoretical, they can be abused in very real ways by attackers who know what they're doing. On certain types of UNIX systems, for example, attackers could exploit a problem with files known as setuid shell files to gain superuser privileges. They did this by establishing links to a setuid shell file, then deleting the links quickly and pointing them at some other file of their own. If the operation is done quickly enough, the system can be made to run the attacker's file, not the real file.
Asynchronous attacks are another way of taking advantage of dynamic system activity to get access. Computer systems are often called upon to do many things at the same time. They may, for example, be asked by different users to analyze data using an application program that can work with only one set of data at a time. Or they may be told to print data by more users than they can handle at once. In these cases, the operating system simply places user requests into a queue, then satisfies them according to a predetermined set of criteria; for example, certain users may always take precedence, or certain types of tasks may come before others. "Asynchronous" means that the computer doesn't simply satisfy requests in the order in which they were made, but according to some other scheme.
A skilled programmer can figure out how to penetrate the queue and modify the data that is waiting to be processed or printed. He might use his knowledge of the criteria to place his request in front of others waiting in the queue. He might change a queue entry to replace someone else's name or data with his own, or to subvert that user's data by replacing it. Or he could disrupt the entire system by changing commands so that data is lost, programs crash, or information from different programs is mixed as the data is analyzed or printed.
Trojan horses, viruses, worms, and their kin are all attacks on the integrity of the data that is stored in systems and communicated across networks. Because there should be procedures in place for preventing and detecting these menaces, they overlap with the operations security category as well.
During the Trojan War, the Greeks hid soldiers inside a large hollow wooden horse designed by Odysseus. When the Trojans were persuaded to bring the horse inside the gates of the city, the hidden soldiers emerged and opened the gates to allow their own soldiers to attack the enemy.
In the computer world, Trojan horses are still used to sneak in where they're not expected. A Trojan horse is a method for inserting instructions in a program so that the program performs an unauthorized function while apparently performing a useful one. Trojan horses are a common technique for planting other problems in computers, including viruses, worms, logic bombs, and salami attacks (more about these later). Trojan horses are a commonly used method for committing computer-based fraud and are very hard to detect.
Consider this typical situation: A Trojan horse is hidden in an application program that a user is eager to try--something like a new game or a program that promises to increase efficiency. Inside the horse is a logic bomb that will cause the entire system to crash the third time the user runs the new program. If he's lucky, the user will thoroughly enjoy the program the first two times it's run, because when he tries to use it the third time, the program he was eager to try will disable his whole system.
Viruses and Worms
People often confuse viruses and worms, so we try to differentiate them in this section. Indeed, they have many similarities, and both can be introduced into systems via Trojan horses.
The easiest way to think of a computer virus is in terms of a biological virus. A biological virus is not strictly alive in its own right, at least in the sense that lay people usually view life. It needs a living host in order to operate. Viruses infect healthy living cells and cause them to replicate the virus. In this way, the virus spreads to other cells. Without the living cell, a virus cannot replicate.
In a computer, a virus is a program which modifies other programs so they replicate the virus. In other words, the healthy living cell becomes the original program, and the virus affects the way the program operates. How? It inserts a copy of itself in the code. Thus, when the program runs, it makes a copy of the virus. This happens only on a single system. (Viruses don't infect networks in the way worms do, as we'll explain below.) However, if a virus infects a program which is copied to a disk and transferred to another computer, it could also infect programs on that computer. This is how a computer virus spreads.
The spread of a virus is simple and predictable--and it can be prevented. Viruses are mainly a problem with PCs and Macintoshes. Virus infection is fortunately hard to accomplish on UNIX systems and mainframes.
Unlike a virus, a worm is a standalone program in its own right. It exists independently of any other programs. To run, it does not need other programs. A worm simply replicates itself on one computer and tries to infect other computers that may be attached to the same network.
NOTE: An important distinction between worms and viruses: A worm operates over a network, but in order to infect a machine, a virus must be physically copied.
Some viruses and worms are nondestructive (comparatively speaking), while others are extremely malevolent. Many common PC viruses, such as Michelangelo, cause machine crashes or data loss as a result of bugs or other unexpected interactions with existing code. The Christmas Tree worm program which attacked IBM systems started out as nondestructive. But, as it spread itself to other computers, it became destructive when it proliferated into the system to such a degree that no other work could be done and the entire network had to be shut down to purge the infection.
The 1988 Internet Worm didn't actually destroy data, but shutting systems and networks down to clean up after it required a vast amount of system administration time and lost productivity among users.
A malevolent virus is meant to do damage. Such viruses are sometimes designed to crash an entire system on a certain date or after so many iterations of self-replication. They may be written to destroy specific application programs or data. The potential impact of a virus is limited only by the imagination of the criminal who writes it. Some government people are concerned that viruses could infect our defense system computers, causing weapons systems to malfunction or become inoperative. Viruses could also be used to crash law enforcement computers, destroying intelligence and investigative information. It would be naive not to believe that our adversaries, both domestic and international, haven't considered these possibilities.
Some crackers see viruses as intellectual challenges. With the advent of freedom in Eastern Europe, there has been an outbreak of computer viruses apparently planted by individuals who believe that in one fell swoop they can express their freedom and also strike back at a government that has oppressed them for years. In Hungary, "Yankee Doodle," "Ivan the Terrible," and "Ping Pong" are all appearing on computer screens across the country. The "Yankee Doodle" virus plays that familiar tune when the computer is turned on. The "Ping Pong" virus attacks the computer when it is turned on but not in use. A ball appears on the screen and bounces back and forth between letters. "Ivan the Terrible" gets into the system and destroys files.
The best ways to prevent viruses and worms from invading a system are:
- Be vigilant about introducing new and untrusted software into a system.
- Use virus scanning software to check for viruses.
- Do frequent and careful backups.
Employees who bring software to the office from their home machines (usually free software they have downloaded from bulletin board systems) are the greatest threat.
The Trojan horse is also a technique for creating an automated form of computer abuse called the salami attack, which works on financial data. This technique causes small amounts of assets to be removed from a larger pool. The stolen assets are removed one slice at a time (hence the name salami). Usually, the amount stolen each time is so small that the victim of the salami fraud never even notices.
One theoretical financial salami attack (it has assumed the status of an urban accounting legend and has never actually been known to have been attempted) involves rounding off balances and crediting the rounded-off amount to a specific account. Suppose that savings accounts in a bank earn 2.3%. Obviously, not all of the computations result in two-place decimals. In most cases, the new balance, after the interest is added, extends out to three, four, or five decimals. What happens to the remainders? Consider a bank account containing $22,500 at the beginning of the year. A year's worth of interest at 2.3% is $517.50, but after the first month the accumulated interest is $43.125. Is the customer credited with $43.12 or $43.13? Would most customers notice the difference? What if someone were funneling off this extra tenth of a penny from thousands of accounts every month? Although this particular salami hasn't to our knowledge been attempted, salamis that shave a quarter on up have been tried.
A clever thief can use a Trojan horse to hide a salami program that puts all of the rounded off values into his account. A tiny percentage of pennies may not sound like much until you add up thousands of accounts, month after month. Criminals using this scheme have been able to steal many thousands of dollars. They are sometimes discovered by a bank audit. More often, they are detected only when they use their new-found gains to entertain a life style that is not supported by their legitimate income.
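The rounding question above, and the audit that catches the scheme, worked through as an added example (not the book's own code). It assumes a documented policy of truncating interest to the cent, with the shaved fraction credited to nobody; the account data is constructed, not real.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.023")  # the 2.3% savings rate used in the text


def monthly_interest_exact(balance):
    """Unrounded interest for one month: balance * 2.3% / 12 (22,500 -> 43.125)."""
    return Decimal(balance) * ANNUAL_RATE / 12


def rounding_choices(balance):
    """The choice the text poses: exact value, truncated to the cent, rounded half up."""
    exact = monthly_interest_exact(balance)
    return (str(exact),
            str(exact.quantize(CENT, rounding=ROUND_DOWN)),
            str(exact.quantize(CENT, rounding=ROUND_HALF_UP)))


def policy_credit(balance):
    """Assumed documented policy: truncate to the cent. The shaved fraction is
    credited to nobody; it simply stays with the bank."""
    return monthly_interest_exact(balance).quantize(CENT, rounding=ROUND_DOWN)


def audit_interest_run(balances, posted):
    """Recompute every account's policy credit and compare it with what the
    interest run actually posted. Returns (discrepancies, excess):
    discrepancies maps account -> posted minus expected for every mismatch,
    excess is the net amount credited beyond policy across the whole run."""
    discrepancies = {}
    expected_total = Decimal(0)
    posted_total = Decimal(0)
    for acct, bal in balances.items():
        expected = policy_credit(bal)
        got = posted.get(acct, Decimal(0))
        expected_total += expected
        posted_total += got
        if got != expected:
            discrepancies[acct] = got - expected
    # A credit to an account with no balance record is unexplained in full.
    for acct in posted.keys() - balances.keys():
        discrepancies[acct] = posted[acct]
        posted_total += posted[acct]
    return discrepancies, posted_total - expected_total


def constructed_balances(n=2000):
    """Constructed sample: n savings accounts with varied balances (not real data)."""
    return {f"A{i:05d}": Decimal(1000 + 37 * i) + Decimal(i % 100) / 100
            for i in range(n)}


def constructed_salami_posting(balances, collector):
    """Constructed test case for the audit: every account is credited per policy,
    and the shaved fractions are summed and posted to one collector account."""
    posted = {a: policy_credit(b) for a, b in balances.items()}
    shaved = sum(monthly_interest_exact(b) - policy_credit(b) for b in balances.values())
    posted[collector] += shaved.quantize(CENT, rounding=ROUND_DOWN)
    return posted


if __name__ == "__main__":
    print(rounding_choices("22500"))  # ('43.125', '43.12', '43.13')
    bal = constructed_balances()
    disc, excess = audit_interest_run(bal, constructed_salami_posting(bal, "A00007"))
    print(disc, excess)  # only A00007 is flagged, by exactly the accumulated fractions
```

The per-account recomputation is what matters: a run that only checks total interest paid against total balances would see a discrepancy of a few dollars a month and dismiss it as rounding.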
Logic bombs may also find their way into computer systems by way of Trojan horses. A typical logic bomb tells the computer to execute a set of instructions at a certain date and time or under certain specified conditions. The instructions may tell the computer to display "I gotcha" on the screen, or they may tell the entire system to start erasing itself. Logic bombs often work in tandem with viruses. Whereas a simple virus infects a program and then replicates when the program starts to run, the logic bomb does not replicate--it merely waits for some pre-specified event or time to do its damage.
Time is not the only criterion used to set off logic bombs. Some bombs do their damage after a particular program is run a certain number of times. Others are more creative. In several cases we've heard about, a programmer told the logic bomb to destroy data if the company payroll is run and his name is not on it; this is a sure-fire way to get back at the company if he is fired! The employee is fired, or may leave on his own, but does not remove the logic bomb. The next time the payroll is run and the computer searches for but doesn't find the employee's name, it crashes, destroying not only all of the employee payroll records, but the payroll application program as well.
Trojan horses present a major threat to computer systems, not just because of the damage they themselves can do, but because they provide a technique to facilitate more devastating crimes.
Breaches of Operations Security
Because operations security includes the setting up of procedures to prevent and detect all types of attacks on systems and personnel, we've discussed elements of operations security in most of the preceding sections. Here, we describe a few special kinds of breaches of operations security.
Data diddling, sometimes called false data entry, involves modifying data before or after it is entered into the computer. Consider situations in which employees are able to falsify time cards before the data contained on the cards is entered into the computer for payroll computation. A timekeeping clerk in a 300-person company noticed that, although the data entered into the company's timekeeping and payroll systems included both the name and the employee number of each worker, the payroll system used only the employee's number to process payroll checks. There were no external safeguards or checks to audit the integrity of the data. She took advantage of this vulnerability and filled out forms for overtime hours for employees who usually worked overtime. The cards had the hardworking employees' names, but the time clerk's number. Payment for the overtime was credited to her, as illustrated in Figure 2-4.
In another case, two employees of a utility company found that there was a time lapse of several days between when meter readings were entered into the computer and when the bills were printed. By changing the reading during this period, they were able to substantially reduce their electric bills and the bills of some of their friends and neighbors.
Why do we discuss these very simple attacks in the context of operations security? Because these attacks should not occur. Operations should be set up in any organization to prevent and detect this type of crime--safeguards on data modification, audits of changed data to be sure it was modified with authorization, and so on.
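The two controls the timekeeping case lacked, as an added example (not from the book): a name-against-number check on each card before it is accepted, and an after-the-fact audit for a single employee number drawing overtime under several names. The employee master file and the cards are constructed data.

```python
# Constructed employee master file (not real data): employee number -> name.
EMPLOYEES = {
    "1001": "Alice Adams",
    "1002": "Bob Brown",
    "1003": "Carol Clark",
    "1007": "Tina Clerk",   # the timekeeping clerk's own number
}

# Constructed overtime cards as keyed for payroll. Each card carries both fields,
# but the payroll system in the text used only the number when cutting checks.
CARDS = [
    {"name": "Alice Adams", "number": "1001", "ot_hours": 6},
    {"name": "Bob Brown",   "number": "1007", "ot_hours": 8},  # Bob's name, clerk's number
    {"name": "Carol Clark", "number": "1007", "ot_hours": 5},  # Carol's name, clerk's number
    {"name": "Tina Clerk",  "number": "1007", "ot_hours": 2},
    {"name": "Dan Doe",     "number": "1099", "ot_hours": 4},  # number not on the master file
]


def validate_cards(cards, employees):
    """Input control: reject any card whose name and number do not agree with the
    master file. Returns a list of (card, reason) for the rejected cards."""
    rejected = []
    for card in cards:
        on_file = employees.get(card["number"])
        if on_file is None:
            rejected.append((card, "employee number not on master file"))
        elif on_file != card["name"]:
            rejected.append((card, f"name/number mismatch: number belongs to {on_file}"))
    return rejected


def numbers_with_multiple_names(cards):
    """After-the-fact audit: employee numbers that appear under more than one name
    in a pay period. One number collecting several people's overtime is the
    pattern in the text."""
    names_by_number = {}
    for card in cards:
        names_by_number.setdefault(card["number"], set()).add(card["name"])
    return {n: sorted(names) for n, names in names_by_number.items() if len(names) > 1}


def overtime_by_number(cards):
    """What a number-only payroll run would pay out, for comparison with the audit."""
    totals = {}
    for card in cards:
        totals[card["number"]] = totals.get(card["number"], 0) + card["ot_hours"]
    return totals


if __name__ == "__main__":
    for card, reason in validate_cards(CARDS, EMPLOYEES):
        print("REJECT", card["number"], card["name"], "-", reason)
    print(numbers_with_multiple_names(CARDS))  # {'1007': ['Bob Brown', 'Carol Clark', 'Tina Clerk']}
    print(overtime_by_number(CARDS))           # 1007 would be paid 15 hours of overtime
```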
Figure 2-4. Data diddling
In "Breaches of Personnel Security" above, we introduced masquerading attacks, particularly those involving one person pretending to be another. But there are some more complex masquerading attacks that can be prevented only by strong operations security.
A method of masquerading that we're seeing in various Internet attacks today is known as IP spoofing (IP stands for Internet Protocol, one of the communications protocols that underlies the Internet). Certain UNIX programs grant access based on IP addresses; essentially, the system running the program is authenticated, rather than the individual user. The attacker forges the addresses on the data packets he sends so they look as if they came from inside a network on which systems trust each other. Because the attacker's system looks like an inside system, he is never asked for a password or any other type of authentication. In fact, the attacker is using this method to penetrate the system from the outside. (This is the method used in the attack on Tsutomu Shimomura's system, which we describe in Chapter 1.)
Figure 2-5 illustrates a particular type of IP spoofing, an IP sequence number attack.
Figure 2-5. IP spoofing
How can an operations security program prevent IP spoofing attacks? Two good ways are to require passwords in all cases and to prevent trust relationships among systems.
Earlier in this chapter, we introduced the use of passwords and the way they can be compromised in masquerading attacks. Chapter 8 will summarize what makes a good password, and what types of passwords you should avoid. However, a relatively new type of attack on the Internet is putting even the most carefully chosen passwords at risk.
Password sniffers are able to monitor all traffic on areas of a network. Crackers have installed them on networks used by systems that they especially want to penetrate, like telephone systems and network providers. Password sniffers are programs that simply collect the first 128 or more bytes of each network connection on the network that's being monitored. When a user types in a user name and a password--as required when using certain common Internet services like FTP (which is used to transfer files from one machine to another) or Telnet (which lets the user log in remotely to another machine)--the sniffer collects that information. Additional programs sift through the collected information, pull out the important pieces (e.g., the user names and passwords), and cover up the existence of the sniffers in an automated way. Best estimates are that in 1994 as many as 100,000 sites were affected by sniffer attacks.
Figure 2-6 shows password sniffing.
One-time passwords and encrypted passwords are good ways to keep password sniffing attacks from compromising systems.
A technique often used by novice crackers, called scanning or war dialing, is another that ought to be prevented by good operations security. Remember the 1983 movie War Games, in which the high school cracker programmed his computer to dial telephone number after telephone number until it found one that connected to a modem?
With scanning, a program known as a war dialer or demon dialer processes a series of sequentially changing information, such as a list of telephone numbers, passwords, or telephone calling card numbers. It tries each one in turn to see which ones succeed in getting a positive response, as shown in Figure 2-7. In War Games, for example, the program dialed all of the telephone numbers in a particular region sequentially; if the number was answered by a tone, it was recorded for later experimentation. The computer doing the calling can make hundreds of telephone calls within several hours.
Suppose that a computer criminal looks in the telephone book and finds that the telephone numbers for the Fourth National Bank range from 791-0000 to 791-5578. Before he goes to bed one night, he programs his computer to call all of the numbers in this range and to record the ones that are answered by a modem. In the morning, he prints out the successful numbers. He now has a list of the telephone numbers that are most likely to give him access to the bank's computers. The next evening, he dials those numbers and tests his skills as a cracker. With skill, determination, and a little luck, he may eventually use these phone numbers as the opening wedge into a bank computer--and eventually into some accounts from which he can transfer funds.
Figure 2-7. Scanning
The programs used for scanning, called war dialers or demon dialer programs, are available from many bulletin board systems (BBSs). Successful scanners often post the telephone numbers they've identified on bulletin boards and in cracker publications.
If a cracker breaks into one user's account, he can compromise and damage that user's files, but he can't ordinarily get beyond the boundaries of the user's account to damage the rest of the system. Or can he? Sometimes, the answer is yes, and the reason is that, too often, users in a system have excess privileges--more privileges than they ought to have. An ordinary user on an ordinary system doesn't need to be able to modify all of the files on that system. And yet, in many systems, a user has the system privileges that entitle him to do just that. The user may never actually want to change anyone else's files--he may not even know that he is allowed to--but nevertheless the privileges are there. If an intruder gets access to the system through the user's account, he can exploit this weakness.
In UNIX environments, intruders who manage to get "root" or "superuser" privileges can play havoc with the system. In mainframe systems, abuse of privileges is sometimes called superzapping. The term comes from Superzap, the name of a utility program that is used in most IBM mainframes. Superzap lets system administrators or other highly trusted individuals override system security to quickly repair or regenerate the system, especially in an emergency. Similar utilities are found on many other types of computer systems. Programs of this kind can be thought of as the master key to the system. They unlock most other safeguards and controls. In the wrong hands, their use can be devastating.
In one case of superzapping, the manager of computer operations in a bank was told by his boss to correct a problem affecting account balances. The problem was originally caused by unanticipated problems in the changeover of the bank's computer system. While working on the project, the manager found that he could use the Superzap program to make other account changes as well, without having to deal with the usual controls, audits, or documentation. He moved funds from various accounts into the accounts of several friends, netting about $128,000 in all. He was detected only when a customer complained about a shortage in his account. Because the Superzap program left no evidence of data file changes, the fraud was highly unlikely to be discovered by any other means.
Superzapping is not intrinsically a crime or even a misdeed. Use of supervisor or root privileges, or the running of programs that bypass security checks, may be necessary and fully authorized. The problem here is in how it is used and why it is not detected and controlled through system logging and auditing, which we'll discuss later in this book. We discuss the abuse of excess privileges in terms of operations security because good operations security ought to include an auditing capability that keeps track of who has what privileges--and makes sure they are needed in each situation.
Superzapping is an especially hard problem to track down. Few people confronted with a computer crime expect that this could be the source of the problem. Because superzapping leaves no evidence of file changes, managers may assume that the loss of funds is a data entry or application program problem. The only reliable way to detect this technique is by comparing current data files with previous generations of the same files.
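The generation comparison described above, as an added example (not the book's code): the previous generation of the account file, the day's transaction journal and the current generation are compared account by account, so that any change the journal does not explain is reported. The files and journal are constructed; the funds moved between accounts are chosen so that the usual batch control total still balances.

```python
from decimal import Decimal

# Constructed previous-generation account file (yesterday's master file).
PREVIOUS_FILE = {"ACCT-100": Decimal("5000.00"), "ACCT-200": Decimal("12000.00"),
                 "ACCT-300": Decimal("750.00"), "ACCT-400": Decimal("3200.00")}

# Constructed transaction journal: every change the application program made
# through the normal controls, with its document reference.
JOURNAL = [
    {"acct": "ACCT-100", "amount": Decimal("-200.00"), "ref": "CHK-5531"},
    {"acct": "ACCT-200", "amount": Decimal("1500.00"), "ref": "DEP-0092"},
    {"acct": "ACCT-300", "amount": Decimal("-50.00"), "ref": "CHK-5532"},
]

# Constructed current generation. ACCT-400 lost $1,000 and ACCT-300 gained
# $1,000 with no journal entry: the footprint of a direct edit of the file.
CURRENT_FILE = {"ACCT-100": Decimal("4800.00"), "ACCT-200": Decimal("13500.00"),
                "ACCT-300": Decimal("1700.00"), "ACCT-400": Decimal("2200.00")}


def journaled_deltas(journal):
    """Net journaled change per account."""
    deltas = {}
    for t in journal:
        deltas[t["acct"]] = deltas.get(t["acct"], Decimal(0)) + t["amount"]
    return deltas


def undocumented_changes(previous, current, journal):
    """Return {acct: unexplained_amount} for every account whose change between
    generations is not accounted for by the journal. Accounts that appear or
    vanish between generations are reported with their full balance."""
    deltas = journaled_deltas(journal)
    findings = {}
    for acct in previous.keys() | current.keys():
        before = previous.get(acct, Decimal(0))
        after = current.get(acct, Decimal(0))
        unexplained = after - before - deltas.get(acct, Decimal(0))
        if unexplained != 0:
            findings[acct] = unexplained
    return findings


def control_total_difference(previous, current, journal):
    """The classic batch control: sum(current) - sum(previous) - sum(journal),
    which should be zero. A zero-sum edit that merely moves funds between
    accounts passes this check, which is why the per-account comparison above
    is still needed."""
    return (sum(current.values()) - sum(previous.values())
            - sum(t["amount"] for t in journal))


if __name__ == "__main__":
    print(control_total_difference(PREVIOUS_FILE, CURRENT_FILE, JOURNAL))  # 0.00: totals balance
    for acct, amount in sorted(undocumented_changes(PREVIOUS_FILE, CURRENT_FILE, JOURNAL).items()):
        print(f"{acct}: {amount:+} not supported by any journal entry")
```

Keeping the journal on a medium the utility cannot also rewrite is what makes this comparison trustworthy; if the same program can edit both the file and the journal, the check only confirms that the two were edited consistently.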
Ways of Detecting Common Attacks
This section provides a quick summary of how you might be able to anticipate or detect the most common types of attacks we've discussed in this chapter. Note that this listing is not exhaustive; too many of the attacks don't fall into neat categories, and too many require a good deal of technical understanding to anticipate and detect. However, this information will give you some guidance in analyzing types of computer crimes and in better understanding the material presented in Part III of this book.
This section briefly summarizes:
- Potential offenders--what type of individual (e.g., a programmer, a spy) might commit a crime of this type.
- Methods of detection--how such crimes are found out (e.g., tracing equipment of various kinds, analyzing log files).
- Evidence--trails that might be left by the intruders and that might help in detection (e.g., system logs, telephone company records).
Dumpster Diving
Potential Offenders
- System users.
- Anyone able to access the trash area.
- Anyone who has access to computer areas or areas used to store backups.
Methods of Detection
- Tracing proprietary information back to its source (e.g., memos with company names or logos).
- Observation (guards may actually see intruders in action).
- Testing an operating system to discover data left over after job execution.
Evidence
- Computer output media (e.g., may contain vendor name or identifying page numbers).
- Similar information produced in suspected ways in the same form.
- Characteristics of printout or other media (e.g., type fonts or logos).
Wiretapping and Eavesdropping
Potential Offenders
- Communications technicians and engineers.
- Agents for competitors.
- Communications employees, former employees, vendors, and contractors.
- Agents for foreign intelligence services.
Methods of Detection
- Voice wiretapping methods.
- Tracing where the equipment used in the crime came from (e.g., monitoring equipment).
- Tracing computer output (e.g., disks and tapes) to their source.
- Discovery of stolen information.
Evidence
- Voice wiretapping as evidence.
- Computer output forms.
- Computer audit logs.
- Computer storage media.
- Characteristics of printout or other media (e.g., type fonts or logos).
- Manual after-hours signin/signout sheets.
Masquerading
Potential Offenders
- Potentially everyone.
Methods of Detection
- Analysis of audit logs and journals (e.g., a log shows that an authorized user apparently logged in, but it is known that the person was away at that time).
- Observation (e.g., an eyewitness saw an intruder at an authorized user's terminal).
- Password violations (e.g., a log shows repeated failed attempts to use an invalid password).
- Report by the person who has been impersonated (e.g., the authorized person logs in, and the system tells him that he has had six unsuccessful logins since the last time he knows he actually logged in).
Evidence
- System audit logs.
- Telephone company records (pen register and dialed number recorder (DNR) records).
- Violation reports from access control packages.
- Notes and documents found in the possession of suspects.
- Excessively large phone bills (excessive message units may indicate that someone is using resources).
Software Piracy
Potential Offenders
- Purchasers and users of commercial software.
- Software pirates.
- Employees who steal proprietary software.
Methods of Detection
- Testimony of legitimate purchasers of software.
- Search of users' facilities and computers.
Evidence
- Pictures of computer screens where pirated software is being executed.
- The contents of memory in computers containing pirated software.
- Copies of media on which pirated software is found.
- Printouts produced by pirated software.
Trap Doors
Potential Offenders
- Systems programmers.
- Applications programmers.
Methods of Detection
- Exhaustive testing.
- Specific testing based on evidence.
- Comparison of specifications to performance.
Evidence
- Programs that perform tasks not specified for them.
- Output reports that indicate that programs are performing tasks not specified for them.
Timing Attacks
Potential Offenders
- Advanced system analysts.
- Advanced computer programmers.
Methods of Detection
- System testing of suspected attack methods.
- Complaints from system users that their jobs are not being performed efficiently.
- Repeat execution of a job under normal and safe conditions.
Evidence
- Output that deviates from normally expected output of logs.
- Computer operations logs.
Trojan Horses, Viruses, Worms, Salamis, and Logic Bombs
Potential Offenders
- Programmers who have detailed knowledge of a program.
- Employees or former employees.
- Vendor or contractor programmers.
- Financial system programmers.
- Computer users.
- Computer operators.
Methods of Detection
- Comparison of program code with backup copies of the program.
- Tracing of unexpected events of possible gain from the act to suspected perpetrators.
- Detailed data analysis, including analysis of program code (e.g., you may detect a virus because a file increases in size when it is modified or because disk space decreases).
- Observation of financial activities of possible suspects (especially for salami attacks).
- Testing of suspect programs.
- Examination of computer audit logs for suspicious programs or pertinent entries (e.g., log entries that show that many programs were updated at the same time) (especially for viruses).
Evidence
- Transaction audits.
- Output reports.
- Unexpected results of running programs.
- Computer usage and file request journals.
- Undocumented transactions.
- Analysis test program results.
- Audit logs.
Data Diddling
Potential Offenders
- Participants in transactions being entered or updated.
- Suppliers of source data.
- Preparers of data.
- Nonparticipants with access.
Methods of Detection
- Comparison of data.
- Manual controls.
- Analysis of computer validation reports.
- Integrity tests.
- Validation of documents.
- Analysis of audit logs.
- Analysis of computer output.
Evidence
- Data documents for source data, transactions, etc.
- Manual logs, audit logs, journals, etc.
- Backups and other computer media (e.g., tapes and disks).
- Incorrect computer output control violation alarms.
Scanning
Potential Offenders
- Malicious intruders.
- Spies attempting to access systems for targeted data.
- Criminals intent on committing fraud.
Methods of Detection
- Computer logs that show when telephone calls were received by the computer and when attempts were made.
- Loss of data or transfer of funds or other assets.
- Telephone company records.
Evidence
- Telephone company records (pen register and dialed number recorder (DNR) records).
- Possession of war dialing programs.
- Computer logs.
- Possession of information compromised as a result of scanning, including lists of telephone numbers.
Excess Privileges
Potential Offenders
- Programmers with access to Superzap-type programs.
- Computer operations staff.
Methods of Detection
- Comparison of files with historical copies.
- Examination of computer usage logs.
- Discrepancies noted by those who receive reports.
Evidence
- Discrepancies in output reports.
- Computer usage and file request journals.
- Undocumented transactions.
1. Some of the types of attacks described in this chapter were originally categorized by Donn B. Parker in Computer Crime: Criminal Justice Resource Manual . That manual is a valuable reference for any investigator involved in computer crime investigations.
2. System V-based systems prior to Release 4 and systems derived from BSD UNIX.
© 2001, O'Reilly & Associates, Inc.