
COMPUTER SECURITY AND DATA THEFT

THE HACKERS -- FROM CURIOUS TO CRIMINAL

HI, JUST CALLED TO SAY 1001010010010011001001101001110100

Chicago attorney Paul Bernstein is a lawyer, CPA and computer consultant who ardently believes that every attorney should not only know how to use a computer, but also learn telecommunications and E-MAIL. Furthermore, he believes lawyers who do not learn telecommunications will be at a distinct disadvantage in a competitive field. "In a competitive environment, lawyers who know [about telecommunications and computers] even at a threshold level, can retain and obtain clients," says Bernstein. "Those who do not learn will find that their clients tire and become concerned about paying their lawyers to educate them." Bernstein is president of the Chicago-based LAW MUG, the Lawyers Micro-Computer Users Group, and to emphasize his link to the computer world, his business card does NOT list his voice phone number, but instead lists six access codes to reach him by computer. If you want to reach him using the Source Information Network, the code is TCX488. The monthly Chicago Lawyer newspaper asked Bernstein to explain how attorneys can use telecommunications. His examples illustrate why individual use of telecommunications, especially by professionals, is inevitably going to increase, and why privacy problems are inherent in the system:

    "A not uncommon situation is that a lawyer is on trial in a collar county or in another state. A question of law comes up as the day closes in, let's say, California. The office in Chicago is long since closed and the research is needed that night. If the lawyer had a portable micro with a modem, the lawyer could do the research at night on the available data bases and be more than ready for court the next day."

    "Another example is the same lawyer too far away from the office who has an unexpected question of law come up during trial or while a contested motion is being heard. The Judge adjourns the hearing for two hours so that counsel can go to the library and retrieve citation of authority. Our computerized lawyer remembers that the law firm did a brief on that very topic some months ago. The computerized attorney, with his portable micro in hand, could dial up the law firm's data base, talk to a paralegal on the phone, have a revised draft of the memorandum of law done immediately and have it telecommunicated to him or her for printout and delivery to opposing counsel and the Court when the adjourned hearing recommences."

    "Your tax partner is out of town and very hard to reach as the client matter she is involved with is very significant. However, you have a pretty big problem too and need a quick tax opinion. If the traveling tax attorney was hooked up to the ABA/Net and/or the law firm's own Bulletin Board System, the problem could be communicated and the answer received overnight. Telephone tag is impossible, we've all gone through it over and over again, and telecommunications and electronic mail is the ONLY method of clearly solving the problem today."

    "Your client has some questions for you about their case. They need an immediate answer, but you're on trial! And when you're on trial, not even the President of the United States can get to you. But the client wants an answer. Telecommunications again is the key. You get off trial at 6:00, have dinner, and at midnight your preparation for the next day is over. Why not access your telecommunications network, see your client's inquiry and answer it!"

COMPUTER SECURITY AND DATA THEFT

The problem of the handful of computer "Hackers" who have penetrated military, medical, credit, and other sensitive data bases using home computers hit the headlines hard last year. Computer crime has been with us since we have had computers, and stories about the discovery of illicit fund or data transfer do circulate more frequently now than a few years ago. The increase in publicity about these nefarious abuses unique to the computer age has prompted a long-overdue reaction -- and moves to install better security systems on electronic data bases are well underway. One problem in implementing electronic data security systems has been what privacy expert Professor George Trubow regards as a "natural technological conflict," especially for those data bases with many clients who need to access a system without specialized training: the simpler and more "user friendly" the system, the easier it is to penetrate ... and conversely, the harder a system is to penetrate, the harder it is to use. This conflict, however, has a technical solution, which time, experience, and some talented programming should be able to deliver.

In reality, in corporate offices the real data security questions do not revolve around high school students in Wisconsin, but around a researcher at a competing firm or, worse yet, professional industrial espionage pirates sailing the digital high seas. Much of the information stored in electronic data bases or transmitted electronically on behalf of clients is very sensitive. So too is internal information generated by corporations themselves. "How would you like it if some competing firms had your client list?" asks Trubow, or, if you are an attorney, "what if you were preparing for trial and someone obtained your litigation theory in a particular controversy, or your witness list with notations on who was going to prove which elements in a prima facie case?" With penetration of data bases and data transmission a regular feature of the computer age, there needs to be a clarification of laws regarding expectations of privacy and liability, yet the question of ultimate liability for computer data theft is a difficult issue with much disagreement among those studying the issue.

On a practical level, persons who use electronic data transfer systems or who have their computers hooked up to LEXIS, NEXIS, Dow Jones, DIALOG or other services which rely on phone links should investigate security measures. Physical isolation devices, monitoring and logging software, passwords, and data encryption schemes are becoming more readily available from computer and software vendors. For an excellent discussion of the intricacies of property rights and privacy issues in data bases and telecommunication, see the article by Anne Wells Branscomb available at the conference.

THE HACKERS -- FROM CURIOUS TO CRIMINAL

The original computer hackers who broke into databases and networks were careful to leave no traces of their entry and not to disturb the data. This soon changed as less sophisticated and more malicious computer hackers came on the scene. The malicious Hacker horror stories have filled newspapers and magazines for over a year. Often the less responsible computer "hackers" prowl the electronic alleyways at night, when many firms leave their computer systems on and attached to phone lines to transmit large blocks of data when phone rates are cheaper. With nobody in the office, penetration of data bases which lack proper security is often only a matter of time and patience. Some hackers have been amazed to discover that firms which have installed password protection schemes to prevent unauthorized access have failed to change the original password which came with the system -- "PASSWORD." What can happen if your system is easy to penetrate?

While not all Hackers are data thieves or vandals, some few malicious modem miscreants have been known to penetrate a computer system and not only steal but also scramble the data. Imagine switching on your terminal one morning only to discover that 300 pages of text had been transformed into a series of seemingly random numbers. As is often the case, the best sense of Hacking and Hacker morality comes from the literature of that subculture itself. Here are excerpts from three articles in a recent issue (Number 91!) of the original newsletter for Hackers and "Phone Phreaks" called, appropriately, "TAP: The Hobbyist's Newsletter for the Communications Revolution."

    DUNN AND BRADSTREET: Do They Know Something That We Don't

    By BOIC Agent 003 and Tuc

    In issue #90, we explained how to use the Dunn and Bradstreet system (which is now known as Dunsprint). A week after the issue was mailed a phellow phreak found out that a copy of the issue had fallen into the hands of our "friends" and D & B. To say the least, they weren't exactly thrilled about it. In fact, they did not even believe that they had a security problem! Well, that just goes to prove that if you are good (or they are incredibly stupid, whichever the case may be) no one will know that you are there! In a big effort to defeat hackers, they called in an outside service to spruce up their "security." Fortunately for us, we were able to find out about the new system! This was not really a problem, though. First, they had the new dial-ups posted when you logged on. Secondly, they have a nice little place on Telenet! (Where we do most of our "work" -- [deleted]) Sorry D & B .... Good news travels fast!

    A Lesson in Phreaking and Hacking Morality:

    By Big Brother

    I find it truly discouraging when people, intelligent people seeking intellectual challenges, must resort to becoming common criminals. The fine arts of hacking and boxing have all but died out. Though you newcomers, you who have appeared on the scene in the last year or two, may not realize it, we had it much better. People didn't recognize our potential for destruction and damage because we never flaunted it, nor did we exercise it. For hacking, it was the intellectual challenge which drove us to do it. The thrill of bypassing or breaking through someone's computer security was tremendous. It wasn't a case of getting a password from a friend, logging on, and destroying an entire database. We broke in for the challenge of getting in and snooping around WITHOUT detection. We loved the potential for destruction that we gave ourselves but never used. Today, after so much publicity, the fun has turned to true criminality. Publicity we have received is abhorring. From WarGames to the headlined October Raids, to the 404's, the Inner Circle, Fargo 4A, and the recent NASA breakins -- not to mention all the local incidents that never made the big newspapers, like breakins at school computers or newspaper computers. TRW credit information services claim hackers used the three stolen accounts to aid them in abusing stolen credit cards. The thrill of entering and looking around has shifted to criminal practicality -- how can I make my bank account fatter -- how may I use this stolen credit card to its fullest -- how could I take revenge upon my enemies.

    By Cheshire Catalyst, Managing Editor

    The corporate types should realize that if a teenager hacker is getting into their system, an industrial spy could have been logging in regularly for the past 3 years. While I may not particularly care for a TRW or [Citibank] having "Confidential Information" about me, I especially don't like the idea of unauthorized people spreading the data around. There are no quick answers, because computer security is not just a matter of hardware, software, locks and walls. Security is a people problem. When you put in locks, you watch the people you give the keys to (notice an analogy to encryption here). If these people FEEL they're being watched, they may get "disgruntled." Needless to say, a disgruntled employee is worse than almost anything else you could be combating. Any of our corporate subscribers who would like to wake up their management to the vulnerabilities of computer systems should be made aware that I am available for lectures and consulting. Just drop me a line at the TAP maildrop, or via MCI Mail (Username: TAP), or telex number 650-119-5732.

Well, you ask yourself, what are we supposed to learn from that?

· There will be Hackers who manage to penetrate data bases and networks as long as human children (and adults) have the desire to open closed drawers and cookie jars. There is no ultimate technological solution to the problem. It is an ethical/legal problem.

· There is a difference between "Curious Hacking" and "Malicious Hacking" which legislation should recognize.

· Hackers make terrific security consultants. This is related to the point above, since sentencing apprehended Curious Hackers to do security consulting has a certain symmetry and elegance (although Hackers should only be hired along with other, more mainstream security analysts).

· A bill introduced March 7, 1985, in the California Senate by Senator Doolittle (SB 1012) takes these points into account (see Appendix L), and provides a solid foundation for further discussion.

Political Research Associates
