HI, JUST CALLED TO SAY 1001010010010011001001101001110100
Chicago attorney Paul Bernstein is a lawyer, CPA and computer consultant
who ardently believes that every attorney should not only know how to use
a computer, but also learn telecommunications and E-MAIL. Furthermore,
he believes lawyers who do not learn telecommunications will be at a distinct
disadvantage in a competitive field. "In a competitive environment,
lawyers who know [about telecommunications and computers] even at a threshold
level, can retain and obtain clients," says Bernstein. "Those
who do not learn will find that their clients tire and become concerned
about paying their lawyers to educate them." Bernstein is president
of the Chicago-based LAW MUG, the Lawyers Micro-Computer Users Group, and
to emphasize his link to the computer world, his business card does NOT
list his voice phone number, but instead lists six access codes to reach
him by computer. If you want to reach him using the Source Information
Network, the code is TCX488. The monthly Chicago Lawyer newspaper asked
Bernstein to explain how attorneys can use telecommunications. His examples
illustrate why individual use of telecommunications, especially by professionals,
is inevitably going to increase - and why privacy problems are inherent
in the system:
"A not uncommon situation is that a lawyer
is on trial in a collar county or in another state. A question of law
comes up as the day closes in, let's say, California. The office in
Chicago is long since closed and the research is needed that night.
If the lawyer had a portable micro with a modem, the lawyer could do
the research at night on the available data bases and be more than
ready for court the next day."
"Another example is the same lawyer too
far away from the office who has an unexpected question of law come
up during trial or while a contested motion is being heard. The Judge
adjourns the hearing for two hours so that counsel can go to the library
and retrieve citation of authority. Our computerized lawyer remembers
that the law firm did a brief on that very topic some months ago. The
computerized attorney, with his portable micro in hand, could dial
up the law firm's data base, talk to a paralegal on the phone, have
a revised draft of the memorandum of law done immediately and have
it telecommunicated to him or her for printout and delivery to opposing
counsel and the Court when the adjourned hearing recommences."
"Your tax partner is out of town and
very hard to reach as the client matter she is involved with is very
significant. However, you have a pretty big problem too and need a
quick tax opinion. If the traveling tax attorney was hooked up to the
ABA/Net and/or the law firm's own Bulletin Board System, the problem
could be communicated and the answer received overnight. Telephone
tag is impossible, we've all gone through it over and over again, and
telecommunications and electronic mail is the ONLY method of clearly
solving the problem today."
"Your client has some questions for you
about their case. They need an immediate answer, but you're on trial!
And when you're on trial, not even the President of the United States
can get to you. But the client wants an answer. Telecommunications
again is the key. You get off trial at 6:00, have dinner, and at midnight
your preparation for the next day is over. Why not access your telecommunications
network, see your client's inquiry and answer it!"
COMPUTER SECURITY AND DATA THEFT
The problem of the handful of computer "Hackers" who have penetrated
military, medical, credit, and other sensitive data bases using home computers
hit the headlines hard last year. Computer crime has been with us since
we have had computers, and stories about the discovery of illicit fund
or data transfer do circulate more frequently now than a few years ago.
The increase in publicity about these nefarious abuses unique to the computer
age has prompted a long-overdue reaction -- and moves to install better
security systems on electronic data bases are well underway. One problem
in implementing electronic data security systems has been what Privacy
expert Professor George Trubow regards as a "natural technological
conflict" especially for those data bases with many clients who need
to access a system without specialized training - the simpler and more "user
friendly" the system, the easier it is to penetrate ... and conversely,
the harder a system is to penetrate, the harder it is to use. This conflict,
however, has a technical solution which time, experience, and some talented
programming should be able to deliver.
In reality, in corporate offices the real data security questions do not
revolve around high school students in Wisconsin, but a researcher at a
competing firm or worse yet, professional industrial espionage pirates
sailing the digital high seas. Much of the information stored in electronic
data bases or transmitted electronically on behalf of clients is very sensitive.
So too is internal information generated by corporations themselves. "How
would you like it if some competing firms had your client list?" asks
Trubow, or if you are an attorney, "what if you were preparing for
trial and someone obtained your litigation theory in a particular controversy,
or your witness list with notations on who was going to prove which elements
in a prima facie case?" With penetration of data bases and data transmission
a regular feature of the computer age, there needs to be a clarification
of laws regarding expectations of privacy and liability, yet the question
of ultimate liability for computer data theft is a difficult issue with
much disagreement among those studying the issue.
On a practical level, persons who use electronic data transfer systems
or who have their computers hooked up to LEXIS, NEXIS, Dow Jones, DIALOG
or other services which rely on phone links should investigate security
measures. Physical isolation devices, monitoring and logging software,
passwords, and data encryption schemes are becoming more readily available
from computer and software vendors. For an excellent discussion of the
intricacies of property rights and privacy issues in data bases and telecommunication,
see the article by Anne Wells Branscomb available at the conference.
THE HACKERS -- FROM CURIOUS TO CRIMINAL
The original computer hackers who broke into databases and networks were
careful to leave no traces of their entry and to not disturb the data.
This soon changed as less sophisticated and more malicious computer hackers
came on the scene. The malicious Hacker horror stories have filled newspapers
and magazines for over a year. Often the less responsible computer "hackers" prowl
the electronic alleyways at night, when many firms leave their computer
systems on and attached to phone lines to transmit large blocks of data
when phone rates are cheaper. With nobody in the office, penetration of
data bases which lack proper security is often only a matter of time and
patience. Some hackers have been amazed to discover that firms which have
installed password protection schemes to prevent unauthorized access have
failed to change the original password which came with the system -- "PASSWORD." What
can happen if your system is easy to penetrate?
While not all Hackers are data thieves or vandals, some few malicious modem
miscreants have been known to penetrate a computer system and not only
steal but also scramble the data. Imagine switching on your terminal one
morning only to discover 300 pages of text had been transformed into a
series of seemingly random numbers? As is often the case, the best sense
of Hacking and Hacker morality comes from the literature of that subculture
itself. Here are excerpts from three articles in a recent issue (Number
91!) of the original newsletter for Hackers and "Phone Phreaks" called,
appropriately, "TAP: The Hobbyist's Newsletter for the Communications
Revolution."
DUNN AND BRADSTREET: Do They Know Something That We Don't
By BOIC Agent 003 and Tuc
In issue #90, we explained how to use the
Dunn and Bradstreet system (which is now known as Dunsprint). A week
after the issue was mailed a phellow phreak found out that a copy
of the issue had fallen into the hands of our "friends" and
D & B. To say the least, they weren't exactly thrilled about it.
In fact, they did not even believe that they had a security problem!
Well, that just goes to prove that if you are good (or they are incredibly
stupid, whichever the case may be) no one will know that you are there!
In a big effort to defeat hackers, they called in an outside service
to spruce up their "security." Fortunately for us, we were
able to find out about the new system! This was not really a problem,
though. First, they had the new dial-ups posted when you logged on.
Secondly, they have a nice little place on Telenet! (Where we do most
of our "work" -- [deleted]) Sorry D & B .... Good news
travels fast!
A Lesson in Phreaking and Hacking Morality:
By Big Brother
I find it truly discouraging when people,
intelligent people seeking intellectual challenges, must resort to
becoming common criminals. The fine arts of hacking and boxing have
all but died out. Though you newcomers, you who have appeared on the
scene in the last year or two, may not realize it, we had it much better.
People didn't recognize our potential for destruction and damage because
we never flaunted it, nor did we exercise it. For hacking, it was the
intellectual challenge which drove us to do it. The thrill of bypassing
or breaking through someone's computer security was tremendous. It
wasn't a case of getting a password from a friend, logging on, and
destroying an entire database. We broke in for the challenge of getting
in and snooping around WITHOUT detection. We loved the potential for
destruction that we gave ourselves but never used. Today, after so
much publicity, the fun has turned to true criminality. Publicity we
have received is abhorring. From WarGames to the headlined October
Raids, to the 404's, the Inner Circle, Fargo 4A, and the recent NASA
breakins -- not to mention all the local incidents that never made
the big newspapers, like breakins at school computers or newspaper
computers. TRW credit information services claim hackers used the three
stolen accounts to aid them in abusing stolen credit cards. The thrill
of entering and looking around has shifted to criminal practicality
-- how can I make my bank account fatter -- how may I use this stolen
credit card to its fullest -- how could I take revenge upon my enemies.
By Cheshire Catalyst, Managing Editor
The corporate types should realize that if
a teenager hacker is getting into their system, an industrial spy could
have been logging in regularly for the past 3 years. While I may not
particularly care for a TRW or [Citibank] having "Confidential
Information" about me, I especially don't like the idea of unauthorized
people spreading the data around. There are no quick answers, because
computer security is not just a matter of hardware, software, locks
and walls. Security is a people problem. When you put in locks, you
watch the people you give the keys to (notice an analogy to encryption
here). If these people FEEL they're being watched, they may get "disgruntled." Needless
to say, a disgruntled employee is worse than almost anything else you
could be combating. Any of our corporate subscribers who would like
to wake up their management to the vulnerabilities of computer systems
should be made aware that I am available for lectures and consulting.
Just drop me a line at the TAP maildrop, or via MCI Mail (Username:
TAP), or telex number 650-119-5732.
Well, you ask yourself, what are we supposed to learn from that?
· There will be Hackers who manage to penetrate data bases and networks
as long as human children (and adults) have the desire to open closed drawers
and cookie jars. There is no ultimate technological solution to the problem.
It is an ethical/legal problem.
· There is a difference between "Curious Hacking" and "Malicious
Hacking" which legislation should recognize.
· Hackers make terrific security consultants. This is related to
the above since sentencing apprehended Curious Hackers to do security consulting
has a certain symmetry and elegance. (Although Hackers should only be hired
along with other more mainstream security analysts).
· A bill introduced March 7, 1985, in the California Senate by Senator
Doolittle (SB 1012) takes these points into account (see Appendix L), and
provides a solid foundation for further discussion.