In response to Crypt Newsletter's series of articles on "The Nutty Professors" of computer crime and increasing opprobrium from the Internet, David L. Carter's homepage at Michigan State University has had access controls applied to it. The Carter and Katz paper is no longer readable from the Internet. (This is interesting because no other faculty members in the MSU Dept. of Criminal Justice with Webpages have them read-protected.)
In any case, Crypt Newsletter thought of this possibility months ago and copied the Carter paper off the site.
For your consideration, the parts of interest from it are presented below. Italicized passages are editor's comments.
---------------
Trends and Experiences in Computer-Related Crime: Findings From A National Study

A Paper Presented at the Annual Meeting of the ACADEMY OF CRIMINAL JUSTICE SCIENCES
Las Vegas, Nevada, 1996

by

David L. Carter
School of Criminal Justice
560 Baker Hall
Michigan State University
East Lansing, MI, 48824-1118
david.carter@ssc.msu.edu

Andra J. Katz
Administration of Justice
1845 Fairmount - Box 95
Wichita State University
Wichita, KS, 67260-0095
katz@twsuvm.uc.twsu.edu

Copyright 1996 by David L. Carter and Andra J. Katz.
ABSTRACT
A national study of corporate security directors was conducted to examine their experiences with computer crime. Using established survey research methods, the authors assessed the extent of victimization, the character of computer crimes, who the perpetrators were, the introduction of viruses, unauthorized access to computer files, harassment via computers, destruction of virtual property, telecommunications fraud via computers, and computer security counter measures. The results showed that 98.5% of the reporting businesses had been victimized by computer crime with the most common target being the theft or attempted theft of intellectual property. Full-time employees committed the most crimes although a substantial number of incursions by hackers were reported with this threat growing disproportionately. Significant relationships were found between employees introducing viruses into computers and the unauthorized "browsing" of files as precursors to stealing or attempting to steal information. With respect to security counter measures, there were statistically significant relationships for the use of data encryption, operations security, and surveillance of employees when tested against the different security counter measures. Use of authentication software and firewalls did not show significant relationships as security counter measures, most likely because of extraneous variables. The significant findings are discussed with anecdotes and motivations of behaviors.
Introduction
With the growth of technology and the evolution of computerization, we have not only seen new types of crime emerge, but the character of these crimes has changed rapidly as a result of developing technological capacities. Certainly there has been some empirical exploration of these offenses, most of which has been done by private security organizations largely along the lines of a risk assessment for specific industries. While these inquiries have provided new insights, they have generally been narrowly focused and unpublished.
There have been increasing numbers of books and publications on computer-related crime by the National Institute of Justice, Bureau of Justice Statistics, and the Office of Technology Assessment, but many of these are already dated and, similarly, were somewhat narrow in focus. Other publications have occurred in such places as the FBI Law Enforcement Bulletin, the Police Computer Review, news stories, and a few training papers (notably from the Florida Association of Computer Crime Investigators; the High Tech Criminal Investigators Association; and the Federal Law Enforcement Training Center's Financial Fraud Institute), but they tend to address specific issues or cases. In essence, a comprehensive, contemporary, and empirical review of (1) the character of computer-related crime and (2) the consequences of computer-related crime appears not to exist. Given the dramatic economic impact these offenses can have, greater information is needed for policy makers, law makers, and investigators.
Carter and Katz seem almost completely oblivious to the large amount of published literature on computer crime and hacking, much of it available in good bookstores and libraries. Oddly, almost no one who has published regularly in the field of computer crime relies very heavily on publications from the National Institute of Justice, the FBI's Law Enforcement Bulletin or the Government Accounting Office.
Indeed, the growing concern about computer crime and computer security is most visible on the Internet. For example, using Digital's Alta Vista search engine the researchers found 10,000 hits on computer crime and security. Information on the Web is increasingly available on computer crime issues such as CyberLaw (trade mark) (http://www.portal.com/~cyberlaw), CyberCops (http://www.well.com:80/user/kfarrand/index.htm), and inclusion of computer crime issues on Web home pages of the FBI (http://www.fbi.gov) and the National Security Institute (http://nsi.org). These factors are cited to illustrate the breadth of concern. Ironically, however, there is very limited empirical research on the problem.
Pages of copy not germane to this discussion, deleted.
In the following section, Carter and Katz discuss "unauthorized access to files" as computer crime. Their illustrative example is, astonishingly, a joke article from an April Fool's 1995 issue of Datamation magazine.
Unauthorized Access to Files: "Browsing"
Federal agents arrested 74 computer hackers in various states in an operation named Moon Angel. Mostly teen-agers, the members were a high-tech gang that repeatedly penetrated business and government computer systems and "had their way with them." The hackers reportedly broke into a NASA computer responsible for controlling the Hubble telescope and are also known to have re-routed telephone calls from the White House to Marcel Marceau University, a miming institute. One of the hackers, known as "Brain Dead" said, "getting arrested for hacking is the first significant step in my career goal of becoming a highly paid security consultant." Datamation, April 1, 1995
The next part of Carter and Katz's paper discusses computer viruses, a subject they promptly demonstrate they know nothing about.
Again, all the working examples cited do not exist, being jokes taken from April Fool's stories in the computer press. Indeed, when comparing the Carter and Katz copy to the published versions in Datamation, the wording and style are preserved almost exactly.
Virus Introduction
Viruses are created for a wide array of reasons and can have many different effects depending on the creator's intent. As an illustration, several new insidious viruses have been found. "Gingrich" randomly converts word processing files into legalese often found in contracts. The only way to combat this virus is to type your name at the bottom of the infected file, thereby signing it. "Clipper" scrambles all of the data on a hard drive, thereby rendering it useless. "Lecture" deliberately formats the hard drive, destroying all data and then scolds the user for not catching it. "Clinton" is designed to infect programs, but it then eradicates itself when it cannot decide which program to infect. "SPA" examines programs on the hard disk to see whether they are properly licensed. If illegally copied software is detected, the virus seizes the PC's modem and automatically dials 911 and asks for help. (see Datamation, April 1, 1995.)
A programmer fearing the loss of his job at a California defense firm planted a logic bomb in his employer's computer. The secret program was designed to destroy data during a federal holiday and then destroy itself. After that, the man hoped, the firm would find its vital inventory control programs useless and would have to hire him back as a consultant to recover the mysteriously lost computer code. But a co-worker stumbled across the logic bomb before it went off, erased it and alerted federal agents. NewsBytes, AOL, February 5, 1995.
The next paragraph reveals a lack of depth in surveying the published literature on the subject. Many, many, many BBSes containing viruses for download existed in the continental United States as early as 1992. By 1994, many had migrated to Internet Web sites and public FTP directories on assorted commercial and amateur Internet Service Providers.
For those malcontent computer users who are looking for "ready made" viruses there is a BBS in France, accessible via the Internet, which has a large collection of diverse viruses which can be downloaded and then introduced into the targeted computer. Certainly the capacity to infect a computer is available and is occurring on an increasing, although not epidemic, basis.
More discussion deleted.
For example, there is evidence that activists in both the environmental and animal rights movements have infected computers of companies which the activists view as having corporate policies which are harmful to their respective causes.
Evidence? No citation available.
. . . A . . . reason for infecting a computer may simply be called "gamesmanship." In these cases the virus is typically introduced by a hacker to "play with" the system but with no intent to cause permanent damage, such as the "Clinton" virus previously discussed. (But this virus does not exist.) Despite this lack of malice, the business will still suffer some financial loss because of lower productivity while the virus is present and the cost related to eradicating the problem. Moreover, there could be accidental damage caused by the virus itself or attempts to repair the problem. (BUT THIS VIRUS DOES NOT EXIST.)
Remainder of discussion deleted. If you really wish to see complete copies, e-mail Crypt Newsletter.
References
Baum, M.S. (1995). As cited in: Why many businesses can't keep their secrets. Wall Street Journal, November 20, 1995, p. B1.

Bishop M. & D.V. Klein. (1995). Improving system security via proactive password checking. Computers and Security. Vol. 14:233-249.

Carter, D.L. (1995). A Typology of Computer-Related Crime. A paper presented at the International Conference on Organized Crime, The Police Staff College, Bramshill House, England.

Carter, D.L. (1995). "Computer-Related Crime." FBI Law Enforcement Bulletin. (August).

Collinson, H. (1995). Recent literature. Computers and Security. Vol. 14:215-220.

Florida Department of Law Enforcement. (1989). Computer Crime in Florida. An unpublished report prepared by the Florida Department of Law Enforcement, Tallahassee, Florida.

Katz, A.J. Computers: The Changing Face of Criminality. A doctoral dissertation submitted to the School of Criminal Justice, Michigan State University, East Lansing, Michigan.

Kerlinger, F. (1977). Foundations of Behavioral Research. New York: Holt, Rinehart and Winston.

Manzi, M. (1995). Personal interview with Special Agent Merle Manzi, Florida Department of Law Enforcement and Vice-President of the Florida Association of Computer Crime Investigators (FACCI). Interview on November 11, 1995.

Monkerud, D.D. (1995). Computer security and computer crime. Uniforum Magazine. (Electronic E-mail copy). (December).

Parker, D. B. (1978). Crime by Computer. New York: Charles Scribner's Sons.

Parker, D. B. (1989). Fighting Computer Crime. New York: Charles Scribner's Sons.

Rosener, J. (1994). CyberLaw. April, (America Online).

Rosener, J. (1995). CyberLaw. October, (America Online).

Herfernan, R. (1995). Securing Proprietary Information (SPI) Committee of the American Society of Industrial Security. Committee presentation at the ASIS Annual Meeting, New Orleans, LA, September 12, 1995.

Toffler, A. (1990). PowerShift. New York: Bantam Books.

Tripp, B. (1995). Survey of the Counterintelligence Needs of Private Industry. Washington, DC: National Counterintelligence Center and the U.S. Department of State Overseas Security Advisory Council.

U.N. Commission on Crime and Criminal Justice. (1995). United Nations Manual on the Prevention and Control of Computer-related Crime. New York: United Nations.

U.S. Congress. (1995). Annual Report to Congress on Foreign Economic Collection and Industrial Espionage. Washington, DC: Government Printing Office.

Van Duyn, J. (1985). The Human Factor in Computer Crime. Princeton, NJ: Petrocelli Books, Inc.