Fundamental Truths About High-Tech Crime
Connecticut Hacker Newsgroup - Issue 4
By: Ron Hale
Some members of our society are greatly benefiting from new technology and are exploiting it in ways never imagined. Unfortunately, they re employing high technology to further criminal enterprises. High-technology crime was born almost simultaneously with legitimate uses Of computers, and continues to thrive as new, attractive technologies become available. And it will continue to grow as new user-empowering technologies are introduced and as more businesses and individuals have access to information systems.
To understand high-technology crime, and to appreciate its significance and potential, we must understand some fundamental truths, about crime and how these relate to high technology.
Truth 1: Crime, like water, follows the path of least resistance
To understand crime you must realize that if an opportunity exists it will be exploited. Just as cars and the superhighway systems gave rise to bank robbery rates in the '5Os, the availability of computer and communications technologies will increase the incidence of technology-related crimes today. Computers and communication systems will be instrumental in completing criminal acts that under other circumstances would be completed traditionally. Like businesses, criminals in most cases look to technology for the benefits provided. As our society becomes more dependent on technology, and as more individuals, have access to information and communication systems, criminal exploits naturally will become more technology intensive.
Truth 2: Highly complex technical crimes are the exception rather than the rule.
Since the first computer crime was reported, we have been led to believe that the nature of technology crime was primarily technical. To gain from a criminal enterprise, offenders needed to have a significant understanding of inforation system architectures, system Software, specific applications and network technologies. This focus led us to believe that system cracking, infections through viruses and other malicious code, and breaking application security represented the most significant opportunities, for crime. Studies predicted potential annual losses in the billions. In reality, however, although there are spectacular highly technical crimes resulting in very significant losses, the majority of technology crime may be less technical than we suspected.
The largest single wire transfer fraud in this country was possible because of collusion and weaknesses in control procedures. The mechanism was technical but the means was traditional. Although spectactir highly technical crime will occur, the greatest incidence of crime will be less technical in nature.
We must understand that criminals will exploit technology to the extent necessary to facilitate crime. Since technology is an effective facilitator, we can expect technology to be increasingly used as an element of more traditional crimes. We also must understand, from a national policy standpoint, that to the extent that crime pervades the information highway, travelers increasingly will be at risk.
Truth 3: Old crimes take on new meaning with increased technology.
The availability and advantages of high technology may change the mix of criminal activities. In some cases, crimes that had not been well practiced may increase as tecnology replaces the need for skill. With forgery, due to the availability of scanners, color printers, and special software, an unskilled operator can mimic a master engraver. The result: document forgery can be practiced by anyone.
New opportunities for crime may become possible through the exploitation of technology. These may be variations on a theme in the sense that the opportunity will be new, but the nature of the crime will be the same, For example, theft of services has been a problem as long as services of value could be stolen. A modem example is communications fraud. When communication companies controlled long-distance, few were able to exploit the technology for financial gain. With deregulation, and the decision of business to manage long-distance and other communication services through their own Private Branch Exchanges (PBX), a new opportunity was created.
Weaknesses in the way systems were installed and managed has given a tremendous opportunity to criminals who make millions for the effort. Although certain skill is required to gain access to PBX systems, almost no skill is needed to operate long-distance, call-sell operations. With annual losses conservatively estimated at between $3 and $5 billion, there is sufficient motivation for the technical few to find and compromise systems so that others can sell the service.
As new technologies are introduced, they are as likely to be exploited for criminal as well as legitimate use. In some cases technically oriented individuals may be enlisted to support larger criminal enterprises. Otherwise law abiding citizens, because of potential gains, may be motivated to participate in crime. Yet, for the most part, new crimes will not be created. Old crimes will become more lucrative because they are easier and more profitable. Additional criminal opportunities may be created because a new niche will develop out of weaknesses in policy or practice. In this case technology may spawn opportunities for crime.
Truth 4: Geographic boundaries are meaningless in an electronic age.
Modem law enforcement must deal with the mobile criminal. Often, agencies cooperatively investigate crimes since sophisticated criminal understand that the risk of arrest increases with the length of time in any geographic area. Property crimes are only solved because the offenders have been in an area too long.
With technology, crime geography is meaningless. With the speed of an electron you can be around the world. Connections that require access through successive systems hide both identity and location. As physical presence becomes less significant, opportunities for detecting criminal activities and for apprehending offenders become less frequent.
Without geography, jurisdiction is difficult to determine. Cooperation among government agencies becomes almost impossible under the traditional police agency model. A victim may report a crime, but the agency responsible for investigation will not have the ability to share information or develop leads indicating a larger conspiracy. If an offender is caught, the odds of finding the full extent of the crime are virtually nil. Without information from the offender, or evidence retrieved from computer and commmunication system records, it may not be possible to identify other victims. Without such information it is difficult to get the attention of prosecutors and judges.
To be effective in a technical world, law enforcement agencies must establish contacts with other investigators, share information and support prosecutions for crimes committed without regard to geography. Although criminals have been eager to accept new opportunities presented through advanced technology, law enforcement has been hesitant. As violent crimes gain more attention and resources, nonviolent crimes, in particular technical crimes, are sometimes forgotten. Few departments have the trained personnel or resources to dedicate to technical crimes.
Truth 5: Society is hesitant to impose the controls necessary to deter or detect electronic criminals.
With the promotion of an electronic frontier available through an information superhighway, there is little consideration given to crime or criminal opportunity. In the days of the wild west, pioneers took risks and brought order to what had been an unsettled environment. As more people were attracted to an area, social conventions that had the, force of law developed through mutual consensus. As the population grew, elements were attracted that soon required more formalized laws and a structure for detecting and punishing transgressions.
Our electronic frontier has currently developed conventions. With the rapid increase in Internet Users, many conventions are challenged or openly disregarded. The punishment of "flaming" will not be as effective as the number of new users outnumbers the old-time pioneers.
Imposing rules and structure over behavior is easier and more acceptable than limiting personal expressions or electronic access. Requiring citizens to purchase and display a vehicle license can be effectively accomplished without creating public outcry. Requiring licensing to identify users across an open network will be impossible, if driven by the government. Such requirements appear to impose restrictions that limit what we feel are our fundamental rights.
Without the ability to ID parties to a communication across an endless network of systems, electronic commerce cannot be implemented.
Commercial conventions similar to a signature, cannot be developed. Unless the users mutually agree to impose and accept certain limitations, controls cannot be imposed. Without the ability to positively identify communicating parties, criminal elements will flourish. They will have free unrestricted access with the ability to take on any identity required to attract or gain the confidence of their intended victims.
Unfortunately, users across bulletin boards or information services tend to trust other users and information received because both they and the party to the communication are part of the fraternity of users. Crime can flourish in such an environment. These simple truths lead us to draw certain conclusions about the nature of controls within a technical environment.
Controls. including manual and automated procedures, must be comprehensive. reliance on a technical control such as access control systems may not be sufficient when criminals are attacking from all directions. We know that system crackers rely on social engineering and dumpster diving to gain information that facilitates system penetrations. We have seen that criminals will use technical means for financial gain in ways that mimic traditional crimes. To develop a reliable and effective control structure we must blend manual and automated procedures with technical controls in a way that enables prevention as well as detection capabilities.
There is a need to accept technologies that ensure correct identification of communicating parties. The government has been reluctant to bless current technologies such as public key cryptography. In an electronic age there are no easy ways to verify identity without using measures such as public key encryption. Users may need to trade some of the freedom currently available in the electronic world to help ensure their own safety and security. In some commercial cases, positive verification of identity should be considered a contractual requirement. When identity can be established, and it can be known positively that messages have not been compromised, then electronic commerce will be more secure.
Ethical computing needs to be taught at an early age. Criminologists believe that when rules have not been formalized and accepted within the population, it is difficult to define ethical behavior or make individuals accountable. We must accept basic rules of the road before being admitted to the information super- highway. Currently there is little agreement as to what is proper behavior in a computing environment. Some expect rigid controls while others with equal personal conviction believe that systems should be open and that cracking is a legitimate intellectual pursuit.
Most people will find an acceptable position somewhere between the two stances.
Electronic travelers must be made aware of the dangers. As long as there are criminals seeking opportunities for fraud, theft and even child molestation on our networks, we must encourage vigilance. Users must be aware that electronic travels require the same degree of vigilance and awareness as do travels through the physical city. Bulletins should be made generally available, perhaps in an electronic town square, that warn about recent criminal activities or post the identity of those who violate the security of the network or its users. Being aware is being prepared.
Security and law enforcement personnel must be aware of opportunities for crime, and must have the skills and equipment to be able to prosecute technical crimes. Some have predicted that, as this century closes, public concerns about violent crime will increase and police attention and involvement with property crimes will decrease. They have suggested that private agencies will be required to take on more responsibility. Security Officers will increasingly need to be aware of corporate and individual network connections, how they are used and what the risks are for their organizations.