International review of criminal policy - Nos. 43 and 44/The vulnerability of computer systems to crime

D. The vulnerability of computer systems to crime

40. Historically, economic value has been placed on visible and tangible assets. With the increasing appreciation that intangible data can possess economic value, they have become an economic asset that can be targeted for crime. Tangible assets in the computer environment, therefore, often have a double value. The replacement cost of a piece of computer equipment may represent only a small portion of the economic loss caused by the theft of, or damage to, that equipment. Of much greater significance is the value of the information lost or made unaccessible by the misappropriation or damage.

41. Computer systems are particularly vulnerable to threats because of a number of interacting factors. The more significant of these are analysed briefly below.

1. Density of information and processes

42. Storage technology has allowed the development of filing systems that can accommodate billions of characters of data on-line. Providing different access privileges for different users of such systems is often difficult. A further problem lies in the fact that, owing to the methods for accessing stored information, a single error can have widespread impact. This fact can be used to great advantage by a party who wants to corrupt data or disrupt service.

43. At the same time, memory management techniques allow many independent processes to be supported concurrently within a single operating system. Independent data files can be combined to produce new and unforeseen relationships. Data items may be linked to produce a new item with a higher level of sensitivity than the original discrete data components. The centralization of information and processing functions provides an attractive target for the infiltrator or saboteur intent on attacking the functions or information assets of an organization.

44. The density of data stored on such media as tapes, diskettes, cassettes and microfilms means that the loss or theft of such items can be very significant.

2. System accessibility

45. Before security became a significant design criterion, the goal was often to provide the maximum computing capability to the largest possible user community. Access concerns once confined to the restricted computer room area must now be extended to remote terminal locations and interconnecting communications links. However, remote terminal stations and transmission circuits are often not subject to the same controls as those in the main centre. Two forms of attack that exploit remote access are the use of fraudulent identification and access codes to obtain the use of system resources and the unauthorized use of an unattended terminal, logged on by an authorized person.

46. Because of the desire to give system users maximum capability, unrestricted access privileges are often granted rather than allowing only the privileges necessary to perform an intended function. A transaction-oriented system permitting read-only or inquiry-only access offers a greater degree of protection than a system offering full programming capability.

47. Many systems in current use offer very limited ability to control user capabilities related to passive data and programs on a read-only, read-write or execute basis. This situation frequently necessitates operating on the assumption that every user has the capability to use the full computing potential of the operating system. A known penetration technique that utilizes this weakness involves disguising user instructions intended for clandestine purposes as a common utility, such as a file-copying routine, or inserting them into an existing routine. When the illicit code is activated, it performs functions more privileged than were intended for that user.

48. Finally, computer control functions are normally made accessible to numerous support and maintenance personnel. Tampering with software or hardware logic to obtain extended privilege or to disable protection features has been known to occur. The exposure provided through increasingly easy access to electronic data processing (EDP) resources is an important contributor to the vulnerability of modern computer systems.

3. Complexity

49. The typical operating environment of medium- and large-scale systems is characterized by support for local batch, remote batch, interactive and, occasionally, real-time user modes. Typical operating systems contain from 200,000 to 25 million individual instructions. The number of logic states that are possible during execution in a multiprogramming or multiprocessing environment approaches infinity. It is not surprising that such systems are not fully understood by anyone, including the designers, or that they are often unreliable. It is only possible to prove the presence of errors, not their absence, and any system error can result in down time or a potential security fault. Even when systems have been carefully designed, errors in implementation, maintenance and operation can still occur. The prospective infiltrator can be expected to take full advantage of the uncertainties created by system complexity. Incidents have been noted where deliberate attempts to confuse operators, or to interrupt systems by attacking little-known weaknesses, have been instrumental in producing security violations.

4. Electronic vulnerability

50. The reliance of computer systems on electronic technology means that they are subject to problems of reliability, fragility, environmental dependency and vulnerability to interference and interception. On systems using telecommunications, these vulnerabilities extend to the whole communications network in use.

51. Traditional forms of electronic eavesdropping can be readily adapted to exploit data-processing systems. They include wire-tapping and bugging, the analysis of electromagnetic radiations from equipment and monitoring of the cross-talk induced in adjacent electrical circuits. Interconnecting data communications circuits also suffer the same vulnerabilities, and communications on them can be subject to misrouting. A variation on wire-tapping involves the illegal use of a minicomputer to intercept data communications and to generate false commands or responses to other system components.

52. In the commission of a fraud, electronic technology has an advantage over manual data manipulation, which generally leaves behind an audit trail. Computer data, however, can be instantly changed or erased with minimal chance of detection, by, for example, a virus or logic bomb. The computer criminal can easily modify systems to perpetrate the fraud and then cover the evidence of the offence. It is suggested, moreover, that data processing is protected by only one tenth of the controls afforded to the same process in the manual environment, an insufficiency that facilitates the opportunity to commit crime without detection.

53. The performance of EDP systems may also be adversely affected by electromagnetic interference. Conducted or radiated electrical disturbances can interfere with the operation of electronic equipment. The system may suffer only very temporary and intermittent impairment, measurable in microseconds and from which recovery is possible, or it may suffer complete equipment failure, resulting in an inability to process.

54. All hardware is susceptible to failure through ageing, physical damage and environmental change. To ensure that error propagation is confined to non-sensitive functions, i.e., that the system fails safely, malfunctions must be detected immediately. Progress is being made towards this goal, but few designs in current use offer the desired level of reliability.

5. Vulnerability of electronic data-processing media

55. It is sometimes inferred that a degree of security is provided by the inability of humans to translate machine-readable data in the form of punched holes in cards or tape, magnetic states on tapes, drums and disks, and electrical states in processing or transmission circuits. In practice, not only can such computerized information codes be readily interpreted by most technical personnel, but the data obscurity created has the additional negative effect of creating identification and accounting problems.

56. Because the contents of most EDP media are not visually evident, data-processing personnel are often required to handle sensitive files without being aware they are doing so. As a result, the control of data items becomes a problem. Scratched tapes, discarded core memories can all contain residual data that may demand special attention. Because identity and accountability have been lost, safeguards are frequently relaxed for these items even though the same information is protected elsewhere in the system. The ease with which such sources of information can be utilized has resulted in several well-publicized system penetrations.

6. Human factors

57. As discussed above, employees represent the greatest threat in terms of computer crime. It is not uncommon, operators, media librarians, hardware technicians and other staff members to find themselves in positions of extraordinary privilege in relation to the key functions and assets of their organization. A consequence of this situation is the probability that such individuals are frequently exposed to temptation.

58. A further complication is the tendency on the part of management to tolerate less stringent supervisory controls over EDP personnel. The premise is that the work is not only highly technical and specialized but difficult to understand and control. As an example systems software support is often entrusted to a single programmer who generates the version of the operating system in use, establishes password or other control lists and determines the logging and accounting features to be used. In addition, such personnel are often permitted, and sometimes encouraged, to perform these duties during non-prime shift periods, when demands on computer time are light. As a result, many of the most critical software development and maintenance functions are performed in an unsupervised environment. It is also clear that operators, librarians and technicians often enjoy a degree of freedom quite different from that which would be considered normal in a more traditional employment area.

59. There is another factor at play in the commission of computer crime. Criminological research has identified a variation of the Robin Hood syndrome: criminals tend to differentiate between doing harm to individual people, which they regard as highly immoral, and doing harm to a corporation, which they can more easily rationalize. Computer systems facilitate these kinds of crimes, as a computer does not show emotion when it is attached.

60. Situations in which personnel at junior levels are trusted implicitly and given a great deal of responsibility, without commensurate management control and accountability, occur frequently in the EDP environment. Whether the threat is from malicious or subversive activities or from honest errors on the part of staff members, the human aspect is perhaps the most vulnerable aspect of EDP systems.