    Computer Fraud and Abuse Techniques.doc

COMPUTER FRAUD AND ABUSE TECHNIQUES

A Trojan horse is a set of unauthorised computer instructions in an authorised and otherwise properly functioning program. It performs some illegal act at a pre-appointed time or under a predetermined set of conditions. Trojan horses are often placed in software that is billed as helpful add-ons to popular software programs. For example, several thousand America Online subscribers were sent messages containing an offer of free software. Users who opened the attachments unknowingly unleashed a Trojan horse that secretly copied the subscriber's account name and password and forwarded it to the sender. Another type of Trojan horse monitors a user's keystrokes, captures credit card numbers, and sends them by e-mail to the software's creator.

In another case, visitors to adult sites were told to download a special program to see the pictures. This program had embedded code that turned off the volume on their modem, disconnected them from their Internet service provider, and connected them to a service in the former USSR. The program kept them connected to this site, at $2 a minute, until they turned off their computer. Over 800,000 minutes were billed, with some phone bills as high as $3,000, before the scam was detected.

The round-down technique is used most frequently in financial institutions that pay interest. In the typical scenario, the programmer instructs the computer to round down all interest calculations to two decimal places. The fraction of a cent that is rounded down on each calculation is put into the programmer's account or one that he or she controls. No one is the wiser, since all the books balance. Over time these fractions of a cent can add up to a significant amount, especially when the interest is calculated daily.

With the salami technique, tiny slices of money are stolen over a period of time.
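
An audit check for the round-down technique described above, as an added example that is not part of the original document: it recomputes every interest posting independently, because the scheme is built to pass a control-total check. The account IDs, balances, daily rate, half-even rounding policy and both ledgers are constructed for illustration.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
DAILY_RATE = Decimal("0.0001")  # constructed rate (0.01% per day)

def D(*values):
    """Build exact decimals from strings (never from floats)."""
    return [Decimal(v) for v in values]

ACCOUNTS = ["A-1001", "A-1002", "A-1003", "A-1004", "A-1005", "A-9999"]
# Constructed data: balances, an honest interest run and a tampered one.
BALANCES = dict(zip(ACCOUNTS, D("12345.67", "9876.00", "45678.90",
                                "250.00", "78199.00", "100.00")))
HONEST = dict(zip(ACCOUNTS, D("1.23", "0.99", "4.57", "0.02", "7.82", "0.01")))
TAMPERED = dict(zip(ACCOUNTS, D("1.23", "0.98", "4.56", "0.02", "7.81", "0.04")))

def policy_interest(balance):
    """Interest under the assumed policy: round half-even to the cent."""
    return (balance * DAILY_RATE).quantize(CENT, rounding=ROUND_HALF_EVEN)

def audit_run(balances, posted):
    """Recompute each posting independently instead of trusting control totals."""
    report = {"underpaid": [], "overpaid": {}}
    for account in sorted(balances):
        diff = posted[account] - policy_interest(balances[account])
        if diff < 0:
            report["underpaid"].append(account)
        elif diff > 0:
            report["overpaid"][account] = diff
    # The control total the scheme is designed to pass ("all the books balance").
    report["totals_match"] = (sum(posted.values())
                              == sum(map(policy_interest, balances.values())))
    # Round-down signature: every short posting is the exact amount truncated.
    report["truncation"] = bool(report["underpaid"]) and all(
        posted[a] == (balances[a] * DAILY_RATE).quantize(CENT, rounding=ROUND_DOWN)
        for a in report["underpaid"])
    return report

if __name__ == "__main__":
    for name, run in (("honest", HONEST), ("tampered", TAMPERED)):
        print(name, audit_run(BALANCES, run))
```

Both runs pass the total check; only the per-account recomputation shows three short postings and the single account that received the difference.
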
For example, a disgruntled chief accountant for a produce-growing company in California used the salami technique to get even with his employer. He used the company's computer system to falsify and systematically increase all the company's production costs by a fraction of a percent. These tiny increments were put into the accounts of dummy customers and then pocketed by the accountant. Every few months the fraudulent costs were raised another fraction of a percent. Because all expenses were rising together, no single account or expense would call attention to the fraud. The accountant eventually was caught when an alert bank teller brought to her manager's attention a check the perpetrator was trying to cash because she did not recognise the name of the company it was made out to.

A trap door, or back door, is a way into a system that bypasses normal system controls. Programmers use trap doors to modify programs during systems development and normally remove them before the system is put into operation. When a trap door is not removed before the program is implemented, anyone who discovers it can enter the program and commit a fraud. Programmers can also insert trap doors before they are terminated, allowing them access to the system after they leave.

Superzapping is the unauthorised use of special system programs to bypass regular system controls and perform illegal acts. The name of this technique is derived from a software utility, called Superzap, developed by IBM to handle emergencies, such as restoring a system that has crashed.

Software piracy is copying software without the publisher's permission. It is estimated that for every legal copy of software sold, between seven and eight illegal ones are made. Within days of being released, most new software is on a bulletin board and available free to those who want to download it illegally. An estimated 26% of software used in the United States is pirated; in some countries, this figure is over 90%.
The software industry estimates the economic losses of piracy at between $15 and $18 billion a year.

Piracy is such a serious problem that the Software Publishers Association (which represents more than 500 software publishers) files lawsuits against companies and individuals. One lawsuit claimed the University of Oregon's Continuing Education Center violated copyright law by making illegal and unauthorised copies of programs and training manuals. The university settled the case by agreeing to (1) pay a $130,000 fine; (2) launch a campaign to educate its faculty, staff, and students on the lawful use of software; and (3) host a national conference on copyright law and software use. In another case, the Business Software Alliance found 1,400 copies of unlicensed software at an adult vocational school in the Los Angeles Unified School District. The district may have to pay up to $5 million to settle the case against it.

Individuals convicted of software piracy are subject to fines of up to $250,000 and jail terms of up to 5 years. However, the SPA often negotiates more creative punishments. For example, a Puget Sound student caught distributing copyrighted software over the Internet was required to write a 20-page paper on the evils of software piracy and copyright infringement. He will also have to perform 50 hours of community service wiring schools for Internet usage. Failure to comply with either item will subject him to a $10,000 fine and result in a lawsuit for copyright infringement.

Data diddling is changing data before, during, or after it is entered into the system. The change can be made to delete, alter, or add key system data. For example, a clerk for a Denver brokerage altered a transaction to record 1,700 shares of Loren Industries stock worth about $2,500 as shares in Long Island Lighting worth more than $25,000.

Data leakage refers to the unauthorised copying of company data.
The Encyclopaedia Britannica claimed losses in the millions of dollars when an employee made copies of its customer list and began selling them to other companies. Ten Social Security Administration employees sold 11,000 Social Security numbers (and other identifying information such as mother's maiden names) to credit card fraudsters.

Piggybacking is tapping into a telecommunications line and latching on to a legitimate user before the user logs into a system. The legitimate user unknowingly carries the perpetrator into the system.

In masquerading or impersonation, the perpetrator gains access to the system by pretending to be an authorised user. This approach requires a perpetrator to know the legitimate user's ID number and password. Once inside the system, the perpetrator enjoys the same privileges as the legitimate user being impersonated.

In social engineering, perpetrators trick an employee into giving them the information they need to get into the system. They might call saying they are conducting a security survey and lull the person into disclosing confidential information. They call help desks and claim to be an employee who has forgotten her password, or call users and say they are from network engineering, are testing the system, and need the user's password. They also pose as buyers or salespeople to get plant tours and obtain information that may help them break into the system.

A logic time bomb is a program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the bomb sabotages the system by destroying programs, data, or both. Most bombs are written by disgruntled programmers who want to get even with their company. Donald Burleson, a former security officer, set off a bomb that erased 168,000 sales commissions records. As a result, company paychecks were held up for a month. The program, which was attached to a legitimate one, was designed to go off periodically and erase more records.
The bomb was discovered before it could go off again by a fellow programmer who was testing a new employee bonus system. The company's computers were shut down for two days while the bomb was located and defused.

Timothy Lloyd detonated a logic time bomb three weeks after he was fired from Omega Engineering. The bomb caused an estimated $10 million in damages when it erased all of the network's software and the company's data. Lloyd, who functioned as both the system designer and its administrator, also disabled the network's automatic backup and recovery facilities. As a result, the company was unable to recover any of the software and data that were destroyed.

Hacking or cracking is the unauthorised access to and use of computer systems, usually by means of a personal computer and a telecommunications network. Hackers do not intend to cause any damage; they are usually motivated by the challenge of breaking and entering and are just browsing or looking for things to copy and keep. Crackers are hackers with malicious intentions. For example, during Desert Storm Dutch crackers broke into 34 different military computer sites and extracted confidential information. Among the information stolen were the troop movements and weapons used in the Iraq war. The group offered to sell the information to Iraq, but Iraq declined, probably because they thought they were being set up.

Hackers and crackers have broken into the computers of governmental agencies such as the U.S. Department of Defense, NASA, and the Los Alamos National Laboratory. One 17-year-old cracker, nicknamed Shadow Hawk, was convicted of electronically penetrating the Bell Laboratories national network, destroying files valued at $174,000, and copying 52 proprietary software programs worth $1.2 million. He published confidential information, such as telephone numbers, passwords, and instructions on how to breach AT&T's computer security system, on underground bulletin boards.
He was sentenced to nine months in prison and given a $10,000 fine. Like Shadow Hawk, many hackers are fairly young, some as young as 12 and 13.

Scavenging, or dumpster diving, is gaining access to confidential information by searching corporate records. Scavenging methods range from searching trashcans for printouts or carbon copies of confidential information to scanning the contents of computer memory. In one case, Jerry Schneider, a high school student, noticed a trash can full of papers on his way home from school. Rummaging through them, he discovered operating guides for Pacific Telephone computers. Over time his scavenging activities resulted in a technical library that later allowed him to steal a million dollars' worth of electronic equipment. In another case, in South America, a man attached a video camera to a car battery, hid it in some bushes, and pointed it at the company president's window. The president had an office on the first floor and his computer monitor faced the window. A significant business acquisition almost fell through as a result of the information on the videotape.

Eavesdropping enables perpetrators to observe private communications or transmissions of data. One way to intercept signals is by setting up a wiretap. The equipment needed to wiretap an unprotected communications line is readily available at local electronics stores. One alleged wiretapping fraud involved Mark Koenig, a 28-year-old consultant to GTE, and four associates. Federal agents say they pulled personal identification numbers and other crucial information about Bank of America customers from GTE telephone lines. They used this data to make 5,500 fake ATM cards. They allegedly intended to use the cards over one weekend to withdraw money from banks all over the country. However, authorities were tipped off, and they were apprehended before they could use the cards.

Fraud perpetrators are beginning to use unsolicited e-mail threats to defraud people.
For example, a company named Global Communications sent a message threatening legal action if an unspecified overdue amount was not paid within 24 hours. The message also said that court action could be avoided by calling Mike Murray at an 809 area code (which is for islands in the Caribbean). People who called got a clever recording that sounded like a live person and responded to the caller's voice. The responses were designed to keep a caller on the phone as long as possible, since callers were being billed at $25 per minute.

In another instance, a man posed as a woman on a chat line and lured men into erotic conversations. After a while she offered them very revealing pictures of herself. The men who asked for the pictures got, instead, a very angry letter from her "husband" threatening physical violence unless they paid him money.

It is also possible to commit e-mail forgery. One way to do so is to send an e-mail message through a re-mailer that removes the message headers, thereby making the message anonymous. Another way to commit e-mail forgery is to make the e-mail message look as if it was sent by someone else. For example, a former Oracle employee was charged with breaking into the company's computer network, falsifying evidence, and committing perjury for forging an e-mail message to support her charge that she was fired for breaking up a relationship with the company's chief executive. She faces up to six years in jail for her activities.

A denial of service attack occurs when an attacker sends e-mail bombs: so many messages (hundreds per second) from randomly generated false addresses that the Internet service provider's e-mail server is overloaded and shuts down. Other denial of service attacks involve sending so much data to a network or web server that it crashes. These attacks go by such creative names as Bonk, Boink, Syn-flood, Ping of Death, WinNuke, and LandAttack.
One Syn-flood attack shut down more than 3,000 web sites for 40 hours on one of the busiest shopping weekends of the year.

Internet terrorism is crackers using the Internet to disrupt electronic commerce and to destroy company and individual communications. For example, a cracker developed a program that erases messages and unleashed it at Usenet, an Internet bulletin board system. The program destroyed 25,000 messages before it could be removed from the system.

Internet misinformation is using the Internet to spread false or misleading information about companies. This can be done in a number of ways, including inflammatory messages in on-line chats, setting up web sites, and spreading urban legends. For example, Tommy Hilfiger Corp. was supposedly kicked off the Oprah Winfrey show for making racist remarks. This information, together with a call to boycott the company, quickly spread throughout the world on the Internet. This urban legend was totally false, and Hilfiger quickly went to the net to deny the story. McDonald's spent seven years fighting a large number of false accusations that were spread using pamphlets and web sites. McDonald's finally won the case after 313 days of testimony and an expen
