The Silicon Jungle by David H. Rothman

Baird doesn’t blame just the manufacturers for some computers’ sievelike leaks. “Business isn’t willing to pay the price to secure systems,” he says—a complaint echoed in effect by the Computer and Business Equipment Manufacturers Association (CBEMA). It acknowledges the present clash between security and ease of use of computer systems. “If a computer could be designed with various levels of security as options, computer security might well be a marketable commodity,” said a statement from CBEMA to a trade magazine. In recent years there has been much more research in this area, and when 32-bit micros become the norm, it will be much easier to beef up security. When crimes do happen on existing systems, they’re often covered up by top executives panicky over going to court or jail. How’d you like to be the chairman of a corporation faced with an ugly data-security scandal—and the possibility of a stockholders suit? You needn’t be in the scandal personally. Your stockholders could charge you with malfeasance, if not misfeasance, for _letting_ it happen. So could the Securities and Exchange Commission and other feds. When companies hush up computer crimes, it’s not necessarily for high-minded reasons such as protecting assets by playing down vulnerability to electronic crime. Consider Baird’s experiences. Called to a New England firm to do routine theft prevention, Baird merrily put himself on the payroll—not to steal but to demonstrate system weaknesses. “I also,” he says, “nicked the vice-president for participating in a $400,000-a-year kickback.” At another company, an accounting firm did the books at year’s end and had to make an adjustment of $1.2 million. “Then,” said Baird, “we went in some more and really did a number on that company. And we came up with $4.5 million in proven losses. And it all had to do with their computer system.” But, you’re wondering, how about that crook who stole $8 million and got away with it? The story—perhaps apocryphal but told in the sedate _Smithsonian_ magazine—is that bank officials confronted the thief in a restaurant over breakfast. He coolly confessed. If they tried to jail him, why he’d blow the whistle on the bank’s vulnerable computer system. And it would cost more than $8 million to fix. So the bank officials just asked him to step down quietly. Leaving the table, the crook smiled. “I’ll keep the eight million,” he said, “but I’ll pick up the tab for breakfast.” Definitely, then, Donn Parker was on target when he once called computer security “first and last a people problem.” People and Policies: Working with the Right Ones Honest, loyal employees are more important than the latest security gizmos. Use common sense. Beware of the $26,000-a-year programmer who suddenly acquires a posh home and a sports-car collection. Don’t pry. But don’t shut your eyes, either. Start with a sensible hiring policy. Decide on the questions you want to ask applicants and their references—about the prospective employees’ backgrounds and characters. Then bounce them off your legal department. The rule of thumb is that you won’t get in trouble if the questions are related to the job. IBM has said it doesn’t even ask applicants about their ages or marital statuses. If there aren’t legal obstacles, you might invest $25 in a credit-bureau check of a keypunch clerk but perhaps several hundred dollars for a top programmer. Keep in mind the notorious lack of reliability of many reporting services. Check for criminal records when hiring for responsible positions. A Maryland hospital didn’t. It hired a convicted embezzler, a computer operator who later diddled $40,000 out of the system. Granted, there are occasions when you might knowingly hire an ex-con to give him a chance. But ask the normal questions. What’s he done to justify your trust since his sentencing? What are your risks? How much could he steal, and how? Whomever you hire—ex-cons, Harvard grads, or combinations of the two—know how to respond to the common criminal motives. Jay BloomBecker, a top computer crime expert, sums up one of the main motives by quoting the title of a collection of Doonesbury comic strips: _But the Trust Fund Was Just Sitting There_. Reduce the temptation. Let your people know there’ll be surprise audits—and mandatory vacations. A thief busy slicing salami might be loath to take too much time off, lest his or her replacement catch on to what’s happening. Likewise, consider rotating duties every few months and also divvying them. People who write checks with computers, for example, ideally won’t be the ones approving them; in a small business, of course, this might not be possible. The old need-to-know policy, of which the military is so fond, may also increase the criminals’ risks—by increasing the need for collusion. This, too, isn’t always possible, and it could boomerang. If employees aren’t supposed to know what their colleagues are doing, maybe a thief would actually have less chance of being noticed. Also, tell people that stealing—even small amounts from a large company—_will_ hurt. If you can’t prove how it will hurt the corporation noticeably, then you’d better make a good case that it will hurt them. Pretend you’re a department store warning the nimble fingered: “All will be prosecuted.” Well, within bounds. You needn’t fire and prosecute a thirty-year man because he once used a company micro to calculate his average golf score. But do remind your employees of the applicable theft-of-service laws, larceny ones, and others. Not that electronic theft is your only problem. Whiteside tells of a computer-ridden North Carolinian, working for an insurance firm, who reportedly shot a handgun several times at the hated machine. And Harold Joseph Highland offers another cautionary tale. Executives at an East Coast firm fired a crabby woman, then returned the next Monday to find its floppies sliced apart with a paper cutter. They never proved her guilt. Regardless, _someone_ moved the blade up and down, costing the company several hundred thousand dollars in time reentering the paper versions of the records into the computer. And that doesn’t even include the orders canceled by customers angry over the delay. In yet another story, a disgruntled worker short-circuited a terminal by urinating on it. “Hire well,” says Jack Bologna, an expert on the “people” side of computer security, summing up ways to avoid such traumas. “Pay fairly, praise people for good work, give them opportunities for advancement, and make them feel comfortable talking over their problems.” Remember that the line can fuzz between outright sabotage and simple sloppiness induced by poor morale. If there’s a disaster and you’re not sure if it’s accidental or deliberate, however, don’t be too quick to point your finger. You may find it chopped off with a lawsuit filed by your suspect, perhaps for less than $1,000, while your firm must spend several times that to defend itself. Unjustified accusations, also, hurt morale and may even add to security problems. And if you do prove theft or sabotage? Act. Don’t cover up. Rather, cover yourself—legally. Tell your boss what happened. If you’re mum and someone else reports the crime, your superior may consider you among the guilty. Also, don’t discount the possibility that your boss may himself be either guilty or a part of a cover-up because he fears a stockholders’ suit. You may have no choice but to report him to _his_ boss. Press for an independent audit committee if you’re powerful enough and if the size of the crime justifies one. Should you fire someone for a computer-related offense, do it artfully. “If they’re in a critical job position, help them clean out their desk, collect their ID card and any office keys, and walk them to the door or to the personnel department,” says Timothy A. Schabeck, who edits _Corporate and Computer Fraud Digest_ with Jack Bologna. The FBI’s Lewis says as much. If you do prefer instant firing, follow Schabeck’s advice to provide counseling and severance pay. And soften the blow, too, by warning everyone, when hired, that your axes are quick and sharp. Mightn’t instant firing, however, be brutal, anyway? Well, it depends on the amount of damage that a discharged employee could inflict and on how vindictive you perceive him to be. Ideally, you could minimize the damage by having backup disks or tapes out of the your victim’s reach. Also consider how successfully you can keep the fired employee from returning to your computer—by ruse or otherwise? Is your office absolutely physically secured? Can you trust guards or janitors working weekends not to admit a familiar face? It’s all a part of bridging the gap between policy and practices. Don’t just wait until a crime to make your staff security conscious. Too often, warns James A. Schweitzer, a Xerox security expert, people protect information only if it’s on paper. He says, “There have been a number of cases where tapes and disks have mysteriously disappeared from places like desktops.” If need be, designate an employee to make sure others have locked up right by the end of the day. In less than a minute, using a floppy disk, a thief may duplicate hundreds of times as much material as he could on a paper copier. Worry, too, about your people’s use of _modems_—the gizmos that transform your computers digital output into a whiny sound for the phone lines. Don’t let them routinely keep sensitive material on disks that will play back to savvy criminals who happen to dial in. This especially applies to Winchesters. They’re the oxide-coated aluminum disks that remain in the machine housing them, and they stash away many times the amount of information on most plastic floppies. Now imagine the delights awaiting a thief or snoop. Via your auto-answer modem he could rifle thousands of pages of Winchestered documents. Such electronic robberies needn’t happen, but until businesses get burned this way, they will. So if you’re sharing an electronic spreadsheet or mailing list with your branch office, do so if possible at a prearranged time during business hours when you know who’s calling. Tell your people to do the same. You’ll also need a privacy policy—internal and external. Do you, for instance, want salary information on a Winchester disk that any of your company’s computer-users could read? And how about employees’ health records? Good data security should protect your people as well as your company. So limit your computerized records to the essential and tell your executives not to use their home computers to bypass privacy laws. Worry, too, about an external-privacy policy. Are you respecting the rights of your customers, including those, who, by computer, may be transmitting to your company _their_ electronic jewels? It isn’t just decency you want; it’s also good protection against suits, whether from people or client companies. Here again, set a firm policy against your people misusing their personal micros. Alan F. Westin, a Columbia University professor of public law and government, correctly warned in _Popular Computing_, “A financial officer of a bank might store information about the life-style, habits, sexual preferences and other personal behavior of large individual borrowers or key corporate executives.” The banker might do this behind customers’ backs to help decide who was “stable” enough for loans. You’ll also need a policy covering employees who use your computers for, say, maintaining their church’s bingo books. Why not let them? It isn’t the worst public relations. Some companies even allow their employees to play games after hours, tapping into company systems from home, and you, too, might experiment with this, provided it won’t add to your data-security problems. Better a fringe benefit than a crime. On the other hand, you’ve got to draw the line somewhere. Can you estimate how much this extracurricular use of your machines costs in wear and tear—in, eventually, replacement costs? Feel your employees out on this one if you’re running a small business or hold sway over a large one. Would they rather enjoy computer privileges or better health insurance? You might offer cafeteria-style fringe benefits, with computer use as one of the options. Employees not selecting this choice might have to agree to it, anyway, if you discovered them using a company computer for personal purposes. This problem, of course, may lessen as the prices of small computers plummet and their capabilities grow. Whatever the form of potential crime—theft or otherwise—keep remembering one of the basics of data security: It should cost neither more money nor morale than justified. Hardware and Software Now for advice on finding the _most_ crookproof computers and programs. Buy a micro with 16- or 32-bit word lengths and RAMs of 256K or more. Those specifications will let you use more elaborate codes to protect information. What’s more, they might be less cumbersome than codes on an 8-bit machine. Look, too, for electronic design that lets your computer establish privilege levels—reachable through passwords. That way, Sally, the new secretary, can start out getting into the computer only for word processing. Helen, the payroll clerk, can have access to confidential salary information but not a top-secret budget that doesn’t give her the raise she’s been pestering you about. Questions exist about the effectiveness of passwords and codes, at least when the thieves or snoops may be sophisticated, but that’s another story. Most experts will tell you that anything that can be coded can be cracked. The trick is to make it not worth the criminals’ time and resources. Of course, the best safeguard is still the simplest: locking up the disks and computer after you or your people are through. New minis, by the time you’re reading this, may all be 64 bit or higher. They adapt to codes—and fancy electronic logs showing the kind of work done on them—more easily than do micros. And they might justify other costly security measures. Suppose, for instance, you want to follow the many government agencies’ examples and pen in the tiny radio waves that computers emit so that eavesdroppers can’t pick them up with sensitive receivers. A micro fortified this way might cost perhaps $10,000. “What’s the sense of doing that for what’s essentially a throwaway computer?” asks Harold Joseph Highland. The “throwaway,” be assured, is an exaggeration, but his point comes through. Of course, don’t forget the disadvantages of minis. Most machines at the mini level or above need professional programmers, and that’s bad news if you’re trying to stay in complete charge of your business. Also, minis, because of their expense, normally won’t pay for themselves unless they have at least several terminals. And the more terminals you have, the more “doors” through which crooks can “walk.” Still, you normally shouldn’t let security alone determine if you end up with a micro or with a mini. Remember the warning earlier in this chapter that security costs shouldn’t overwhelm you. How often, for instance, is your information so sensitive that you’re worried about criminals lurking in the bushes with the elaborate equipment needed to make sense of the tiny waves your computer emits? Your data might not even justify use of codes. I myself haven’t the slightest need for codes, user-privilege levels, anything other than locking up my disks, since I’m essentially a small businessman who is the sole operator of a micro. Even the FBI doesn’t really worry about security on some computers. At the time I visited the agency’s academy in Virginia, several little Radio Shack models were purring away there—the same kind you’d buy off the shelf. The micros’ software had passwords, but some agents could bypass them, anyway, which wouldn’t be necessary, of course, since, in this case, the FBI _wants_ the machines to be used. Before saddling yourself with fancy electronic precautions, do see if a security service, a good, heavy safe, a locked room, or a burglar alarm would work instead. And what about simply carrying home some duplicates of your most important floppies? That possibility will become increasingly attractive as the disks’ storage capacity increases. This isn’t to say, however, that you should store Exxon’s major corporate secrets in a dirty unlocked drawer next to old underwear. But a small businessman might consider taking his backup disks home. If you buy a safe for your office’s disks or tapes, think about fire protection. Check with your fire department. What makes of safes could be in the middle of the flames without the disks suffering temperatures of more than 115 degrees Fahrenheit? Investigating locks and burglar alarms, you’ll learn that your computer may be able to protect itself. How? Some gadgets can let only card-carrying employees—your people with magnetic cards—enter a room. And they can tie into the computer to save you money. The same applies to burglar alarms. Of course, you might want nothing fancier than a strong lock bolting your computer to a heavy table. Don’t spend more than the data are worth to replace. You might also consider a guard service. The problem is that salaries add up even for quick nighttime checks. After a few months or a year, you may be well on your way to having shelled out the cost of an elaborate electronic security system. Guards normally would be more appropriate for users of large minis and mainframes than for desktop types. One advantage of physical security—most any kind—is that it can protect the computer equipment itself, not just your electronic files. You’ve undoubtedly read of theft of computer chips from Silicon Valley firms. Now be prepared for reports of widespread computer theft, eventually, as the market grows for both legally bought and fenced merchandise. With computers shrinking in size, they may well be an even hotter item for fences than stolen Selectrics. Even Apples several years ago were too intimidating to a burglar, like the one who stole the silverware of an acquaintance of mine but passed over his computer. Be assured, though, that crooks are increasingly computer literate. There’s even talk of the mob moving into computer crime, raiding government files, and, presumably, engaging in less challenging illegalities, like setting up computer-fencing rings. With computer crooks in the future being smarter and more organized, you should think hard before depending on simply passwords or codes to protect you. First, assume that at least some people may try to unravel your puzzles. A whole generation of prodigies right now is practicing by copying the supposedly uncopyable computer games on disks. In effect, notes Churbuck, the New Hampshire lawyer, each disk provides two puzzles. One is the original game. The other is the puzzle of figuring out how to make illicit copies. And at the University of Western Ontario, Prof. John Carroll surveyed students in two advanced computer courses and found that one-third had sought free, illegal computer time. It’s been pointed out that the very best, the very brightest, students have too many legitimate opportunities—on large systems—to worry about pillaging small computers. And that may be true. But by the late 1980s or early 1990s, some journeyman criminals may develop among the second-raters. Second, don’t shrug off a warning from R. E. (Bob) Kukrall, author of the handbook _Computer Auditing, Security and Controls_: “Cracking a computer system’s defenses may be about as difficult as doing a hard Sunday crossword puzzle.” He says that thieves managed in minutes to call up computer files that were protected by a five-digit code number. They just programmed the computer itself to try each of 100,000 combinations. “In effect the speed and capabilities of the computer were used to violate its own security,” Kukrall said in _TeleSystems Journal_. ■ ■ ■ How the _National Enquirer_ Gets Some Security along with Bargain Communications Some _National Enquirer_ reporters send in stories via computers, but there’s little danger of rival tabloids spying on the computer collecting the articles. The reason? There’s no receiving computer, actually—just an auto-answer modem rigged up to a dot-matrix that spews out paper copies at several hundred words a minute. The modem and printer can’t send messages or relay stories elsewhere. But who needs that—not when some computer-smart _National Star_ reporter might give his eye teeth to find out what the competition is up to? To be sure, the scheme has some problems: ● The _Enquirer_ can’t transfer the reporters’ stories to a computer there for editing, since they are on plain old paper but not in an electronic format. Editors, however, heavily rewrite the original stories. Capturing reporters’ key-strokes for the typesetter wouldn’t help as much as at an ordinary newspaper. ● Theoretically someone could still steal the hard copy (just as he or she could sneak off with a floppy disk). ● The system isn’t secure against telephone tappers who could translate the modem whines. Still, the system is dirt-cheap. If knowledgeable, you could probably replicate it for less than $500 for the printer and modem. And you could send to it with just a $400 lap-sized portable. Beyond that, the _Enquirer_’s arrangement may be safer than leaving an unprotected computer on the phone to collect unencrypted files. ■ ■ ■ Then there’s the Dalton school case in New York City in which the four culprits, age thirteen, violated silicon sanctity hundreds of miles away. The feds caught up with them before they could steal Pepsi Cola, by coaxing an order out of a warehouse. But another computer didn’t fare so well. The thirteen-year-olds destroyed more than one-fifth of the 50 million bits in the machine’s memory, inspiring a magazine writer to call them “electronic Huns.” More recently, the 414 Gang out of Milwaukee—named after their telephone area code—broke into computers across the country. These half-dozen or so high school students, tapping on home micros, broke into more than sixty computers and among other things they: ▪ Hooked up with a VAX 11/780 at Sloan-Kettering Cancer Center in New York. Eighty hospitals across the U.S. were using the computer to help treat hundreds of radiotherapy patients.[55] ▪ Broke into an unclassified computer at the Los Alamos nuclear laboratory. ▪ Penetrated a Security Pacific Bank computer in Los Angeles. That may not have been so much a challenge. The account name and password both were “SYSTEM”—a word that many computer manufacturers routinely put in new machines and that their customers often forget to take out. “TEST,” “DEMO,” and “MAINTENANCE” are other old standbys. Footnote 55: The 414 invaders fortunately didn’t alter radiotherapy information. But they reportedly did zap a file used to bill customers a total of $1,500 for computer use. If teenagers can wreak Attilan havoc and snoop on a bank computer, then think of adults. So use passwords and codes, knowing their vulnerabilities. Try, anyway, to give computer crackers a good challenge by avoiding use of obvious passwords like street names or those of wives or children. Consider a two-level password; also, maybe one with two words of pure gibberish; that’s what CompuServe does. And, obviously, purge the computer of standard passwords in the “SYSTEM” vein. If your system permits dialing in through a modem, see if it can limit the number of tries that people can make before the modem hangs up the phone. Your dial-up computer should send its name until the caller has given the right ID. Be careful of overly helpful =prompts= that lead callers on to the next step. “A prompt saying, ‘Hi! This is the Last National Bank Disbursement Department,’ sort of gives the game away, doesn’t it?” says a _Creative Computing_ article laying out precautions. Also, change passwords regularly. And if an employee’s leaving? Change the access codes. Here’s what I’d ponder if shopping for a password or encryption system: