CHRIS WOOD January 25 1988


CHRIS WOOD January 25 1988



During the 1930s and 1940s, at the height of a criminal career that spanned 35 years, the famed U.S. robber Willie Sutton used a gun and a mask to steal a fortune from banks because, he said, “that’s where the money is.”

Now, master criminals are targetting computer systems to achieve the same results with nothing more dramatic than a few strokes on a keyboard. And the illicit gains involved are far larger than the nearly $3 million that Sutton stole. In one illegal operation alone, which may be the largest fraud in European history, a ring of employees at Volkswagen AG’s Wolfsburg, West Germany, headquarters altered computer files in 1984 to hide the theft of $428 million from the automaker, an amount equal to its entire 1985 net profit.

Vulnerable: For the

computer-wise criminal, opportunities have multiplied even faster than the selection of home videogames. And the burgeoning use of personal computers has meant that more companies are storing sensitive information in electronic memories that are vulnerable to nearly untraceable tampering. In addition, increasing numbers of their employees have gained access to those files and accounts—eroding existing standards of computer security. Another threat arises from the so-called hackers, inquisitive and devoted experimenters—many of them teenagers—who are constantly trying to develop new forms of electronic mischief. In response, legislators and law enforcement officials are striving to erect defences against increasingly sophisticated electronic lawbreakers.

Still, their casebooks are increasingly filled with spectacular instances of computer crime:

• In 1982 a manager with access to a computer at the Toronto Board of Education Staff Credit Union Ltd. began altering the electronic record of loans to her lover, property developer Wayne Skinner. When company officials discovered the changes two years later, Patricia McGonegai and her accomplices had stolen nearly $7.8 million. McGonegai began serving a three-year sentence for fraud last November. • In December an unknown prankster inserted a Christ-

mas message into the private electronic mail system run by International Business Machines Corp. The programmer designed the greeting to copy itself from one electronic mailbox to another—an instruction that tied up vast amounts of computer memory. As a result, IBM’s worldwide mail network was snarled for 72 hours.

• Earlier last fall computer hobbyists in Hamburg, West Germany, revealed that they had penetrated the U.S.based computers of the National Aeronautics and Space Administration and examined some of the agency’s secrets. Declared Chaos Computer Club member Wau Holland: “Virtually the whole system was open.”

• On Jan. 25 a county court will sentence businessmen John Stonehouse of Brampton, Ont., and Barry Bryan of Sarnia, Ont., for their parts in an unsuccessful attempt to steal trade secrets from Stonehouse’s employer. The two men duplicated 100,000 computer punch cards containing turbine designs belonging to Carrier Canada Ltd.

So far there is no reliable measure of the yearly costs of computer crime. But many industry observers say they believe that authorities receive reports of less than 10 per cent of incidents. And they add that corporate victims of

Lymburner and Rodrigue; Skinner and McGonegai (below): white-collar criminals, manipulation

computer crime are particularly reluctant to endure the publicity that frequently accompanies disclosure of computer security penetration. John Edward Green, a Torontobased computer crime specialist with the Ontario Provincial Police antirackets branch, estimated that computer crime costs its victims about $100 million yearly across Canada. One indication of the scope of the problems is contained in research by Donn Parker, a senior management consultant and author who writes about the subject from SRI International, a research firm in Menlo Park, Calif. He says that he has accumulated more than 2,000 reports of computer-related crimes and acts of mischief worldwide during the past 18 years.

Fraud: In Metropolitan Toronto alone, police spokesmen say that the 33-member fraud and forgery squad now receives up to 25 complaints of suspected computer fraud weekly—a marked increase from the single complaint per month handled five years ago. Declared Sgt. Patrick Lymburner: “The computer has created incredibly fertile ground for temptation.” He added that white-collar criminals who are skilled in electronic manipulation are “difficult to capture.” Toronto embezzler McGonegal, for one, eluded detection by altering computer records—changing dates and amounts of transactions and moving money among accounts in an electronic shell game. Said Lymburner: “As far as the computer is concerned, the books balance. Carefully done, it could be undetectable.”

The widespread use of what g some observers call electronic I money—funds listed as entries z in a financial institution’s com9 puterized accounts—has further expanded criminal opportunities.

Declared consultant Parker: “A zero doesn’t weigh anything. You might as well add a zero and take $100,000 instead of $10,000.” Spokesmen for the U.S. Federal Bureau of Investigation said that in 1982 financial institutions in the United States lost more than $500 million in computerrelated frauds—eight times greater than the amount lost that year in bank robberies.

Victim: And Susan Nycum, a Palo Alto, Calif.-based lawyer who advises companies that have been victims of computer crimes, said that the huge sums of electronic money flowing between major international banks are an especially tempting target. Declared Nycum, who estimated that banks routinely transfer up to $3 trillion each day in that way: “It would be worth working very hard for one big hit.”

The increasing popularity of desk-

and laptop personal computers has also exposed huge amounts of data to electronic tampering. The adaptable PCs easily communicate with networks linking several computer users. But few PC networks have the kind of security devices that are routinely used in larger mainframe installations—including programs that will demand passwords from each user who seeks access to sensitive files. Experts say that it can be difficult for authorized users to detect trespassers on their network. In addition, PCs linked by telephone to large mainframe computers provide many hackers with powerful platforms from which to launch electronic assaults on targets ranging from giant firms such as IBM to the software of fellow hobbyists.

Unauthorized penetrations of computer systems have grown markedly more destructive since the early 1980s when teenage computer users broke the access codes of large computers simply for the thrill of doing it. In one incident, an unidentified hacker gained access to the computerized patient records of a Los Angeles hospital and changed all intensive-care patients’ entries to double the prescribed drug dosages. Fortunately, hospital officials discovered the penetration before the altered records caused potentially fatal drug overdoses.

Some methods of electronic vandalization have become so widespread that they have earned their own colorful names. Trojan horse programs are software instructions that purportedly will perform a useful task. But hidden inside them is a second, hostile program that will alter or destroy electronic files. Computer users say that Trojan horses are an increasingly common hazard of trading programs through electronic bulletin boards—information exchanges that are accessible by telephone to PC users. Many hackers refer to particularly destructive sets of program instructions as logic viruses because of their electronic ability to replicate and infect targeted programs or files. The electronic chain letter that snarled IBM’s message system last Christmas was one such virus, but a comparatively mild one.

Virus: An even more destructive problem surfaced at a Pennsylvania university. There, sometime last fall, experimenters at Lehigh University in Bethlehem created a virus that was programmed to make four copies of itself on other memory discs. On the fourth use, the virus erased everything on the original disc—while the copied versions continue to repeat the destructive pattern. Authorities say that when they discovered the presence of the virus last November, 80 per cent of the discs in public use at the university had been infected. In one instance a university office lost hundreds of letters and reports that were on a file destroyed by the virus. Bruce Fritchman, Lehigh’s head of computing services, speculated that the electronic virus may now be spreading unchecked through North American computer networks. Declared Fritchman: “The computer virus behaves and spreads like a disease.”

Those developments are causing concern among many expert observers who see in them potential weapons for new generations of computer extortionists, spies, saboteurs, terrorists and killers. As recently as ^ 1983, U.S. military spokesmen dis§ missed the premise of WarGames, a I hit movie in which a teenage hacker broke into the computer network of £ the Pentagon—and almost caused a s nuclear holocaust by sending com-

mands to the central computer. But a real-life incident that year had eerie parallels to WarGames. Proceedings, the official journal of the U.S. Naval Institute in Annapolis, Md., reported that teams of specialists had easily penetrated several department of defence computer systems. The report’s authors said that a saboteur with access to a warship’s computers could swiftly insert instructions that would effectively disarm the ship during hostilities.

Havoc: Palo Alto lawyer Nycum voiced similar concerns, arguing that terrorists could wreak more far-reaching havoc by tampering with computerized financial systems than by aircraft hijackings and sabotage. And the OPP’s Green, noting that hospitals increasingly use computers to control the medication of critically ill patients, said that “homicide could be committed by computer.”

In response, the guardians of military computer systems and hospitals are striving to erect defences against electronic attack—as are corporations. Declared Robert Campbell, president of Virginia-based computer security firm Advanced Information Management Inc.: “We are seeing individuals going after corporate data bases for the purpose of industrial espionage.” To counter those invasions, Campbell’s company attempts to penetrate a client’s computer system in order to gauge the effectiveness of the client firm’s security. Added Campbell: “In 70 per cent of the supposedly secure systems we attack, we are able to take control of the system away from the people who own it.”

Threat: As a result of the threats posed by computer-armed criminals, spies and others, federal legislators in the United States and Canada have strengthened key laws governing computer crime. In 1985 Ottawa made altering or interfering with computer records a criminal offence.

Meanwhile, it amended the Criminal Code to include a new category of computer fraud. Spokesmen for the U.S. National Security Agency announced last April that the agency planned to replace a coding system that is used for communication between the defence department and defence contractors. Washington is also upgrading computer communication lines between government offices and major U.S. banks in an attempt to protect them from electronic invaders.

At the same time, North American police forces have been upgrading the

skills needed to fight computer crime. In Canada, most major police forces send officers to the Canadian Police College in Ottawa for training in computer crime investigation, according to RCMP Sgt. André Rodrigue, co-ordinator of the five-year-old course. The month-long course will be available to 54 officers this year, but, said Rodrigue, “we are not filling 50 per cent of the requests.” And, he added, rapid technological changes practically

ensured that in most computer crime investigations, “the police are trailing.”

Theft: Indeed, legal observers note that the information technology revolution has generated thorny new legal issues—among them, where to draw the line on rights to intellectual property—valuable information or ideas that cannot be protected by existing patent or copyright laws. They note that an emerging appreciation of intellectual property underpinned the November convictions of Stonehouse and Bryan, two employees who were found guilty of attempting to steal secrets from Carrier Canada Ltd. And in a decision that is expected sometime this year, the Supreme Court of Canada could determine that concept’s grounding in law. In that case, the court must decide whether Wayne John Stewart, a union consultant, was proposing a theft when he advised an employee of a Toronto hotel to make a copy of the hotel’s staff list. Whatever the judges decide, the influence of the computer is clear: a machine that has forged society-wide changes offers new methods for committing crime—and in many instances is even altering the definition of crime itself.

— CHRIS WOOD with correspondents’ reports