CHAPTER II
LITERATURE REVIEW
Introduction
Changes in technology have resulted in corresponding changes in white-collar crime in the United States during the past two decades years. Computer crime was
rare twenty years ago, primarily because there were fewer computers. Personal computers were not invented, mid-range computers were becoming more affordable and popular. Computer technology, performance and capacity have changed drastically. Computers are becoming more accessible. With the advent of less expensive personal computers and the popularity of using telecommunications to access other computers via high-speed modems, society is faced with the challenge of computer crime and abuse. This literature review focuses on computer security, crime and abuse. The area of IBM AS/400 security is of special interest.Dollar Impact
The National Center for Computer Crime Data conservatively estimated the cost of computer crime at approximately one billion dollars a year, if the salaries of the
930 years worth of personnel time spent fighting it are included. In one 1988 case, Herbert Zinn, Jr., then age sixteen, used a modem to copy $18,000 worth of programs, developed by AT&T for the U.S. Missile Command in Burlington, North Carolina to his computer in Chicago. Less than a week later, Zinn stole a $1,000,000 artificial intelligence program from the R&D section of Bell Labs in New Jersey by first logging on to a Bell Labs site in Illinois to obtain access to the New Jersey system. (BloomBecker, 1989).North American software companies lose an estimated one billion dollars annually from illegal copying of copyright protected software (Sussman, 1993).
Another source estimated that software piracy is a five billion dollar a year problem (BloomBecker, 1990). Mike Meyers, a writer for the Minneapolis Star Tribune, estimated that between seven and twelve billion dollars per year is lost to software bootleggers (Meyers, 1994 a). In a recent local case, Aaron Y. Chung, a University of Minnesota student, was charged with possessing more than 7,000 bootleg programs, valued at more than one million dollars and perhaps as much as five million dollars. (Meyers, 1994 b).Computer data, thousands of files, including at least 20,000 credit card numbers, were stolen over a two year period by a 31-year-old computer expert, Kevin
Mitnick. The value of the stolen information was estimated at a minimum of one million dollars (Sullivan, 1995). A U.S. attorney remarked that Mitnick "had access to corporate trade secrets worth billions of dollars" ('Most-wanted' hacker nabbed, 1995, p. 24A).Desktop computers are used by cellular phone pirates to "burn" codes into microchips with electronic serial numbers obtained from scanner radios. The microchips are then used in cloned phones to steal cellular phone service. In a recent
Los Angeles case, the U.S. Secret Service disbanded a ring that had allegedly cloned more than 5,000 phones and reaped more than $50 million in stolen service.Nationally, cellular theft has been estimated at close to a half billion dollars a year, with some consultants estimating the loss at almost $1 billion a year. Cellular theft may not be considered a computer crime, however computers are an important tool in the commission of cellular theft. Cellular theft is growing faster than the industry itself (Naik, 1995).
Example Cases
Examples of computer crime and abuse appear in the media on a weekly basis.
The examples cited are intended to give a brief overview of some typical cases
encountered during this review.Cliff Stoll, a former astronomer turned systems manager, discovered a 75-cent system accounting error at the Lawrence Berkeley Lab. This later alerted him to the
presence of an unauthorized user in his system. Stoll became involved in tracking this hacker with little assistance from the government authorities. After many months, Stoll did receive some help from local, national and international government agencies. Over a year after discovering the 75-cent accounting error, authorities arrested an international spy ring that was breaking into numerous computers used by the military, research universities and commercial companies involved with the military. It is believed that those arrested were stealing military related computer information to be sold to governments and special interest groups that are not closely aligned to the United States. (Stoll, 1989).In 1987 it became apparent that Volkswagen, a West German auto manufacturer, was a victim of what is probably the largest computer crime in history.
Few details are known about the fraud which took place in 1984. Volkswagen lost an estimated $260 million in an incident that entailed tampering with computer programs and the erasure of magnetic storage tapes. It is known that Volkswagen terminated the head of its foreign exchange department and suspended four other employees, including the heads of the financial transfer department and the cash and currency clearing sections (Forester & Morrison, 1990).In 1979, Stanley M. Rifkin, a computer consultant to Security Pacific National Bank, was convicted of transferring $10.2 million to a Swiss bank account. Mr. Rifkin
was sentenced to eight years in prison (Betts, 1995).Donald G. Burleson, a systems analyst and computer operations manager for an insurance company, was convicted in 1988 of planting a virus-like 'time bomb' program that deleted 168,000 records of sales commissions at the company. The bomb was triggered two days after Mr. Burleson was fired from the company.
Burleson was sentenced to seven years probation and ordered to pay $11,800 in restitution (Betts, 1995).In a related 1985 case, a Minneapolis programmer was charged with extortion after threatening to trigger a 'time bomb' in his firm's computer system unless he
received $350 per week until he found a new job. Similar examples include a Washington, DC government financial analyst charged, in 1986, with changing the password to the Treasurer's office computer and then refusing to tell his superiors because he did not agree with their policies. In 1987, an Ontario employee was charged with planting a 'logic bomb' in the company's computer which was designed to erase the entire system on a certain date. The employee was unhappy about a delayed salary increase (Forester & Morrison, 1990).A Long Island, NY university data center manager and his assistant were found guilty of using the school's computer to provide computer services to private
businesses. The pair collected fees amounting to $53,000 from one client alone (Betts, 1995).Medford, MA police officer John McLean's area of responsibility includes cyberspace. Officer McLean uses his computer and traditional methods to track down
child molesters, rapists and stalkers who prowl the on-line services for victims. In three years, officer McLean has assisted with a dozen cases in the state of Massachusetts. In March 1994, police arrested John Rex Jr., an engineering student who operated a computer bulletin board. A teen who dialed into the system told police that Rex, then 23, tried to entice him into kidnapping a young boy. Prosecutors say that Rex discussed plans to sexually abuse, kill and even eat the victim. Rex pleaded innocent to a dozen charges (Larrabee, 1994).In a Middlesex County, MA case, Michael Austin, a maintenance worker with a history of sexual assaults, used computer conversations to befriend boys and coax them into face-to-face meetings. Two boys were raped. Austin, 34, was convicted and is currently serving a 20-year prison sentence (Larrabee, 1994).
Medford, MA police raided the home of Alden Baker Jr., 44, a businessman suspected of rape. Police found computers, camera equipment and high-resolution video monitors. Federal authorities say that Baker operated a computer network that
transmitted child pornography. Baker pleaded innocent (Larrabee, 1994).In April 1994, a 19-year-old Texas college student was charged with using his computer to send death threats over electronic mail to President Clinton (Larrabee, 1994). A Minnesota teen used his personal computer fax modem to send threatening
letters to the TV news anchors in the Twin Cities area ("Teen charged", 1994).In July 1994, a Tennessee jury convicted a married couple of distributing pornography via a computer. Robert and Carleen Thomas, both 38, of Milpitas, CA,
were convicted of eleven counts each of interstate transmission of obscenity via their members-only computer bulletin board service. The trial was held in Memphis because sexually explicit computer images were received there by a postal inspector's computer. The defense attorney plans to appeal the decision. The case may be heard by the Supreme Court ("Pair Guilty", 1994).Legal Environment
Computer crime and abuse have caused our legislative bodies and court system to expand some of the older laws to include computer related crimes (Van Duyn, 1985). To supplement these laws, the federal government and most states have passed
computer crime laws. Congress passed the federal Computer Fraud and Abuse Act in 1984. This law made it a federal crime to take anything of value by unauthorized use of a federally owned computer. The law also covered fraud, abuse, information theft and illegal access. The federal law allowed for penalties of up to a year in jail and fines of $5,000 or twice the value of the stolen service or damage (Perry, 1986). The 1984 act did nothing to outlaw unauthorized access to privately owned computers (Baker, 1991).In 1986, the federal law was strengthened. The 1986 law protects against access with intent to defraud, access resulting in more than $1,000 loss, and access to certain medical computer systems. It also prohibits trafficking in computer access
passwords. The 1984 bill lacked coverage of computers operating in interstate commerce. The updated 1986 law now affects interstate commerce (BloomBecker, 1986). The 1986 bill also covers "federal interest" computer systems, including any computers used to process data for the government or its contractors. Federally regulated financial institutions, including banks, savings institutions and stockbrokers are now covered by this act (Baker, 1991).In 1982, Minnesota became one of 47 states to enact a state computer crime law. The first state computer laws were passed in 1978, while most states enacted laws in the 1980's. By 1986, only Arkansas, Vermont and West Virginia had not
passed computer crime laws. Under the current state laws, the class of crime, felony or misdemeanor, depends on the nature of the crime. Often it is determined by a dollar value. The specific acts forbidden by state laws vary by state. The most common areas covered are access or use, tampering, disclosure and distribution. (BloomBecker, 1986). The National Center for Computer Crime Data in Santa Cruz, California publishes detailed information in this area. The "Computer Crime Law Reporter" also produced a table summarizing computer laws by state (BloomBecker, 1989).DeMaio (1992) noted that, "a wide variety of local, state, provincial, national,
international laws, standards, and agreements have been passed relating to information and information resources". He further stated that the subject areas include: "personal privacy, computer crime, national security, environmental protection, occupational safety and health, fair credit practices, fair employment practices and labor regulations, copyright and intellectual property rights, telecommunications law, libel and defamation, freedom of information, freedom of speech, financial disclosure and generally accepted accounting practices, and insider trading and other securities regulations" ( p. 205 ).In Minnesota, it is a crime to damage a computer system or software. Also, it is an offense to intentionally alter a computer system without authorization. It is a crime to gain unauthorized access to obtain services or property or to deprive an owner of computer assets (Baker, 1991). The Minnesota code also covers the distribution of destructive programs. The law has both misdemeanor and felony classes with a maximum ten year imprisonment and $50,000 fine (BloomBecker, 1989).
Prosecutors use computer crime and abuse laws in addition to traditional, white-collar crime laws. Telecommunication law was the basis for convicting a
California married couple of interstate transmission of obscenity (Goldstein, 1994 b). Kevin Mitnick was charged with illegal telephone access as well as computer fraud. Mitnick used a modem connected to a cellular phone to steal computer data ("Most-wanted hacker", 1995).Recently, the Senate approved a measure that prohibits sending indecent material, in any form, including text and images, over the Internet computer network
and restricts children's access to on-line services. The legislation was designed to overhaul the nation's telecommunications laws (Senate targets porn on Internet, 1995). Daniel Pearl (1995) states that "on-line services are bracing for a government crackdown against smut on the Internet-even though nobody's quite sure if the Net can be regulated" (p. 1B).The Internet may face additional legal problems in another area very soon. The Internet recently began offering offshore gambling via the new Internet Casino.
The casino offers digital blackjack, poker, slot machines and other games. Users of the cyberspace casino may be in violation of current laws. Legal jurisdiction questions have risen in regard to which laws, federal or state, may be applicable. On-line services, including the Internet, have and will continue to pose a challenge to the laws currently on the books. Technological changes may serve as a catalyst forcing legislators to strengthen laws that are becoming outdated (Betts & Anthes, 1995 ).Recently, it was reported that uncivilized behavior by some newcomers to the Internet and other on-line services, have caused some longtime users to stop using the
computer services or to avoid news groups or chat rooms where specialized topics are discussed. Some longtime expert users say untrained newcomers are making discourse impossible by flooding the chat lines with naive questions or silly comments, disbursing inaccurate information and taking a hostile, abusive attitude to anyone they disagree with (Chao, 1995) .Freedom of speech laws may be stretched by some fringe groups using on-line services. On-line services offer fast, low-cost communications and large diverse
audiences, both positive and negative in nature. Recently the National Alliance, a white supremacist organization, asked supporters to oppose welfare mothers, homosexuals, Jews, illegal aliens and "minority parasites" (Sandberg, 1994).The Cyberspace Minuteman bulletin board has areas devoted to white/Aryan issues, Klan news and a graphics file area where users can view Klan emblems and demeaning cartoons about blacks and Jews. The Simon Wiesenthal Center has estimated at least 50 hate groups of the 250 they monitor, communicate on-line. Other experts believe the number of hate groups using on-line services to be much higher (Sandberg, 1994).
Categories of Computer Crime and Abuse
The literature review revealed many examples of computer crime and abuse.
Many authors tend to group the activities into categories based on the type of damage
The National Center for Computer Crime Data lists the types of computer crime as money theft, information theft, damage to software, malicious alteration,
deceptive alteration, theft of services, harassment, extortion, trespassing and damage to hardware (BloomBecker, 1989). Other authors use categories with less formal names to describe types of computer crime. Richard Baker noted three major groups with each having sub-categories. "Spies and snoops" consists of scavenging, leakage, piggybacking, impersonation and wiretapping. His "data manipulators" group contains data diddling, the salami technique, the super zap, asynchronous attacks, simulation and modeling. The "retribution and damage" category contains the Trojan Horse, trap doors and logic bombs or time bombs (Baker, 1991). The colorful terms used by Baker may be considered slang that describes programming techniques. These techniques when used may lead to theft or damage of hardware, software, data or services. Two other terms, virus and worm, were noted by many authors (Forester & Morrison, 1990). These terms, usually associated with personal computers, are malicious programs that may alter or delete data or programs. Other sources used categories and terms similar to those listed by Baker, Forester and Morrison.Who Commits Computer Crime and Abuse?
The readings have shown that anyone, with sufficient access, knowledge and motivation,
has the potential to commit computer crime and abuse. There was very little
literature available that studies the violators as a group. Some articles give
interesting background information on individuals involved in certain crimes.
The National Center for Computer Crime Data (NCCCD) stated that "computer crime is
Table 1 Age
Distribution of Computer Crime Arrestees
To be added
(BloomBecker, 1989, p. 27)
The occupations of the 1988 sample included, 26% students, 26% employees with computer access, 19% unemployed or criminal, 10% computer related
occupation, with 6% for each of the three groups, ex-employees, accomplices and members of law enforcement.In the same report, the NCCCD reported that 36% of the victims were commercial users, 17% telecommunications, 17% government, 12% banks, 12% individuals
and 4% universities.The dollar value of the computer crimes in the 1988 were estimated in the following table.
Table 2 Estimated
Dollar Loss per Computer Crime Incident
To be added
(BloomBecker, 1989, p. 28)
For the California arrests, 71% were convicted, 14% dismissed by the court and 15% dismissed by the district attorney (BloomBecker, 1989).
Hardware/software factors
The vast majority of the literature examined did not discuss the names of the hardware and software manufacturers used in the computer crime and abuse cases and none mentioned the IBM AS/400 specifically. The IBM System/38, the predecessor to the AS/400, was cited in a 1988 case. Personal computers and PC based local area networks were mentioned in many articles and books. Computer viruses are usually associated with personal computers. Personal computers and AS/400's have different operating systems. The AS/400 was designed as a multi-user system with substantial security. Personal computers were originally designed as a single-user system with minimal security. Personal computers have become more powerful, with additional security methods available, especially for a network of personal computers.
The literature surveyed did not present a summary relating to the involvement of telecommunications in the committing of computer crime and abuse. Most of the recent cases referenced in this thesis involve telecommunications, and in most cases, the use of a personal computer to access another computer at a remote location.
IBM AS/400
The AS/400, introduced June 22, 1988, was designed to be a multi-user computer system, primarily for non-scientific, business applications. Typical business applications may include accounting, manufacturing and distribution. Over 350,000 systems have been installed world-wide (W. O. Evans, personal communications, July 16, 1995). The AS/400 is available in many configurations, including both a small portable unit and large systems designed to handle large, mainframe applications.
Many former mainframe users have downsized to the AS/400, while large, personal computer based, local area network (LAN) users often move up to the AS/400.
A large amount of security related literature is available concerning the AS/400 family of computers (Lundgren, 1995). International Business Machines offers printed manuals and CD-ROMs that discuss the security related system values and commands (Radding, 1994). Magazines targeted to AS/400 users offer periodic tips and techniques on how to optimize system security to minimize the threat of computer crime and abuse (Evans, 1995 a). Some recent articles were designed to explain the new features added to the latest version of the AS/400 operating system, OS/400 (Heidelberg & Woodbury, 1994). Wayne Evans developed a series of video tapes designed to explain all aspects of AS/400 security (Evans, 1994 a). Evans, a semi-retired, 27 year IBM employee, is a nationally recognized security expert for IBM mid-range systems. Most of the AS/400 literature is technical and is designed for professionals with AS/400 experience (Evans, 1993). The AS/400 is a very secure system however, many sites do not use the OS/400 security features (Lundgren, 1995).
The literature reviewed covered computer crime, computer security and the IBM AS/400. This review was unable to find any literature that addressed computer crime or abuse involving the AS/400. The next chapter discusses the methodology.
