Biwer.net

CHAPTER IV

RESULTS

Introduction

As stated in chapter one, the outcomes for this study were: increased awareness of state and federal laws regarding computer crime and abuse, and increased awareness of the numbers and types of problems that have been reported.  A further outcome is a measure of Twin Cities area midrange users' familiarity with computer laws and possible violations in their organizations.  Lastly, increased awareness of methods to minimize the problem of computer crime and abuse.  A final outcome is the list of recommendations to reduce the risk of computer crime and abuse.

Chapter two addressed the first two items, increased awareness of state and federal laws regarding computer crime and abuse, and increased awareness of the numbers and types of problems that have been reported.  Chapter two contains information relating to current law and violations of the law.  Chapter four will provide additional details relating to the desired outcomes.  A major portion of this chapter is devoted to the results of the survey and interviews.

Literature Review

The literature review did not reveal any information directly relating the IBM AS/400 with computer crime and abuse.  The review did present categories and examples of computer crime and abuse, descriptions of the laws covering the subject, the financial impact of computer crime and abuse, as well as technical information describing the implementation of AS/400 system security.

An interesting discovery was the periodical, 2600, The Hackers Quarterly.

This publication is targeted at those interested in the unauthorized use of telephone systems, long distance carriers, voice mail systems and computer systems.  The magazine, published since 1984, lists information on 2600 meetings that are held monthly throughout the United States and in five foreign countries. In Minnesota, the first Friday of the month from 5-8pm, local hackers meet at the Mall of America, north side food court, across from Burger King and the bank of pay phones that don't take incoming calls.   Members of 2600 and other shoppers are not allowed to accept collect calls on pay phones.

A recent 2600 article and letters to the editor have discussed ways of bypassing Microsoft Windows password protection.  Another letter to the editor gave the user ID for the security officer for all AS/400 systems.  If password protection is activated, and the required password is known, the security officer has complete control over the resources of the AS/400, including the operating system, application software and data files.  During the summer of 1994, between 1,000 and 1,500 people attended a hacker conference, HOPE, in New York City. The event was designed to share information about hacking and about technology (Goldstein, 1994 a). 

Interviews

The interviewees for this thesis were given a written copy of the questions before the interview.  Most interviews were held face-to-face, while those interviewees living outside of the Twin Cities were interviewed over the telephone.  The conversations were not recorded on tape; however, notes were taken as the primary means of documentation.  Follow-up questions were asked.

The highlights of the interviews are presented here.  The following section summarizes interviews with three law enforcement officials.

The director of the University of Minnesota Police Department (UMPD) commented that the 'U' has had problems with pirated software, misuse of the Internet, stolen passwords, scanning of possible obscene material and stalking via computer.  The financial investigator for the Hennepin County Sheriff's (HCS) office said that while the Midwest lags behind the east and west coasts, his office has had encounters with computer hackers, abuse of telephone systems including fax machines, voice mail and unauthorized long distance calling.  The HCS representative noted that some phone hackers changed the outgoing greeting and instructional messages on a voice response unit, voice mail, of a Burnsville company.  The greeting involved inappropriate language by community standards.  The chief of the Eden Prairie Police Department (EPPD) noted there have been very few local examples of computer crime or abuse.  The Eden Prairie chief did mention a 1993 case involving an IBM employee, living in Eden Prairie, who was charged with using electronic mail for solicitation of sex from a child living in Eden Prairie.

The EPPD chief believes that computer crime and abuse is a problem, although he has not noted any recent trends.  The HCS investigator noted that there have been too few cases, too small a group to notice any trends, patterns or recent changes.  The investigator believes that theft or misuse of cellular phones and cellular service will become a problem here.  The UMPD chief noted that the cases she was familiar with were unrelated and saw no apparent trends.  She also reported that the laws most frequently broken were theft, copyright violation and harassment.  She stated, and others concurred, that non-computer laws are often used for cases appearing to be violations of computer crime and abuse laws.

The HCS representative believes it was difficult to determine which laws were most frequently violated, and that theft and damage to property laws were commonly used in his area.  The EPPD chief agreed that other, non-computer laws are often used.  He cited a case where a recent e-mail violator was charged under the sex crime statutes.

None of the law enforcement officials were able to comment on conviction rates. In general, they said it was difficult to determine, because there were so few cases and because their offices normally do not use conviction rates.  Conviction rates are used by prosecuting attorneys as a measure.

All three agreed that many violators go undetected.  The Hennepin County investigator said so little is reported in Minnesota and that it is tough to quantify.  He did mention a 1990 Omni magazine that estimated only 11% of computer crime was being reported.  The Eden Prairie representative said this is a typical "tip of the iceberg" situation, with 90% of the crimes going unreported.  The University of Minnesota representative concurred that there is a great deal that goes undetected and not prosecuted.

The UMPD chief said that her staff was more familiar with the state laws covering computer crime and abuse.  She mentioned that everyone should have basic computer skills, especially personal computer knowledge.  She said that the prosecuting attorneys are very familiar with the computer related statutes.  The EPPD chief said that every police department either has or has access to one or two computer technicians.  He also said that few classes are available and that there is a need for additional training.

Concerning the current laws, the UMPD official felt that portions of the Minnesota laws may be confusing to police officers and prosecutors.  The EPPD spokesman said that often laws lag behind technology.  The sheriff's investigator commented that the current laws are not adequate.  He felt that portions of the current law should be strengthened.  He said that some of the actions currently covered are classified as misdemeanors.  He suggested changing them to gross misdemeanors or felonies.  The chief of the EPPD said that penalties may not be adequate.

None of the local officials interviewed knew of any computer related crime involving the IBM AS/400.

In investigating the procedure for obtaining the names of any local victims, the HCS representative stated the correct procedure would be to approach victims through the court system.  He was not aware of any currently in Hennepin County.  The others stated that after a case is charged and disposed by court, the names of victims would be available in most cases.

The HCS official said that he does not have a database to retrieve information about white-collar or computer crime.  He said that other agencies do have automated tracking and retrieval systems.  The Eden Prairie police department uses a terminal linked into a State of Minnesota system assisting the tracking and reporting of cases.

The University of Minnesota has a number of systems available; most are a product of another agency or a purchased software package or service.  The UMPD chief said the reporting systems could offer a database for retrieving categories of crime, if the data was properly coded.  She mentioned that most agencies are required to file an annual report of criminal activity with the United States Department of Justice.  The federal government tracks and summarizes crime statistics on a national level.  A case management tool, CAPERS, is used by the University Police Department to track cases.  She noted that the Minnesota Bureau of Criminal Apprehension (BCA) also has a state reporting system.  The UMPD chief also mentioned the availability of international law enforcement networks used for communicating and tracking.

When asked about steps organizations can take to minimize exposure to computer crime and abuse, the HCS representative said that it is important to know your systems, and to understand the capabilities and limitations of the operating system and application software.  He commented that system managers should know what is normal.  Anything outside of the normal ranges should be investigated.  He said that some systems are so complex that organizations may not know if there is a problem.  The EPPD chief expressed that it is important to protect networks, to do background checks on employees that are involved with sensitive or financial data and to establish a system where people are assigned the responsibility to monitor the system.  He also stressed the importance of having outside agencies audit organizations on a regular basis.

The three interviewees said that it is very common to use traditional, non-computer related laws as a basis of charging violators.  The HCS spokesman noted an improved educational process is needed to ensure that law enforcement officers, prosecuting attorneys and judges understand the laws and the technologies involved.

The EPPD chief said that almost everyone involved in the criminal justice system, from the police departments to the juries, finds traditional laws easier to understand, more convenient and less threatening than legislation related to technology.  He felt that it is often easier to explain to judges and juries concepts such as theft, harassment or property damage, than to try to explain and get deeply involved in some of the technical complexities of newer laws.

The following section summarizes interviews held with two authors.

The AS/400 was designed, developed and is manufactured in Rochester, Minnesota.  Wayne Evans was an employee of IBM in Rochester, Minnesota for 27 years.  In 1991, Mr. Evans took an early retirement from IBM.  He has moved to Arizona and is now working as an independent consultant.  Mr. Evans writes security articles and a monthly column for Midrange Computing magazine.  He has authored a series of video tapes specializing in AS/400 security.  Wayne Evans is considered to be one of the leading AS/400 security experts in the world.

Wayne Evans (W. O. Evans, personal communications, July 16, 1995) was not aware of any examples of computer crime and abuse in Minnesota; however, he was aware of two examples, both occurring in the state of New York.  Both examples involve a crime committed by employees that had internal access and system knowledge.  There has been little, if any, media coverage of the following AS/400 examples.

The first example occurred in 1989 at a large hospital in New York. An application programmer planted a 'time bomb' in the custom written RPG/400 payroll program.  The program was designed to run payroll only if the programmer was on the payroll file.  The programmer was fired.  The programmer took the source code with him.   The hospital did not have adequate backup tapes, so it was unable to run the payroll system for any employees.  Mr. Evans believed that the hospital did not want to publicize the incident.  Mr. Evans did not have information regarding the prosecution of the individual.  Later, the programmer applied for a job with IBM and was denied.  The programmer is now living in Florida.

The second case is still under litigation.  Within the past nine months, an employee of a major New York bank was prosecuted for accessing and using credit card and personal identification numbers, contained in an AS/400 file, of many of the bank's clients.  The FBI investigated the case.  The bank also hopes to minimize publicity.  Mr. Evans did not have any other details as the case is still open.

Wayne Evans was not aware of any trends, patterns or recent changes involving computer crime and abuse.  He was not aware of conviction rates in this area.  Mr. Evans feels that 75% of computer crime and abuse is undetected.  He has not testified in court, but has advised IBM attorneys on patent cases.  Evans feels that the current laws are adequate.  He was not sure if prosecutors frequently use "traditional", non-computer related laws as a basis of charging violators.

Mr. Evans suggested methods of minimizing exposure to computer crime.

Most of his suggestions were incorporated into the recommendations section.  While most AS/400 sites use level 30 security, Evans suggests using the more secure level 40.  He mentioned that all companies should have a formal security policy.  According to Evans, less than 50% of AS/400 installations have a written security policy.  He suggested that we often place too much trust in our employees.  He said that often programmers have full, public access to production libraries that contain the actual programs and data that are in use by the organization.  He feels this should be restricted.  Most programmers only need access to test libraries.  Evans said that most unauthorized AS/400 access is made using QSRV, an IBM-supplied user ID and password for IBM customer engineers and support staff.  He suggested changing the passwords of all IBM-supplied user IDs at the time password security is implemented and then routinely changing all passwords.  Wayne also said that security auditing via journalizing is a good deterrent.  This process logs the use and attempted use of the system.  He commented that getting and keeping a good staff is very important.

The factory default AS/400 log on screen does not display the name of the organization.  Wayne Evans commented on one case where a hacker dialed into a bank and received a log on screen that contained the name of the bank.  The hacker was not able to sign on; however, he told the press that he had broken into the bank computer, when he had only seen the name of the bank on the log on screen.  The bank received negative publicity as a result of the incident.  Mr. Evans suggested not modifying the log on screen to include the name of the organization.
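The recommendations in the two paragraphs above can be checked mechanically.  The following is an added example, not part of the original thesis and not IBM code: it audits a configuration snapshot for the security level, auditing, IBM-supplied passwords, production library access and the log on screen.  The snapshot layout, the sample data, the 90-day password age and every profile name other than QSRV are assumptions.

```python
# Added example (not from the thesis): audit a configuration snapshot against
# the recommendations attributed to Wayne Evans. The snapshot layout is hypothetical.
from dataclasses import dataclass

# QSRV is named on the page; the other IBM-supplied profile names are added here.
IBM_SUPPLIED = {"QSECOFR", "QSRV", "QSRVBAS", "QSYSOPR", "QPGMR", "QUSER"}
MAX_PASSWORD_AGE_DAYS = 90  # assumption: the page says "routinely", no number

@dataclass(frozen=True)
class Finding:
    code: str
    subject: str
    detail: str

def audit(snapshot):
    out = []
    sysval = snapshot["system_values"]
    level = int(sysval["QSECURITY"])
    if level < 40:
        out.append(Finding("SECLVL", "QSECURITY", f"level {level}, 40 recommended"))
    if sysval.get("QAUDCTL", "*NONE") == "*NONE":
        out.append(Finding("NOAUDIT", "QAUDCTL", "security auditing is off"))
    for p in snapshot["profiles"]:
        if p["name"] in IBM_SUPPLIED and p["shipped_password"]:
            out.append(Finding("DFTPWD", p["name"], "shipped password never changed"))
        elif p["password_age_days"] > MAX_PASSWORD_AGE_DAYS:
            out.append(Finding("PWDAGE", p["name"], f"{p['password_age_days']} days old"))
    for lib in snapshot["libraries"]:
        # "Full, public access" to production is read here as *ALL or *CHANGE.
        if lib["role"] == "production" and lib["public_authority"] in ("*ALL", "*CHANGE"):
            out.append(Finding("PRODLIB", lib["name"], f"public {lib['public_authority']}"))
    org = snapshot["organization"].strip().lower()
    if org and org in snapshot["signon_text"].lower():
        out.append(Finding("BANNER", "sign-on screen", "names the organization"))
    return out

# Constructed sample data: a site with the weaknesses the chapter describes ...
WEAK = {
    "organization": "Example Bank",
    "signon_text": "EXAMPLE BANK - Sign On",
    "system_values": {"QSECURITY": "30", "QAUDCTL": "*NONE"},
    "profiles": [
        {"name": "QSRV", "shipped_password": True, "password_age_days": 2000},
        {"name": "QSECOFR", "shipped_password": False, "password_age_days": 30},
        {"name": "JSMITH", "shipped_password": False, "password_age_days": 400},
    ],
    "libraries": [
        {"name": "PAYPROD", "role": "production", "public_authority": "*ALL"},
        {"name": "PAYTEST", "role": "test", "public_authority": "*ALL"},
    ],
}
# ... and the same site after applying the recommendations.
HARDENED = {
    "organization": "Example Bank",
    "signon_text": "Sign On",
    "system_values": {"QSECURITY": "40", "QAUDCTL": "*AUDLVL"},
    "profiles": [dict(p, shipped_password=False, password_age_days=30) for p in WEAK["profiles"]],
    "libraries": [dict(lib, public_authority="*EXCLUDE") for lib in WEAK["libraries"]],
}

if __name__ == "__main__":
    for name, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, [(f.code, f.subject) for f in audit(snap)])
```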

Evans commented that the increasing popularity of personal computers, most sold with internal modems, will increase exposure for abuse and security problems for midrange and mainframe computer systems.

JJ Buck BloomBecker is the director of the National Center for Computer Crime Data (NCCCD) in Santa Cruz, California.  The non-profit center was established in 1978 originally as a resource for attorneys in the state of California, primarily for those in the Los Angeles area.  Mr. BloomBecker is a nationally recognized author, speaker and general practice attorney.  His position at the NCCCD is part-time.  Buck BloomBecker is one of the top computer crime authors in this country.

Mr. BloomBecker was not aware of any major cases of computer crime or abuse in Minnesota.  He had heard of a possible case involving Pillsbury, but he did not have any details, as it was second or third hand information.   BloomBecker did not know of any cases involving the AS/400.

BloomBecker offered three suggestions for preventing computer abuse.  Mr. BloomBecker said that "good management is good security" (B. BloomBecker, personal communications, July 18, 1995).  His point was that if management listens to employees, communicates with them on a timely basis and treats them fairly, many internal problems can be minimized.

Buck BloomBecker mentioned a case where an employer had a history of not paying his employees on time.  One employee complained about this many times.  The management would not listen or react.  Finally, the disgruntled employee destroyed the payroll master files.  The case may have been prevented if the management of the organization treated employees fairly and attempted to pay them on time (B. BloomBecker, personal communications, July 18, 1995).

Mr. BloomBecker suggested doing a risk analysis when looking at computer crime and abuse.  Disk crashes, natural disasters, fires or hackers can damage or destroy computer programs and data files.  Having current backup copies of programs and data was offered as a method of preventing problems.  He also suggested that personal computer users routinely run a virus detection program or avoid behavior that would lead to a possible virus.

The third suggestion for prevention was using and changing passwords.  Mr. BloomBecker said that passwords are not always effective, but they should be used.

Mr. BloomBecker thinks that the Internet is a growing area for potential problems in the future.  BloomBecker said that the only changes to the statutes he would recommend would be to define what is appropriate communication in cyberspace. He feels that there is a strong market for Internet related security products at this time.  He also commented that the felony sections of the California computer crime law count for the first two of their "three strikes and you're out" law which requires prison time for repeat offenders.

Other observations by JJ Buck BloomBecker include: most cases of computer crime come from within an organization.  The greater threat comes from employees, past and present, that have knowledge of the systems and procedures. Hackers from the outside may do damage, but they may have to spend time learning what is on the system.  BloomBecker, similar to Evans, thought that 75% of computer crime is undetected. 

Survey

On Saturday July 22, 1994, I mailed 120 surveys to non-vendor members of QUSER, the Twin Cities IBM AS/400 users group.  The initial mailing contained a cover letter, a six page survey with multiple choice or short answer questions and a postage paid return envelope.  The return envelopes were labeled with a sequential number to identify the source of the returned survey.  This was used to determine the mailing list for reminder notices.  As of September 8, 1994, 57 surveys (47.5%) had been returned.  A reminder postcard was mailed to those that had not responded as of August 11th.   Only two surveys were returned after August 11th.  The appendix contains a sample cover letter, survey and spreadsheets used to track the survey response.

The highlights of the survey are presented here.  Chapter five discusses the results of the survey.  The survey showed:

Familiarity with the law

- Less than 20% of the non-vendor members said they were familiar with state or federal laws dealing with computer crime and abuse.

AS/400 security environment

- More than 89% said they have changed three or more security system values.

- 74% have a system security value of '30' [password required and resource security utilized].

- Less than 30% are using security auditing.

- 91% of those responding said their AS/400 is connected to an uninterruptible power supply (UPS), and 89% said that their AS/400 is housed in a limited access computer room.

- 60% of the sites responding are audited at least yearly.   An equal number have published policies or guidelines.

- Over 87% felt they had adequate off-site backups.

Threat perception

- 34% felt they had inadequate protection against internal threats, while 12% felt they had inadequate protection against external threats.

- Over 86% felt that the greatest threat comes from internal sources.

- Over 28% were unsure if unauthorized computer use was a threat.

- Almost 30% felt that PC viruses were a threat. 28% were unsure.

Remote access

- 75% allow personal computer modem access to the AS/400.

Past problems

- About 16% felt they had been a victim of computer crime and abuse.  Almost 11% were not sure.

- About 17% reported having past problems with unauthorized software use, duplication or theft.  16% reported past problems with hardware theft.

- Over 16% said they have had a problem with personal computer viruses in the past.  25% were not sure.

Demographic information

- 85% of those responding had more than ten years of experience.

- 67% were college graduates.

- 69% have the title of MIS manager/director.

This chapter presented the results gathered from the literature review, interviews and survey.  Chapter five provides summary discussion and recommendations for preventing computer crime and abuse.
