Information Systems Security
COMPUTER FRAUD AND ABUSE TECHNIQUES
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
6.1 When U.S. Leasing (USL) computers began acting sluggishly, computer operators
were relieved when a software troubleshooter from IBM called. When he offered to
correct the problem they were having, he was given a log-on ID and password. The
next morning, the computers were worse. A call to IBM confirmed USL’s suspicion:
Someone had impersonated an IBM repairman to gain unauthorized access to the
system and destroy the database. USL was also concerned that the intruder had
devised a program that would let him get back into the system even after all the
passwords were changed.
What techniques might the impostor have employed to breach USL’s internal
security?
The perpetrator may have been an external hacker or he may have been an employee with
knowledge of the system.
It seems likely that the perpetrator was responsible for the sluggishness, as he called soon
after it started. To cause the sluggishness, the perpetrator may have:
Infected the system with a virus or worm.
Hacked into the system and hijacked the system, or a large part of its processing
capability.
To break into the system, the perpetrator may have:
Used pretexting, which is creating and using an invented scenario (the pretext) to
increase the likelihood that a victim will divulge information or do something they
would not normally do. In this case, the perpetrator pretended to be an IBM software
troubleshooter to get a log-on ID and password.
Used masquerading or impersonation, which is pretending to be an authorized user to
access a system. This was possible in this case once the perpetrator obtained the log-on
ID and password. Once inside the system, the perpetrator has all the privileges attached
to the user ID and password given to him.
Infected it with a Trojan horse, trap door, logic or time bomb, or some other
malware.
Made unauthorized use of superzap, a software utility that bypasses regular system
controls.
6-1
, Information Systems Security
What could USL do to avoid these types of incidents in the future?
Determine how the perpetrator caused the sluggishness and implement the controls
need to prevent it from happening again.
Conduct a complete security review to identify and rectify and security weaknesses.
Only reveal passwords and logon numbers to authorized users whose identities have
been confirmed. When someone calls and indicates they are an IBM employee, verify
their identity by calling IBM back on their known and published service number.
Even better would be to call and talk to the IBM representative assigned to USL.
Provide employee training aimed at helping them not fall victim to the many forms of
social engineering.
After providing outsiders with temporary user IDs and passwords, block their use as
soon as the need for them is passed.
Other control considerations that could reduce the incidence of unauthorized access
include:
Improved control of sensitive data.
Alternate repair procedures.
Increased monitoring of system activities.
6-2
, Information Systems Security
6.2 What motives do people have for hacking? Why has hacking become so popular in
recent years? Do you regard it as a crime? Explain your position.
Hacking is the unauthorized access, modification, or use of an electronic device or some
element of a computer system. Hacking represents illegal trespassing and is punishable as
a federal crime under the 1986 Computer Fraud and Abuse Act.
Hacking has increased significantly in popularity for several reasons. Perhaps the most
important is the increasing use of personal computers and the Internet and the
corresponding rise in the number and the skill level of the users. In other words, there are
more systems to break into, and there are more people capable of breaking in.
Most hackers are motivated by monetary rewards. Hackers have found many ways to
profit handsomely from their hacking activities. Others hackers seek to destroy data, to
make unauthorized copies of the data, or to damage the system in some way.
Some hackers are motivated by the challenge of breaking and entering a system and many
do so with no intent to do harm. They may feel that hacking is a "right" enjoyed by
computer users in a "free information" society. Many of these benign hackers also argue
that hacking rarely does any harm to a computer system and is acceptable behavior.
6-3
COMPUTER FRAUD AND ABUSE TECHNIQUES
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
6.1 When U.S. Leasing (USL) computers began acting sluggishly, computer operators
were relieved when a software troubleshooter from IBM called. When he offered to
correct the problem they were having, he was given a log-on ID and password. The
next morning, the computers were worse. A call to IBM confirmed USL’s suspicion:
Someone had impersonated an IBM repairman to gain unauthorized access to the
system and destroy the database. USL was also concerned that the intruder had
devised a program that would let him get back into the system even after all the
passwords were changed.
What techniques might the impostor have employed to breach USL’s internal
security?
The perpetrator may have been an external hacker or he may have been an employee with
knowledge of the system.
It seems likely that the perpetrator was responsible for the sluggishness, as he called soon
after it started. To cause the sluggishness, the perpetrator may have:
Infected the system with a virus or worm.
Hacked into the system and hijacked the system, or a large part of its processing
capability.
To break into the system, the perpetrator may have:
Used pretexting, which is creating and using an invented scenario (the pretext) to
increase the likelihood that a victim will divulge information or do something they
would not normally do. In this case, the perpetrator pretended to be an IBM software
troubleshooter to get a log-on ID and password.
Used masquerading or impersonation, which is pretending to be an authorized user to
access a system. This was possible in this case once the perpetrator obtained the log-on
ID and password. Once inside the system, the perpetrator has all the privileges attached
to the user ID and password given to him.
Infected it with a Trojan horse, trap door, logic or time bomb, or some other
malware.
Made unauthorized use of superzap, a software utility that bypasses regular system
controls.
6-1
, Information Systems Security
What could USL do to avoid these types of incidents in the future?
Determine how the perpetrator caused the sluggishness and implement the controls
need to prevent it from happening again.
Conduct a complete security review to identify and rectify and security weaknesses.
Only reveal passwords and logon numbers to authorized users whose identities have
been confirmed. When someone calls and indicates they are an IBM employee, verify
their identity by calling IBM back on their known and published service number.
Even better would be to call and talk to the IBM representative assigned to USL.
Provide employee training aimed at helping them not fall victim to the many forms of
social engineering.
After providing outsiders with temporary user IDs and passwords, block their use as
soon as the need for them is passed.
Other control considerations that could reduce the incidence of unauthorized access
include:
Improved control of sensitive data.
Alternate repair procedures.
Increased monitoring of system activities.
6-2
, Information Systems Security
6.2 What motives do people have for hacking? Why has hacking become so popular in
recent years? Do you regard it as a crime? Explain your position.
Hacking is the unauthorized access, modification, or use of an electronic device or some
element of a computer system. Hacking represents illegal trespassing and is punishable as
a federal crime under the 1986 Computer Fraud and Abuse Act.
Hacking has increased significantly in popularity for several reasons. Perhaps the most
important is the increasing use of personal computers and the Internet and the
corresponding rise in the number and the skill level of the users. In other words, there are
more systems to break into, and there are more people capable of breaking in.
Most hackers are motivated by monetary rewards. Hackers have found many ways to
profit handsomely from their hacking activities. Others hackers seek to destroy data, to
make unauthorized copies of the data, or to damage the system in some way.
Some hackers are motivated by the challenge of breaking and entering a system and many
do so with no intent to do harm. They may feel that hacking is a "right" enjoyed by
computer users in a "free information" society. Many of these benign hackers also argue
that hacking rarely does any harm to a computer system and is acceptable behavior.
6-3
