
Computer Fraud & Security Bulletin, February 1995

How effective is our fraud awareness training of staff, to assist them with fraud detection and to apprise them of best industry practice in fraud management? Some companies employ a large number of fraud investigators. Are they effectively deployed? Can they do better? How are case results disseminated and team members debriefed to share case knowledge and experience across investigation teams?

In our experience this could be in the form of a periodic fraud health check - to review current fraud control practice and to undertake a risk assessment of the controls and strategy adopted from end to end to determine the company's effectiveness in fraud control. New measures will then be introduced, with cost justification, to improve current effectiveness.
Acknowledgements
I am grateful for input from a number of sources, in particular the 1994 IIR Fraud in Mobile Telephony Conference, in which a number of companies related their fraud and control experience. They included Cellnet, Vodac, BT and FCS from the UK, Detemobil GmbH from Germany and Telia Mobitel from Sweden.

INTERNET ETHICS
Berni Dwan

Introduction
The issues of hacking, software piracy and copyright infringement on the Internet are really inextricably bound, and, therefore, quite difficult to prise apart and discuss as totally separate entities. Software piracy actually results in copyright infringement and its perpetrators are usually of the hacking variety. All three issues come under the category of unethical. What can be said is that hacking, although an ethically undesirable pursuit, is practised for a mixture of


innocent and questionable reasons; the intellectual challenge, admiration of peers, the need to cause mayhem and destruction or illicitly gain software or data. Software piracy and copyright infringement are more than likely premeditated from the outset with the aim of stealing programs and ideas for financial reward, and what better outlet than the Internet with a universal customer base.
How the hacker ethic changed
It all began innocently and energetically in MIT in the 1950s, gained momentum in the 1960s, moved to the West Coast in the 1970s and turned bad in the 1980s. Now, on the eve of a new millennium, we, as part of the computer using community, are faced with outlaws riding on the crest of the net with a posse of encryption devices, antiseptic software and security experts continually in hot pursuit.

So, how did hackers evolve from being nice guys to being abhorred by the Internet community? Once upon a time in MIT, the title hacker was bestowed only upon those who excelled in the art of clever and elegant programming; those who could write a beautiful 10 line program (preferably in machine code) rather than a 20 liner in FORTRAN or PL/I (those who used compilers were regarded as cheats!). Hackers vied with each other to write the perfect chess or space wars game on the early PDPs. Information was free. No passwords were required. Security was not an issue. Hackers were invited to continually improve each other's programs, all for the common good and the advancement of technical excellence. To further encourage exploration and the free flow of information, ARPA linked the computer systems of various universities and research centres through a communications network. This ARPAnet would be the precursor of the Internet.

Clifford Stoll's relentless pursuit of Markus Hess, retold in The Cuckoo's Egg, Pengo's Project Equaliser, the unsavoury exploits of Kevin Mitnick and Robert Morris's Internet worm are by now classics, which have become part of computer security folklore.

But, the protagonists in these classics were of a different genre to the MIT and Stanford hackers of the 1960s and 1970s, writers of code par excellence. By the 1980s hacker had come to mean one who would misuse whatever technical prowess they had to infiltrate other systems for purposes other than the free exchange of information or the furtherance of computer science. Of course, such exploits would never have been possible without the ARPAnets, Easynets and Internets, where, ironically, the goodwill of the users was implicit.

The very Internet that was set up in a spirit of free enterprise and sharing now itself has mailing lists dealing with computer security issues from viruses to firewalls. Subscribers from all over the world discuss and share ideas on how to protect their networked systems. But how useful can such mailing lists be if anyone can have access to them? Surely, if I can easily subscribe to them, so can anyone with hacking aspirations. Such individuals can keep up to date with security loopholes and patches, thus increasing their success at infiltrating systems. Subscribe to Firewalls and you will get all the information you need to circumvent any protective strategy. Subscribe to VIRUS-L or VALERT-L and you will get new ideas for virus programs. I am asking is it wise or prudent to have such mailing lists? Is it not akin to a group of prison warders inviting all the inmates to a meeting in order to discuss with them in detail all preventative escape measures that have not yet been attended to!

Now that we are all aware of the risks of using the Internet, risks we accept along with our new IP addresses, some ethical questions need to be asked. If hackers do not feel ethically restrained from copying or damaging our files, and we as system managers know this to be the case, is it ethically correct to have sensitive or important data on a computer that is linked to the Internet? Is this not an open invitation to the Internet outlaws to attempt anything they wish with our data?

In reality, it would be fair to recognise the fact that many computer hackers consider the act of hacking to be a form of mental challenge. The very fact that they succeed in breaking through the security barriers of a new computer system is reward enough for them. Let us consider a recent example (UK), reported in The Guardian newspaper last year, whereby, minutes after the Government department responsible for Open Government formally joined the Internet, it was the victim of a hacker. Minutes after going live, a student from Edinburgh University actually hacked into their system and made some improvements. This was an innocent enough hack and no damage was done. But, to quote the Minister for Science, "The problem is, supposing somebody is able to hack into the system, and changes the information and somebody acts on that information. Whose responsibility is it? I don't know the answer. But I think you will be reassured that we at least are posing that question."

Enough of the innocent aspects of computer hacking. Let us not forget the more sinister side of this illicit pastime, and how all of us who are responsible for networked computer systems must feel ethically obliged to do everything in our power to make them as secure as possible. David I. Bainbridge (1990) has suggested that computer hackers have done the computer industry a great service by highlighting the security deficiencies of many computer systems. He further suggests that rather than subjecting these hackers to criminal proceedings, the computer industry might make use of their skills and expertise, citing the example of the co-founder of the Apple Computer Corporation who made a donation to the University of Colorado for a computer hacking scholarship in 1989 on the basis that it increased knowledge and understanding of computer systems!
Software piracy and copyright infringement
Regulation 8 of The Copyright (Computer Programs) Regulations 1992 (UK) sets out the rights of lawful users of computer programs. These include the rights:
- To make any necessary backup copy.
- To decompile the program in order to create a new program which can interface with the program decompiled or another program.
- To correct errors in the program (Bundy, MacQueen 1994).

The unlawful users of computer programs have their own set of rights, bestowed upon themselves by themselves, with no reference to the laws of any land. The very international nature of the Internet, spanning borders and continents, is a haven for those who indulge in the illegal, illicit and unethical acts of software piracy and copyright infringement. The perpetrators of such misdemeanours are probably beyond ethical rehabilitation, but what about the receivers of their goods and services? Those Internet users around the world who readily download pirated software onto their hard disks? The fact is, there are far more receivers than suppliers. If a campaign is to be set up, discouraging software piracy, perhaps it is the receivers who should be targeted, but such a task may be impossible, as the receivers would have far more to lose (free software) than to gain (a clear conscience). For some users, the question of immoral or unethical behaviour does not even arise; there is just a desperate need for information and knowledge about the latest software applications. In the Third World, for instance, and in India in particular, an incredibly large percentage of software being used in day to day business is pirated. In fact, many of the users may not even realise this, and some who do may have no other way of obtaining software. Perhaps the Western World has an ethical obligation to help those less fortunate users in some way, and perhaps the Internet could be the legitimate conduit for such a mission.

Can data be owned or is it free for all?
Ted Nelson, the inventor of Hypertext, has been working for the past decade on the ultimate database, XANADU (Rushkoff 1994). His ambition is to compile a database of absolutely everything. XANADU will have all the necessary software to protect copyrights, make royalty payments and deal with numerous legal functions. This mammoth task seems impossible to all reasonable people (how do you define everything?), but interestingly, or perhaps incredulously, the project is being supported by, among others, Autodesk, a large Silicon Valley company. Such heavyweight support somewhat legitimizes the aims and aspirations of XANADU, although the legal implications of property and privacy will indeed be complex.

On one side of the whole piracy copyright equation you have pressure groups like SAGE [1] and ECIS [2], while on the other side you have groups like The League for Software Freedom. Richard Stallman, one of the early MIT hackers, has been a major force in this group, reflecting his total disagreement with proprietary software. His own company, The Free Software Foundation, has been described by Wired as the world's only charitable organization with the mission of developing free software (Levy 1994). The concepts behind the projects and endeavours of Nelson and Stallman, although laudable in their adherence to the original true hacker ethic, obviously raise other ethical concerns regarding privacy and ownership. The real challenge for network users and managers will be to devise a new code of ethics for the Internet which will define what can be seen and what can be owned. Such an exercise would then dictate what should be on the Internet, the final decision being a compromise between users of widely diverse views.

Conclusion
The main problem with writing about ethics on the Internet is to try and avoid conveying a high moral tone. In the final analysis, it is important to remember that the Internet did start in a spirit of generosity, with the free exchange of information and ideas being paramount. If this spirit changed in any dramatic way, the whole raison d'etre of the Internet would have to be questioned by the users, and rightly so.

References
Bainbridge, D., 1990. Computers and the Law, Pitman.
Bundy, A. and MacQueen, H., 1994. The New Software Copyright Law. The Computer Journal, 37, pp. 79-82.
Levy, S., 1994. Hackers, Heroes of the Computer Revolution, Penguin.
Rushkoff, D., 1994. Cyberia. Flamingo Original.

[1] Software Action Group Europe: formed mainly by American companies to protect themselves as market leaders against European companies.
[2] European Committee for Interoperable Software: formed mainly by smaller European based companies to protect their position.

FRAUD PREVENTION AND COMPUTER SECURITY FOR FINANCIAL INSTITUTIONS - Part 1
James Essinger

This special two-part report provides a summarized overview of current thinking in maximizing the levels of fraud prevention and computer security for the financial community.

What must be said at the outset is that no application of financial technology will help a financial institution to maximize its revenue and profitability and to win it the competitive advantage that is increasingly regarded by many institutions as the principal reason for implementing new financial technology, unless the application is protected against illicit access, deliberate interference, disruption to availability and accidental damage. This report focuses on how an institution can protect itself against these and related problems.

Computer Security can be formally defined as protecting the confidentiality, integrity and availability of a computer system and its information. A computer security breach (abbreviated in what follows to breach) is any actual breach in the confidentiality, integrity and availability of a computer system and its information. A computer security hazard is any threat likely to cause a breach. A computer security prevention measure is any step taken to prevent a hazard from being realized.

As might be expected, most computer security activity is directed at preventing breaches. However, because preventive measures can rarely be 100% successful, a computer security strategy must also include:
- Measures which can detect the occurrence of a breach.
- Corrective measures which will, as far as practicable, remedy the effects of a breach.

Note that in the area of computer security, it is particularly true that prevention is much better than cure.

Note, too, that this two-part report should not be seen in any way as a substitute for in depth advice from experienced security consultants. A report of this nature can only consider matters in a general sense rather than by reference to specific cases, and ultimately what an institution needs in order to maximize its fraud prevention and computer security provisions is advice which focuses on its own specific needs. However, this report should prove a useful overview of the subject.

What follows now is a summary of the main computer security hazards facing wholesale and retail financial institutions and corresponding preventive measures.
