Handbook of Information Security Management: Law, Investigation, and Ethics



Solutions to Eavesdropping and Spying

The two best solutions to eavesdropping are to use computer and communications equipment with reduced emanations and to use cryptography to scramble data. Because both solutions are relatively costly, they are not used unless the risks are perceived to be sufficiently great or until a new standard of due care is established through changes in practices, regulation, or law.

In addition, electronic shielding with a grounded, electrically conductive Faraday shield helps prevent eavesdropping, and physical shielding helps prevent spying. Detecting these forms of abuse and obtaining evidence require that investigators observe the acts and capture the equipment used to perpetrate the crime.

Eavesdropping should be assumed to be the least likely method used in the theft or modification of data. Detection methods and possible evidence are the same as in the investigation of voice communications wiretapping. Exhibit 1 summarizes the potential perpetrators, detection, and evidence in eavesdropping acts.


Exhibit 1.  Detection of Eavesdropping

SCANNING

Scanning is the process of presenting information sequentially to an automated system to identify those items that receive a positive response (e.g., until a password is identified). This method is typically used to identify telephone numbers that access computers, user IDs, and passwords that facilitate access to computers as well as credit card numbers that can be used illegally for ordering merchandise or services.

Computer programs that perform the automatic searching, called demon programs, are available from various hacker electronic bulletin boards. Scanning may be prosecuted as criminal harassment and perhaps as trespassing or fraud if the information identified is used with criminal intent. For example, scanning for credit card numbers involves testing sequential numbers by automatically dialing credit verification services. Access to proprietary credit rating services may constitute criminal trespass.

Prevention of Scanning

The perpetrators of scanning are generally malicious hackers and system intruders. Many computer systems can deter scanners by limiting the number of access attempts. Attempts to exceed these limits result in long delays that discourage the scanning process.

Identifying perpetrators is often difficult, usually requiring the use of pen registers or dialed number recorder equipment in cooperation with communication companies. Mere possession of a demon program may constitute possession of a tool for criminal purposes, and printouts from demon programs may be used to incriminate a suspect.

MASQUERADING

Physical access to computer terminals and electronic access through terminals to a computer require positive identification of an authorized user. The authentication of a user’s identity is based on a combination of something the user knows (e.g., a secret password), a physiological or learned characteristic of the user (e.g., a fingerprint, retinal pattern, hand geometry, keystroke rhythm, or voice), and a token the user possesses (e.g., a magnetic-stripe card, smart card, or metal key). Masquerading is the process of an intruder’s assuming the identity of an authorized user after acquiring the user’s ID information. Anybody with the correct combination of identification characteristics can masquerade as another individual.

Playback is another type of masquerade, in which user or computer responses or initiations of transactions are surreptitiously recorded and played back to the computer as though they came from the user. Playback was suggested as a means of robbing ATMs by repeating cash dispensing commands to the machines through a wiretap. This fraud was curtailed when banks installed controls that placed encrypted message sequence numbers, times, and dates into each transmitted transaction and command.
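The control described above can be sketched as follows. This is an added example, not code from the handbook: each command carries a sequence number and a timestamp, and the host accepts a message only once and only while it is fresh. It protects those fields with an HMAC rather than the encryption the text mentions; the key, the message layout, the 30-second window, and the command strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real terminal key
MAX_SKEW = 30                  # assumed freshness window in seconds
HEADER = struct.Struct(">QQ")  # assumed layout: 8-byte sequence, 8-byte timestamp
TAG_LEN = hashlib.sha256().digest_size

def seal(key, seq, ts, command):
    """Terminal side: bind sequence number and time to the command with a MAC."""
    body = HEADER.pack(seq, ts) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Host:
    """Host side: accept each sealed message at most once, and only if fresh."""
    def __init__(self, key):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, msg, now):
        if len(msg) < HEADER.size + TAG_LEN:
            return "malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"   # sequence, time or command altered on the wire
        seq, ts = HEADER.unpack(body[:HEADER.size])
        if abs(now - ts) > MAX_SKEW:
            return "stale"     # recording played back outside the window
        if seq <= self.last_seq:
            return "replay"    # sequence number already consumed
        self.last_seq = seq
        return "ok"

def demo():
    """Run a constructed session: one genuine command, three playback attempts."""
    host, t0 = Host(KEY), 1_000_000
    m1 = seal(KEY, 1, t0, b"DISPENSE 100")
    results = [host.accept(m1, t0 + 1)]           # genuine message
    results.append(host.accept(m1, t0 + 2))       # recording replayed at once
    results.append(host.accept(m1, t0 + 3600))    # recording replayed an hour later
    renumbered = m1[:7] + b"\x02" + m1[8:]        # sequence changed to 2 without the key
    results.append(host.accept(renumbered, t0 + 3))
    m2 = seal(KEY, 2, t0 + 5, b"DISPENSE 20")
    results.append(host.accept(m2, t0 + 6))       # next genuine message
    return results

if __name__ == "__main__":
    print(demo())
```

The MAC is checked before the sequence number and timestamp are trusted, so a recorded message cannot be made acceptable by rewriting those fields.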

Detection of Masquerading

Masquerading is the most common activity of computer system intruders. It is also one of the most difficult to prove in a trial. When an intrusion takes place, the investigator must obtain evidence identifying the masquerader, the location of the terminal the masquerader used, and the activities the masquerader performed. This task is especially difficult when network connections through several switched telephone systems interfere with pen register and direct number line tracing. Exhibit 2 summarizes the methods of detecting computer abuse committed by masquerading.


Exhibit 2.  Detection of Masquerading

