Handbook of Information Security Management:Law, Investigation, and Ethics



To avoid the loss, the operating system must save the copy of the computer programs and data in their current state at the checkpoint. The operating system must also save several system parameters that describe the mode and security level of the program at the time of the stop. Programmers or computer operators might be able to gain access to the checkpoint restart copy of the program, data, and system parameters. They could change the system parameters such that on restart, the program would function at a higher-priority security level or privileged level in the computer and thereby give the program unauthorized access to data, other programs, or the operating system. Checkpoint/restart actions are usually well documented in the computer operations or audit log.
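A defensive counterpart to the checkpoint manipulation described above, added here as an illustration and not taken from the handbook: the operating system authenticates the saved program state and system parameters with a keyed MAC, so a checkpoint whose security level or privilege flag has been edited is rejected at restart. The record layout, field names, key handling and the tampering helper are assumptions for illustration.

```python
import hmac
import hashlib
import json
import secrets

# Constructed example: a checkpoint record holding program state together
# with the system parameters (security level, privilege flag) the text
# describes. Field names are assumptions, not from any real operating system.

def save_checkpoint(state: dict, key: bytes) -> bytes:
    """Serialise the checkpoint and append an HMAC over the whole record,
    so the security level and privilege flag are covered by the tag."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + b"|" + tag.hex().encode()

def restore_checkpoint(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting anything in the record; raise on mismatch."""
    payload, _, tag_hex = blob.rpartition(b"|")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(tag_hex.decode())):
        raise ValueError("checkpoint integrity check failed")
    return json.loads(payload)

def tamper_privilege(blob: bytes) -> bytes:
    """Simulate the manipulation described in the text: flip the saved
    privilege flag in place without access to the MAC key."""
    return blob.replace(b'"privileged": false', b'"privileged": true')

def demo() -> tuple[bool, bool]:
    """Return (genuine checkpoint restores, tampered checkpoint is rejected)."""
    key = secrets.token_bytes(32)  # constructed key held by the OS, not by programmers
    state = {"pc": 4096, "security_level": "confidential",
             "privileged": False, "data": [1, 2, 3]}
    blob = save_checkpoint(state, key)
    genuine_ok = restore_checkpoint(blob, key) == state
    try:
        restore_checkpoint(tamper_privilege(blob), key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return genuine_ok, tamper_detected

if __name__ == "__main__":
    print(demo())
```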

Even more complex methods of attack could be used besides the one described in this simple example, but the technology is too complex to present here. The investigator should be aware of the possibilities of asynchronous attacks and seek adequate technical assistance if suspicious circumstances result from the activities of highly sophisticated and trained technologists. Evidence of such attacks would be discernible only from unexplained deviations from application and system specifications in computer output, or characteristics of system performance. Exhibit 11 lists the potential perpetrators, methods of detecting, and evidence of asynchronous attacks.


Exhibit 11.  Detection of Asynchronous Attacks

DATA LEAKAGE

A wide range of computer crime involves the removal of data or copies of data from a computer system or computer facility. This part of a crime may offer the most dangerous exposure to perpetrators. Their technical act may be well hidden in the computer; however, to convert it to economic gain, they must get the data from the computer system. Output is subject to examination by computer operators and other data processing personnel, who might detect the perpetrators’ activity.

Several techniques can be used to secretly leak data from a computer system. The perpetrator may be able to hide the sensitive data in otherwise innocuous-looking output reports — for example, by adding to blocks of data or interspersing the data with otherwise routine data. A more sophisticated method might be to encode data to look like something else. For example, a computer listing may be formatted so that the secret data is in the form of different lengths of printer lines, number of characters per line, or locations of punctuation; is embedded in the least significant digits of engineering data; and uses code words that can be interspersed and converted into meaningful data.

Sophisticated methods of data leakage might be necessary only in high-security, high-risk environments. Otherwise, much simpler manual methods might be used. It has been reported that hidden in the central processors of many computers used in the Vietnam War were miniature radio transmitters capable of broadcasting the contents of the computers to a remote receiver. These were discovered when the computers were returned to the United States.

Detecting Data Leakage

Data leakage would probably best be investigated by interrogating IS personnel who might have observed the movement of sensitive data. In addition, computer operating system usage logs could be examined to determine whether and when data files have been accessed. Because data leakage can occur through the use of Trojan horses, logic bombs, and scavenging, the use of these methods should be investigated when data leakage is suspected.

Evidence will most likely be in the same form as evidence of the scavenging activities described in a preceding section. Exhibit 12 summarizes the detection of crimes resulting from data leakage.
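The log examination described above, as an added example that is not part of the handbook: a small parser over constructed usage-log lines answers whether and when a given data file was accessed, and flags accesses to sensitive files by users outside an authorised list or outside working hours. The log line format, file paths, user names and authorised lists are all assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample of operating system usage-log lines. The layout is an
# assumption for illustration; real systems each have their own audit format.
LOG_LINES = [
    "1996-03-04T09:12:05 user=jdoe op=READ file=/data/payroll.dat",
    "1996-03-04T09:40:11 user=jdoe op=READ file=/data/memo.txt",
    "1996-03-04T23:12:05 user=ops1 op=READ file=/data/payroll.dat",
    "1996-03-05T02:01:44 user=ops1 op=COPY file=/data/customers.dat",
    "1996-03-05T10:15:00 user=msmith op=READ file=/data/customers.dat",
    "garbage line that does not parse",
]

# Constructed sensitivity labels and authorised users per file.
SENSITIVE = {"/data/payroll.dat", "/data/customers.dat"}
AUTHORISED = {"/data/payroll.dat": {"jdoe"}, "/data/customers.dat": {"msmith"}}
LINE_RE = re.compile(r"^(\S+) user=(\S+) op=(\S+) file=(\S+)$")

def parse(lines):
    """Yield (timestamp, user, op, path) for lines that match; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, user, op, path = m.groups()
            yield datetime.fromisoformat(ts), user, op, path

def access_timeline(lines, path):
    """Whether and when a file was accessed: every matching record in order."""
    return [(ts.isoformat(), user, op) for ts, user, op, p in parse(lines) if p == path]

def suspicious_accesses(lines):
    """Sensitive-file accesses by unauthorised users or outside 08:00-18:00."""
    flagged = []
    for ts, user, op, path in parse(lines):
        if path not in SENSITIVE:
            continue
        reasons = []
        if user not in AUTHORISED.get(path, set()):
            reasons.append("unauthorised user")
        if not 8 <= ts.hour < 18:
            reasons.append("off-hours")
        if reasons:
            flagged.append((ts.isoformat(), user, op, path, reasons))
    return flagged

if __name__ == "__main__":
    for record in suspicious_accesses(LOG_LINES):
        print(record)
```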


Exhibit 12.  Detection of Data Leakage

SOFTWARE PIRACY

Piracy is the copying and use of computer programs in violation of copyright and trade secret laws. Commercially purchased computer programs are protected by what is known as a shrink-wrap contract agreement, which states that the program is protected by copyright and its use is restricted.

Since the early 1980s, violations of these agreements have been widespread, primarily because of the high price of commercial programs and the simplicity of copying the programs. The software industry reacted by developing several technical methods of preventing the copying of disks; however, these have not always been successful because of hackers’ skills at overcoming this protection and because they are seen as inconvenient to customers.

The software industry has now stabilized and converged on a strategy of imposing no technical constraints on copying, implementing an extensive awareness program to convince honest customers not to engage in piracy, pricing their products more reasonably, and providing additional benefits to purchasers of their products that would not be obtainable by computer program pirates. In addition, computer program manufacturers occasionally find gross violations of their contract agreements and seek highly publicized remedies.

Malicious hackers commonly engage in piracy, sometimes even distributing pirated copies on a massive scale through electronic bulletin boards. Although criminal charges can often be levied against malicious hackers and computer intruders, indictments are most often sought against educational and business institutions, in which gross violations of federal copyright laws and state trade secret laws are endemic.

Detecting Piracy

Investigators can most easily obtain evidence of piracy by confiscating suspects’ disks, the contents of their computer hard disks, paper printouts from the execution of the pirated programs, and pictures of screens produced by the pirated programs. Recent court decisions indicate that piracy can also occur when programs are written that closely duplicate the look and feel of protected computer programs, which includes the use of similar command structures and screen displays. Exhibit 13 summarizes the potential perpetrators, detection methods, and evidence of computer program piracy.


Exhibit 13.  Detection of Software Piracy
