Battles Against Computer Crime Out of the Trenches

The corporate war against computer crime has come into the open.

Executives are stepping up efforts to stop computer hackers and disgruntled employees from manipulating their data processing systems to embezzle funds, uncover secrets and destroy data. Among other things, security-conscious businesses are installing sophisticated “access control” gadgetry, bringing in special consultants and working more closely with other companies and law enforcement authorities.

At one time it was practically taboo at some companies to openly discuss safeguards against computer fraud.

“All companies want to be seen as tight and secure. Publicity about a computer crime would raise questions about the professionalism of a company,” explained John Taylor, security manager at Goleta, Calif.-based Applied Magnetics Corp., which makes components for recording equipment.

In fact, many victimized companies have avoided going to the police for help because “they’re embarrassed or afraid of getting ripped off again when people learn of their vulnerability,” said Jay Bloombecker, a security consultant and head of the Los Angeles-based National Center for Computer Crime.

That attitude is changing, however. Although no reliable figures are available, computer crimes are widely believed to have become more frequent and serious, alarming some executives.

“What’s driving the computer security industry is fear--fear of having a loss that is unacceptable,” said Robert McCrie, publisher and editor of a New York-based security newsletter.

Gas Alarms

In tightening computer security, private industry is following government’s footsteps. As storehouses of extremely sensitive information on everything from taxes to military intelligence, government agencies have long gone to exotic lengths to protect their computer data.

Some agencies transmit data on underground fiber-optic telephone cables that are sealed in gas-filled pipes (If someone tries to intercept information by tapping into the line, the gas escapes and sounds an alarm.). At the National Security Agency, officials use encoders that turn written material in computers into difficult-to-decipher digital codes.

Government officials also have promoted computer security in the business world by requiring defense contractors to protect critical data on weapons and aircraft.

Another push for improved computer security may come from a bill passed by a Senate appropriations subcommittee in late July. The bill would set aside $3 million, triple the current budget, to pay for research and development at government agencies that set computer security standards for the private sector.

Businesses already have increased spending on computer security. Five years ago, a company typically would devote about 1% of its computer budget to protecting electronic data, said Richard Rueb, executive director of the Information Systems Security Assn. Now, he said, that figure is in the range of 2% to 5%. Along with protection against fraud, those figures include money spent on safeguards against floods, fires and blackouts.

Frost & Sullivan, a New York research firm, projects that the trend will continue. Lawrence Dietz, a research director for the firm, predicts that spending on computer security will climb from $498 million last year to $588 million this year and will top $1 billion by 1993.

Some of that money is spent on access control equipment, devices designed to allow only designated people to view certain data. Access control can be as simple as a program that demands a password or as sophisticated as futuristic biometric equipment that verifies a person’s identity by analyzing his voice, fingerprint or retina.

High-Tech Concerns

Companies also are spending more on consultants who look for a system’s weak spots and recommend ways to better shield data from possible intruders.

High-technology companies, consultants say, are especially concerned about the computer security risks posed by industrial spies working for competing companies or foreign governments. After tapping into a company’s computers over the telephone lines, these intruders often search for marketing strategies or secret product data.

Computer enthusiasts, or hackers, present a different threat. Like industrial spies, hackers try to gain access over the phone lines with computer communications devices known as modems. But hackers often essentially are pranksters who enjoy breaking passwords and other access control barriers. Once they have gained access to computer files, some hackers--like graffiti artists--leave a trail of vandalism: erased data, mysterious new passwords and oddball messages.

Other hackers commit more serious crimes. They may transfer money from a corporate account to a personal one, erase the record of a debt owed to a company or establish unauthorized credit.

The greatest potential threat, however, is posed by dishonest or disgruntled employees, say consultants and corporate security managers. Employees victimize companies more often and sometimes have the kind of access necessary to do great--and difficult to detect--damage, according to Detective James Black, who heads the computer crime unit at the Los Angeles Police Department.

Black cites the example of John P. Hammond, a former supervisor at a Los Angeles savings and loan who was sentenced in May for embezzling about $9,500. Working on a computer, Hammond spotted an unexecuted order from a customer to transfer money from one mutual fund to another. The S&L;’s foul-up could have been a lucky break for the customer--by remaining in the old fund, his investment yielded $10,000 more than it would have in the other one.

Instead of letting the customer have the extra money, however, the embezzler pocketed it by electronically depositing the money into the bank account of an accomplice’s relative. He covered his tracks by performing the requested transfer and backdating the transaction to the date it was requested.

Theft by Computer

The now-defunct Valley State Bank in Encino also was victimized by an employee. For the last three months of 1986, Donald Kenneth Gray, using the alias of Daniel Ryan Hamilton, worked at the bank as a data processing clerk. He was a popular employee with a “youthful, innocent-looking” appearance, according to Asst. U.S. Atty. Leon Weidman.

While on Valley State’s payroll, however, Gray used his home computer to instruct depositories to send $620,000 in gold bars and coins owned by the bank to a fictitious company at a mail drop in New York, according to Weidman. Using a computer at the bank, Gray intercepted messages confirming the transfer and hid inventory reports reflecting the transaction, Weidman said.

Gray, recently sentenced to eight years in prison, fled the country after the theft but was arrested in February when he tried to re-enter the United States from Tijuana.

One of the most spectacular computer crimes came in 1978, when former Sepulveda resident Stanley Mark Rifkin used a computer to steal $10.2 million from Security Pacific Bank in Los Angeles.

Posing as a representative for the Federal Reserve, Rifkin--then a 32-year-old computer consultant--obtained secret bank codes and transferred millions to an account he kept in Switzerland. Before the bank knew that any money was missing, Rifkin had flown to Switzerland and spent $8.1 million on diamonds.

Rifkin later returned to the United States and confided in a lawyer. The lawyer in turn reported the crime to authorities, and they had Rifkin arrested.

“After the Rifkin incident, everyone said: ‘Wait a minute. We’re vulnerable. . .’ And that was the birth of computer security,” said Carl B. Jackson, computer security specialist for Ford Aerospace in Newport Beach.

Hot Lines for Tipsters

To prevent internal crimes, some companies have established double sign-in procedures. They require at least two people to sign on to a computer with names and passwords before granting access to data.

Companies also have installed toll-free crime hot lines allowing employees to report the illegal activities of colleagues anonymously, according to Jack Balogna, a security consultant based in Plymouth, Mich.

Balogna, editor of the monthly newsletter Computer Security Digest, is an advocate of programs that raise the “security consciousness” of employees at companies with sensitive computer data. The intent is to curb the carelessness that sometimes leads to security breaches. Balogna cited instances when employees share their confidential passwords with dishonest co-workers.

“People who work with computers are not always aware of how important information is to the company,” he said. “A lot of people have entered the computer era and fail to regard information as important because it’s available so easily. They believe that anything available as fast and as cheap as computer data can’t have much value.”

At one time, companies relied on their own resources to ward off high-tech intruders. Today, many are teaming up to wage war on computer crime.

On the legislative front, a committee dominated by computer security managers from major California companies developed and won approval for a law that this year toughened penalties for computer crimes.

Meanwhile, executives and law enforcement authorities have formed groups to share information. They include the High Technology Crime Investigation Assn., which was organized in 1986 by Lt. Lee McCowan, commander of the forgery and fraud unit at the Los Angeles County Sheriff’s Department; the International Information Integrity Institute, a clearinghouse organized by Menlo Park-based SRI International, and the Newport Beach-based Information Systems Security Assn.

Even with all of the information-swapping, however, computer security managers have their hands full.

“One of the problems with this field is that it’s relatively new--only 10 years or so old,” said Hal Tipton, president of the Information Systems Security Assn. “The need for security measures continues to grow rapidly, and it’s very difficult to keep up with the demands because every time you get something set up, someone comes up with a way to beat the system.”