disLEXia

Tuesday, 27. August 2002

Reporting of cybercrime

Research about cybercrime has the same problem as all other research about white-collar crime: we don't now much about what really happens out there. While criminalists are quite confident that they have a reasonable good knowledge about things like murder and robbery we know next to nothing about cybercrime. We don't have statistics who is doing what causing which damage and why is he doing this. There is nearly no data of scientific acceptable quality on cybercrime so people use low quality data like the CSI survey (see here, here and here) and interpret whatever they like into it. So the US government want's industry to share more data on cybercrime incidents. That certainly would give us a more robust data foundation, research would benefit from it which would result in more secure systems. One problem remains: Companies have reasons not to report cybercrime to the police, so how do we know that this reasons don't apply to reporting cybercrime to the police, too? We don't know because there has been no research on this subject. But at least we have hints why they don't report cybercrime. Most often people account fear of leaking information to the competition or of being exposed to the public as being incapable of running a "secure shop" for the reluctance to report such incidents. And laws like the FIOA don't help in dicerting this fears. See: Another View: FOIA and data sharing don't mixÖan industry view [Government Computer News - Security]
01:06 | #

Wednesday, 03. July 2002

Firm Accused of Using Web Auction Sites to Sell Phony Computers

Massachusetts Attorney General Thomas F. Reilly yesterday accused the head of a West Boylston (MA) company of using two auction Web sites to sell $750,000 of Apple (Nasdaq: AAPL) computers that didn't exist. [NewsFactor Cybercrime & Security]
22:33 | #

Firm Accused of Using Web Auction Sites to Sell Phony Computers

Massachusetts Attorney General Thomas F. Reilly yesterday accused the head of a West Boylston (MA) company of using two auction Web sites to sell $750,000 of Apple (Nasdaq: AAPL) computers that didn't exist. [NewsFactor Cybercrime & Security]
22:33 | #

Tuesday, 21. May 2002

Six arrested over 'Nigerian e-mail' fraud

Six people were arrested in South Africa over the weekend on suspicion of being involved in the infamous "Nigerian" e-mail and letter fraud. Four of those detained were Nigerian, one was Cameroonian and the sixth was South African. Police in South Africa believe that the six are part of an international fraud and drug-dealing cartel, sending out thousands of e-mail and letters in an attempt to defraud. Police seized a large amount of drugs, as well as computer equipment and false identification papers. According to published reports from South Africa, officers from the UK's Scotland Yard were also involved in the operation. A Metropolitan police spokesman was unable to confirm this, however. [ZDnet]
11:11 | #

Thursday, 13. December 2001

Cisco accountant's fraud

www.cybercrime.gov: Former Cisco Systems, Inc. Accountants Sentenced for Unauthorized Access to Computer Systems to Illegally Issue Almost $8 Million in Cisco

Stock to Themselves (November 26, 2001)

Press release excerpt:

Judge Whyte sentenced the defendants each to 34 months in federal prison, restitution of $7,868,637, and a three year period of supervised release. The defendants will begin serving their sentences on January 8, 2002.

David S. Weitzel, M.S., J.D., Senior Principal, Mitretek Systems dweitzel@mitretek.org 1-703-610-2970 [david weitzel via risks-digest Volume 21, Issue 82]
00:00 | #

Tuesday, 03. July 2001

Anatomy of an Internet scam

Federal investigators have charged 53-year-old mid-westerner Donald A. English with perpetrating an Internet-based "Ponzi" scheme that bilked tens of thousands of small investors out of $50 million. In a Ponzi scheme, early investors are paid phony "profits" from the money taken from other investors who follow them, after hearing about the huge, fast profits. Since no money is really being earned, the pyramid eventually collapses, when the supply of new investors diminishes. Many of the investors in English's operation, which was called EE-Biz Ventures, were people who are elderly or sick. One of them wrote: "I need at the least a full refund of the $3,000 spent if you do not intend to pay anyone back. Remember, I have cancer and am unable to work for the next six months." [*The New York Times*, 3 Jul 2001, http://partners.nytimes.com/2001/07/03/business/03PONZ.html; NewsScan Daily, 3 July 2001] ["NewsScan" via risks-digest Volume 21, Issue 51]
00:00 | #

Wednesday, 05. June 1996

Re: Cyber-terrorists blackmail banks and financial institutions

>>    Personally, I view this story with marked scepticism. I have no
>>    doubt that it is true to a certain extent, but the idea of banks
>>    forking out ten million pounds (circa $14m [sic]) to a
>>    blackmailer is one I find slightly unrealistic.

This is, of course, disappointing (especially speaking as someone who might attempt to make all that money legitimately designing security systems). However, I don't find it surprising at all. One blackmail payment of this level approximates the daily operating expenses of one of these organizations. Consider this loss alone, ignoring the lost profits and public relations nightmare, and you might pay the blackmail, too.

What these banks are surely not considering is that there are many other advantages to strong information security. Some bans are considering this, but not quickly enough, IMHO.

I've believed for a long time that the people who need security most won't do anything until they personally feel some intense pain. (This is analogous to the multitude of people who didn't believe in regular backups until one of their disks crashed.) If there was another Barings which folded due to inadequate security instead of financial mismanagement, maybe then the banking industry would do something real, and stop complaining at how painful security was. An ounce of prevention, and all that.

[I have some private reports suggesting that the story in RISKS-18.17 is largely overhyped, but no complete denials at this time. I hope someone will eventually set the record straight. PGN] [[Identity withheld by request] via risks-digest Volume 18, Issue 18]
00:00 | #

Thursday, 23. May 1996

TILT! Counterfeit pachinko cards send $588M down the chute

The *Wall Street Journal* of 22 May 1996 (A18) reports that two Japanese firms lost about 55 billion yen when criminals counterfeited the stored money cards that they manufactured. These cards are used to pay for pachinko games, but you can get refunds wired to an account if you cash in a card. If my memory serves me correctly, there is a certain amount of skill involved. If you play well or are lucky, you might even add money to the cards. But I'm not sure about this detail. In any case, the people with the counterfeit cards could get refunds when they didn't pay for the original card.

The Journal mentions three interesting details. First, the cards were pushed by the police as a means to track the flow of cash and stop money laundering. Obviously, there wouldn't be these losses if they could really track the flow. Second, the convenience of the new cards initially boosted profits because it was so much easier to play with the cards that automatically kept track of your money. Finally, the Journal reported that there are 18,244 pachinko parlors in Japan. [pcw@access.digex.net (Peter Wayner) via risks-digest Volume 18, Issue 15]
12:17 | #

Sunday, 05. February 1995

Japanese bank workers steal 140 million yen by PC

>From the Reuters news wire via CompuServe's Executive News Service:

RTw 02/05 0107 Japanese bank workers steal 140 million yen by PC

TOKYO, Feb 5 (Reuter) - A Japanese bank employee and two computer operators have been arrested and charged with allegedly using a personal computer money transfer system to steal 140 million yen ($1.4 million), police said on Sunday.

Police said the 140 million yen was illegally sent in December last year from Tokai Bank Ltd to an account in another bank using a settlement system operated by personal computers. It was withdrawn the same day.

The following day, a total of 1,490 million yen ($14.9 million) was sent from Tokai Bank to accounts in several other banks using the same system. But this time the fraud was discovered before any withdrawals could be made.

According to the article, the suspects include employees of the bank systems group and a computer services supplier. It seems that the scheme was driven in part by debts owed to organized crime groups.

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn (Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC) ["Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> via risks-digest Volume 16, Issue 79]
19:12 | #

Wednesday, 18. May 1994

Re: Computer Crime on Wall Street (RISKS-16.08)

re: joe jett's alleded fraud:

> It seems to me that this manipulation could only have been accomplished > through extensive computer manipulation by Jett and possibly by others.

I believe this is incorrect.

It probably happened because the accounting system did not handle the trade properly. i would guess that no outright manipulation of data or code was necessary. also, his gross strips position was probably growing larger and larger as time went on. this should have raised some red flags.

mike rosenberg mkr@fid.morgan.com [mkr@fid.morgan.com (Mike Rosenberg) via risks-digest Volume 16, Issue 09]
18:48 | #

Saturday, 14. May 1994

Computer Crime on Wall Street

I'm surprised that no one has commented on the case of Joseph Jett, a managing director/chief government bond trader at Kidder Peabody, who allegedly created an estimated $350 million in phantom profits, resulting in his 1993 performance-based bonus of $9 million. Experts quoted in in recent articles indicate that he must have made something like $35 BILLION in false trades without anyone asking questions or the controls raising alarms. At this time, lots of blaming is going on within Kidder Peabody as well as GE, the corporate parent of Kidder.

Is this a computer crime? It seems to me that this manipulation could only have been accomplished through extensive computer manipulation by Jett and possibly by others. This may turn out to be one of the largest computer crime losses to date. It illustrates several points.

1. The growing problem of high level executives who are not being adequately or in many cases even partially supervised. They are in position to commit crime by instructing others to enter a transaction and then destroying evidence of their instructions or the transaction. This is a growth area for computer crime. Not a hacker in sight for this case.

2. Audit and accounting controls are often insufficient for large financial systems and inadequate review requirements result in many of crimes being overlooked, buried, or disregarded. Wait until companies sign onto the Information Superhighway!

3. Computer crimes and financial misdeeds get some (but inadequate) coverage in the business press but very little in the material read by other relevant people, such as computer professionals. If this is a $9 million crime (his false profits), a $350 million crime (the company's false profits) or maybe an even larger loss (the company's negative reputation and possible financial penalties due to legal proceeding), then how large of a loss must be reached before a crisis is indicated? Even the Volkswagen case of several years ago, where an employee working in foreign currency transactions used his access to computers to cause the loss of the equivalent of $US 256 million, didn't raise many eyebrows in the business or computing communities. If around a quarter of a billion dollar loss doesn't indicate that computer crime is serious, then what figure is enough to decide that the controls and the laws are inadequate to meet the technological challenges?

Finally, anyone want to comment on the following statement of GE Chairman John F. Welch, Jr.? "It's a pity that this ever happened. (Jett) could have made $2 or $3 million honestly."

Sanford Sherizen, Data Security Systems, Natick, MA [Sanford Sherizen <0003965782@mcimail.com> via risks-digest Volume 16, Issue 08]
16:40 | #

Wednesday, 30. March 1994

White collar crime in Australia

>From the Reuter newswire via Executive News Service on CompuServe (GO ENS):

CANBERRA, March 24 (Reuter) - White-collar crime is the most costly crime in Australia, totalling as much as Australian $13.7 billion ($9.8 million) a year, according to a report on Australia's law enforcement agencies.

Key points:

o Committee included "representatives from the Australian Federal Police, the National Crime Authority, the Attorney-General's Department, the Finance Ministry and the Prime Minister's office."

o Most white-collar crime is fraud.

o Fraud "imposes the greatest economic cost on the Australian community of all forms of major and organised crime."

o Annual cost of fraud A$6.9-A$13.7 billion (U$4.9-$9.8 billion) (about 2/3 of cost of all crime in Australia, estimated at A$11-20 billion)

Michel E. Kabay, Director of Education, National Computer Security Assn ["Mich Kabay [NCSA]" <75300.3232@CompuServe.COM> via risks-digest Volume 15, Issue 72]
13:20 | #

disLEXia, a research project by Maximillian Dornseif