The Future of Computer Crime: It Ain't Just Hacking - Page 2
Hunkering down behind technical security measures has been the traditional role for computer security specialists. Find a technical flaw? Institute a technical patch and fix it, a linear solution to a linear problem. But, what do you do about nonlinear problems like deception and psychological warfare? For example, rumor mills, propagated on the Internet, may ruin stock prices, dilute confidence in products, and disrupt sales and marketing plans. We may end up realizing our deepest fears in Sun Tzu's observation that "all warfare is based upon deception." Which is better: to attack an enemy directly or fool them into harming themselves? Tell them the right lies, and they will chop off their own hand, much like General Titus in Shakespeare's Titus Andronicus. With Aaron the Moor's false counsel that Titus' hand will be a ransom for his sons, Titus replies, " Good Aaron, wilt thou help to chop it off?" Twenty-first Century invitations to self-ruin include extorting a Web retailer with the threat to broadcast customer credit card numbers. (Paying the ransom only beckons other attacks.) Or, an e-mail campaign claiming falsely that a manufacturer's medication has been adulterated with a poison drives the company to pull the product from distribution. The resulting loss runs into millions of dollars.
A response to this coming sea of troubles may be a new breed of computer crime investigator. One who understands the technical side of the business and yet has training in social psychology, confidence schemes, and psychological warfare. Perhaps, for those with a love of film noir or mystery fiction, we can envision a computer savvy Jim Rockford who lives by a code that injects badly needed skepticism into the Net.
1. Don't accept breaking information on a Web site unless it's proven elsewhere. (A case in point is the recent phony posting of a merger notice on Aastrom Biosciences Inc. Web site, an ingenious attempt by an outsider to boost Aastrom's stock price and that of its rival, Geron Corp. See the Wall Street Journal, February 18, 2000," Hackers Post Phony Merger, Duping Traders.")
2. Getting investment or business advice from people that you don't know makes Russian Roulette look like a low risk game.
3. The Internet can be fertile ground for any common-law crime. Information divulged there may serve as the basis for a burglary, a robbery, the hijacking of freight, or even murder.
4. Being compromised by a fraud or other crime on the Web often involves a series of seemingly innocent steps, a sequence of calculated moves. Learn to question why a stranger is trying to gain your trust. Beware of e-mail contacts you cannot find by other means later.
5. Use the principle "simplify, simplify" in evaluating claims. When choosing between a complex explanation and a simpler one for an event, pick the simpler one. If someone's story is too involved, they may be pulling your leg. So, go after unfiltered information directly; eliminate information go-betweens. (The SEC recently reached an administrative settlement with Fast-trades.com, a site that allegedly manipulated four securities in February and March 1999 through its stock recommendations. The site attracted over 9,000 users. The lesson becomes avoid the pack and check out the facts on your own.)
6. Always have in place a disaster plan for dealing with rumor mills and extortion plots, especially during sensitive periods like IPO's and new product releases. Obviously, any contingency plan will vary based upon a company's business, but it should include responses to the attack, dealing with the press, and most important, responding to your Internet audience. As the Internet grows in clout, it becomes a sole news source for many. Time may not allow for a traditional media counter-campaign, and even so, it may miss your most vital audience. So plan your Internet response in an emergency carefully, especially if your business is Internet-based. Another chance to put out the fire early may not appear.
Ronald L. Mendell is a Certified Internet Security Specialist. Employed at Netpliance, Inc. in Austin, Texas, he also works as a writer and researcher specializing in security and investigative issues. Charles C. Thomas published his most recent book, Investigating Computer Crime: A Primer for Security Managers, in 1998. (http://www.ccthomas.com)
SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net (tm)