UPDATE on Computer Audit, Control and Security
(HACKING: THE THREATS
ably, the time will come when computer systems will be
widely viewed by extremist groups as useful and worth-
while targets for their attention. As far as a computer sys-
tem is concerned there will be no real difference between
the actions of a terrorist and those of any other hacker
who has accessed a system in 'harmless fun'. Even if the
intentions of the two groups are different, the possible re-
sults of such actions could easily be very similar. Con-
sequently the perceived threat is effectively the same.
Once the door is open then both groups can enter at will.
T h e motives for, and so the type of threat from, hacking
fall into three broad groups
O " Damage
O Financial gain - Fraud, Blackmail, Industrial
Espionage etc.
O 'Harmless' Browsing
Damage to a system includes deletion and alteration of
data or software. T h e most usual source of these actions
xvill be the disgruntled employee or ex-employee. How-
ever mindless, electronic violence cannot be overlooked.
T h e area of financial gain is far more likely and extensive
in possibilities. Financial gain includes electronic funds
transfer and alteration of data, such as accounts, for per-
sonal gain. Computer held information is currently of far
greater value than was considered even a few years ago.
Although not in the public view, this information is be-
coming a currency itself and certainly attracts the atten-
tion of industrial spies and information brokers.
Looking to the future, just as the 'phone freaks' (tele-
phone hackers?) of the '70s have turned into computer
hackers of the '80s, so hacking will become more sophis-
ticated and esoteric. It may be that computer eavesdrop-
ping becomes an integral part of a hacker's skills.
Another possibility is the tapping into satellite links as a
gateway into computer systems (as opposed to hacking
into computer systems to access satellites). T h e scope for
the future is immense and so security controls must be
flexible enough to cope with any such changes in the
threat.
Similarly the law, which still has not effectively caught
up with current technology must be flexible enough in
content or ability to adapt, to cope with the quickly
changing environments of computers. Surely it is not ac-
ceptable to have insufficient legislation in place which
does not effectively relate to computers which are becom-
ing an essential and irreplaceable part of everyday busi-
ness and social life. Indeed this view may also be ex-
tended to insurance and any other computer orientated
service. Users are adapting to computers and the threats
they pose, so must security, the law and insurance.
As with many methods of committing fraud, sabotage
and any other unauthorised acts, hacking may not be the
best, easiest or most effective way of achieving the re-
quired goals. It is however an option that is in many cases
Volume 2 Number 1, 1989
)
as realistic as any other, and will become much more of a
threat with the increasing reliance on computer systems
and their interconnection. Hacking is part of the arsenal
available to any person who wishes to carry out irrespon-
sible acts. As the population in general becomes more
computer literate, hacking will be viewed as an easier op-
tion to be considered. It can be carried out in the relative
comfort of the home or office. There is little, if any, per-
sonal physical risk involved and the chance of detection
whilst testing the security is minimial.
This testing of the security can even be automated and
left for a PC to carry out overnight unassisted, with the
hacker socialising or even asleep. Any planned penetra-
tion can be aborted as late as required with little risk of
exposure.
For armchair dishonesty, professional or amateur, hack-
ing has much to commend itself. Its relative safety and
elusiveness of source combined with the unfortunate
high interest level are enough to ensure that it gains pre-
valence in the future.
(~ Copyright R J Ports PLC Consuhancy Services 1989
R.J. Ports, Director, PLC Consuhancy Services; he
specialises in computer and corporate security issues.
(NEWS 1
ICAEW Information
Technology prize for l g 8 g
goes to anti-viral product
The 1989 Institute of Chartered Accountants Informa-
tion Technology Prize has been awarded to Dr. Fred
Cohen for his anti-viral product ASP ('Advanced Sys-
tem Protection'). It was collected on his behalf at
Chartered Accountants' Hall by J.J. Dearden of PC
Security Ltd.
ASP is based on Fred Cohen's many years of experi-
ence in PC and PC LANS security, but is designed to
protect minis and mainframes as well. As well as pro-
tecting against viruses, the device helps maintain the
integrity of data within a PC system in the event of
media failure or unauthorised modification. It protects
the boot block, interrupt vector table, system files and
any user-defined and data files. Protection is by
means of the application of a crytographic checksum.
This identifies any modifications to protected areas of
the system, enabling them to be dealt with.
As a next step, the product will be hardware embed-
ded.
(Dr. Fred Cohen, PC Security Ltd., The Old Court
House, Marlow, Bucks SL7 3AN.)
15