Professional Documents
Culture Documents
through their activities (Rushkoff, 1994). While (e.g. fraud alone caused losses of over £3 mil-
it can be argued that, in some cases, the perpe- lion), they are nonetheless significant and the
trators may indeed be engaged in simple explo- most likely to be remembered by the public.
ration of the computer network (and, therefore, By comparing the results from all of the
feel that they are doing no real harm to anyone), related Audit Commission surveys since 1984 it
it can increasingly be seen that hacking is being can be seen that malicious abuse has increased
used as a means to achieve other ends. As evi- dramatically in terms of both incidents and
dence of this, it is possible to cite various inci- associated losses. Moreover, the increase in
dents of commercial and political malpractice recent years is far more substantial than in those
involving the use of IT. A number of cases have previously, indicating that abuse is becoming
been well publicized, with the following exam- more widespread and that activities are moving
ples providing good illustrations: away from merely curious exploration. These
• malicious activities conducted by British results are illustrated in Figure 1, which shows
Airways against its rival, Virgin Atlantic the total number of incidents reported in each
(Evans, 1994), surveyed year and the associated overall finan-
• alleged breach of the British Broadcasting cial loss.
Corporation’s BASYS computer system by With all of these statistics it should be
political parties attempting to acquire remembered that they only cover the reported
advance information on the content and incidents and many cases may still be either
running orders of news stories (Culf, 1996). unreported or undiscovered.
Invasion Total
of malicious
Hacking Viruses Sabotage privacy abuse
Number of
incidents 15 261 16 16 308
Total losses 16,220 254,925 104,625 9,400 385,170
63
Computer abuse: vandalizing the information society Internet Research: Electronic Networking Applications and Policy
Steven M. Furnell and Matthew J. Warren Volume 7 · Number 1 · 1997 · 61–66
It can be argued that the one of the most signifi- opportunities can only be realized by an
cant signs of a progression toward an informa- informed population.
tion society in recent years has been the popu-
larity of the Internet and the World Wide Web.
Attitudes for the future
A great many commercial enterprises now use
the latter as a means of promoting their prod- There are plenty of things that can be done in
ucts and services, with a quarter of the world’s terms of introducing proper safeguards in our
top 200 companies now having Web presence computer systems. At a basic level, a large
(Walker, 1996). This has the dual effect of degree of “people-based” abuse could be pre-
recognizing the extent of the existing online vented by ensuring that sufficient user authenti-
population and increasing the breadth of infor- cation procedures are incorporated – if people
mation available on the network. However, even cannot gain access, then that rather limits the
here there have been a number of high profile amount of damage that they can do. Although
security incidents. For example, a great many frequently maligned, traditional passwords are
people may have first heard of the Internet as a entirely adequate for many contexts if imple-
result of the “Internet Worm” incident (Hafner mented correctly. However, problems do occur
and Markoff, 1991), in which a university stu- in that passwords are often:
dent released a self-replicating program that • badly selected (and, therefore, potentially
spread itself throughout systems on the network easily guessed), which includes passwords
at an accelerated rate, slowing them down and that are too short, based on dictionary words
eventually bringing the whole network to a or derived from personal data,
temporary halt. More recently, there has been • infrequently changed,
the breach of encryption on the Netscape • only used at the start of a session and, there-
browser by Berkeley students (Gornall, 1995). by, grant subsequently unrestricted access to
In terms of an organization debating whether to user resources.
invest in IT or Internet connectivity, such bad
publicity may count against the decision – If these problems were addressed, with users
potentially harming future productivity and being properly educated in password principles
competitiveness as a result. and system administrators incorporating appro-
Even restricting the discussion to existing priate mechanisms to monitor/control their use,
Internet users, it can be argued that many have then passwords would provide a much more
very little appreciation of the online world of effective measure of authentication.
which they are a part. They use their e-mail However, passwords are no defense against
systems to communicate and this may be the full the scenario where the legitimate user is also the
extent of their knowledge. They do not under- abuser. A valid account holder acting within his
stand how the system works and they (quite privileges may still perform undesirable activi-
rightly) have no wish to. They may also have ties (e.g. deliberately introducing a virus into
little or no appreciation of the other groups with the system). The traditional approach to discov-
whom they share cyberspace. It will not be ering such behavior is to maintain audit trails of
apparent to them that hackers have established user activity. Unfortunately, this is more of a
their own communities on the Internet, within reactive measure (i.e. shutting the stable door
which they can explore and share their findings after the horse has bolted) and, in addition, will
with others. The fact that hackers have far more normally require some measure of human
of an appreciation of the “virtual world” in intervention in order to identify anomalies.
which they are operating than most other users, The solution may lie with more advanced tech-
makes them better placed to take advantage of niques that monitor user activity in real-time
it. (Mukherjee et al., 1994). These could, for
While a detailed understanding of technology example, compare user activity against histori-
is not necessary for individuals to prosper in the cal patterns of behavior (or profiles) for the
information society, it important that there is individual in question and/or against generic
adequate awareness and confidence. Rheingold rules that might help identify abuse scenarios.
(1994) makes the crucial point that potential Profiles could maintain information on factors
64
Computer abuse: vandalizing the information society Internet Research: Electronic Networking Applications and Policy
Steven M. Furnell and Matthew J. Warren Volume 7 · Number 1 · 1997 · 61–66
such as typical access times/locations and appli- punishment of offenses that are encouraged in
cations most frequently used, whereas the rules conventional society.
would compare behavior against more general In some cases, the dangers from abuse are
indicators (e.g. access outside of normal work- already recognized but the organizations do not
ing hours may be suspicious). Such supervision consider the introduction of security to be cost-
would also act as an ongoing means of user effective (i.e. the cost of a breach is less than that
authentication, in that departures from the of installing comprehensive safeguards) and,
behavior profile might also indicate that an therefore, prefer to adopt a reactive stance.
impostor has accessed the system. For this However, given the increasing dependence on
purpose, some further behavioral factors (e.g. our information networks, a proactive attitude
monitoring of user keystroke rhythms) could may become increasingly essential.
also be incorporated into the profiles. In this Technological changes are occurring faster
way, it would both supplement and strengthen than either the law or the general population are
the protection afforded by the password system. able to appreciate. There is consequently a
With regard to other technical measures, strong argument that we should not attempt to
circumstances unfortunately dictate that virus impose controls and legislation on a society that
scanners must now be a standard feature on all is not yet fully understood (Rheingold, 1994).
systems. They must also be regularly updated if However, we must at least be adequately pre-
they are to remain effective and combat the new pared to take action when necessary. Unfortu-
virus strains that are constantly emerging. Inter- nately, the signs are that currently this is not the
case. For example, the level of specialist
net users are particularly at risk from the spread
computer-crime training in the UK police force
of viruses, owing to the frequent downloading of
is rather low and computer-crime cases are
information from other sources which also
perceived as being less interesting to investigate
provides a path for virus transmission. While
(Collier and Spaul, 1992). In addition, even
network archives should ideally insure that their
where legal provisions do exist, the judiciary
files are virus free, this may place an unrealistic
frequently do not possess a sufficient under-
demand on system administrators in many
standing of IT to appreciate the crucial details
cases. As such, end-users should still be vigilant
of cases. For example, after a two-and-a-half
and assume some level of responsibility for their
year investigation, one of the first prosecutions
own defense.
under the UK Computer Misuse Act ended
In addition to the adoption of such safe-
with the defendant being acquitted on the
guards, there must also be a shift in attitude on grounds of computer addiction (Grossman,
the part of the victims of computer abuse. It is 1993). It has since been suggested that because
often conjectured that the majority of computer the unauthorized access was to a computer
abuse cases may not be reported, as a result of system (as opposed to a physical property) it
organizations’ desires to avoid adverse publicity was not viewed in such a serious manner and
and thereby risk losing the confidence of the that an IT-literate jury would have had more
public or their shareholders (Parker, 1989). An difficulty in accepting the line of defense that
example of this can be cited in terms of a recent was offered.
headline news story in the UK claiming that Such apparent weaknesses will obviously
various financial institutions, including those in have to be overcome as an increasing proportion
the City of London and New York, have given in of crime becomes technology-related. In the
to blackmail by “cyber terrorists” at a cost of meantime, it is worrying that we are so reliant
some £400 million (The Sunday Times, 1996). on technology and yet frequently appear ill-
Such attitudes will not be acceptable if the prepared to deal with problems.
information society is to fulfill its full potential.
With the computer as the very hub of opera-
Conclusion
tions, any nefarious activities will have to be
policed effectively if the society is to succeed. Computer abuse is by no means the only barrier
There should, therefore, be the same moral to the success of the information society –
obligations to assist in the prevention and unfriendly technology, unreliable software and
65
Computer abuse: vandalizing the information society Internet Research: Electronic Networking Applications and Policy
Steven M. Furnell and Matthew J. Warren Volume 7 · Number 1 · 1997 · 61–66
many other such factors will also provide gen- Gates, B. (1995), The Road Ahead, Viking Press, New York,
uine reasons for doubt (Stoll, 1995). However, NY.
computer abuse is different in the sense that it Gornall, J. (1995), “Netscape plugs latest leak,” The Times:
represents a deliberate attempt by one party to Interface Supplement, September 27, p. 4.
inflict damage on others. Grossman, W.M. (1993), “Hacked off,” Personal Computer
It would be unrealistic to expect to be able to World, June, pp. 286-90.
remove the criminal element from the informa- Hafner, K. and Markoff, J. (1991), Cyberpunk: Outlaws and
Hackers on the Computer Frontier, Simon & Schuster,
tion society – within any society there will
New York, NY.
always be an element that is unethical or disrup-
Marchand, M. (1987), La Grande Aventure du Minitel,
tive. However, we must modify our attitudes
Larousse, Paris.
and give the issue a similar level of consideration
Martin, W.J. (1988), The Information Society, Aslib, London.
to that which we already give to other types of
Mukherjee, B., Heberlein, L.T. and Levitt, K.N. (1994), “Net-
crime (e.g. theft from our properties).
work intrusion detection,” IEEE Networks, Vol. 8 No. 3,
In general, an increase in the instances of pp. 26-41.
computer crime must been seen as inevitable, as NCC (1994), IT Security Breaches Survey Summary, National
technology itself becomes more pervasive and Computing Centre Limited, Manchester.
hence the most natural environment in which Parker, D.B. (1989), “Consequential loss from computer
criminal opportunities will be perceived. The crime,” in Grissonnanche, A. (Ed.), Security and
widespread acceptance of this fact will be the Protection in Information Systems, Elsevier Science
first step in ensuring that the information soci- Publishers B.V., North-Holland, pp. 375-9.
ety is a safe place to be. Poster, M. (1990), The Mode of Information: Poststructural-
ism and Social Context, Polity Press, Cambridge.
Rheingold, H. (1994), The Virtual Community – Finding
References Connection in a Computerized World, Secker &
Warburg, London.
Audit Commission (1994), Opportunity Makes a Thief – an
Analysis of Computer Abuse, HMSO Publications Rushkoff, D. (1994), Cyberia – Life in the Trenches of Hyper-
Centre, London. space, HarperCollins, London.
Collier, P.A. and Spaul, B.J. (1992), “The Woolwich Centre for Stoll, C. (1995), Silicon Snake Oil – Second Thoughts on the
Computer Crime Research: addressing the need for UK Information Highway, Macmillan General Books,
information,” Computer Fraud & Security Bulletin, London.
August, pp. 8-12. The Sunday Times (1996), “City surrenders to £400m gangs,”
Culf, A. (1996), “BBC acts to thwart political hackers,” The June 2, pp. 1-24.
Guardian, February 9, p. 1. Toffler, A. (1981), The Third Wave, Pan Books, London.
Evans, D. (1994), “BA in dock over hacking,” Computer Walker, C. (1996), “Brand leaders embrace Web,” Computer
Weekly, April 28, p. 6. Weekly, January 11, p. 6.
66