Bank robbers now online

Willie Sutton understood.

When asked why he robbed banks, Sutton said it is because “that’s where the money is”.

If Sutton were alive today, he’d be online.

Sutton’s heirs reached the same conclusion. Criminals cottoned on to online early in the piece. They’ve been active almost as long as computers have used telephone lines to swap data.

The early computing underground grew out of phone phreaking – a murky, highly technical game where the aim was to use the world’s telephone lines without paying tolls.

Computer crime started in the 1960s

The first widely reported cases of computer crime came in the 1960s. During the early days, electronic misdemeanours were usually inside jobs.

An explosion in online communications over the past 15 to 20 years has seen the problem grow in size and scale. Insiders remain a large part of computer crime, but these days the emphasis is more on external activity.

United States Department of Justice statistics show that reported online crime cases increased 43 percent between 1977 and 1999. The statistics also note that online crime is notoriously under-reported. This means nobody knows for certain, but anecdotal evidence says that many companies are paying blackmailers and sweeping theft under the carpet in the hope that other online criminals don’t notice their vulnerabilities.

Some hope.

Online crime is everywhere

The tentacles of online crime reach everywhere. A 1998 report by PricewaterhouseCoopers (PwC) found 73 percent of US companies experienced a security breach in the previous year. Incidentally, matching this figure against reported online crime confirms companies only report a fraction of incidents.

The numbers have stayed at roughly the same level for the past decade. A survey conducted earlier this year by Forrester Consulting on behalf of Veracode found two-thirds of UK companies reported a security breach in the past year. More recently Beverly Head at iTWire in Australia reported: “Small and medium Australian enterprises are particularly vulnerable to computer security breaches, with the average SME breach costing $37,661”.

Insiders give way to outsiders

The ten-year-old PwC report found that authorized employees were responsible for 58 percent of the reported breaches in 1998.

In a later report by the same company, PwC technology risk specialist Mark Lobel noted that in 1999 hackers accounted for only 14 percent of reported security breaches. By early 2000 hackers accounted for 50 percent of all online break-ins.

There’s a clear shift away from online crimes committed by disgruntled employees – other surveys have found a correlation between corporate restructuring and internal compromises of computer security – to crimes committed by outsiders.

In part this move away from insider jobs reflects better security rules, tighter control and more all-round professionalism on the part of corporate IT departments. Like any effective local policing operation, the main upshot is that the criminals have moved elsewhere.

Yet companies are still in denial about the external threat. Last month SC Magazine reported “Businesses skeptical about external hacking”. Iain Thomson writes:

A global survey of IT managers from IDC and sponsored by Dimension Data has shown that the majority think that having the company hacked from the outside is highly unlikely.

Changing nature of computer crime

The nature of internal security breaches is also changing. In the past employees would either vandalise their employer’s systems as an act of revenge or use them to steal money.

For example, in May 2000 network administrator Tim Lloyd was found guilty of sabotaging the company network he spent years of his life building. The cost to his employer, Omega Engineering, was more than US$12 million. Lloyd plotted the destruction as his standing in the company diminished. Then, three weeks after his sacking, the system ground to a halt after a software time bomb deleted almost all the company’s programs and data.

These days, external problems are more likely and are criminal money-raising exercises, not retribution.

Called to the dark side

There’s another force coming into play. The kids who were hackers back in the glory days of the 1980s were mainly idealistic. They hacked for fun, the approval of their peers or just to show off their skills. Today these people are middle-aged. They have mortgages, school fees and other bills to pay. Many are successful. A minority are not. The temptation to go over to the dark side is strong.

In February 2000, Mark Rasch of Global Integrity Corporation appeared before a US Senate appropriations subcommittee and told politicians that today’s employees are more likely to steal sensitive customer or market information before they head off and form and float their own dot.com company.

Underlining his point, Rasch said that theft of proprietary information and intellectual property increased by 15 percent since 1998. He also testified that unauthorized access by insiders has increased 28 percent and system penetration by external parties increased 32 percent from 1998. Both statistics support other data showing the threat is moving outside of companies.

ERP is risky

In his report for PwC, Lobel writes that trade-secret theft and information loss is three times higher in businesses employing electronic supply chains, ERP or e-commerce and that revenue loss is seven times more likely to hit e-commerce sites than non-e-commerce sites.

He writes:

About 60% of those who sell products or services on the Web report at least one or more security breaches a year, 22% experience information loss and 12% suffer data and trade-secret theft. More than half of those with non-transaction sites report one or more incidents. And the number of hits from outsiders is on the rise.

Reports from organizations as diverse as the Australian Federal Police, the Computer Security Institute, the FBI and the United Nations all confirm the rising menace of cybercrime. At the same time as online crime increases in value and number of attacks, it is also increasing in its scope.

Today the range of activities is wider and wilder than ever. For example, the early part of the decade saw the rise of denial-of-service (DoS) attacks. These are events where e-commerce sites are effectively rendered unable to do transactions because a large amount of dummy traffic jams incoming data lines. A spate of DoS attacks in late 1999 and early 2000 took high-profile sites like Yahoo!, eBay and Amazon.com offline.

International crime

Another disturbing trend is the cross-border nature of computer attacks. Five years ago almost all computer crime was local – that is, criminals and their victims were in the same country. Today crimes are remote. The most visible hot spots are Eastern Europe and the ex-Soviet Union.

And then there’s China. Some experts suspect, with some justification, the country’s government is either sponsoring or turning a blind eye to organised computer crime. And China isn’t the only suspect.

Authorities everywhere have finally caught up with the technology. They now recognise the potential to commit crimes using computers and other information technology tools is one of the greatest law enforcement problems of our times.

They could have reached that conclusion quicker if they remembered Willie Sutton – because online is where today’s money is found.