California computer researchers are hurrying to create new systems to beat a newly discovered method of breaking into computer files that may be the most serious security problem ever in the field.
Criminals who know how to break into computer systems have stolen billions of dollars from banks and could interfere with such sensitive functions as air traffic control and surgery. Security specialists say they have no way of knowing how much, if any, of the computer crime in the country has been committed through the newly found technique.
Not all systems are vulnerable, but it is estimated that several thousand computer systems in the United States may be, according to Charles Wood, a computer security specialist at the Stanford Research Institute (SRI), a private computer firm in California. SRI has notified the FBI, the National Security Agency, the Justice Department, and manufacturers about the problem and how it might be corrected.
The newly found break-in technique was discovered last year by an unknown student at the University of California at Berkeley who described it to other students in an anonymous message on the computer system.
The student had found a simple way for anyone on a network of computer terminals to break into and alter the guarded files of anyone else who uses a terminal in the system. Besides being simple--for computer experts--the method is also general enough to apply to many different varieties of computers, according to M. Stuart Lynn, director of computing at Berkeley.
A criminal would have to know enough about the computer system's hardware and programming to know whether it is vulnerable and how to manipulate its coded command system.
The break-in technique would let an unauthorized person sign onto a terminal and perform the functions of any authorized user of the breached terminal, to change information or give orders.
Some bank officers, for example, can examine accounts and order funds transferred or checks written through their computer terminals. Passwords and other code systems keep others on the same computer system, such as tellers or secretaries, from performing these functions.
Here is how the break-in method might be used in a bank theft:
The criminal would first have to sign onto the computer system of the company. In many systems, lower level employes have simple sign-on codewords which may easily be seen or overheard by others. A criminal, once signed on as if he were a low-level employe, through his knowledge of the hardware, programming and codes would then be able to send a bogus sign-on message through the terminal of an officer such as a vice president.
The main computer would believe the vice president had signed on, which would enable the criminal to transfer funds from one account to another, such as a phony savings account or a dummy company he had opened in a false name. Once the transaction was finished, it would be impossible to know who had done it, or from what terminal.
"What worries us now is that this problem arose because of a feature that was offered by manufacturers to increase the flexbility of the terminal," Wood said. "There may be other such features that are not often used that would open other" methods of attack on computer security, he added.
The losses from computer crime apparently are much larger than losses from ordinary bank fraud or embezzlement, Wood said.
"In those kinds of crimes, the average take is about $19,000, but in computer crime the average take is more than twenty times as high--about $450,000."
Wood said that one of the most worrisome aspects of computer crime is that because of widespread computer use, only money is threatened. "They are used in air traffic control and in surgery."
The break-in method may be blocked either by the programming of the main computer or by fixing the terminal itself through installing an altered version of the memory chip--the more effective method. It costs no more than about $60 per terminal.
After the technique was discovered, computer trade associations and computer manufacturers were privately notified.