Bugs in the System

Computer Crime and Punishment

Strange things started happening last January at Northwest Hospital and Medical Center in Seattle. For three days, nothing electronic would work properly. Computers in the intensive-care unit shut down without warning...doctors’ pagers froze...and badge readers outside the operating rooms refused to respond to staff keycards. The whole computer system seemed distracted—as if it might be preoccupied with some task other than running Northwest Hospital.

It was. While nurses rushed paper copies of patient files from floor to floor and staff checked IDs manually, 150 of the hospital’s 1,100 computers were taking their orders from a 20-year-old in California. Christopher Maxwell, a part-time Wal-Mart employee, had infected the computers with a virus that allowed him to force them to download pop-up ads from the Internet. The nasty bug then told the computers to look for other machines to infect. In fact, the sick computers were so zealous that they crashed the entire Northwest Hospital computer system.

What was in it for Maxwell? Every time one of the computers under his control displayed a pop-up ad, the advertiser paid him a tiny fee. And the more his viruses crawled around the Internet finding victims, the more those fees added up. At the height of his power, Maxwell’s computer army of invalids had earned him more than $100,000. That’s a hefty sum for a scam that doesn’t involve much more than a few minutes’ work.

For truly spectacular graft, though, you still can’t beat corporate America. Consider Scott Sullivan, chief financial officer at long-distance telephone giant WorldCom. Sullivan, whose pay was tied to WorldCom’s stock price, prowled the company’s computerized financial system looking for dark corners in which to hide billions of dollars in losses. Under the weight of all that subterfuge, WorldCom eventually collapsed in the biggest bankruptcy in U.S. history.

Sullivan and Maxwell are part of a new breed of criminals taking advantage of the flaws in modern technology to line their own pockets. The power they wield is frightening; they are hard to track down and even harder to convict. Yet despite the intricacies of their exploits, they are no more than con artists, bad actors practicing the world’s oldest crime: fraud.

When Good Things Happen to Bad People

“It’s just too easy to commit crimes with a computer,” says Anthony Skjellum, Ph.D., chair of UAB’s department of computer and information sciences. “And computer crime, on average, is much more lucrative than robbing banks. There are billions of dollars of losses in Alabama alone each year from computer-related crime. You can get away without a lot of risk to yourself, and if you’re even halfway knowledgeable you can cause some pretty serious economic damage.”

Criminals quickly caught on to the power of the microchip. The Federal Trade Commission reports that, as of 2005, Internet-related cases made up 46 percent of all fraud complaints (Alabama is in the middle of the pack among U.S. states in rankings of both victims and perpetrators of online fraud). But an act, however reprehensible, is not a crime unless it violates the law. “There is often a lag between the advent of new technologies and the laws that regulate them,” says John Sloan, Ph.D., chair of UAB’s justice sciences department. “It was years before laws were passed that prohibited hacking, for example—people used to be able to hack legally.”

Legislators took two major steps forward with the Sarbanes-Oxley Act of 2002 and the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003. CAN-SPAM made sending junk e-mail illegal, opening spammers up to prosecution. Sarbanes-Oxley, which was passed in the wake of the Enron and WorldCom accounting scandals, forced companies to actively search for, and report, in-house fraud.

“Now that we have those laws on the books,” says Sloan, “we’ve got to train the folks who’ll enforce them.” Tracking down digital fraudsters, he says, requires specialists who know how to spot their crimes, how to follow clues through the nooks and crannies of computer systems to collect evidence, and, most important, how to provide convincing testimony in court. Such specialists must know the law, but they must also know computers and accounting. Enter a whole new breed of forensic scientists.

“Today’s forensic scientists are people who take substantive training—in chemistry or biology or pharmacology or computer science or accounting—then apply that knowledge to the investigation, preservation, and introduction of evidence relating to a crime,” says Sloan.

That training is available now at UAB, where two innovative programs are preparing students for careers as computer sleuths. Sloan and Skjellum are leading a collaborative effort between the justice science and computer science departments that has produced Alabama’s first graduate certificate program in computer forensics. And over in the School of Business, Tommie Singleton, Ph.D., is directing a new concentration in forensic accounting and IT auditing that is proving to be popular with students and professionals alike. This is all good news for the cops on the computer-fraud beat, who could certainly use some help.

Now that computers are a favorite tool of criminals, law-enforcement agencies have begun treating the machines not just as property to be seized, but also as mini-crime scenes. For computer scientists and accountants with the right training, forensics is opening the door to a host of glamour jobs; for example, they can suit up as agents with the Federal Bureau of Investigation and the Secret Service, ride herd over thousands of computers at Fortune 500 companies, or go the Sherlock Holmes route and open their own high-tech detective agencies.

Spam I Am

IF I WERE YOU
In the Company of Identity Thieves

No electronic crime seems to generate as much public fear as identity theft, and for good reason. According to the Federal Trade Commission, identity theft represented 37 percent of all fraud complaints filed in 2005, three times as many as the next item on the list, Internet auction fraud. Last year, UAB criminologists Heith Copes, Ph.D., and Lynne Vieraitis, Ph.D., received a grant from the Justice Department to study convicted identity thieves in prisons.

“One of the things they learned is that there seems to be a link between the methamphetamine epidemic and identity theft,” says John Sloan, Ph.D., chair of UAB’s justice sciences department. “The link is that meth addicts realize it’s a whole lot easier to steal someone’s identity and get money by bartering than by knocking off a convenience store. If that’s true—and we still don’t know that for sure—then it’ll be important to start looking for other kinds of links between the drug trade and all of this computer crime.”

Not all identity thieves are small-time street criminals, of course. “It’s been proven that, just like certain charities give money to terrorists, certain hacking activities are fronts for well-known terrorist organizations to get money to commit their acts of violence,” says computer scientist Anthony Skjellum, Ph.D. “Cyber fraud is an aspect of their organizations.”

In January 2004, Microsoft CEO Bill Gates promised a gathering of world movers and shakers that the problem of junk e-mail would be solved in two years. As of mid-2006, it isn’t. The first order of business in most offices these days is to delete all the digital come-ons that arrived the previous night: ads for drugs and cut-rate software, pictures of Hollywood starlets, shady financial deals from long-lost relatives in West Africa; in a word, spam.

These messages, rife with spelling errors and logical holes you could drive fleets of trucks through, are the most visible and irritating face of computer fraud today. They are also big business, and the best (or worst) of e-mail thieves can make millions.

“Originally, most spam was designed to sell you something directly,” says Skjellum. “But now what most of the spammers want is to get you to their Web sites, where they can steal your personal information and then use that to empty your bank accounts, or worse.”

There are plenty of ways to get in trouble online. “Phishers” (creative spelling is a hallmark of the hacker culture) are the ones who send you fake e-mail from eBay or your local bank asking you to click a link and reset your password. If you do, they steal the real one for themselves. “Keylogging” software buried in downloaded pictures or games can record what you type and send your social security number, passwords, and other information back to its creators. Open the wrong file and your computer might become a “zombie,” a virtual slave in a vast network that can be harnessed to attack other computer systems.

The amazing thing is that despite all of the warnings we hear about the dangers of the Internet and the transparent illogic of most of the pitches—after all, surely a huge international bank would take the trouble to spell its own name correctly in its e-mail messages—they are still remarkably effective.

“Two percent of spam e-mails that contain phishing attacks get responded to,” says Skjellum. That may not sound like much of a return, but, for comparison, consider that marketers buying a print ad in a daily newspaper are satisfied with a response rate of 0.5 percent. And spammers are only getting better at making their pitches look real. A recent AOL survey found that more than two-thirds of people who received phishing e-mails thought they were from legitimate companies, and less than half had ever heard of phishing (and of those, only half knew what it meant).

The Secret Sharers

Anyone with a list of e-mail addresses can troll for unsuspecting marks on the high seas of the Internet. The Anti-Phishing Working Group reports that almost 50,000 new phishing Web sites were created in 2005. Their catch can be quite profitable. A Brazilian phishing kingpin named Valdir Paulo de Almeida led a gang that sent out more than three million fake online banking e-mails each day and stole up to $37 million over two years. An American gang calling itself ShadowCrew made its own millions by running an online identity-theft superstore. Members used phishing scams and other techniques to steal information from millions of people, then used that information to print up credit cards, driver’s licenses, and other documents with those identities, selling them through their Web site to the highest bidders.

Groups such as these can’t send all that spam from their own computers—Internet service providers like America Online and Earthlink block millions of spam messages a day (AOL deleted 428,579,418 spam messages in one 12-hour period in July 2004). They also summarily shut down accounts with suspiciously high e-mail volumes, and they’re becoming more aggressive in taking offenders to court. In its first lawsuit under the CAN-SPAM Act, AOL seized nearly $100,000 in cash and a Hummer H2 SUV from a major spammer, which it promptly gave away to members in a sweepstakes.

To circumvent these deterrents, spammers use their victims to help by creating “bot nets.” Bot masters such as Christopher Maxwell gain control of their machines by sending out virus-laced e-mails. When an unsuspecting user opens the message, he downloads the virus to his computer, allowing the sender to take over. By the time he was caught, Maxwell controlled more than 50,000 computers across the country.

Reeling in the Years

We know the details of these cases because, fortunately, they ended with arrests and heavy jail time for the offenders. But such successes are still relatively rare. Despite the CAN-SPAM Act, “only a few spammers, for instance, have been caught,” says Skjellum. “The fact that we can actually keep up with prosecutions in the newspaper tells you that there’s a gap. There are lots of creative ways to commit crimes now, and these criminals are at the center of a whole maelstrom of illegality.”

So who exactly are the perpetrators of online crime? As you might suspect, some of it is committed by underage computer freaks such as Christopher Maxwell. But the rogues’ gallery also includes mobsters, terrorists, and meth addicts (see “If I Were You” above).

“All of the stuff that goes on in the physical world goes on in the cyber world too,” says Sloan. “You have everything from the lone individual who steals someone’s identity and runs up $50,000 in credit card charges to highly organized Russian mafioso types who run a world-wide operation involving the thefts of tens of millions of identities.”

“There’s a significant organized-crime presence on the Internet,” adds Skjellum. “In fact, the world computer-crime trade now generates more money for criminals than the world drug trade. We have a war on drugs—we need a war on computer crime.”

Government agencies have taken steps to gear up for such a war. “There’s an entire division of the Federal Bureau of Investigation that’s devoted exclusively to cyber crime,” says Sloan, “and the mandate of the Secret Service has been changed to include cyber crime.” Nevertheless, state and local law enforcement agencies, which see a lot of the cases, don’t have the staff or expertise to handle them.

“Just to give you an example, there are dozens of law-enforcement agencies in the metropolitan Birmingham area, but there are very few officers trained in computer forensics,” says Sloan. “As a result, local law-enforcement agencies often have to send their computer evidence elsewhere for forensic analysis.”

Swimming With the Phishes

Starting this fall, UAB’s graduate-level certificate program in computer forensics will train more troops to fight the scammers. The program is open to students pursuing master’s degrees in criminal justice, forensic science, or computer and information science, with coursework that blends computer science and justice science. A “B” level certificate is also available for in-service training of law-enforcement professionals.

Students in the program will learn to examine both paper and digital documents, searching for evidence of forgery. They’ll also learn about network security—what makes a network vulnerable and what makes it strong. And they’ll learn the elements of traditional forensic science in the areas of chemistry, biology, pharmacology, toxicology, and pathology, spending time in laboratories working on projects with faculty members.

By the time they graduate, students will be ready to work in state crime labs, looking for evidence in seized computers; or as agents for the FBI and the Secret Service, participating in actual raids on suspected spammers; or in the private sector, monitoring internal security for large corporations and fending off attacks from rogue bot nets.

Defense Spending
Teaching the Air Force to Watch Its Wallet

If you were alive in the 1980s, chances are you remember the $600 toilet seat. That was the price the Department of Defense paid contractor Lockheed for the commode lids in each of its P-3 warplanes—which was just one example of billions of dollars of inflated charges for hammers, bolts, and so on that created a major scandal. But greedy contractors aren’t the only problems facing fraud investigators in the armed services, who have the massive job of policing military installations around the world for signs of financial wrongdoing.

A few years ago, the Air Force began enrolling some of its investigators in a specially designed master’s degree program in justice sciences at UAB. At the encouragement of Kathryn Morgan, Ph.D., director of the justice sciences program, Air Force students usually take one or two forensic accounting courses: Tommie Singleton’s IT Audit and Introduction to Forensic Accounting courses, and Richard Turpen’s class on fraud examination.

“One category of fraud is corruption,” notes Singleton, “and within corruption you have conflict of interest, kickbacks, bid rigging, and illegal gratuities. The Air Force investigators are looking for all of these transgressions, and we’re able to give them some very specific education in what those crimes are, how they’re perpetrated, how to detect them, and how to prevent them.”

All of these employers are desperate for specialists who can hit the ground running. “Very soon, the most valuable computer science graduates we produce will be these master’s degree students,” says Skjellum.

But it’s not enough for computer forensics experts to be techno-wizards, says Sloan. They must also be able to introduce evidence in court and provide clear, convincing testimony. “Our classes are geared toward training students to testify about the science behind what they did, so when they get in front of a jury they can explain it in layman’s terms,” he says. “That’s an absolutely critical skill for forensic scientists—because if you can’t talk to a jury in terms that they can understand, you’ll totally lose them.

“Do you remember the O.J. Simpson trial?” he continues. “One reason that went as well as it did for Simpson was because [defense lawyers] Barry Scheck and Henry Lee were able to talk about extraordinarily complex science in a way that 12 average people could understand.”

1 for the Money, 2 for the Show

While it’s challenging for computer forensic scientists to explain techno-jargon to the general public, most people today are at least familiar with computers and somewhat intrigued by their seemingly mysterious powers. Forensic accountants, on the other hand, have a different challenge when trying to communicate with lay audiences: the boredom factor.

“When you talk about accounting, except to accounting majors, people get a glazed look,” says Tommie Singleton, Ph.D., assistant professor in accounting. “So forensic accountants have to be really good at communicating information succinctly and accurately to laypeople so that they’ll understand it and won’t go to sleep.”

Singleton heads UAB’s forensic accounting program, a four-course concentration for accounting students that’s also attracting a lot of interest from professional auditors in the public and private sectors. “We’ve had to turn students away, which we don’t like to do,” says Frank Messina, Ph.D., chair of the accounting department. “But that’s a testament to the demand, and to the teaching of Dr. Singleton and the other professors. We’re very excited about the success of this program.”

Students take courses in forensic accounting and IT (information technology) auditing, fraud examination, and the legal elements of fraud investigation. The last class is a practicum in which they work on actual forensic accounting investigations. Along the way, they hear from real-life forensic accountants about real-life cases—often learning as much about psychology as about numbers.

“A lot of times, our cases come from the insurance world,” says Singleton. (Health and insurance scams are always at the top of the money list when it comes to fraud.) “For example, a motel burned down, and the owners claimed they were owed $6 million in lost revenues. The insurance company didn’t believe they lost that much, so their lawyers called in a forensic accountant to investigate.

“Now, if that accountant gets up in court and starts explaining the debits and credits and the financials and the sales tax records, people will go to sleep,” Singleton continues. “To show our students how to provide effective testimony, we bring in people like Steve Alexander of the AEA Group [a local forensic accounting firm], and he shows them what he did. He did a PowerPoint presentation that consisted of three slides: the occupancy figures before the fire, the figures the motel owners claimed, and the occupancy figures after the fire. And with those three slides, he won. He tells the students: ‘Keep it simple, keep it succinct; make a graphic that anybody can look at and understand.’”

Recipe for a Cooked Book

What really sets UAB’s curriculum apart from the handful of other forensic accounting programs available at U.S. universities is its focus on using technology to audit financial systems and detect fraud. Accountants have traditionally done their work by wading through a sea of paper: purchase orders, receipts, cancelled checks, and so on. Although that process is cumbersome and time-consuming, it does provide a tangible trail to follow to make sure a company’s books add up. But in today’s electronic world, most of that evidence is buried on computer hard drives.

“Just think about a trip to the gas station,” says Singleton. “You drive up, swipe your credit card, pump your gas, tell the machine you don’t need a receipt, and drive off. There is no paperwork, so how do you audit that? The only audit trail you can follow is computerized.”

The new, computerized financial world needs a new kind of accountant: the IT auditor. “It used to be that an auditor would look at the information that went into a computer and the information that came out, and he would assume that what happened in between was irrelevant,” says Singleton. “But today, after passage of the Sarbanes-Oxley Act, companies have to follow Section 404, which says that management has to do an evaluation of its internal controls. And 99 percent of those controls are embedded in computer systems.”

Singleton teaches students how to use powerful new software programs to scour electronic accounting records for evidence of fraud. Computers, of course, have a significant advantage over their human counterparts—they can check everything. “All you have to do is select the proper command from the data mining software, and it will read through a column of figures and tell you instantly if there are any gaps,” Singleton explains. “And it has checked 100 percent of the data. So instead of me sitting here for hours going through checks to see if there are any gaps, a computer does that in a few seconds.”
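
The gap test Singleton describes, sketched as an added example (it is not code from the article or from any audit product; the register layout and every value in it are constructed). It goes slightly beyond the quote by also reporting duplicate numbers and rows whose check number cannot be parsed, since an auditor would want those alongside the gaps.

```python
import csv
import io
from collections import Counter

# Constructed sample check register (not real data): number, payee, amount.
SAMPLE_REGISTER = """check_no,payee,amount
1001,Acme Supply,250.00
1002,City Utilities,1310.45
1003,Acme Supply,980.10
1006,J. Smith,4999.00
1007,Office Depot,88.12
1007,Office Depot,88.12
1010,J. Smith,4999.00
VOID,,0.00
1011,City Utilities,1295.30
"""


def load_check_numbers(text):
    """Parse the register; return (numbers, rejects).

    rejects holds (file_line, raw_value) for rows whose check number is not a
    plain integer, so nothing is silently dropped from the population.
    """
    numbers, rejects = [], []
    # Data rows start on file line 2 because line 1 is the header.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        raw = (row.get("check_no") or "").strip()
        if raw.isascii() and raw.isdigit():
            numbers.append(int(raw))
        else:
            rejects.append((line_no, raw))
    return numbers, rejects


def find_gaps(numbers):
    """Return inclusive (first_missing, last_missing) ranges in the sequence."""
    ordered = sorted(set(numbers))
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


def find_duplicates(numbers):
    """Return check numbers that appear more than once, in ascending order."""
    counts = Counter(numbers)
    return sorted(n for n, c in counts.items() if c > 1)


def audit_sequence(text):
    """Run the gap and duplicate tests over 100 percent of the register."""
    numbers, rejects = load_check_numbers(text)
    return {
        "checked": len(numbers),
        "gaps": find_gaps(numbers),
        "duplicates": find_duplicates(numbers),
        "rejects": rejects,
    }


if __name__ == "__main__":
    report = audit_sequence(SAMPLE_REGISTER)
    for first, last in report["gaps"]:
        print(f"missing check numbers {first}-{last}")
    for number in report["duplicates"]:
        print(f"check number {number} appears more than once")
    for line_no, raw in report["rejects"]:
        print(f"line {line_no}: unparseable check number {raw!r}")
```

A gap or duplicate is a lead for follow-up, not proof of fraud: voided or spoiled checks produce the same pattern.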

Sometimes accountants have to take their computer sleuthing to extraordinary degrees. “Cynthia Cooper was an internal auditor at WorldCom, and she was suspicious that she had no access to the main computer with the financial information about the company,” Singleton says. “She kept getting pushed into a corner by the CEO about what she could and couldn’t investigate. And she got uncomfortable with that—she felt like something was going on, so she came in at night and actually hacked into her own computer system to get to that information. Then she went to a board meeting and had the unmitigated gall to say, ‘Here’s a billion dollars’ worth of evidence of fraud, and that dude at the end of the table is the one who’s doing it.’”

That dude, WorldCom CEO Bernard J. Ebbers, was eventually convicted of securities fraud, along with Scott Sullivan and a number of other WorldCom executives who helped carry out the mammoth financial deception.

Turn On, Tune In, Opt Out

UAB alumnus Gary Warner is on the front lines in the war on cyber crime. As a top electronic security officer for Energen who also acts as a private-sector liaison with the FBI and Homeland Security, Warner studies the latest tactics of cyber criminals and helps victims repair the damage they cause. He actively shares his knowledge with UAB’s computer forensics classes, lecturing and coaching students in computer security competitions. In a recent presentation to UAB’s Criminal Justice Student Organization, Warner offered chilling examples of just how easy it is for criminals to target vast numbers of potential victims and hide from police on the other side of the globe.

In a popular hacker chat room, spammers can rent a “bulletproof” server (meaning that it can’t be shut down by U.S. authorities) in China from which to send their messages for $650 per month. On the same site, a list of 17 million Yahoo e-mail accounts is available for a mere $250. And as the sales pitch notes, these are “opt-in” accounts that can be flooded with junk mail without violating the CAN-SPAM Act of 2003. (If you have ever checked a box that asks, “Would you like to receive information from our business partners?” on a Web site, you have “opted in.”)

Filtering software has become much better at looking for key words in e-mails that mark them as probable spam, Warner says. But criminals can always find new ways to up the ante: The latest technique is to send their sales pitches as unfilterable pictures and even audio files. But for all their evil-genius reputations, hackers can make dumb mistakes, just like any other criminals. Early this year, a group of Pakistani saboteurs decided to seek revenge on the country’s arch-enemy, India, by breaking into Indian government Web sites and defacing them with obscene rants. The hackers weren’t too careful about what kind of Indians they targeted, however, making the same mistake as Christopher Columbus: One of their victims was the U.S. Bureau of Indian Affairs.

The Hook Brings You Back

The best strategy to reduce corporate fraud, Singleton says, is to increase the number of accounting cops on the beat. “The generally accepted rule in law enforcement is that the best prevention is the perception of detection,” he says. “Street criminals often don’t really care if they go to jail or not. But white-collar criminals are different. Most likely, they have not been in jail. They probably have a personal code of ethics. So if there’s a threat hanging over them of jail time, of the shame of being caught, that is a strong deterrent.”

But what about the hardened cyber-criminals who are cloaked in anonymity and hidden halfway around the world? Most people know that they can’t trust everything that appears on their computer screens. But when an e-mail with an interesting subject line appears, many people just can’t help themselves—and the criminals know it.

“There is the Viagra and Cialis lead, the mortgage lead,” says Skjellum. “You name it. They’re appealing to people’s weaknesses or perceived weaknesses. And apparently their appeals are somehow psychologically effective, given the 2 percent response rate. That’s why it’s also a societal problem. Psychologists need to be involved to figure this out.”

The controversial social psychologist Stanley Milgram’s “small world hypothesis” might shed some light on the power of spam. Based on an experiment involving a chain letter, Milgram suggests that the ties that bind us together are tighter than we think. In short, each of us has a vast network of friends and family that is linked to so many other people’s networks in complex and unforeseen ways that it’s possible to find a connection between anyone and anyone else on the planet in only a few steps. Because of the interconnectedness of the Internet and e-mail, we aren’t surprised to get personal notes from total strangers who wind up being friends of friends of friends. And if an e-mail includes an attachment claiming to be a picture of a Russian tennis star, or an offer of big bucks from Nigeria, why not open it? Spammers can always count on a certain percentage of users thinking along these lines.

“The other aspect of our job, besides offering courses, is educating the public so they won’t fall victim to these lures,” says Skjellum. “We have to help people understand that there are no buckets of money waiting on the Internet for them to collect.”