Privacy and security

How to handle a computer security breach

How do I know whether someone else is, or has been, hacking on my computer?

Whether someone has been, or is, hacking into your computer is not always easy to tell. Some of the tell-tale signs of possible unauthorised access to your machine include the following:

  1. The hard drive on your computer starts up for no reason;
  2. The cursor on your computer screen moves slowly or appears temporarily unresponsive as you use your mouse; and
  3. The files or applications on your hard disk have been moved, renamed, updated, lost or changed in any way that you did not expect.

A number of governments are setting up agencies specifically to set standards for security, reporting and skills, and to tackle cyber-crime directly, following statistics showing an increase in the number of online security breaches in recent times. In Australia, the Brisbane-based non-profit organisation known as the Australian Computer Emergency Response Team reports a four-fold increase in 2000 over 1999 (1).

In the US, cyber-defences were recently brought under the umbrella of the National Infrastructure Protection Centre based within the Federal Bureau of Investigation (FBI). In Australia, we have a similar inter-agency online security body called the E-Security Coordination Group.

The aim of these agencies is quite simple: to stop malicious and destructive activity on the Internet, because information is now a valuable commodity, as the amount of trade generated from it shows.

Is hacking a bad thing?

Well, yes and no. It depends on the intent of the computer hacker. For example, if the computer hacker wants to deliberately damage other people's data or programs, or to steal personal or financial information and use it illegally for their own goals, then hacking is a bad thing.

However, if the aim of the computer hacker is to uncover security flaws in commercial software and nothing more, and so help improve our confidence in the things we use in the digital world, then hacking should be seen as a valuable service to the community.

To avoid the negative impact of hacking in society, it should be the responsibility of the community, governments and business professionals to work with computer hackers and ensure that they are well-supported and have exactly what they need to survive. In that way, their skills can be applied for the benefit of, and not against, society.

How will governments control the negative aspects of hacking and other computer-related crime?

According to a raft of proposed amendments to NSW and Federal legislation in 2001, the preferred solution is to impose heavy penalties and, in a highly controversial move, to give the Australian Federal Police (AFP) greater powers to inspect or even confiscate computers where there is even the slightest suspicion of foul play by anyone in the computer industry.

For example, the NSW Government has taken a tough stance in the proposed Crimes Amendment Computer Offences Bill introduced into Parliament this year. The Bill provides that:

  1. anyone with access to data or programs, whether authorised or not, who intends to damage or impair data or programs for whatever reason;
  2. anyone found to have electronically tampered with credit card information with the aim of defrauding; and
  3. anyone making an unauthorised modification to data or programs,

faces a sentence of between 5 and 10 years, depending on the severity of the crime.

Of particular interest is the controversial NSW amendment making it an offence to possess data or programs with the intent of carrying out a computer-related crime. This is equivalent to saying that a person carrying a crowbar is probably intent on committing a crime such as housebreaking. The offence also allows a person to be charged with knowingly assisting another person to commit the offence by supplying the data or programs.

NSW Attorney General Bob Debus elaborated on this controversial amendment:

"This is a preparatory offence to allow the prosecution of individuals who intend to commit a computer offence and who have taken steps to commit the computer crime by the possession or control of data which would allow the crime to occur, or would allow them to attempt to commit the crime." (2)

Hence mere awareness of data or programs capable of being used in a crime could be enough for the authorities to inspect and/or confiscate people's computers. It may also mean hiring poachers to find these people.

All of these changes are said to be at 'the forefront of criminal law in computer offences in the world', in the words of Debus.

A similarly draconian approach is also being considered by the Federal (Howard) Government, according to an article entitled Outsource plan threat to privacy: Opposition, published in The Canberra Times on 26 May 2001. Under that plan, Australians' privacy would be jeopardised and fraud investigations outsourced to the AFP even where a computer-related crime is found not to have been committed.

Will it work? Perhaps, and we might see lower computer crime rates in the initial stages. But one can foresee computer criminals simply getting smarter and more cunning in their approach as they find ways to survive and/or get their thrills, precisely because society does not support them for who they are and what they are trying to achieve. Eventually the rate of computer-related crime will probably have to go up.

Then there are the innocent people who could end up in jail through no fault of their own. For example, if several people use a computer, is the owner fully responsible for any breach of the legislation?

And what about the police themselves? Can the police always be trusted with the "evidence" (i.e. the computer), considering how easily digital information can be created or modified?

It really boils down to a question of evidence and the people who handle that evidence. In a court of law, it must be established beyond reasonable doubt that a computer-related crime has been committed. That includes the judge having confidence that the authorities gathered the evidence properly, that the evidence is intact and has not been tampered with, and that it actually proves the authorities' case.

This is an important point. Under the last of the controversial amendments, the one concerning intent to commit a computer-related offence, people cannot go around suspecting anyone of committing a computer crime unless there is evidence. That will be the crux of the success of the new amendment bill.

What is the basic procedure for dealing with a computer security breach?

Unauthorised access to a computer is a criminal offence. If you suspect a security breach has taken place on your computer:

  1. Never boot from the original media you wish to examine. Start the tampered computer from a separate, trusted system disk and immediately set the suspect hard disk to read-only (a hardware write-blocker, if you have one, enforces this regardless of what the operating system tries to do). This is the crucial step to ensuring no further changes are made to the original media; (3)
  2. Use a utility such as the freeware Installer Observer 3.0.3 to compare the state of the suspect hard disk before and after the security breach (you should have a log file created by the utility recording the disk's original state). Have any files been added, changed or deleted?
  3. Look more closely at the modified or newly installed files and programs on the suspect hard disk. What are their internal date and time stamps? These should indicate when the perpetrator was active, but bear in mind that timestamps are easily altered by an intruder, and that merely opening a file on a writable disk can change its access time, so inspect them only on the read-only original or on a copy. Use the Get Info command on a Macintosh, or the Properties command on a PC, both under the File menu, to gather this information;
  4. Locate the log files generated during authentication to determine which user accounts were logged on at the time of the suspected breach;
  5. Examine all new files closely. In particular, look at the code of any attacking or newly installed program(s) on the suspect hard disk using a utility like the freeware Hex Edit 1.5. It may reveal the creator's name or anything else left behind by the intruder (e.g. an email address);
  6. If you believe a security breach has occurred, make an exact bit-for-bit copy of the original media. Use a clean backup disk when doing so (4). If the disk is not known to be clean, use a utility like Norton Utilities to wipe it first by overwriting the entire media with ones and zeros, so that no stale data on the backup disk can later be mistaken for evidence. Carry out any further examination on the copy, never on the original;
  7. Make one backup copy for yourself and another for the law enforcement agency that handles computer-related fraud. You should also keep a backup copy of the hard disk from before the security breach for comparison; (5)
  8. Bring the relevant managers and personnel together (i.e. the senior system/network administrator, the department manager and a representative from human resources) to establish who was accessing the computer; and
  9. If necessary, contact the law enforcement agency in your area that investigates computer crimes: ask for the computer crime investigations unit of your Federal police. These people will have more powerful tools for proper forensic examination, but involve them only if you believe a crime has been committed.
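
The following Python script is an added example, not code from the original article, and models what steps 2, 6 and 7 above do by hand: it records the state of a disk (the "log file" of the original state), compares it with the state after the incident to list added, deleted and changed files, and proves that an imaged copy matches the original byte for byte. A directory stands in for the suspect disk and a small raw file for the imaged media; all file names, contents and the simulated intruder activity are constructed here for illustration.

```python
"""Evidence-handling helpers: baseline/after comparison and image verification.

Added example for the breach-handling procedure; it is not code from the
original article. A directory stands in for the suspect disk and a raw
file for the imaged media, both constructed here, so it runs offline.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to (sha256, size, mtime_ns).

    This is the record of the disk's state that step 2 relies on. Take it
    while the disk is mounted read-only, or from the bit-for-bit image.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = (sha256_file(p), st.st_size, st.st_mtime_ns)
    return manifest


def diff_manifests(before: dict, after: dict) -> dict:
    """Classify files as added, deleted, changed (content) or touched (mtime only).

    Content change is judged by hash, not by timestamp: an intruder can
    reset a file's dates but cannot keep its SHA-256 unchanged.
    """
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p][0] != after[p][0]),
        "touched": sorted(p for p in common
                          if before[p][0] == after[p][0] and before[p][2] != after[p][2]),
    }


def verify_image(original: Path, image: Path) -> bool:
    """Step 6/7 check: a bit-for-bit copy has the same size and the same digest."""
    return (original.stat().st_size == image.stat().st_size
            and sha256_file(original) == sha256_file(image))


def run_scenario() -> dict:
    """Constructed scenario: baseline, simulated intrusion, comparison, imaging."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        disk = work / "disk"
        (disk / "System").mkdir(parents=True)
        (disk / "System" / "login.log").write_bytes(b"alice 2001-05-26 09:00 login\n")
        (disk / "System" / "Finder").write_bytes(b"original Finder binary\n")
        (disk / "notes.txt").write_bytes(b"quarterly figures\n")
        before = build_manifest(disk)  # the pre-incident record

        # Simulated intruder activity (constructed, not a real attack).
        (disk / "System" / "Finder").write_bytes(b"trojaned Finder binary\n")        # modified
        (disk / "System" / "backdoor").write_bytes(b"contact: x@example.invalid\n")  # installed
        (disk / "notes.txt").unlink()                                                 # deleted
        y2k = 946_684_800 * 10**9                                                     # 2000-01-01 UTC
        os.utime(disk / "System" / "login.log", ns=(y2k, y2k))                       # date reset, content intact
        after = build_manifest(disk)

        # Imaging: copy the 'media' byte for byte, then prove the copy matches.
        media = work / "suspect.raw"
        media.write_bytes(bytes(range(256)) * 64)
        good = work / "evidence.img"
        shutil.copyfile(media, good)
        bad = work / "damaged.img"
        bad.write_bytes(media.read_bytes()[:-1] + b"\x00")  # same size, one byte differs

        return {"diff": diff_manifests(before, after),
                "image_ok": verify_image(media, good),
                "damaged_ok": verify_image(media, bad)}


if __name__ == "__main__":
    print(run_scenario())
```

Running the script reports the backdoor as added, notes.txt as deleted, the Finder as changed and login.log as touched (same content, altered date), and accepts the faithful image while rejecting the one that differs by a single byte. Recording the digest of the image alongside the copy handed to investigators is what lets a court later confirm the evidence has not been altered.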

The tools used by a specialist computer crimes investigator almost always include some means of recovering previously deleted files from the suspect's hard disk, and of examining data fragments in file slack space (the unused space between the end of a file and the end of its last allocated cluster).

But in the end, proving that a computer breach has occurred is still a difficult task for the specialist. This is partly because people can nowadays log on to a computer anonymously, and because the security on most computers tends to be poor. That is why it is important to have good security and, if a breach does occur, to control all writing to the examined media: it preserves the integrity of the evidence and maximises the chance of a successful prosecution.