A couple of somewhat interesting crypto tidbits.

------- Start of forwarded message -------

[From the NIST Security Bulletin Board]

FROM: AFCSC/SRM
      250 Hall Blvd, Suite 347
      San Antonio TX 78243-7063

SUBJ: THE CONNECTION Information Letter

AFOSI COMPUTER CRIME CASES
by TSgt Dwayne L. Thomas
AFCSC/SRME

Destruction of Government Property, Unauthorized Access to Material, Violation of Article 134 of UCMJ

Location: CONUS
Motive: Personal revenge and vandalism
Duty Position: Systems Administrator, Military

An investigation was initiated after a CONUS-based research center had reported that various files contained in the center's mainframe computer had been altered. The subject (a Sgt assigned as the Systems Administrator) had created a program that only he was able to access. This resulted in the subject being able to access, extract, and subsequently delete information without being detected. Being the Systems Administrator, the subject had enough knowledge of the passwords, audit trails, and software to manipulate information at will.

After the investigation began, subject admitted fixing the computer so that no one else could access the subject's personal program. The subject was upset with upper management for not giving the amount of recognition due for creating another program for the center's use. Subject stated that months had been spent working on this program. Subject also felt pressured because past job performance and two altercations at the NCO Club might cause denial of reenlistment. Subject also was a co-owner in a failing carpet and upholstery cleaning business and stated that building a program that only one person could run would make the subject important to the mission and increase chance for reenlistment.

Subject was fined 1 month's pay, denied reenlistment, and given a bad conduct discharge.

BOTTOM LINE: It is vitally important that no one person have all the knowledge about how to operate a system because if one day that person is sick, quits, or dies, the organization will be in a world of trouble. Some ways to prevent this are by assigning a primary and alternate administrator, having continuity books available, and having training sessions. Remember, computers are dumb machines and are only as smart as the person who's programming them.

Wrongful Use and Conversion of Government Computer, Theft of Government Property, Copyright Violation, Violation of Title 18 of U.S. Code 641

Location: CONUS
Motive: Personal financial gain
Duty Position: Functional User, Military

An investigation was initiated after it was discovered that a SSgt assigned to the Base Data Processing Facility had been misusing government resources for personal profit. The subject was working part time for a local contractor and was making profit by making illegal copies of government purchased software. The subject would take pieces of equipment from the duty section and provide it to the contractor. The subject would copy the government software and provide one copy to the contractor and keep one copy so that it could be replicated and sold for more money.

After the investigation began, the subject admitted making copies of the government software and contacting other companies to see if they wanted to purchase copies of the stolen software. Subject also admitted bringing disks in from home and running them on the government systems for evaluation. Subject felt that even though violations had occurred, accountability was questionable because security briefings on the legalities involved with copying government software had not been provided. The extra money had helped the subject with a bad financial situation.

The subject resigned from his part-time job, was fined 2 months' pay, given a letter of reprimand, and placed on a control roster.

BOTTOM LINE: Even though the Air Force purchases large amounts of software from various companies, it is still subject to copyright laws the same as any individual. We must continue to educate all our personnel that this is a very, very serious offense and complacency is not an acceptable excuse. Also, the risk of introducing viruses from unauthorized software onto a computer system can completely halt an operation. Never allow unauthorized software into your duty section. Remember, taking chances like this with the security of your system is like having a friend with a drinking problem and for his/her birthday you give him/her a shopping spree at a liquor store--it's a no-win situation!

COMSEC INCIDENTS
by Mr Richard L. Davis
AFCSC/SRMP

The total number of physical and cryptographic COMSEC incidents reported within the Air Force for the following past 2 years were:

    CY91 - 480
    CY92 - 364

This Trend Summary will compare CY91 with CY92 COMSEC incidents and the previous 6 months with the past 6 months. Data on practices dangerous to security (PDS) will also be included in this summary. The total number of COMSEC incidents reported for the Jan-Jun 92 time frame was 191 as compared to the Jul-Dec 92 total, which was 173. This is a decrease of 18 incidents.

The total and type of COMSEC incidents that occurred in CY91 and CY92 are:

    Type Of Incident      1991    1992
    Physical               432     330
    Cryptographic           48      34
    Total:                 480     364
    PDSs                    74     116

Physical, cryptographic, and PDS COMSEC incidents are categorized into the following types and totals (comparing the past 6 months with the previous 6 months):

    Physical Categories:            Jan-Jul 92   Jul-Dec 92   Totals
    Loss Control Of COMSEC                  53           63      116
    Permanent Loss                          49           32       81
    Unsecured Safes/Workcenters             20           15       35
    Destruction Irregularities              19           17       36
    Lost Two-Person Integrity                7           14       21
    Unauthorized Access/Use                 13            4       17
    Damaged Packages                         4            6       10
    Unauthorized Shipping Mode               5            4        9
    Unauthorized Reproduction                2            2        4
    Facility Construction                    1            0        1
    Totals:                                173          157      330

    Cryptographic Categories:
    Used Superseded Material                 1            1        2
    Extended Crypto Period                   9            8       17
    Unauthorized Use Of Material             6            3        9
    Unauthorized Maint Performed             2            4        6
    Totals:                                 18           16       34

    PDSs:
    Inadvertent Destruction                 18           37       55
    Inadvertent Opening                      5            5       10
    Physical Loss                            3            9       12
    Destruction Irregularities              13            6       19
    Unauthorized Viewing                     1            2        3
    Material Pulled from Canister            1            0        1
    Unauthorized Shipping Mode               2            0        2
    Damaged Packages                         1            0        1
    Loss of Control of COMSEC                4            6       10
    Forced Entry Into Safe                   0            1        1
    Unauthorized Reproduction                2            0        2
    Totals:                                 50           66      116

Now that you have seen the total breakdown of all the COMSEC incidents of the past 2 years and the two 6-month periods, let's compare the previous 6 months with the past 6 months and show some of our major problems (by categories) that have been and still are the leading factors within the COMSEC incident world.

Loss of control of COMSEC has been the front-runner of COMSEC incidents in the past 3 years. If you noticed, during the Jan-Jun time frame, there were 53 incidents and in Jul-Dec there were 63. This was an increase of 10 reported incidents. We are supposed to decrease incidents--not increase them. The same types of occurrences are still happening as before, just different personnel are losing the handle.
Material is still being left unattended in hallways, government vehicles, and any place you can think of. As you can see, there were 116 incidents of this type in 1992. We had 116 people go "brain dead" for some reason. This can be the only logical reason for leaving their COMSEC material unsecured/unattended.

Permanent loss of COMSEC material is still the second runner-up. There was a decrease of 17 incidents when comparing the two 6-month periods. During the first 6 months, there were 49 COMSEC incidents; and during the latter 6 months, there were 32, with a grand total of 81 for the year. People are very, very careful not to lose their money or paycheck, so why can't they apply the same rules and hard-nosed controls when it comes to protecting their COMSEC? The primary reason for lost COMSEC material is not paying attention to details.

Unsecured safe/workcenter incidents decreased by five in the latter 6 months as compared to the first 6 months. There were 20 reported incidents in the first 6 months, while 15 incidents were reported for the latter months. People are still not checking their safes at the end of the day. They are assuming it's locked or secured. One day their assumptions will prove them wrong. The COMSEC Managers must instill in all their users to take that extra minute to check safes and stop the rushing. Remember, speed can cause a COMSEC incident.

Destruction irregularities decreased by two for this reporting period. There were 19 incidents for the last reporting period as compared to 17 incidents this period. Single signatures on destruction reports at the users' level, material claiming to be destroyed but later found intact, and falsification of signatures on destruction reports are some of the reasons for the 36 incidents for the year.

Loss of two-person integrity was on the down swing, but somehow it's back again and on the increase. The first 6 months there were only seven incidents of this type reported.
However, for the last 6-month period, we doubled, with a total of 14 incidents. Even though the total count for 1992 was 21 as compared to 29 for 1991, each 6-month period should show some type of decline, not double its quantity from the last reporting period. It shows we completely fell off track and must get back to where we started the first 6 months. COMSEC users must be retrained on two-person integrity procedures.

Unauthorized access/use showed a definite decline for this period as compared to the last reporting period. For this period there were only four incidents compared to 13 for the first reporting period. This low count of incidents can be attributed to unauthorized personnel being stopped at the door, individuals being checked before any material is handed to them, and using the proper material for the right purpose.

Damaged packages were due mostly to the inner wrapper splitting open from the heavy weight of the material or to overpacking. There was a total of six incidents for this period as compared to four incidents for the latter period. The grand total for the year was 10 incidents.

Unauthorized shipping mode for this period accounted for four incidents, and the latter 6 months had five incidents. Even though there were only 10 incidents for the year, shipping COMSEC material by the correct mode of transportation is a must.

Unauthorized reproduction remained the same for both periods with two incidents each. Users are beginning to understand that they must obtain the controlling authorities' approval prior to any reproduction.

Use of superseded material also remained the same for both reporting periods with one incident each. Users must check their COMSEC material before it's put into effect.

Extended crypto period had a total of 17 violations for the year. There were nine incidents for the first 6 months, while for the latter months there were eight incidents. Both terminal ends are held responsible for incidents of this type.
It seems that the one end is waiting for the other to make the call, but somehow no one calls until after the grace period.

Unauthorized use of COMSEC material declined by three this reporting period. The majority of these incidents were caused by individuals accidentally using the wrong COMSEC material on equipment not authorized for its use. This type of incident could be totally eliminated if individuals took the time to check the COMSEC material before inserting it into the equipment.

Unauthorized maintenance performed on COMSEC equipment is a definite, "no-no," so why do Mr Goodwrenchs who work on cars, coffee pots, and toasters think they are crypto maintenance personnel? There was a total of six incidents for the year. During the last 6 months, we had four personnel who thought they were maintenance personnel. Please inform them to leave COMSEC equipment alone.

PDSs are on the rise. Even though no case numbers are assigned to these incidents, they show the Air Force's weakness in handling their COMSEC material. Please notice the category Inadvertent Destruction. People are destroying material with their eyes shut. Perhaps they figure since it's the end of the month, they must destroy something. COMSEC material should be checked more than once before it is put into destruction status. Make sure the right material is being destroyed.

All COMSEC incidents could be prevented if everyone followed established procedures and rules for protecting COMSEC material. Also, retraining some of our COMSEC users is a must because the majority of COMSEC incidents are caused by the users. Every effort must be made to continue educating every user within the Air Force. Every COMSEC Manager knows who his/her weak links are. As managers, you must go directly to those weak links and strengthen them with knowledge about COMSEC. If we all work together and continuously educate all COMSEC users, COMSEC incidents will be reduced considerably.

------- End of forwarded message -------