"Is it possible that my computer could be lying to me?" Robert Marr, treasurer of a family-owned business in Shreveport, La., was on the telephone to the man who had sold him his machine. Weeks of vague anxiety about his company, National Bonded Money Co., had suddenly crystallized: Marr now knew. His programmer, a man he had befriended and trusted, a man whom he had helped out of a jam, had corrupted the computer. Money was missing from the bank, but the machine kept telling him that all was well.
"First thing you do," the dealer said, "you run off a copy of your hard disk and get it the hell out of the building -- now!"
The dealer tracked down the source of the lie in six hours. Hidden away in National Bonded's processing program was a Trojan horse, several lines of undocumented code scattered throughout a program, which for five months in 1980 and '81 had been munching up stolen money orders at the rate of almost $1,000 a day without setting off so much as a beep of alarm. And the man who put it there was Robert Marr's friend, an odd but likable programmer by the name of Michael Murray. Total losses, an auditor announced after weeks of research, came to $141,000.
Three years later, in April 1984, the Marr family sold National Bonded. They had owned it for 20 years, and had built it into the largest Louisiana-based independent money-order company. All of them had been proud of it: Robert Marr; his brother, Jimmy; their father; and an uncle. But they had had to sell it. In 1980, just before Murray introduced them to the perils of the electronic office, the Marrs had sold the family tobacco company, so they had the cash to cover the $141,000 loss. But the stolen funds had resulted in a negative balance at the bank, and receipts had never been able to catch up. Having a negative balance at the bank was costing them about $2,000 a month, increasing by 50% the cost of the theft to the company by the spring of 1984. And with that, the Marr family gave up.
"A lot of it was our fault," Robert Marr admits. "But we got screwed."
The National Bonded case is one of a growing number of computer crimes in small businesses. Headlines are made by the "biggest evers" -- computer-related scams of monstrous proportions ($21 million from Wells Fargo, $67 million from Saxon Industries, $270 million from Chase Manhattan) that have been dazzling crime fans for years now. But small businesses, many security experts believe, are probably more at risk than giant corporations. For them the moral of the Marrs' story is as plain as a printout.
Computer security is the real issue for small business. Offices are being wired into the electronic age at a prodigious rate. Fifty-seven percent of the companies that subscribe to INC. magazine now have personal computers, and 35% have minicomputers. Personal computers are used by 5% to 6% of the work force of the Fortune 2,000, says Future Computing Inc. analyst Bill Ablondi, and among smaller companies the number is 7% to 8%. Aaron Goldberg, research manager of International Data Corp., a computer industry market research firm, adds: "The increase in personal-computer penetration of small businesses over the past year ranges from 2% to 80%, depending on the industry." Ablondi reckons that by the end of 1985, American business will be equipped with some 10 million personal computers, about 75% of them in small and medium-size businesses. The transformation opens new vistas for owners and managers, prospects of commercial power and resourcefulness beyond imagining a few years ago. But the transformation also opens other doors -- to pricey equipment, priceless knowledge, and the bank vault.
In a newly computerized company, managers often find that while they may have more information, more readily available, they also may have less direct control over company procedures. Traditional management controls over the manual office -- separation of functions, systematic interruptions of transactions (maker/checker/signer procedures) -- are often disrupted, diminished, or even discarded. New positions of high trust are created within the company. Programmers, even clerks who enter data, gain new power and have greater responsibilities, which managers may not recognize, reward, or audit. Most important is the technology itself. The very concentration of data that the technology makes possible -- a floppy diskette can hold 100 pages of manual typing, a hard disk can hold the data of about 25 floppies -- opens the electronic office to havoc on a scale inconceivable in the old days of scattered files. A few floppies left in the sun, a burglarized hard disk, a sabotaged program -- any one of these could do the damage of a major fire.
No business community has had a more humiliating reminder of the vulnerabilities of this new environment than the 30-odd organizations in Atlanta that last year fell prey to three young boys who dubbed themselves "the Assassins." The Assassins exist no more, but until their arrests early in 1984, they were teenagers who launched their burglaries from the homes of their parents scattered through the city's northern suburbs. They hit at night, on foot, sometimes the same office half a dozen times in the same night, scuttling back and forth to stash the stolen goods in apartment house basements. And they were clever. They took machines apart and rewired them in interesting ways. They used a telephoto camera lens and snapped pictures of the computer codes and network passwords that had been carelessly posted on office walls, visible through first-floor windows.
What they took amounted to about $250,000 worth of hardware. This theft was destructive: Company operations were disrupted for days, sometimes weeks. But the loss of computers and terminals was scarcely an annoyance compared with the theft of often uninsured company data, stored on the floppies and hard disks that the Assassins walked off with. The hardware was insured and some of it was returned. It was the loss of data that terrified the victims. Why, they asked, would anyone want all this information -- most of it useless to anyone but the company that had so laboriously accumulated it? No one had thought that thieves, mindless of what was stored on them, would simply want all the $4 disks they could lay their hands on -- many of which they would erase to record a collection of pirated computer games. Yet it is there, right in its knowledge plexus, that the computerized organization is most seriously at risk.
At Cives Corp., which last year earned $85 million selling structural steel to private industry, the Assassins literally walked off with seven Apple Lisa microcomputers with hard disks -- some $140,000 worth of hardware. But they also walked off with baskets of floppy diskettes. Forty of the disks, Cives told police, contained "valuable" company data; 10 of them were described as "crucially important." The company's practice was to reduce their key business records to floppies, but backup and security procedures were evidently lax. Randi Fitch, the detective who broke the case, recalled that Cives executives had asked for the names of any suspects whom police couldn't arrest, so the company could make a private offer to ransom the vital diskettes. John Donovan, Cives vice-president for finance, said the boys "took every diskette they could find, including backup copies" when they ransacked the office.
Cives was luckier than many other victims. After police arrested the Assassins last January, the company recovered its equipment; it even recovered its data intact. "We wouldn't have been dead without it," Donovan said, "but we were, of course, very glad to get it back."
The Institute of Nuclear Power Operations was not so lucky. INPO is a nonprofit creation of the nuclear power industry, whose function it is to recommend safety and reliability procedures for nuclear power plants. After the Assassins raided their office last summer, say police, INPO employees reported that among the missing equipment were two diskettes, labeled TMI, which held highly restricted data on the Three Mile Island power station. The floppies were not recovered. The INPO officials now insist that they contained nothing secret, "just some training material we borrowed from TMI." Even so, as Fitch suggested, computer hackers across the country may even now be enjoying a privileged inside view of the most famous nuclear power plant.
Another company that failed to recover precious data is U.S. Coupon Directory Co., a small, three-year-old business that publishes quarterly booklets of discount coupons for 11 regional markets. "Your first emotion is fear," recalls company president Robert Rowland. "You wonder whether it was thieves, or was it a competitor?" The Assassins had stolen one Apple computer, two disk drives, all the programs, training manuals, and paper -- and with all this went a list of client prospects and notes on past contacts, the work of several years, on which USCDC had placed much of its hope for growth. "We pulled it all back together," says Rowland's wife, June, "but it was difficult."
Wherever the Assassins struck, they left behind a sudden, unpleasant appreciation of the inadequacies of the companies' security measures. Many of the victims, said police, had made backup copies of vital information -- and left them to be stolen, too. But the Atlanta story illustrates only one of the vulnerabilities of the electronic office. "Very few people steal proprietary data," says Robert Courtney Jr., former director of privacy and security programs at IBM, "but an awful lot of people manipulate the files for their own personal benefit."
It is an old problem, of course. Abundant and painful experience with white-collar crime has left businesspeople with a fairly clear portrait of the potential white-collar criminal. He or she is a trusted employee of long tenure, but has recently become a gambler, a boozer, or a helpless victim of love. He or she has a sick spouse, hungry kids. He or she is overwhelmed, most commonly by debt but occasionally by an unappeasable longing for the rich life. He or she is disappointed, disgruntled, torn apart by resentment and envy. He or she is not just anyone -- clerk, manager, teller, salesperson, friend, relative, or anonym in the stockroom -- but anyone, under certain circumstances, could be he or she.
The coming of the electronic office has changed this portrait only slightly, for the simple reason that it hasn't yet changed human nature. What it has changed is that owners and managers, confronted by a new and powerful technology, are less able than they once were to understand and audit the actions of subordinates who are masters of the electronic environment. Audit procedures in government agencies, for example, are probably no worse than in private industry, yet a Reagan Administration task force found that half of all reported incidents of fraud and abuse in such agencies were discovered only by accident. Members of the Data Processing Management Association, a guild of big business data-processing managers, reported in a 1984 survey that only 65% of their companies even had a budget for data security. "It's not like [computer security] problems have been solved in medium or large companies," said Dennis Steinauer, a computer scientist with the U.S. Bureau of Standards' Institute for Computer Sciences and Technology. "Probably just the opposite. The difference is, in small business, management could be betting the business on a little $5,000 piece of iron."
Computer security experts have defined three types of crime in the computerized office. According to Timothy Schabeck, editor of Computer Crime Digest, the most common is the "input scam." The data is manipulated, changed, or fabricated -- "diddled," in programmer slang -- while being entered into the system. The possibilities are plentiful. Two years ago, for instance, an accounts payable clerk at Magnetic Peripherals Inc., a subsidiary of Control Data Corp., stole $150,000 by fabricating invoices from a fictitious vendor company that she and her boyfriend had set up. She left the company and spent the money traveling with her paramour. When he jilted her, she returned to confess the crime and incriminate the cad.
"Output scams" are the least esoteric of the crimes waiting to be committed in the electronic office. The thief simply steals what the computer has done -- anything of value, either for resale to competitors, extortion of the proprietor, or for the thief's own use. Last year, for example, a salesman for a national wine distributor that offers high-quality vintages to connoisseurs "borrowed" his employer's computerized master list of clients to set up a company of his own. The owners got the list back, but only after threatening to sue. Back in the late 1960s, thieves stole an IBM "on-order" list, a magnetic tape that detailed which customers wanted what equipment, from the back of a truck parked in New Jersey. "That," a former IBM executive recalled, "gave us a lot of impetus to start encrypting all movable data files."
Input and output scams require little technical know-how. "Thruput scams," on the other hand, usually require a high degree of expertise. Here, we are in a truly futuristic Wonderland, where the computer itself is the scene of the crime, the software having been internally modified to skew the data running through it. Michael Murray's Trojan horse, secreted away in National Bonded's processing program, was a thruput scam. The Trojan horse may also be fused with a "logic bomb," a device that can be timed to go off in a precise number of days or years in the future, or on the occurrence of some specific event (the attainment, say, of a corporate goal on the balance sheet). The intention may be to steal, to sabotage the company during a strike, to fudge the profit sheets for a particular division, or to fulfill a Mad Scientist's dream.
In 1982 and '83, security consultants reported several incidents in which disgruntled programmers left "bombs" in company payroll programs that cut or increased employee paychecks six months after the programmers' names were deleted from the employee list. At National CSS, a large remote processing service bureau owned by Dun & Bradstreet, a technician planted a bomb in the programs governing an NCSS West Coast computer so that he would be sent cross-country to repair the system -- and thus get a free trip to California just as he was to go on vacation. In another case, a service bureau found a "bomb" that would have destroyed data in its files three years after one of its former employees had left the firm.
As businesspeople begin to appreciate the peculiar vulnerabilities of the electronic office, it would be understandable if they were to respond with paranoia. But awareness of the risks in this new environment is in itself a big advantage: Prudence is the child of knowledge. It is also true that small business often has an edge over big business in dealing with white-collar crime. People commit crimes, and a small business person -- just because he knows his key employees -- may sometimes recognize the personal crisis that usually motivates people to loot the company.
The technology is also responding to the users' growing sensitivity to their vulnerability. Nothing takes the place of commonsense measures of physical security, or of systematic backup procedures, but the industry has developed a number of ingenious file-protection devices for microcomputers, a slew of new techniques to block unauthorized copying or diddling floppy-based data, and several coding or encryption systems to protect either stored data or data communications. Although there are a number of software products that purport to provide personal computers with the sort of restrictive "access controls" common in larger computers, their effectiveness is limited. "For the most part," warns Steinauer of the U.S. Bureau of Standards, "you can't implement sophisticated access controls on most PCs," because the simplified PC architecture can't physically isolate the protected program and its guardian program.
In the final analysis, the manager of the electronic office has to rely on the same useful devices that came to hand in the manual office. Donn Parker, senior management consultant of SRI International's computer security group, has concluded that the real challenge in automating a business is to translate "the same levels of control we had in the manual system into the automated system." In small businesses, which can't afford the refined separation of task functions that large organizations enjoy, the challenge Parker spoke of may be difficult, demanding of management a new vision, new definitions of what is happening in the company, and new guidelines for checks and balances in office procedure.
Transition periods -- when companies change from manual to computerized systems, or even from one computer to another -- are particularly dangerous times. Prudence argues for keeping the old system in place until the new one has assumed the burden; but small companies, where money is tight, sometimes take risks and run without their normal business controls.
National Bonded Money Order took that risk. "We knew the files would be trashed for a while," Robert Marr recalls. "We knew the books wouldn't balance for a while, but we figured we would eventually get it all straightened out."
The Marr family had been paying an accounting firm "a pretty piece of change" to reconcile the blank checks mailed out to the company's 160 sales agents, the returned copies of the money orders it had sold, the cash flow from the agents to the company, and the bank draw as the money orders were cashed. There were also thousands of loose ends to be tied up -- checks issued to agents but not sold, checks sold by agents but not yet recorded by National Bonded, money orders cashed by the bank. Building the files would require weeks of data entry, and Marr now realizes that they should have brought someone in to do the job. But to save money, they decided to do it themselves. They also decided to cut out the accounting firm. He had all the information coming into the office, Marr reasoned, and when he had completed feeding it into the computer, the program would be able to reconcile everything.
The Marrs had bought their Datapoint minicomputer in 1978 for the tobacco company. Michael Murray, who was then working for the dealer, Gary Honeycutt, had programmed it for them. Robert Marr was office manager, so he and Murray worked together on the six-month project. During that time they became friends, Marr says, and even after the job was over Murray would stop by the office every few days "to shoot the bull."
Naturally, then, when the time came two years later to write a new program for National Bonded, Marr called Honeycutt: He wanted Murray's services again. In the spring of 1980, Murray was almost 30 years old, divorced, a college dropout -- "a little strange," says Marr, "but basically a nice guy." He was a loner. He liked to sleep all day and work all night. But that sort of strangeness was no more than the folklore allowed for. Like many programmers, Murray had unconventional notions about property rights in the programs he wrote and the data they manipulated, but unlike most of his fellows, he had taken illicit advantage of his special powers and access. He once presented Honeycutt with proprietary information he had obtained illicitly from a service bureau he had worked for. "I can get anything I want to out of that system," he boasted. Honeycutt dropped the printout in the wastebasket. But Robert Marr knew nothing of that episode. Murray wrote "clean code," as they say, and after two months on the National Bonded project, he went back to his desk in Honeycutt's office.
Meanwhile, however, Murray's personal life had begun to disintegrate. His fiancee, a Fundamentalist, had broken their engagement. The church apparently disapproved of him. "He got real moody," Honeycutt recalls. "He'd be sitting at his desk, and all of a sudden he would start crying." Honeycutt sympathized with Murray, but after three months of unproductivity, he fired him. Remembering the episode with the stolen service-bureau data, he also barred him from the office.
Two weeks later, Murray again went to work for Robert Marr. Not long after, he slipped the Trojan horse into the whorls of National Bonded's processing program.
"I thought I could do something for him in his troubles," Robert Marr recalls. He had given his friend a few small programming jobs. They eventually petered out, but the man seemed grateful, and throughout the summer, the fall, and early winter, Murray was in and out of the office almost daily. He wasn't really an employee; he was more like family helping out. "They thought it took hours to maintain the system. They thought he was just doing them a favor, without charge," Honeycutt remembers.
Actually, when Murray would sit down at the terminal for a moment -- "just checking something," he would say -- he was issuing money orders to a bogus agent. (They were coded E, "for 'expropriation,' " says Marr.) He had already stolen an agent's certification stamp from a drawer in the National Bonded office, and he was regularly pocketing blank checks from the unprotected stock in the back of the building. With a number of credit cards he already had, legitimately, he could borrow $2,000 in cash, then pay the bills with the E-coded money orders. He took to gambling at the track and speculating in gold and silver options. He even started a small business of his own, selling satellite TV antennas. He called it "Earth Station One."
All this time, Robert Marr was worried about his friend being out of work for so long. "I asked him how he was getting along. He said he had odd jobs and was doing some contract programming for various companies." Marr was also worried now -- in January 1981 -- about the unaccountable drop in his company's bank balance. He mentioned it to Murray, who replied, "You ought to look into that."
Because the computer said there were no irregularities in the money-order traffic, Marr wondered whether the bank might be at fault. In February, he asked his auditor to trace the problem. But it was tax season; the auditor was backed up with work. "We didn't feel any particular urgency," Marr confesses. But the drain on the account continued. When Marr started talking about auditors, it increased dramatically.
In May, when the auditor finally got around to National Bonded, the end came quickly. The night after she started to look over the books, the office was broken into. Missing were $50 in cash and some computer printouts. Suddenly, Marr's fears snapped into focus. He called Honeycutt, then the police. Murray was arrested two days later. He is now serving seven years at hard labor in the Louisiana penal system.
For his part, with National Bonded now sold off, Robert Marr plans to go to business school, thereafter to start up another company. Something to do with computers, he says. His father, 69, has retired. His brother, Jimmy, has started a new business, a nursery school in Shreveport.
As for Michael Murray, who was interviewed recently at the Caddo Detention Center, he is bitter. Bitter about being denied parole, about the length of his sentence, about the Marrs turning him in. "The Marrs bend the rules themselves," he charges. "They could have their hustle. I just wanted the temporary use of some cash." The antenna business would have paid off eventually, he says, and it would have kept him honest. That was why he went into it: "I had so compromised my ethics, to such a degree, that I knew I couldn't trust myself. So I got out of computers." The funny thing is, since he has been in prison, he has had several job offers for when he gets out. "Programming," he says. "Yeah, programming."
CORRECTION-DATE: August, 1984
In "Of Trojan Horses, Data Diddling, and Logic Bombs" (June), Timothy Schabeck was identified as editor of Computer Crime Digest. Richard J. O'Connell is editor and publisher. Schabeck is a vice-president of Computer Protection Systems Inc.