Detection of Superzapping

Unauthorized use of Superzap programs can result in changes to data files that are usually updated only by production programs. Typically, few if any controls can detect changes in the data files from previous runs. Applications programmers do not anticipate this type of fraud; their realm of concern is limited to the application program and its interaction with data files. Therefore, the fraud is detected only when the recipients of regular computer output reports from the production program notify management that a discrepancy has occurred.

Furthermore, computer managers often conclude that the evidence indicates data entry errors, because it would not be a characteristic computer or program error. Considerable time can be wasted in searching the wrong areas. When management concludes that unauthorized file changes have occurred independent of the application program associated with the file, a search of all computer use logs might reveal the use of a Superzap program, but this is unlikely if the perpetrator anticipates the possibility. Occasionally, there may be a record of a request to have the file placed online in the computer system if it is not typically in that mode. Otherwise, the changes would have to occur when the production program using the file is being run or just before or after it is run.

Superzapping may be detected by comparing the current file with parent and grandparent copies of the file. Exhibit 5 summarizes the potential perpetrators, methods of detection, and sources of evidence in superzapping abuse.

Exhibit 5.  Detection of Superzapping

SCAVENGING

Scavenging is a method of obtaining or reusing information that may be left after processing. Simple physical scavenging could involve searching trash barrels for copies of discarded computer listings or carbon paper from multiple-part forms. More technical and sophisticated methods of scavenging include searching for residual data left in a computer, computer tapes, and disks after job execution.

Computer systems are designed and operators are trained to preserve data, not destroy it. If computer operators are requested to destroy the contents of disks or tapes, they most likely make backup copies first. This situation offers opportunities for both criminals and investigators.

In addition, a computer operating system may not properly erase buffer storage areas or cache memories used for the temporary storage of input or output data. Many operating systems do not erase magnetic disk or magnetic tape storage media because of the excessive computer time required to do this. (The data on optical disks cannot be electronically erased, though additional bits could be burned into a disk to change data or effectively erase them by, for example, changing all zeros to ones.).

In a poorly designed operating system, if storage were reserved and used by a previous job and then assigned to the next job, the next job might gain access to the same storage area, write only a small amount of data into that storage area, and then read the entire storage area back out, thus capturing data that was stored by the previous job.

Detection of Scavenging

Exhibit 6 lists the potential perpetrators of, methods of detection for, and evidence in scavenging crimes.

Exhibit 6.  Detection of Scavenging

TROJAN HORSES

The Trojan horse method of abuse involves the covert placement or alteration of computer instructions or data in a program so that the computer will perform unauthorized functions. Typically, the computer still allows the program to perform most or all of its intended purposes.

Trojan horse programs are the primary method used to insert instructions for other abusive acts (e.g., logic bombs, salami attacks, and viruses). This is the most commonly used method in computer program-based frauds and sabotage.

Instructions may be placed in production computer programs so that they will be executed in the protected or restricted domain of the program and have access to all of the data files that are assigned for the program’s exclusive use. Programs are usually constructed loosely enough to allow space for inserting the instructions, sometimes without even extending the length or changing the checksum of the infected program.