[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
USAF Incident Summary
A couple of somewhat interesting crypto tidbits.
------- Start of forwarded message -------
[From the NIST Security Bulletin Board]
FROM: AFCSC/SRM
250 Hall Blvd, Suite 347
San Antonio TX 78243-7063
SUBJ: THE CONNECTION Information Letter
AFOSI COMPUTER CRIME CASES
by TSgt Dwayne L. Thomas
AFCSC/SRME
Destruction of Government Property, Unauthorized Access to
Material, Violation
of
Article 134 of UCMJ
Location: CONUS
Motive: Personal revenge and vandalism
Duty Position: Systems Administrator, Military
An investigation was initiated after a CONUS-based research
center had reported that various files contained in the center's
mainframe computer had been altered. The subject (a Sgt assigned
as the Systems Administrator) had created a program that only he
was able to access. This resulted in the subject being able to
access, extract, and subsequently delete information without being
detected. Being the Systems Administrator, the subject had enough
knowledge of the passwords, audit trails, and software to
manipulate information at will. After the investigation began,
subject admitted fixing the computer so that no one else could
access the subject's personal program. The subject was upset with
upper management for not giving the amount of recognition due for
creating another program for the center's use. Subject stated that
months had been spent working on this program. Subject also felt
pressured because past job performance and two altercations at the
NCO Club might cause denial of reenlistment. Subject also was a
co-owner in a failing carpet and upholstery cleaning business and
stated that building a program that only one person could run would
make the subject important to the mission and increase chance for
reenlistment.
Subject was fined 1 month's pay, denied reenlistment, and given
a bad conduct discharge.
BOTTOM LINE: It is vitally important that no one person have all
the knowledge about how to operate a system because if one day that
person is sick, quits, or dies, the organization will be in a world
of trouble. Some ways to prevent this are by assigning a primary
and alternate administrator, having continuity books available, and
having training sessions. Remember, computers are dumb machines
and are only as smart as the person who's programming them.
Wrongful Use and Conversion of Government Computer, Theft of
Government Property, Copyright Violation, Violation of Title 18 of
U.S. Code 641
Location: CONUS
Motive: Personal financial gain
Duty Position: Functional User, Military
An investigation was initiated after it was discovered that a
SSgt assigned to the Base Data Processing Facility had been
misusing government resources for personal profit. The subject was
working part time for a local contractor and was making profit by
making illegal copies of government purchased software. The
subject would take pieces of equipment from the duty section and
provide it to the contractor. The subject would copy the
government software and provide one copy to the contractor and keep
one copy so that it could be replicated and sold for more money.
After the investigation began, the subject admitted making copies
of the government software and contacting other companies to see if
they wanted to purchase copies of the stolen software. Subject
also admitted bringing disks in from home and running them on the
government systems for evaluation. Subject felt that even though
violations had occurred, accountability was questionable because
security briefings on the legalities involved with copying
government software had not been provided. The extra money had
helped the subject with a bad financial situation.
The subject resigned from his part-time job, was fined 2
months' pay, given a letter of reprimand, and placed on a control
roster.
BOTTOM LINE: Even though the Air Force purchases large amounts of
software from various companies, it is still subject to copyright
laws the same as any individual. We must continue to educate all
our personnel that this is a very, very serious offense and
complacency is not an acceptable excuse. Also, the risk of
introducing viruses from unauthorized software onto a computer
system can completely halt an operation. Never allow unauthorized
software into your duty section. Remember, taking chances like
this with the security of your system is like having a friend with
a drinking problem and for his/her birthday you give him/her a
shopping spree at a liquor store--it's a no-win situation!
COMSEC INCIDENTS
by Mr Richard L. Davis
AFCSC/SRMP
The total number of physical and cryptographic COMSEC incidents
reported within the Air Force for the following past 2 years were:
CY91 - 480
CY92 - 364
This Trend Summary will compare CY91 with CY92 COMSEC incidents
and the previous 6 months with the past 6 months. Data on
practices dangerous to security (PDS) will also be included in this
summary.
The total number of COMSEC incidents reported for the Jan-Jun
92 time frame was 191 as compared to the Jul-Dec 92 total, which
was 173. This is a decrease of 18 incidents.
The total and type of COMSEC incidents that occurred in CY91
and CY92 are:
Type Of Incident 1991 1992
Physical 432 330
Cryptographic 48 34
Total: 480 364
PDSs 74 116
Physical, cryptographic, and PDS COMSEC incidents are
categorized into the following types and totals (comparing the past
6 months with the previous 6 months):
Physical Categories: Jan-Jul 92 Jul-Dec 92 Totals
Loss Control Of COMSEC 53 63 116
Permanent Loss 49 32 81
Unsecured Safes/Workcenters 20 15 35
Destruction Irregularities 19 17 36
Lost Two-Person Integrity 7 14 21
Unauthorized Access/Use 13 4 17
Damaged Packages 4 6 10
Unauthorized Shipping Mode 5 4 9
Unauthorized Reproduction 2 2 4
Facility Construction 1 0 1
Totals: 173 157 330
Cryptographic Categories:
Used Superseded Material 1 1 2
Extended Crypto Period 9 8 17
Unauthorized Use Of Material 6 3 9
Unauthorized Maint Performed 2 4 6
Totals: 18 16 34
PDSs:
Inadvertent Destruction 18 37 55
Inadvertent Opening 5 5 10
Physical Loss 3 9 12
Destruction Irregularities 13 6 19
Unauthorized Viewing 1 2 3
Material Pulled from Canister 1 0 1
Unauthorized Shipping Mode 2 0 2
Damaged Packages 1 0 1
Loss of Control of COMSEC 4 6 10
Forced Entry Into Safe 0 1 1
Unauthorized Reproduction 2 0 2
Totals: 50 66 116
Now that you have seen the total breakdown of all the COMSEC
incidents of the past 2 years and the two 6-month periods, let's
compare the previous 6 months with the past 6 months and show some
of our major problems (by categories) that have been and still are
the leading factors within the COMSEC incident world.
Loss of control of COMSEC has been the front-runner of COMSEC
incidents in the past 3 years. If you noticed, during the Jan-Jun
time frame, there were 53 incidents and in Jul-Dec there were 63.
This was an increase of 10 reported incidents. We are supposed to
decrease incidents--not increase them. The same types of
occurrences are still happening as before, just different personnel
are losing the handle. Material is still being left unattended in
hallways, government vehicles, and any place you can think of. As
you can see, there were 116 incidents of this type in 1992. We had
116 people go "brain dead" for some reason. This can be the only
logical reason for leaving their COMSEC material
unsecured/unattended.
Permanent loss of COMSEC material is still the second
runner-up. There was a decrease of 17 incidents when comparing the
two 6-month periods. During the first 6 months, there were 49
COMSEC incidents; and during the latter 6 months, there were 32,
with a grand total of 81 for the year. People are very, very
careful not to lose their money or paycheck, so why can't they
apply the same rules and hard-nosed controls when it comes to
protecting their COMSEC? The primary reason for lost COMSEC
material is not paying attention to details.
Unsecured safe/workcenter incidents decreased by five in the
latter 6 months as compared to the first 6 months. There were 20
reported incidents in the first 6 months, while 15 incidents were
reported for the latter months. People are still not checking
their safes at the end of the day. They are assuming it's locked
or secured. One day their assumptions will prove them wrong. The
COMSEC Managers must instill in all their users to take that extra
minute to check safes and stop the rushing. Remember, speed can
cause a COMSEC incident.
Destruction irregularities decreased by two for this reporting
period. There were 19 incidents for the last reporting period as
compared to 17 incidents this period. Single signatures on
destruction reports at the users' level, material claiming to be
destroyed but later found intact, and falsification of signatures
on destruction reports are some of the reasons for the 36 incidents
for the year.
Loss of two-person integrity was on the down swing, but somehow
it's back again and on the increase. The first 6 months there were
only seven incidents of this type reported. However, for the last
6-month period, we doubled, with a total of 14 incidents. Even
though the total count for 1992 was 21 as compared to 29 for 1991,
each 6-month period should show some type of decline, not double
its quantity from the last reporting period. It shows we
completely fell off track and must get back to where we started the
first 6 months. COMSEC users must be retrained on two-person
integrity procedures.
Unauthorized access/use showed a definite decline for this
period as compared to the last reporting period. For this period
there were only four incidents compared to 13 for the first
reporting period. This low count of incidents can be contributed
to unauthorized personnel being stopped at the door, individuals
being checked before any material is handed to them, and using the
proper material for the right purpose.
Damaged packages were due mostly to the inner wrapper splitting
open from the heavy weight of the material or to overpacking.
There was a total of six incidents for this period as compared to
our incidents for the latter period. The grand total for the year
was 10 incidents.
Unauthorized shipping mode for this period accounted for four
incidents, and the latter 6 months had five incidents. Even though
there were only 10 incidents for the year, shipping COMSEC material
by the correct mode of transportation is a must.
Unauthorized reproduction remained the same for both periods
with two incidents each. Users are beginning to understand that
they must obtain the controlling authorities' approval prior to any
reproduction.
Use of superseded material also remained the same for both
reporting periods with one incident each. Users must check their
COMSEC material before it's put into effect.
Extended crypto period had a total of 17 violations for the
year. There were nine incidents for the first 6 months, while for
the latter months there were eight incidents. Both terminal ends
are held responsible for incidents of this type. It seems that the
one end is waiting for the other to make the call, but somehow no
one calls until after the grace period.
Unauthorized use of COMSEC material declined by three this
reporting period. The majority of these incidents were caused by
individuals accidentally using the wrong COMSEC material on
equipment not authorized for its use. This type of incident could
be totally eliminated if individuals took the time to check the
COMSEC material before inserting it into the equipment.
Unauthorized maintenance performed on COMSEC equipment is a
definite, "no-no," so why do Mr Goodwrenchs who work on cars,
coffee pots, and toasters think they are crypto maintenance
personnel? There was a total of six incidents for the year.
During the last 6 months, we had four personnel who thought they
were maintenance personnel. Please inform them to leave COMSEC
equipment alone. PDSs are on the rise. Even though no case
numbers are assigned to these incidents, they show the Air Force's
weakness in handling their COMSEC material. Please notice the
category Inadvertent Destruction. People are destroying material
with their eyes shut. Perhaps they figure since it's the end of
the month, they must destroy something. COMSEC material should be
checked more than once before it is put into destruction status.
Make sure the right material is being destroyed.
All COMSEC incidents could be prevented if everyone followed
established procedures and rules for protecting COMSEC material.
Also, retraining some of our COMSEC users is a must because the
majority of COMSEC incidents are caused by the users. Every effort
must be made to continue educating every user within the Air Force.
Every COMSEC Manager knows who his/her weak links are. As
managers, you must go directly to those weak links and strengthen
them with knowledge about COMSEC. If we all work together and
continuously educate all COMSEC users, COMSEC incidents will be
reduced considerably.
------- End of forwarded message -------