Incident 2 (Phreaking Database Security)
The Bombay Martini Bet:
How Did a CPA Firm’s Assurance Team Phreak a Non-networked
Information System of a High Tech Client Needing a "Wake Up Call"?
Robert E. Jensen, Department of Business Administration, Trinity University
Bruce Sidlinger, Sidlinger Computer Corporation
Table of Contents
Albert Puentes Seeks Assurance
Requirements and Recommendations for Incident 2
This incident can be read in ten minutes or less. Proposing a plan to penetrate an "impenetrable" information system will take much longer. Incident 2 really happened under slightly disguised circumstances in San Antonio. The solution to the case is written by the young man who proposed and executed such a penetration. The solution is so simple that it is frightening, especially for public accounting firms seeking to provide assurances that such things are not likely without insider conspiracies. Because the solution is so simple, technical facts in the case are kept at a minimum. Students best not get bogged down in devising highly technical plans geared to the specific type of information system. Focus should instead be placed upon a more general type of security risk that cuts across virtually all computerized database systems. The solution to the case that actually transpired reveals an immense weakness in virtually all technology systems that are in a never-ending state of change.
Incident 2 entailed a friendly wager that a CPA firm’s assurance team could not crack or phreak an "impenetrable" database security system of a large client. When the lowest-ranking member of the team, a newly minted Trinity University graduate, phreaked the system with relative ease, it made the public accounting firm who hired him sit up and think about what can be safely "assured." For a discussion of phreaking, see Appendices 1 and 2.
The case is especially timely in this formative era of assurance services. Providing assurances of information system security is becoming a large and highly complex revenue growth area for public accountancy firms. Opportunities for profit are subject to risk caused by the vulnerabilities of centralized databases, networking, and incessant technological change.
It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct wired terminals, put the machine and its terminals in a shielded room and post a guard at the door.
F. T. Grampp and R.H. Morris
Security Resources
http://www.cs.uidaho.edu/~horn8852/sec-main.html
Texmed Engineered Health Management Association (TEHMA) manages privately funded health insurance plans across Texas. Customers are mainly commercial and nonprofit organizations that underwrite their own employee health care plans managed by TEHMA, including prescription medication and dental insurance plans. Partly due to fears of the Year 2000 problem in its aging COBOL databases, TEHMA installed an IBM DB2 Universal Database (UDB). The UDB system is web enabled. Customers can scale from desktop or laptop systems to massively parallel processors located in the TEHMA home offices in San Antonio, Texas.
"When the events of this case transpired, we had about 120 Gb of data residing on our UDB," says Albert Puentes, the Chief Accounting Officer at THEMA. In September of 1997, TEHMA contracted with IBM Corporation to become a Beta tester of the new DB2 Universal Database system. By the end of 1998, TEHMA expects to have almost one Tb (terabyte) of raw data coded into the system.
With IBM’s new UDB system, TEHMA can build a data warehouse that integrates data from more than a dozen operational systems giving users the ability to do cross-service analyses. A side benefit is the ability of the UDB system to accommodate non-standard data types and object technology.
What worries Albert Puentes most is the security of the new UDB system. The old COBOL smoke stacked systems were, in his opinion, highly secure. "The newer networked UDB system has many risk exposures that make it harder for me to sleep nights," he complains. "Our new Data Processing (DP) manager appears to be overconfident regarding the invulnerability of the security procedures in effect and one goal was to quickly invade the system as a much-needed wake-up call from outside experts."
Mr. Puentes was formerly an audit partner in the Dallas office of the A&K LLP international public accounting firm. He knows a great deal about internal control design, but he is not an expert on network database system controls. Internal controls in general can be either preventive controls or detective controls. Preventive controls aim to prevent the occurrence of errors and fraud; detective controls aim to detect problems after the fact. Historically, auditors focused primarily on detecting problems after the fact. This historical focus was due to the predominantly manual nature of accounting systems where little could be done to prevent human errors from occurring. Internal controls were always evaluated and recommendations were made to discourage fraud. For example, good internal control system had division of labor, rotation of duties, mandatory vacations, etc.
With new computerized information systems, the issue becomes one of designing software inside black boxes to minimize risks of fraud and errors occurring. Database technology allows a database oriented accounting system to have an extensive array of controls built into the system. Most errors are caught at the point of data entry. Mr. Puentes tends to worry about systems that he does not fully understand. The new UDB system is exceedingly complex and relies upon controls that only systems engineers can comprehend.
Albert Puentes Seeks Assurance
His former CPA firm, A&K LLP, now offers a wide array of assurance services. Albert Puentes persuaded the CEO of TEHMA to engage A&K to independently test the internal controls in the new IBM UDB system installed in TEHMA by a highly reputable systems engineering company experienced in installation of IBM and other network database systems. Deborah Coulter headed a team of A&K professionals assigned to write an internal control assurance report on TEHMA’s new UDB system. Her team included a recent Trinity University computer science graduate named Bruce Sidlinger.
Ms. Coulter and her team made a careful study of the Exhibit 1 aspects of the new UDB system:
Exhibit 1
Controls ChecksGeneral Controls Checks
B1a01 Hardware controls -- read after write check
B1a02 Hardware controls – echo check
B1a03 Hardware controls -- parity check
B1a04 Hardware controls -- dual read check, read-after-write check
B1a05 Access controls – physical controls
B1a06 Access controls -- encryption
B1a07 Access controls -- segregation of duties, authorization matrix
B1a08 Access controls -- complex passwords
B1a09 Organization of the systems function -- personnel firing procedures, logical access controls
B1a10 Program change controls -- off-line testing of program changes
B1a11 Backup procedures -- off-site backups, business continuity plan, hot or cold site identification
B1a12 Operations controls -- daily data processing schedule, console log, review of operating statistics
B1a13 Backup procedures -- backup power supply, dynamic backup
Input Controls Check
B2a20 Input control -- completeness check, prompting, required field
B2a21 Input control -- range check
B2a22 Input control -- field check (numeric data type)
B2a23 Input control -- valid combinations check
B2a24 Input control -- validity check
B2a25 Input control -- closed loop verification
B2a26 Input control -- system generated data
TEHMA invested heavily in controls. Ms. Coulter pondered what her team could possibly recommend to improve the system. Physical controls were amazing. TEHMA installed physical controls that rival controls of a military installation. All employees entering TEHMA premises were admitted only if they were cleared by a high technology hand identification system that is vastly superior to picture ID hang tags. However, employees also are required to wear ‘active badges" that signal their locations at all times. All employees, especially those employees given data entry permissions in computer systems, are thoroughly screened and bonded.
Ms. Coulter had never encountered a system with better controls in every area listed in Exhibit 1. She lamented to her assurance services team that she could not imagine how the team could provide that DP security "wake up call" requested by Mr. Puentes. That evening, the newest and youngest member of the team, Bruce Sidlinger, asserted that he could phreak TEHMA’s information system. At that moment the team was in the midst of an attitude adjustment at The Frog Pond Lounge in a San Antonio hotel. On impulse while drinking her own diet Sprite, Deborah wagered an unspecified number of Bombay Martinis that Bruce could not plant a phony medical claim in the new TEHMA UDB database system. After receiving her tentative handshake on the deal, Bruce revealed his scheme to Deborah Coulter.
Following the scheme proposed in The Frog Pond, Deborah Coulter briefed Albert Puentes regarding the Bombay Martini wager that she made with Bruce Sidlinger. The TEHMA Chief Accounting Officer was delighted with the proposed "wake up call" schemed by Sidlinger.
The challenger (Bruce Sidlinger) was given ten days to invade TEHMA’s new UDB system. In that ten-day period, the entire Deborah Coulter team remained in Dallas. Ms. Coulter assured Mr. Puentes that prior to the team’s departure from San Antonio, no phony claim was planted by the team into the TEHMA information system. To make the wager even more interesting, the TEHMA’s Data Processing Manager was made aware of the Bombay Martini wager and was requested to make a daily search for a phony claim from a physician. The Data Processing Manager was, thereby, put on alert to take all possible security measures.
Albert Puentes reports that he had more than his usual trouble sleeping after "celebrating" Bruce Sidlinger’s winning Bombay Martini Bet with Deborah Coulter’s team in The Frog Pond Lounge. Bruce Sidlinger slept soundly that night. However, both he and Mr. Puentes downed aspirin tablets the following morning (for different reasons). The DP manger at TEHMA did not discover how a phony medical claim penetrated the system until Bruce Sidlinger explained the hoax.
TEHMA’s DP manager resigned about three months after the incident, purportedly for reasons other than the embarrassment of Sidlinger’s success in cracking the UDB security system. Albert Puentes looks more tired than usual since TEHMA expanded the UDB system. Deborah Coulter still works in technology security assurance services, but her once long fingernails have become bitten and stubby. Bruce Sidlinger now owns an information systems consulting firm in San Antonio, Texas. His company’s web site is located at the following URL:
TEHMA is a disguised name for the real client in this case. That client did not want any publicity about this incident and did not want the incident registered with CERTŪ at
The CERTŪ Coordination Center is part of the Networked Systems Survivability program in the Software Engineering Institute. The Software Engineering Institute is operated by Carnegie Mellon University for the Department of Defense. CERTŪ maintains a database of all registered security violations (whether criminal or pranks) and descriptions of when and how the systems were breached. Since the incident in this case is not registered with CERTŪ, it is not possible to look up the solution to the case at CERTŪ. However, students are encouraged to visit the above CERTŪ web site. Among other things, CERT issues alerts to the world regarding security risks. There is also an emergency response team that will investigate incidents deemed serious to the security and economy of the United States. CERTŪ is interested in most any type of new and interesting scheme to invade computer and networking systems.
Requirements and Recommendations for Incident 2
Question 2.1
Given the facts provided in the case and assuming no conspiracy with a TEHMA employee,
devise alternative proposals to win the Bombay Martini Bet. Show how computer security is
not as "easy" as implied by the introductory quotation of this case that is
repeated below:
It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct wired terminals, put the machine and its terminals in a shielded room and post a guard at the door.
F. T. Grampp and R.H. Morris
Security Resources
http://www.cs.uidaho.edu/~horn8852/sec-main.html
Question 2.2
Readers may want to consult Appendices 1-3 plus Professor Jensen's Technology Glossary at
Question 2.3
Readers may read more about network databases and security
issues and links at
Question 2.4
In particular, consider the variety of ways that the TEHMA system might have been cracked
by Bruce Sidlinger. These include Information Warfare Weapons discussed at
Question 2.5
Weapons of particular note when learning about security assurance services are
Computer Viruses
Worms
Trojan Horses
Logic Bombs
Trap Doors
Chipping
Nano Machines and Microbes
Electronic Jamming
HERF Guns - EMP Bombs
Question 2.6
It is recommended that students be divided into teams. In Class 1 each student team can
make a presentation of that team’s "best" proposed solution for winning the
wager in this case. Presentation times can vary with class size, but with handouts and
presentation aids it is possible to limit each presentation to fifteen minutes or maybe
even less.
After Class 1, each team’s solution can be assigned to another team. Class 2 can then be devoted to presentations by teams showing how the assigned security penetration solutions can be made to fail with proper prevention and detection security in the information system. Discussions should be allowed to spread to topics such as information warfare and assurance service risks.