SANS ISC: InfoSec Handlers Diary Blog

Early Discussions of Computer Security in the Media

Published: 2006-09-10
Last Updated: 2006-09-10 19:04:52 UTC
by Lenny Zeltser (Version: 3)

What's the earliest computer security incident reported in the general media? I was curious.

Now that Google's News Archives Search includes 200 years' worth of publications, it's even easier to search printed records without having to go to the library and sift through microfilm. Google's archive doesn't include all media records, but I think it is a good indication of the general state of the media's coverage of computer security. [Update: Libraries often offer the ability to search historical records for free without having to deal with microfilm, and often without having to visit the library building. See a note at the bottom of this post for more information.]

I performed a search for articles that match "computer" and "security" and examined the results. Here are the earliest incidents I came across:

  • The earliest computer-aided fraud: National City Bank of Minneapolis, 1966
  • The earliest external intrusion: Federal Energy Administration, 1977
  • The earliest large-scale identity theft breach: TRW Inc., June 1984

The earliest reported fraud incident involving a computer seems to date back to 1966, according to a December 1972 article in Time Magazine:

Minneapolis Programmer Milo Arthur Bennett, whose firm handled computer work for the National City Bank of Minneapolis, programmed the computer in 1966 to ignore an overdraft in his own account at the bank.

This article highlighted the increasing profitability of computer crimes. It explained that a "handful of keypunch crooks have already thought of some ingenious ways to defraud the Brain, with varying results." The text also mentioned the following incident, which was motivated by the desire to use someone else's computer for monetary gain.

Palo Alto Programmer Hugh Jeffrey Ward learned, from customers of a computer firm in Oakland, code numbers that enabled him to give orders to the firm's computer. ... He told the Oakland computer to print out a program for plotting complex aerospace data in graph form. ... His company presumably planned to market the program, which was valued at $12,000 or more, to the Oakland firm's own customers. ...

Five years later, in August 1977, Time Magazine published an article that included the earliest mention of an external computer intrusion I could find:

The conviction of one man, accused of stealing confidential information from a Federal Energy Administration computer in Maryland, was possible only because the thief had dialed into a system from his office a few miles away in Virginia.

Another intrusion mentioned in the article occurred at an identified company and involved brute-force password guessing. The article also mentioned the challenge of striking the right balance between security and usability:

One computer, protected by a five-digit code number, was illegally entered in minutes when the thief ordered the computer to begin trying every one of the 100,000 possible combinations. But tighter security would cost both money and time. Says Robert Courtney of I.B.M. "If you're running thousands of transactions a day, you don't want to spend ten seconds or so every time arguing with the computer about who you are."

After a multi-year gap, the next computer security mention I found dates to 1981. A June 1981 article in the New York Times describes how an employee misused a computer to set up a race-track betting system:

His activities were uncovered by the school board's auditor general, who turned the case over to a specialist in computer security for the city's Department ... The arrested programmer 'was described by a New York City investigator as ''a good employee"' ... [Note: This article excerpt was indexed by Google.]

Two years later, in August 1983, an external intrusion caught the public's eye in a way that none had before. Multiple media articles described a computer security break-in at the Los Alamos National Laboratory. The intruders were youths, apparently inspired by the War Games movie. Here are a few excerpts from the articles that discussed this incident:

The apparent electronic penetration of an unclassified computer in a nuclear weapons laboratory by a group of young people was not a threat to national security, telecommunication experts said today. But they said the incident illustrated the extraordinary difficulty of guaranteeing the security of any information ...

"There's no security in it or nothing. ... Los Alamos has a computer connected to TELENET, a computer communications network" ...

Officials at the Los Alamos National Laboratory in Los Alamos, N.M., said no classified data had been uncovered by the computer users, who reached a lab computer by telephone from Milwaukee. ...

The Security Pacific National Bank of Los Angeles computer also was entered, apparently by the same young people, but no one's account was affected ...

This incident was a big deal because it demonstrated the importance of computer security to the general public. The sentiment is expressed by an August 1983 article in the New York Times:

Corporate executives and telecommunications experts said yesterday that the recent breach of computer security at the Los Alamos National Laboratory in New Mexico had renewed fears about entrusting proprietary information to data networks that are easily accessible by telephone. ...

Most companies are reluctant to discuss their computer security systems, or even acknowledge the extent to which they are dependent on computer systems ... [Note: This article excerpt was indexed by Google.]

Such factors highlighted the need for commercial computer security products. About a month after the Los Alamos incident, a September 1983 article in the Miami Herald described Datacryptor, which sounds like the first commercial VPN product I came across:

Racal-Milgo, a Miami computer company, thinks its $2,000 black box may be just the answer for businesses worried about computer crime. The Datacryptor, as the device is known, is an electronic scrambler that turns sensitive computer talk into undecipherable gibberish. But even the Datacryptor isn't immune to computer crime.

A New York Times article, published the same month, noted that "the market for computer security software is booming," according to the article excerpt indexed by Google.

Another article, dated to October 1983 and published by the New York Times, introduced the readers to the role of a computer security specialist. The article was titled "New Breed of Workers: Computer Watchdogs" and contained the following description:

Processing manager for a major corporation suddenly notices unusual levels of activity on his company's computer. He investigates, and discovers that the system has been tampered with over telephone lines. Corporate panic follows as company officials try to determine what was disclosed, what was damaged and how vulnerable their ...

Update: An ISC reader shared with me an ad for a Computer Security Manager position, published by the New York Times in November 1970. "Starting salary $15,000 to $20,000 range." (Thanks, Gary!)

If you're wondering when the first identity theft-related breach caught the media's eye, look no further than June 1984. A security breach at a credit-reporting agency led to the disclosure of a password used to protect credit reports. Here are a few excerpts from the articles that described the incident:

A password that could permit access to the credit histories of 90 million people was stolen and posted on an electronic bulletin board, TRW Information Systems said yesterday. ...

Through the theft of a code, the credit ratings of the 90 million people tracked by TRW Inc. were used by credit-card thieves armed with home computers, offering the potential to cash in on other people's credit, company officials said yesterday. "We found out about that code a couple weeks ago, and the code is no longer valid," said Geri Schanz of TRW's Information Services Division ...

Computer raiders used a stolen access code to tap into the files of the nation's largest credit rating bureau for more than a year but company officials say the "hackers" could not have altered the records. TRW Information Services, whose computers hold credit ratings and other records on 90 million people, said yesterday the raiders could have used information from the files to fraudulently obtain credit cards.

The subsequent years led to a surge in computer use, the emergence of the Internet, and the shaping of the computer security landscape as we know it today.

Update: If you're interested in searching through historic news archives, keep in mind that Google is not the only way to do this. As an ISC reader pointed out, many libraries offer thousands of full text archived articles for free without having to go to the library and wade through microfilm. This capacity is described in the Forbes article "Google Isn't Everything". Also, the ResourceShelf site offers an in-depth look at Google's News Archives Search, and provides pointers to other sources of historic news records.

-- Lenny

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com

Keywords: history