Forensic Accountants

ACCT341, Chapter 11
A. Skim through Ch. 11 and answer the following questions. Note that surveys of accounting and
finance executives consistently show that cybersecurity is one of their top concerns regarding
operational risks and internal controls.
1. Do you think Adrian Lamo should have been arrested? Why or why not?
2. What is a logic bomb? T or F: Donald Burleson created a deadly logic bomb
that exploded, although damage was less than it could have been.
3. How did the manager at King Soopers supermarket steal $2 million?
4. Why should IRS processing centers not have windows near their computers?
5. When managers fire disgruntled employees, why should they give a surprise notice in person,
allow the employees time to clean out their desks/offices, ask for their keys, have IT change
their passwords, and otherwise be physically present with them until they leave the premises?
6. Common approaches to obtaining passwords include phishing and social engineering. Do you
think it is illegal to obtain a password, even if you don’t end up using it?
7. What is data diddling and how did TRW (Experian) employees diddle the data?
8. For what reasons do people hack? What is the maximum penalty for hacking? What is an
ethical hacker?
9. T or F: Though the Slammer Worm cost over $1 billion, they did eventually catch and punish
the culprit.
10. What is the difference between a computer virus and a worm?
11. Apparently hackers love Trojans.
(A) What is a Trojan?
(B) If you remember history at all, why are these viruses called “Trojan Horses?”
12. What is social engineering and how can these efforts be thwarted?
13. Kevin Mitnick is likely the world’s most famous hacker who used social engineering to gain
access to information. For example, he would pretend to be an employee who forgot the
password and would ask for it. After serving about 5 years in jail, he was released in 2003.
According to the article below:
(A) What is Mitnick doing today?
(B) What was Mitnick’s first illegal act at the age of 12?
(C) What did Mitnick do at a 2014 conference in Las Vegas to prove how easy it is to
perpetrate identity theft?
14. What is a lockout system? Have you personally ever been locked out?
15. If you prepared official-looking but bogus invoices for under $300 of office supplies and
mailed the invoices to hundreds of companies, how many companies do you think would
actually pay the fake invoice? (This actually happened! See Case-in-Point 11.7)
16. When you get rid of an old computer, why should the disk drives be reformatted (either
formally or with a sledge hammer)? (See Case-in-Point 11.9).
17. Does most computer fraud succeed because of the failure or the absence of controls? Why?
18. (A) According to your text, what do forensic accountants (or fraud auditors) do and who do
they usually work for?
(B) For the next few questions refer to the article at the end of this document. What are the
future job prospects for forensic accountants?
(C) What skills do forensic accountants need?
(D) What credentials does forensic accounting require?
19. (A) Define dumpster diving, phishing and smishing.
(B) Have you ever been phished before? Explain.
(C) At the end of this document is an email that I received supposedly coming from Bank of
America. Do you think this is a legitimate email from Bank of America?
20. At the end of this document is a short piece explaining the Salami Technique.
(A) What is the Salami Technique and how did it get its name?
(B) Complete Problem 11-14 from the back of the chapter.
Kevin David Mitnick
Kevin Mitnick (born August 6, 1963) is a controversial computer hacker and convicted criminal in the United States.
Mitnick was convicted in the late 1990s of illegally gaining access to computer networks and
stealing intellectual property. Though Mitnick has been convicted of computer related crimes and
possession of several forged identification documents, his supporters argue that his punishment
was excessive. In his 2002 book, The Art of Deception, Mitnick states that he compromised
computers solely by using passwords and codes that he gained by social engineering. It is
notable that Mitnick did not use software programs or hacking tools for cracking passwords or
otherwise exploiting computer or phone security.
Mitnick served five years in prison, of which four and a half years were pre-trial, and eight months
were in solitary confinement.[1] He was released on January 21, 2000. During his supervised release, which ended on
January 21, 2003, he was initially restricted from using any communications technology other than a landline telephone.
Mitnick fought this decision in court, and the judge ruled in his favor, allowing him to access the Internet. Today, Mitnick
runs Mitnick Security Consulting, a computer security company that tests corporate security systems.
Early life
Kevin Mitnick began social engineering or perhaps discovered his first engineerable situation at the age of 12. He
realized he could bypass the punchcard system used for the Los Angeles bus system: by buying his own punch, he
could get free bus rides anywhere in the greater LA area. Social engineering became his primary method of obtaining
information, whether it be user names and passwords, modem phone numbers or any number of other pieces of data.
In high school, he was introduced to phone phreaking, the activity of manipulating telephones, which was often used to
evade long-distance charges for his benefit. Mitnick also became handy with ham radios; using such equipment, Mitnick
reportedly managed to gain unauthorized access to the speaker systems of nearby fast food restaurants; when
drive-thru customers gave their orders, Mitnick would heap insults upon them.
Computer hacking
Mitnick gained unauthorised access to his first computer network in 1979, when a friend gave him the phone number for
the Ark, the computer system at Digital Equipment Corporation (DEC) used for developing their RSTS/E operating
system software. He broke into DEC's computer network and copied DEC's software, for which he was later convicted.
This was the first of a series of run-ins with the law. Mitnick gained unauthorized access to dozens of computer
networks while he was a fugitive. He used cloned cellular phones to hide his location and, among other things, copied
valuable proprietary software from some of the country's largest cellular telephone and computer companies. Mitnick
also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail.
Mitnick was apprehended on February 15, 1995, in Raleigh, North Carolina. He was found with cloned cellular phones,
more than 100 clone cellular phone codes, and multiple pieces of false identification.
Acts by Kevin Mitnick
Using the Los Angeles bus transfer system to get free rides
Evading the FBI
Hacking into DEC system(s) to view VMS source code (DEC reportedly spent $160,000 in cleanup costs)
Gaining full admin privileges to an IBM minicomputer at the Computer Learning Center in LA
Hacking Motorola, NEC, Nokia, Sun Microsystems and Fujitsu Siemens systems
Alleged
Stole computer manuals from a Pacific Bell telephone switching center in Los Angeles
Read the e-mail of computer security officials at MCI Communications and Digital
Wiretapped the California DMV
Made free cell phone calls
Hacked SCO, PacBell, Pentagon, Novell, CA DMV, USC and Los Angeles Unified School District systems
Recent activity
Kevin Mitnick is now a professional computer consultant (doing business as Mitnick Security Consulting, LLC), and has
co-authored three books on computer security: The Art of Deception (2002) (Co-authors William L. Simon and Steve
Wozniak), which focuses on social engineering; The Art of Intrusion (2005) (Co-author William L. Simon), focusing on
real stories of security exploits; and Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, an
autobiography. At the 2014 annual Las Vegas hackers convention DEF CON, Kevin Mitnick asserted that he could
steal anyone's identity in 3 minutes. He defended this assertion by discovering online the Social Security number of a
single volunteer from the DEF CON audience.
Forensic Accountants
By Peter Vogt
An employee embezzles millions of dollars from his company, but he doesn't know his firm is on to him. To
combat his schemes, the company brings in a forensic accountant, a professional with a combination of
financial expertise and investigative prowess, to determine exactly what's going on.
Eventually, the forensic accountant uncovers the fraud, gathers evidence, and turns it over to the FBI. The
employee gets convicted and goes to prison.
This is not the plot of the latest Hollywood blockbuster, or the latest corporate accounting scandal for that
matter. This is a typical example of a day's work for a forensic accountant.
Given the amount of money organizations lose to fraud and abuse -- an estimated $1 trillion billion last year
alone, according to a study by the Association of Certified Fraud Examiners (ACFE) -- it's no wonder forensic
accounting is one of the fastest-growing sectors, not just of the accounting field but of the world of work as a
whole.
According to Accounting Today, nearly 40 percent of the top 100 accounting firms in the US are now
expanding their forensics-related services. US News & World Report calls forensic accounting one of the "20
hot job tracks of the future," and two-thirds of the companies that responded to a national study by Kessler
International, a forensic accounting and investigation firm based in New York City, say they've either used the
services of a forensic accountant already or have considered doing so in the recent past.
"Fraud can sometimes be the difference between a company posting a profit or a loss," says Michael Kessler,
president and CEO of Kessler International. "Our survey's results are indicative of the tightening economy
that is causing companies to hunt down any threat to their financial well-being."
Private companies aren't the only ones asking forensic accountants to hunt for wrongdoing. Government
agencies like the FBI, the Internal Revenue Service, and the Bureau of Alcohol, Tobacco and Firearms have
forensic accountants who investigate everything from money laundering and identity-theft-related fraud to
arson for profit and tax evasion. Law firms often use forensic accountants to help divorcees uncover their
exes' hidden assets. In recent months, forensic accountants have uncovered instances of companies cooking
the books to falsely inflate company profits, minimize losses or divert large amounts of money to company
leaders.
Well, it's no wonder that the number of forensic accountants is on the rise. If you'd like to join their ranks,
here's what you can do now to prepare for this field.
Develop Your Detective Abilities and Your Financial Skills
"Forensic accountants must have the skills of both a private investigator and an accountant," says Kessler.
That means your analytical abilities and research skills will be as essential to your success as your eventual
financial experience, including knowledge of accounting procedures (proper and improper).
Get the Appropriate Credentials
Most forensic accountants have a bachelor's degree in accounting, and many have additional academic
preparation in fields like criminal justice or law enforcement. The field generally requires that you have your
Certified Public Accountant (CPA) designation.
Expect to earn anywhere from up to $65,000 a year in your first entry-level position in the forensic accounting
field. Once you've accumulated a few years of experience, you will usually see an annual salary of six figures.
It's not uncommon for veteran forensic accountants to make several hundred thousand dollars a year.
To increase your value as a forensic accountant, you can take the Certified Fraud Examiner (CFE) exam,
administered by the ACFE. By earning this credential, you'll show prospective employers that you "exemplify
the highest moral and ethical standards" of the profession and you have, in ACFE's terms, "the ability to
conduct complete, efficient, thorough and ethical fraud investigations."
Exclusively
for:
Bruce J. Toews
Consolidate your balances. You could
make just one monthly payment.*
Complete a balance transfer today, and you
could make just one monthly payment.
It's time to make things simple. Managing your
finances can be a breeze when you consolidate
your balances online. You could have just one
monthly payment, it's the perfect opportunity to:



Take a well-deserved vacation.
Consolidate higher-rate bills.
Free up money for other expenses.
It only takes a moment to transfer balances to
your Bank of America® credit card. With a click,
you can transfer higher-rate balances. It's a
great way to make life easier. Just click to open
a world of new possibilities for yourself. Go to
bankofamerica.com/easybt to transfer balances.
Your account number ending in:
XXXX
Your credit line is:
$XXXXX
Click here to:



Complete a balance
transfer.
Simplify your finances.
Have one convenient
monthly payment.
SALAMI TECHNIQUE
Origins: As the banking industry replaced manual bookkeeping with computerized systems as a
means of keeping track of customer accounts, they unknowingly opened the door to a type of
embezzlement that had previously been difficult (if not impossible) to successfully pull off on a large
scale: the 'salami' technique. This was a scheme by which a bank employee (usually a computer
programmer) could surreptitiously stockpile a substantial amount of money not by grabbing large
sums all at once, but by 'slicing' off 'thin' amounts of cash from many different customers' accounts
and diverting them to one central account (which he controlled), thereby building up a tidy nest egg
while minimizing the risk that any single instance of his theft would be detected and investigated.
Thomas Whiteside reported a supposedly real example of this technique in action in 1978's Computer Capers:
The embezzler was evidently using the bank's computer to transfer twenty or thirty cents at a time, at random, from 300 checking
accounts at the bank and diverting the money to a dummy account for his own use. The computer criminal was careful never to
divert sums from any particular account more often than three times a year. Because a customer was unlikely to notice such a small
discrepancy in his monthly bank statement — or, if he did notice it, to find it worth his while to go to the bank and argue over it —
the embezzlement was likely to go on and on.
One way of taking the salami technique a step further was for the embezzler to cover his tracks by making even his small thefts of
a few cents at a time look legitimate:
Two programmers who were employed by a big New York garment firm instructed the company's computer to increase by two
cents the amount withheld from their fellow-employees' paychecks each week for federal taxes. They further programmed the
computer to direct the two cents per employee per week to their own federal withholding accounts. The result was that at the end
of the year they received the money in the form of refund checks from the Internal Revenue Service, which had been acting as an
unwitting bagman for the embezzled sums.
Even better was a variation of this technique in which the vanished sums were so unnoticeably small that they could be uncovered
only through the most rigorous of audits:
One way in which the computer criminals might employ the salami technique is to round down any sums ending in fractions to the
nearest whole number — for example, fractions of pennies as these are computed in interest-bearing accounts. In the meantime,
the criminal has established a dummy account at the same bank, and he programs the computer to divert the surplus from the
round-downs to this account. Quietly accumulating year in and year out, these fractional sums can mount handsomely, and usually
neither the bank nor the depositors know what is going on.
Legend has it that one unlucky thief who tried this last method fell victim to a fluke of a company promotion and was caught:
A programmer working at a mail-order sales company had its computer round down odd cents in the company's sales-commission
accounts and channel the round-downs into a dummy sales-commission account he had established under the name of Zwana. He
had invented the name Zwana because he knew that the computer processed the company's accounts in alphabetical order, and he
could easily program the computer to transfer all the round-downs into the last account in the computing sequence. The system
worked perfectly for three years, and then it failed — not because of a logical error on the culprit's part, but because the company,
as a public-relations exercise, decided to single out the holders of the first and last sales-commission accounts on its alphabetical
list for ceremonial treatment. Thus Zwana was unmasked, and his creator fired.
Sightings: The salami scheme is a factor in the plot of several films: 1983's Superman III, 1995's Hackers, and 1999's Office Space.
Read more at http://www.snopes.com/business/bank/salami.asp
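The round-down variant above is said to be uncoverable "only through the most rigorous of audits"; the sketch below shows what such an audit recomputes. It is an added example, not part of the original handout or the quoted article. The account numbers, balances, monthly rate and posted credits are all constructed, and it assumes the bank's stated policy is to round interest half-even to the cent.

```python
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")
RATE = Decimal("0.0025")  # assumed monthly interest rate for this product

# Constructed month-end balances ("Z-9999" is an empty account).
BALANCES = {
    "A-1001": Decimal("1830.55"),
    "A-1002": Decimal("912.40"),
    "A-1003": Decimal("25077.19"),
    "A-1004": Decimal("640.00"),
    "A-1005": Decimal("7315.86"),
    "Z-9999": Decimal("0.00"),
}

# Constructed interest credits as posted by two runs of the batch job.
HONEST_RUN = {"A-1001": Decimal("4.58"), "A-1002": Decimal("2.28"),
              "A-1003": Decimal("62.69"), "A-1004": Decimal("1.60"),
              "A-1005": Decimal("18.29")}
TAMPERED_RUN = {"A-1001": Decimal("4.57"), "A-1002": Decimal("2.28"),
                "A-1003": Decimal("62.69"), "A-1004": Decimal("1.60"),
                "A-1005": Decimal("18.28"), "Z-9999": Decimal("0.02")}


def audit_interest_run(balances, posted, rate=RATE):
    """Recompute each credit from source data and compare with the ledger."""
    shortfalls, unexplained = [], {}
    for acct, credit in posted.items():
        exact = balances.get(acct, Decimal("0")) * rate  # full precision
        fair = exact.quantize(CENT, rounding=ROUND_HALF_EVEN)
        if credit > fair:
            # Credited more than its own balance can earn: money from elsewhere.
            unexplained[acct] = credit - fair
        else:
            shortfalls.append(exact - credit)
    return {
        # Unbiased rounding leaves shortfalls of both signs that roughly net
        # out; truncation leaves them all >= 0 and their sum is the missing money.
        "total_shortfall": sum(shortfalls, Decimal("0")),
        "one_sided": all(s >= 0 for s in shortfalls)
        and any(s > 0 for s in shortfalls),
        "unexplained_credits": unexplained,
    }


if __name__ == "__main__":
    for name, run in (("honest", HONEST_RUN), ("tampered", TAMPERED_RUN)):
        print(name, audit_interest_run(BALANCES, run))
```

In the tampered run the depositors' combined shortfall equals the credit posted to the empty account, which is the reconciliation that ties the missing fractions to where they went.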