Incident 1 (Network Security)

Risks of CPA Assurance of WebTrustSM Electronic Seals

and of DataTrust Privacy of Cookie Jars

John E. Howland, Department of Computer Science, Trinity University

Robert E. Jensen, Department of Business Administration, Trinity University

Table of Contents

Abstract

Introduction to Incident 1

A Phony DARE Hand in the Cookie Jar

Carmen Cassidy Seeks Assurance

Questions and Assignments

Footnotes to Incident 1

Incident 1 Case Incident 1 Solution Top of Present Document
Incident 2 Case Incident 2 Solution Top of Present Document
Appendix 1 to Case Appendix 2 to Case Appendix 3 to Case
Bob Jensen's Documents ACCT 5342 Documents Technology Glossaries

Abstract

This part of the case introduces students to a typical setting in need of WebTrustSM assurance services available from an increasing number of accounting firms in the United States and Canada. Many firms have trepidation about offering WebTrust assurance services for reasons reflected in the following quotation from the case:

Deborah Coulter is keenly aware that what worries her superiors the most are the inventive ways in which hackers and crackers are able to break into the most secure computer and networking systems on earth, including the most secure systems in the Pentagon. See Footnote 1.  Whereas hackers invade systems as a challenge without evil intentions, crackers break into systems intending to steal from or otherwise injure the system. Stealing can be parasitic over time or a single-incident theft. Smart crackers are patient and resist stealing or otherwise letting intentions be known for long periods of time. Sometimes there is only information theft from the host (e.g. stealing cookies) that is later used to steal from or otherwise harm innocent third parties. In the early part of 1998 when the Pentagon was moving war planes into the Persian Gulf, mysterious hackers were invading and leaving trap doors (for exiting and re-entry) in classified databases. On June 1, 1998 Newsweek reported the following on Page 60:


The hackers turned out to be a couple of teenagers in Cloverdale, Calif., coached by a third teenager living in Israel; they were just having some fun. But to America's national-security establishment, the threat of information (IW) is deadly serious.


If Pentagon systems can be cracked by whiz kids, what is the risk of A&K assurance services to DARE? Also, what is the risk that a disgruntled employee will leave the cookie jar open or sell passwords or other confidential information to criminals?

 

Introduction to Incident 1

In a PBS television broadcast of Life on the Internet in the early part of 1997, Carmen Cassidy discovered how art galleries and bookstores around the world are closing down in order to become virtual businesses on the Internet. Many such businesses are much more successful online than they were in fixed locations. The lead was initially taken by online bookstores attempting to build virtual communities among parties interested in each book. See Footnote 2.  Subsequently, galleries and other businesses discovered that virtual communities are both sources of inspiration for authors and artists and sources of renewed interest of customers in products.

Ms Cassidy invested heavily in her online Disabled Artist Resource Emporium (DARE) headquartered in Dallas, Texas. DARE’s mission is to both help artists with disabilities produce works of art and to help sell their finished products. Products include traditional paintings and computer art as well as sculptures, music recordings, books, poems, and handicraft items. Carmen Cassidy herself was an artist until she became quadriplegic following an automobile accident.

Ms Cassidy eventually closed her six DARE outlet stores in major cities across the nation and moved the entire DARE operation into cyberspace via the Internet. One of the key motivations was to focus on the formation of "virtual communities" around the leading artists under her sponsorship. She now provides web space for anyone who wants to evaluate any artist’s work and/or comment on that work or the artist in general. She also provides web chat rooms where an artist can communicate at scheduled times in spontaneous dialog with admirers, critics, customers, students, and fellow artists.

There are actually two virtual communities that form around each DARE artist. The "output" community centers on the past, present, and future works of art of a given artist. That is the community described above. The second virtual community is called the "input" community. The latter community attempts to bring the artist into communication with anyone that can help an artist improve upon his or her craft. For example, persons keen on tracking disabilities technologies can communicate with artists about leading edge and emerging products for such disabilities as sight impairment, hearing impairment, motor control impairment, and other types of impairments that make it difficult but not impossible to generate high quality pieces of art and music.

DARE profits both from purchases of hardware/software to assist artists, and from sales of works from artists. DARE has brokerage contracts with various vendors of products for disabled persons and brokerage contracts with the artists attempting to sell their crafts. DARE has been successful because of trust and professionalism on all sides of transactions. DARE tests vendor products and, on occasion, hires independent testing firms to evaluate newer types of inventions. DARE has a staff of two professional art critics and also hires independent consultants to appraise the works of art displayed in various galleries at the DARE web site. DARE also holds several patents on devices intended to aid artists with certain types of disabilities. In addition, DARE conducts both on site and online training courses for artists.

A Phony DARE Hand in the Cookie Jar

Carmen Cassidy received a disturbing message on March 9, 1998. A customer who had purchased several items in February revealed that, by using a web search engine, he had stumbled onto two domain names with identical DARE opening pages. Ms Cassidy discovered that an unscrupulous scoundrel had downloaded all of the DARE documents and images in order to create a phony DARE web site.

The customer complained that a telephone solicitation had been received announcing a changed DARE phone number and offering a discount based upon the amount of the February purchase. The customer started to place another order but became suspicious after being informed that "DARE" would no longer accept credit cards. Only cash and money orders were to be transmitted. The fact that "DARE" encouraged sending cash though the mails is what made the customer suspicious enough to conduct a web search for DARE sites.

Ms Cassidy expressed deep gratitude to the customer for discovering the phony DARE site. The customer, however, remained irate about privacy issues. What made the customer especially upset with Carmen Cassidy is that the phony "DARE" con artist somehow had DARE’s cookie data regarding the customer’s name, address, phone number, email address, and details regarding the February purchase from the legitimate DARE web site. Somehow unauthorized hands were in the DARE cookie jar. The systems engineers that designed and installed the DARE web site made it possible to send out cookies to customer and artist computers.  See Footnote 3.

Even though authorities in New Jersey shut down the phony DARE web operation in a matter of days, Carmen Cassidy grew exceedingly distraught. She had closed all of the DARE outlet stores around the nation and plunged heavily into the virtual DARE web site. Not until March 9 did she discover how truly vulnerable her virtual DARE was to fraud and corruption. When the word spread, her long-established goodwill with artists and the public might take a plunge from which she could not recover without abandoning her web business and reopening outlet stores at considerable trouble and expense.

As chance would have it on March 9, Sam Burke was in her office working on both her corporate and personal tax returns. Sam worked out of the Dallas office of the A&K LLP public accounting firm. Sam informed Ms Cassidy that his firm had an assurance service team that could help save her online DARE.

Carmen Cassidy Seeks Assurance

. Deborah Coulter received a call from her colleague Sam Burke on March 9. Sam put his client, Carmen Cassidy, on the line. Ms Coulter informed the distressed Carmen Cassidy that, by using the AICPA’s WebTrustSM Electronic Seal, A&K will authenticate that designated web site is the official DARE site. The service for logo authentication is termed LogoTrust by A&K. The accounting firm also offers its DataTrust assurances to users that DARE cookie information on customers and artists would remain confidential. DataTrust is the term used by A&K for assurances that privacy rights to information are protected. DataTrust is the third principle under the AICPA’s WebTrustSM Electronic Seal. Furthermore, DARE could purchase other assurance services that would provide the world with greater confidence when dealing with DARE over the Internet. Among these services are TransTrust from A&K. TransTrust is the term used by A&K to depict the second principle of the WebTrustSM Electronic Seal.

On March 11, Deborah Coulter organized a team of professionals to meet with both employees of DARE and the systems engineers who designed the online DARE operations. Getting the engagement would only be half the battle for Ms Coulter. The other half of the battle in this new line of business was in convincing A&K partners that the initial and annual fees eventually agreed upon for the DARE assurance services outweighed the risks to A&K in providing such services. This new line of business was still looked upon with skepticism by most audit and tax partners.

On the up side, there is a driving force of change in public accounting practices around the nation. Consulting revenues of large international accounting firms like A&K are growing at much faster rates than traditional audit and tax services. In addition, consulting profit margins are enormous compared to thinning margins from audit and tax engagements.

On the downside, A&K partners feel more in control of the lawsuit and reputation risks in auditing and tax services. Some newer assurance services do not pose a serious threat in the eyes of A&K partners. For example, elder care assurance services do not appear to be especially risky since A&K can schedule random visits to care centers and pay whistle blowing rewards to employees of care centers.

Deborah Coulter is keenly aware that what worries her superiors the most are the inventive ways in which hackers and crackers are able to break into the most secure computer and networking systems on earth, including the most secure systems in the Pentagon. See Footnote 4.  Whereas hackers invade systems as a challenge without evil intentions, crackers break into systems intending to steal from or otherwise injure the system. Stealing can be parasitic over time or a single-incident theft. Smart crackers are patient and resist stealing or otherwise letting intentions be known for long periods of time. Sometimes there is only information theft from the host (e.g. stealing cookies) that is later used to steal from or otherwise harm innocent third parties. If Pentagon systems can be cracked by whiz kids, what is the risk of A&K assurance services to DARE? Also what is the risk that a disgruntled employee will leave the cookie jar open or sell passwords or other confidential information to criminals?

Questions and Assignments

Question 1.1
What is the WebTrustSM Electronic Commerce Seal that is now offered by an increasing number of public accounting firms who provide assurance services? What are the three broad categories of WebTrustSM? How did WebTrustSM come about and what is the AICPA/CICA relationship with VeriSign?
[Hint: Start your search at the AICPA web site at
http://www.aicpa.org/news/p091697a.htm and then go to the VeriSign web site at http://www.verisign.com ]

Question 1.2
How do the logo assurance services of the BBB Online program at
http://www.bbb.com and the Truste DataTrust assurance services at http://www.truste.com differ? What comparative advantages do public accounting firms have vis-à-vis these two competitors who are not public accounting firms?
[Hint: See G.G. Gray and R. Debreceny, "The Electronic Frontier," Journal of Accountancy, May 1998, 32-38.]

Question  1.3
What are the risks to consider when providing WebTrustSM assurance services to DARE?

Question  1.4
What are the risks to consider when providing DataTrust assurance services regarding confidentiality of DARE cookies?
[Hint: Cookies are explained at
http://www.trinity.edu/~rjensen/245glosf.htm#Cookies1 ]

Question  1.5
What types of computing and network assurance services might the A&K CPA firm contemplate providing to DARE? Discuss each service both in terms of comparative advantages of CPA firms in providing the service and the inherent risks of having CPAs offer that service.
[Hint: See
http://www.aicpa.org/assurance/scas/newsvs/index.htm and http://www.us.kpmg.com/irm/main.html ]

Question  1.6
Explain and illustrate the difference between information security policies versus security mechanisms.
[Hint: See Appendix 3 by John Howland or go to
http://ariel.cs.trinity.edu/~jhowland/security/security .]

Question  1.7
What are the advantages and drawbacks of a password encryption system?
[Hint: See Appendix 3 by John Howland or go to http://ariel.cs.trinity.edu/~jhowland/security/security .]

Question  1.8
Explain how the Internet works in terms of IP addresses, packets, and routers.
[Hint: See Appendix 3 by John Howland or go to
http://ariel.cs.trinity.edu/~jhowland/security/security .]

Question  1.9
Define the major network protocols and explain the role of each protocol.
[Hint: See Appendix 3 by John Howland or go to
http://ariel.cs.trinity.edu/~jhowland/security/security .]

Question  1.10
Discuss each of the following threats to network security:

Cracking Passwords
sendmail
Denial of Service
Repeated Attack
CGI Scripts
Windows NT Security
Denial of Service
Weak Passwords, Authentication Attacks
Privilege Escalation
Noncaptive Environments
Cracking a fire-wall

[Hint: See Appendix 3 by John Howland or go to http://ariel.cs.trinity.edu/~jhowland/security/security .]

Footnotes to Incident 1

Footnote 1
See Footnote 4.

Footnote 2
The Amazon web site is at www.amazon.com
, and the Barnes and Nobel web site is at www.barnesandnoble.com/index.asp?userid=5QWF0OIYYQ. Virtual bookstores offer server space to readers and authors who want to share opinions and ideas about particular books.


Footnote 3
Cookies are explained at http://www.trinity.edu/~rjensen/245glosf.htm#Cookies1 .

Footnote 4
For example, on April 22, 1998 the following was reported:

Source: Reuters on CNET.News at http://www.news.com/News/Item/0%2C4%2C21357%2C00.html?dd.ne.tx.wr

audio SAN FRANCISCO-A shadowy group of computer hackers has apparently succeeded in breaking into a U.S. computer system that controls military satellites, officials and security experts said. The group, calling itself MOD or Masters of Downloading, has proof of its electronic snooping-secret files allegedly pirated from the Information Systems Network (DISN), computer security expert John Vranesevich said. Lt. Col. Tom Begines, a Defense Department spokesman, said military officials were "aware of the intrusion and looking into the matter."

 

 

Incident 1 Case Incident 1 Solution Top of Present Document
Incident 2 Case Incident 2 Solution Top of Present Document
Appendix 1 to Case Appendix 2 to Case Appendix 3 to Case
Bob Jensen's Documents ACCT 5342 Documents Technology Glossaries