Computer Expert Witness
Graham Dilloway CITP MBCS

Chartered IT Professional and Member of British Computer Society

Listed in Register of Expert Witnesses


Member of the Academy of Experts



Unauthorised Access and Computer Misuse

I prepared letters and an expert witness report discussing access to a computer and issues of authorisation under the Computer Misuse Act.

A bank employee, Mr D, was charged under the Computer Misuse Act with unauthorised access to the bank’s computer systems. It was alleged that Mr D was an associate of drug dealers and that he had accessed computer records for the bank accounts of various dealers.

I prepared chronologies of Mr D’s access to computer records, hours of work and other activities.

It was never clear how the Prosecution would show that access to the bank records was unauthorised: the accounts belonged to known villains, and there was no evidence to show either that the villains had asked Mr D to access the accounts or that they had not asked him to do so.

The Prosecution also had evidence to show that Mr D had accessed the account of a serving police officer and had a witness statement from the officer to say that he had not requested this access.

I prepared letters discussing the evidence and a formal expert witness report.

Letter Discussing Audit Log & Transaction History

Dear Mr S

Mr D

Thank you for your email of 1 December and the enclosed Defence Statement.

The evidence includes …

• Computer system Audit Log data. The bank system records data for each access to account information. I would expect that Mr D had no access to this audit data. Exhibit BS40A is an example of this audit data.

• Account Transaction History. Records of transactions for an account, including, for example, debit card purchases and cash withdrawals: the information that would be found on a traditional bank statement. Exhibit BS26AC is an example of a transaction history.

• Paper documents. Including account application forms with checklists and other working documents completed by bank staff.

A chronology would list the events recorded in the various logs and histories together with any account numbers or other identifiers.

In my attempts to better understand the Computer Misuse Act, I came upon the Computer Misuse Act page of the Crown Prosecution Service website. The CPS say, “Prosecutors dealing with CMA cases involving employees should assess carefully the employee's contract of employment together with any surrounding information (for example oral advice given or office practices amongst others) in order to determine whether the employer had clearly defined the limits of the employee's authority. Such cases normally depend on whether the evidence available demonstrates sufficiently strongly that the conduct complained of was unauthorised.”

It may be that a detailed chronology of the alleged actions when accessing bank computers will assist in determining whether any actions by Mr D exceeded his authority.

I enclose lists of the Exhibits in the bundle enclosed with your letter dated 16 October 2012 and of the Exhibits referred to in the statements in that bundle. Some of the Exhibits referred to in the statements are not in the bundle. It may be that these Exhibits are not relevant.

I look forward to hearing from you.

Yours sincerely

Letter Showing Timeline and Missing Evidence

Dear Mr S

Mr D

I enclose two copies of a chronology of the actions indicated by the Exhibits that I have.

The content of each copy of the chronology is identical excepting that the entries are ordered …

• In order of the Exhibits in the bundle that I have.

• In order of the date that an action appears to have occurred.

The Defence Statement that I have says that Mr D is alleged to have been in breach of the Computer Misuse Act on dates that include …

• 15 September 09

• 16 September 09

• 5 October 10

• 14 October 10

I have seen no evidence regarding computer access on these dates.

The list of Exhibits enclosed with my letter dated 12 December 2012 (and sent by email) shows that I have a bundle that does not include all of the Exhibits.

It is likely that, for example, Exhibits BS40D through BS40K include computer audit trail records that relate to the dates in the charges for which I have no evidence of computer access.

A couple of items caught my eye …

• Keith is written as Kieth on some forms and as Keith on other forms.

• On 10 September 2009, account information appears to have been accessed using the Bank's back office software at a time when Mr D was not at work. Do we know whether Exhibit BS48 is a record of when Mr D should have been at work (i.e. prepared in advance to tell Mr D when to work) or a record of when Mr D was at work (i.e. records based on time-clocks or signing-in sheets)?

• The charges appear to include an offence committed on 14 October 2010 when Mr D was not at work.

• The audit trail records in Exhibit BS40 do not identify the specific computer used to access the account records.

What is it that causes an action by Mr D to be so “unauthorised” that the action is a crime? Let us suppose that a friend of Mr D could not be bothered with the Bank's call centre telephone queue. The friend might send to Mr D a mobile phone text message asking Mr D to text back the balance on the friend's account. Would Mr D be breaking the law if he looked up the balance and texted the balance to his chum?

Mr A says, in his statement dated 5 July 2011, at Cont. Sheet 18, “There is no evidence that the customers … instructed D using the Bank phone system ...”. The phone records are not produced as an Exhibit. What evidence did Mr A not find in the telephone records? Did Mr A check, for example, fifty random transactions on the same day to find “evidence that the customers … instructed” someone “using the Bank phone system ...”? How did the transactions that are complained of differ from valid transactions?

The Defence Statement mentions an offence on 5 October 2009. Should this be 5 October 2010?

I would welcome the opportunity to discuss this further.

I look forward to hearing from you.

Yours sincerely

Letter Regarding Indictment

Dear Mr S

Mr D

I enclose two copies of an updated chronology of the actions indicated by the Exhibits. I have added transactions from BS53 (re. D's account). I have also added work records from BS48 and corrected work records that were incorrect in a previous version of this document.

I have not found any evidence for an offence committed on 14 October 2010.

The work rota records (BS48) appear to indicate that Mr D was at work at the times of all accesses to the back office system as shown in the audit trails produced in BS40A, BS40B, BS40C and BS53.

It may be that the Bignell judgement that I referred to is made obsolete by …

http://www.publications.parliament.uk/pa/ld199899/ldjudgmt/jd990805/bow.htm

Counts 1, 2, 3 and 4 are alleged to have occurred in 2009. BS48 (work rota) does not contain records for 2009. I have seen nothing to show that Mr D was at work on the dates for Counts 1, 2, 3 and 4.

Count 5 is alleged to have occurred on 14 October 2010. I have found no evidence of any transaction on 14 October 2010. BS48 (work rota) indicates that Mr D was not at work on 14 October 2010.

Counts 6, 7, 8, 9, 10 and 11 are alleged to have occurred between 27 November 2010 and 1 February 2011.

Counts 1, 6, 7, 8, 9, 10 and 11 are alleged to relate to “Keith X” accounts.

Counts 2, 3 and 4 are alleged to relate to a D account.

For completeness, there are a couple of matters that caught my eye.

In an interview transcript, at (mechanically printed) Page 584, of an event on 31 January 2011, an officer says, “ … this ATM withdrawal was at 2.07, so according to your work rota you were in work ...”. It may be that the officer is referring to a withdrawal on 30 January detailed in BS26AC (X Bank is part of Z Bank). I have seen nothing to show where the officer got the time of 2.07 from.

It may be that the content of BS48 is ambiguous. For example, the record for 15 November 2010 shows hours of work as 14.30 to 22.00 and shows this day as a day of holiday. Does the record show the hours that would have been worked if Mr D had not been on holiday?

The record for 12 November 2010 shows hours of work as 09.30 to 17.30 and shows this day as a “trade” day. Does the record show the hours that would have been worked if Mr D had not “traded” this period of work?

How are actual hours of work recorded? Are there time clocks or signing in books? Did Mr D ever do last-minute “trades” and swap shifts in a way that does not show in BS48?

I would welcome the opportunity to discuss this further.

I look forward to hearing from you.

Yours sincerely
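As an added illustration, not part of the correspondence or of the exhibits in the case, the following Python script performs the kind of cross-check described in the letters above: it builds a chronology of audit-trail accesses ordered either by position in the bundle or by date, and compares each access with the rota, flagging accesses outside rostered hours, on days marked off, holiday or trade, and on dates for which there is no rota record at all. The record layouts, exhibit labels, account and user identifiers and every sample line are constructed for the example; the exhibits themselves are not reproduced here.

```python
"""Cross-check audit-trail accesses against shift rota records and build a chronology.

Added illustration: the exhibits in the case are not reproduced here. The BS40-style
audit lines and BS48-style rota lines below, their pipe-separated layout and all
identifiers are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Access:
    exhibit: str     # exhibit the record was taken from
    seq: int         # position of the record within that exhibit
    when: datetime   # time stamp recorded by the back office system
    account: str     # account identifier that was looked up
    user: str        # user id the system attributed the access to


@dataclass
class Shift:
    day: date
    start: Optional[time]   # None when no hours are rostered for the day
    end: Optional[time]
    note: str               # "", "off", "holiday" or "trade"


# Constructed audit-trail records, listed in exhibit order: exhibit|seq|time|account|user
AUDIT_LINES = [
    "BS40A|1|2010-11-12 10:15|ACC-1234|USER-D",
    "BS40A|2|2010-09-10 19:40|ACC-5678|USER-D",
    "BS40B|1|2010-10-14 11:05|ACC-1234|USER-D",
    "BS40B|2|2009-09-15 09:00|ACC-9999|USER-D",
    "BS40C|1|2010-11-15 16:00|ACC-1234|USER-D",
    "BS40C|2|2010-12-02 01:30|ACC-5678|USER-D",
]

# Constructed rota records: day|start|end|note (deliberately no line for any 2009 date)
ROTA_LINES = [
    "2010-09-10|09:30|17:30|",
    "2010-10-14|||off",
    "2010-11-12|09:30|17:30|trade",
    "2010-11-15|14:30|22:00|holiday",
    "2010-12-01|22:00|06:00|",
]


def parse_audit(lines: List[str]) -> List[Access]:
    out = []
    for line in lines:
        exhibit, seq, stamp, account, user = line.split("|")
        out.append(Access(exhibit, int(seq), datetime.strptime(stamp, "%Y-%m-%d %H:%M"), account, user))
    return out


def parse_rota(lines: List[str]) -> Dict[date, Shift]:
    rota = {}
    for line in lines:
        day, start, end, note = line.split("|")
        d = date.fromisoformat(day)
        rota[d] = Shift(d, time.fromisoformat(start) if start else None,
                        time.fromisoformat(end) if end else None, note)
    return rota


def shift_window(shift: Shift) -> Tuple[datetime, datetime]:
    """Absolute start and end of a shift; an end at or before the start means it runs past midnight."""
    start = datetime.combine(shift.day, shift.start)
    end = datetime.combine(shift.day, shift.end)
    if end <= start:
        end += timedelta(days=1)
    return start, end


def classify(access: Access, rota: Dict[date, Shift]) -> str:
    """Compare one access with the rota for its own day and for the previous day's overnight shift."""
    day = access.when.date()
    for shift in (rota.get(day - timedelta(days=1)), rota.get(day)):
        if shift is None or shift.start is None or shift.end is None:
            continue
        start, end = shift_window(shift)
        if start <= access.when < end:
            # Holiday and trade days are ambiguous: the rota shows hours that may not have been worked.
            if shift.note in ("holiday", "trade"):
                return f"within rostered hours but day marked {shift.note}"
            return "within rostered hours"
    if day not in rota:
        return "no rota record"
    if rota[day].start is None:
        return "not rostered"
    return "outside rostered hours"


def chronology(accesses: List[Access], rota: Dict[date, Shift], by: str = "date"):
    """Rows for the chronology, ordered by exhibit position or by time stamp, each with its finding."""
    key = (lambda a: a.when) if by == "date" else (lambda a: (a.exhibit, a.seq))
    return [(a.exhibit, a.seq, a.when.strftime("%Y-%m-%d %H:%M"), a.account, a.user, classify(a, rota))
            for a in sorted(accesses, key=key)]


if __name__ == "__main__":
    rota = parse_rota(ROTA_LINES)
    for row in chronology(parse_audit(AUDIT_LINES), rota, by="date"):
        print(*row, sep="  ")
```

Run as a script it prints the date-ordered chronology with a finding against each access. The findings are the same questions the letters raise: an access on a date with no rota record cannot be placed at work or away from work, an access on a day marked off contradicts the rota, and an access within the rostered hours of a holiday or trade day is only as reliable as the rota's meaning for those days, which is why the script labels it rather than counting it as confirmed.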

Formal Report

Mr D

Author

1. This report was prepared by Graham Dilloway of 39 Conham Hill, Bristol BS15 3AW. I am a Member of the British Computer Society, the chartered professional body for the computer industry in the UK. I am a member of the Academy of Experts. I have worked with computers for more than 35 years. This work has all involved the implementation and configuration of computers, their operating systems and the core software applications of a computer environment (e.g. word processors and spreadsheets). I have worked with personal computers almost exclusively for more than twenty years.

Instructions

2. I have discussed my instructions with S Solicitors and I understand my instructions to be that I should report on the Bank audit trail records.

Exhibits

3. I received a bundle of witness statements and Exhibits enclosed with a letter from S Solicitors and dated 16 October 2012.

Bank Audit Trail

4. Exhibit BS40 contains audit trail records from Bank computer systems.

5. I have seen nothing to identify the computer used by the person performing the transactions that caused the audit trail records in Exhibit BS40 to be generated.

Passwords

6. I have accounts with two banks. I can perform transactions for both accounts using the Internet.

7. One bank requires that I logon by entering a username and password and that I additionally enter three characters from a second password.

8. One bank requires that I logon by entering a username and password and that I additionally enter a six digit number generated and displayed by a small device supplied by the bank.

9. I understand Cnet to be a reputable publisher of news and information regarding computers. An article on the Cnet website at “news.cnet.com/8301-10784_3-6156737-7.html” dated February 2007 says, “For years, Microsoft Chairman Bill Gates has said that passwords are the weak link in the computer security chain. For years also he has called on computer users to move away from passwords to smart cards or other authentication methods. Gates did it again on Tuesday as he kicked off this year's RSA Conference in San Francisco. "Passwords are not only weak, passwords have the huge problem that if you get more and more of them, the worse it is," Gates said. The time is now really right to do away with passwords, according to Gates.”

10. It is my understanding that the widely held view in the computer industry is that a single password alone should not be regarded as a secure method of protecting a user account.

Summary

11. I have seen nothing to identify the computer used by the person performing the transactions that caused the audit trail records to be generated.

12. It is my understanding that the widely held view in the computer industry is that a single password alone should not be regarded as a secure method of protecting a user account.

13. I understand my duty to the Court and I confirm that I have complied with and will continue to comply with that duty.

14. I confirm that insofar as the facts stated in my report are within my own knowledge I have made it clear which they are and I believe them to be true, and that the opinions I have expressed represent my true and complete professional opinion.

This computer expert witness report was prepared by

Graham Dilloway
Computer Expert Witness

39 Conham Hill

Bristol BS15 3AW