Digital Stealth Secrets and the Act

By Jack Seward
March 02, 2004

Corporate accountability (Sections 302, 404 and 409 of SOA) has moved to priority status for most businesses. This article has as its core just one premise: understanding the risks associated with digital stealth fraud in the workplace, and what it can do to your company.

Digital stealth fraud could be lurking in the air, hiding on computer hard disk drives, laptops, servers, Internet, Intranet, digital devices and other media. These have become the digital fraudster's favorite tools. Your basic sensibilities regarding the potential for fraud in the workplace will be transformed and you will become prepared for these risks in the digital age.

Cooperation

Your worst nemesis in the attempt to annihilate fraud is the knee-jerk reluctance to give management and professionals the cooperation they deserve without first asking, “What is this going to cost?” Internal auditors, accountants, fraud examiners and forensic accountants are now involved in the business of detection of fraud. Companies have invested in the latest technology to automate the financial reporting process so that the numbers are transparent to those that need to know. Many private companies have instituted similar changes to improve accounting practices in response to SOA.

Hidden Secrets

Sir Francis Bacon (1561-1626) said, “He who hath a secret to keep must first keep it secret.” Most instances of fraud discovered in the corporation will involve to some degree the use of computers and related media (in some cases more and others less). Consider this: It is not difficult to hide financial information on electronics in the workplace. In fact it has become so easy to hide information that you might wonder why we don't read or hear about it on the news. Willie Sutton probably said it best, when he answered why he robbed banks: “That's where the money is.”

The problem is fairly simple (how do you hide digital information), but the solution for detection becomes quite complex. Many of the auditors walking around, examining and checking their lists twice have probably never heard of the digital stealth fraud that is introduced in this article, or at least they do not routinely evaluate and investigate for it. It can co-exist on computer hard disk drives, laptops, servers, digital devices, Internet, Intranet and other media and go completely unnoticed forever. Most alarming is that digital stealth fraud is not detected using conventional audit tools.

Internal controls do need to be designed to discover and detect digital stealth fraud. Two questions need to be asked: 1) Exactly how will the corporation and the auditors examine the contents of digital stealth files that cannot be seen? And 2) What should the auditors look for in order to determine if digital stealth fraud exists in the company?

'Digital Steganography'

One of the most feared digital technologies in the company is “Digital Steganography.” This is taken from the Greek word for writing or hiding secret messages, and has been around for more than 2500 years. Digital steganography or “stego,” if used in the corporation by a digital fraudster, will hide whatever he or she can define. (Before you go to your keyboard and search for steganography, you never heard of it, right?) Stego is pure digital stealth that requires no assembly by the fraudster. This author has been directly involved in the investigation, detection and research of digital steganography in accounting and bankruptcy fraud. Beware of the use of stego software, because digital stealth files could be hiding anywhere. How is that done? Easily. Stego software will hide the digital information, which is often encrypted, inside normal-looking computer files. Consider that digital steganography was reportedly used in the planning of the 9/11 attacks by hiding messages in pornographic pictures placed on the Internet.

Digital Fraudsters

Stego may or may not be on your company's computer system, but how are you going to know for sure? Remember, its existence is invisible. If a streaming video or audio hid that second set of books for one of your subsidiaries, how will you know it? Does the fraudster need to hide spreadsheets, off-balance sheet accounts, and insider transactions? It's easy using stego. If you fail to discover that an employee who was using wireless technology and stego was continually taking and distributing your proprietary research and development, would the audit committee and board have a problem with that?

The digital fraudster only needs to define what digital information to hide using stego software. His or her most pressing issue is not to get caught. Remember, digital fraudsters are not going to leave a trail behind them if they can help it, and they have more than enough help with “covered writing” using steganography.

Digital fraudsters are often already inside the company, using computers and digital devices. If Willie Sutton were alive today, he would have the latest laptop (wireless, PCMCIA hard disk drive, USB flash drive, etc.) and PDA when he went to work. Modern-day fraudsters are ready, able and have easy access to your digital information (or know someone who does have access – so how long have you been using the same password?). All of the above is what the digital fraudster expects. This speaks to the detection of digital fraud in the enterprise, and when stego is being used, you probably don't want to wait to find out that it was flourishing on your watch (Sections 302, 404 and 409 of SOA).

Solution Found in Steganalysis

Hiding digital information is not limited to just stego. You also need to be aware of other digital hiding techniques, including encryption, alternative data streams, key loggers, and tool kits (not sold at Home Depot). Because of the almost unlimited potential for hiding digital financial data through steganography and other concealment techniques, it will be important to evaluate this potential threat to the business. Those involved with the integrity of financial reporting and digital information security should consider evaluating the risks related to steganography.

Steganalysis is the inspection of digital data to detect steganography. This process has as its foundation specific levels of review, and examination of the media is dependent upon the specific risks related to digital fraud facing the company. Additionally, the steganalysis will provide the necessary assurance that the CEO, CFO, Directors, attorneys, auditors and others involved with the business are not sleeping on the job and have complied with the Sarbanes-Oxley Act requirements related to internal controls.

The possibility that steganography could be hiding digital fraud presents an enormous challenge to almost every business. It was this necessity for awareness and detection of steganography in the workplace that prompted the author to host a steganography investigator-training course at the offices of the U.S. Secret Service in Brooklyn, NY, this past December.

However, without the latest in digital forensic stealth sleuthing technology on your side, you and your corporation may overlook the existence of steganography. The most widely used steganography detection software is self-regulated and is used by agencies such as the U.S. Secret Service, FBI and the U.S. Air Force. A detailed discussion of discovery of steganography and numerous other digital hiding techniques is beyond the scope of this article. However, the role of digital forensic accounting technology has taken on new meaning in the fight against corporate fraud.

Conclusion

Consider this article an early morning wake-up call regarding the potential for steganography in the company and the need to evaluate this threat as it relates to effective internal controls demanded under the Sarbanes-Oxley Act. The crux of any successful detection of steganography in the company will depend on the methodologies used to determine the investigative process and the experience of the digital forensic investigators with the detection of steganography.



Jack Seward New York [email protected]