Computer Fraud & Security Bulletin
users and manufacturers are not facing up to their responsibilities and taking adequate steps to secure the data stored on their machines. “We believe that the Law Commission’s vision has been limited and only represents a small step towards solving the problem,” he continues. “It should become a legal responsibility for computer users to take adequate steps to secure the data held on
December 1989
MARKETPLACE

SWIFT has recently released SURE (SWIFT User Risk Evaluation), an auditing software package for SWIFT systems. The package is based on RiskPAC and runs as an automated questionnaire on MS-DOS or PC-DOS version 2.0 or higher. For further information contact the Chief Inspector’s Office in Belgium on +32 2 655 31 11.
their systems. The Data Protection Act was one step in this direction. We should go further.” The UK’s Data Protection Registrar, Eric Howe, has already said that he would oppose moves to declare illegal hacking that does not involve theft or deception. “An offence should
Data Innovation - part of the Zergo Group - launched a new addition to the CG500 host security modules at Compsec 89. The CG510-VSM is a revised VISA security module aimed at ATM and EFTPoS networks, using smartcard technology for high level key management. For more information contact Robert Peters on +44 734 441349.
be related to an intent by the hacker to gain some advantage for himself or another, or to damage another person’s interests,” Howe says. “I believe it would be wrong to criminalize those who have no criminal intent and create no hazard.” Importantly, the Commission rejected submissions that the rules governing the admissibility of computer print-outs as evidence were too strict. The Commission replied “We see no reason for exempting the prosecution from the requirement imposed by section 69 of showing that the computer was, apart from the alleged interference of which evidence will be given, otherwise operating properly.” However, legal precedents were set last December when two convictions, based on the evidence of computer print-outs, came to the Court of Appeal. In R vs Minors, the print-out was a building society account. In R vs Harper, a list of lost travel cards. Neither print-out was held to be admissible by the Court of Appeal, because the prosecutions had not shown that the conditions of section 69 had been met. By contrast, if a litigant alleges that an ordinary paper document is inaccurate, it is left up to the court to decide its admissibility.
Westinghouse Management Systems in the UK has announced a highly advanced security system for IBM mainframes called NC-PASS. The company claims that the product is the first IBM mainframe security software designed to support physical identification devices, or ‘tokens’, from a variety of vendors. The product is designed to fully integrate with other VTAM products in the Westinghouse range and to interface with products such as RACF and ACF2. NC-PASS is available from Westinghouse for both MVS and VM operating systems and prices start at £10 000. For more information contact David Hart on +44 1 951 1615. Computer Security Ltd of Brighton, UK launched three new security products at this year’s Compsec exhibition: PC-GUARD version 2.0; the S4000 - an access control system for dial-up networks; and the S25 smartcard - for use with CSL’s S7000 crypto-controller. For more information contact Mark Hope on +44 273 672191. Delphius Network Management in the UK has introduced a new network controller, Turnstyle, which acts as an electronic library from which programs may be checked out for use. When all copies are in use Turnstyle will
©1989
Elsevier Science Publishers Ltd
prevent further access from other terminals, thus preventing infringements of software licenses. Turnstyle will operate on the four major LAN networks: Novell Netware, 3Com 3+, IBM and Banyan VINES. For more information contact Colin Milne on +44 798 5644.
was mostly due to the imminent triggering of the Datacrime virus - Friday 13 coincided with the last day of the conference. Wednesday afternoon’s virus workshop was therefore particularly timely, with Hans Gliss, Fred Cohen and Jan Hruska leading the discussion.
Tulip Computers has developed the System Control Manager (SCM) facility which controls the PC’s operation independently of the operating system. It provides passwording security as well as system security such as keyboard lock, system reset and power on/off features. Systems supplied with SCM also get a CPU case lock and a protective metal casing over the on/off switch and power cord. For
Elsewhere, a seminar on resilience planning was given by the consultancy firm Touche Ross. They have found that most organizations consider disaster planning too late in the development cycle, and consider only the backup arrangements and recovery plan. Touche Ross propose that disaster recovery should be considered at the system design stage, and should also consider impact reduction and prevention. It is then possible to build considerable resilience into the systems architecture, which would reduce the impact of a disaster, enabling the organization to continue processing, albeit on a reduced scale.
more details contact Andy West on +44 293 562323. MGB Computer Services Ltd have recently developed the Dial-back Security Controller. Two log-on ports allow the user to input password and ID, which are then checked against user details stored in the system. The system is not connected to the host mainframe, so users cannot access the host data. The system has been developed with three log-on methods, interactive for either asynchronous or SNA/SDLC users, or voice response. This allows it to be operated in a network, where a variety of protocols are in use. For more information contact Georgina Heathcote on +44 442 212511.
COMPSEC ’89
The sixth annual Computer Security Conference was held jointly this year with the EDP Auditors Association’s European Conference, and took place in London, UK in mid-October. Apart from being the largest security conference held in Europe for some years, it was also notable for the number of TV crews present. The unusual media interest
A keynote address by Rod Perry, director of the Information Systems Security Group at Coopers & Lybrand, covered “Information systems security - the challenge for Europe”. Many findings from a Europe-wide survey of top companies and their security procedures revealed a great divergence in computer security awareness. But a big shift has occurred in the last two to three years as more companies have started to become concerned with the issues involved. Most significantly, the survey revealed that all companies have significant pockets of weakness. Although each was strong in some areas, everyone could learn from each other. There is, however, a need for a generally accepted definition of information systems security to ensure objectives can be clearly set. Above all is the need for businesses to ensure that security is no longer viewed as an overhead but as a part of efficient information processing. Sally Meglathery, director for information systems security, contingency planning and EDP auditing at the New York Stock Exchange, spoke on audit and security in a global trading market. The problems of internationalization with the growth in telecommunications and the changes to the business environment were