September 1991
network has an equivalent but unrelated system for routing calls between switches in different parts of the country. Some experts suggest that more telephone disruptions and software-related failures will occur in the future. “The number of problems is increasing”, says Dolores R. Wallace of NIST. “We know there are a lot of things out there waiting to happen.” The Federal Communications Commission of the US Government is assembling a special investigative team to deal with any future software faults which disrupt the telephone networks.
Computer declares woman dead three times

The US Social Security Administration (SSA), which administers US Government payments to retirees, the disabled and Medicare participants, has demonstrated an unhappy willingness to periodically declare some of its still-living benefits recipients dead. This time, however, it has done so for the third time to the same person. The subject of this repeated error is Katherine Estelle Ward, a 65-year-old widow from Madison, TN, who is very much alive. The SSA computer system declared her dead for the third time on 28 December 1990. (The first two times had been in 1983 and 1987, respectively, when Ward’s first and second husbands died.)

This type of SSA data processing error does more than just distress the beneficiary, who is usually an elderly retired person or handicapped individual. The computer fault can cause this person serious financial problems. The program that issues what SSA calls a death determination also sends notices of its action to the affected person’s relatives, insurers, private pension administrator and bank. In an attempt to reclaim benefits purportedly already paid, this program also issues an attachment order that blocks the individual’s access to needed funds. Typically it will take upwards of 90 to 150 days to have the attachment order withdrawn by the SSA and the funds restored to the beneficiary.
©1991 Elsevier Science Publishers Ltd
Computer Fraud & Security Bulletin
During these weeks the affected individual is usually unable to pay for food, housing and medical care. The SSA has proven to be reluctant to admit to making an error and offers no compensation for the financial problems that its action may have caused. And, unfortunately, the US Court System provides no relief for someone harmed by this type of Federal Government agency error.

Belden Menkus
Bombs destroy computer system

Malcolm Gardner, computer services manager with Tendring District Council near Clacton-on-Sea, UK, was fined £9000 damages for sabotaging an ICL Series 39 system with a ‘time-bomb’. Gardner blamed pressure of work for his actions. He commented, “I’d had enough. I was running up the hours and stressed, and I was fed up with the system security.” He had written the bomb on a Sunday after handing in his resignation and it went off on a Bank Holiday, destroying Sysman system manager, rates, HBIS housing benefits and Comcis community charge software. Gardner says that he had constantly warned that system security was not tight enough. “I told the staff that if I left I would plant a time-bomb. They should have noticed the program in the job schedule. It could have been a flashing neon sign. I even asked them if they had anything to ask me about the schedule, but no-one noticed it,” he says.

The same trick worked even less well for Michael Lauffenburger, a former employee of the General Dynamics Space Systems Division plant in San Diego, USA. Lauffenburger has been arrested and accused of creating a virus which was intended to destroy large parts of data in the US government’s Atlas Missile Program. Police said that Lauffenburger felt he had not been given sufficient recognition in his work for the company, and he had planned to resign from his job and then return as a highly paid consultant in order to repair the damage caused by the
‘bomb’. The malicious program, called Cleanup, was uncovered when a General Dynamics employee found he was unable to access certain files, discovered the logic-bomb and deactivated it. Lauffenburger is charged with unauthorized access of a federal-interest computer and attempted computer fraud.
Marksdata Computer Ltd has announced a virus protection board to prevent and detect viruses. Supreme Shield HX008 scans the PC BUS to monitor the status of the PC, and triggers if abnormal changes occur. It is compatible with IBM PC/XT, AT, 286, 386 and networks thereof. For more details contact Marksdata on +852 728 9287 or fax +852 728 9891.
Marketplace

Unix System Laboratories Inc (USL) has challenged selected system vendors and major corporations to put the new security features of Unix System V Release 4 to the test. Those who accept the challenge will be given dial-up logins on an AT&T 3B2 computer running the system, and must then demonstrate that they have achieved one of the following: (a) Read/Write a secure file, (b) Execute an unauthorized program, or (c) Downgrade Read/Write authorizations on a secure file. “The security paradigm will shift in the 1990s from mainly physical approaches to more reliance on software security,” said Roel Pieper, executive vice president at USL. “And the foundation of software security is an inherently secure operating system. Only in this way can you be sure that the people, data and programs in a distributed system interact in a disciplined and secure environment.” The source code for AT&T 3B2 is now generally available to industry vendors. Source code for the Intel 386/486 and additional processors will be announced by USL at a later date. For more information contact: Dick Muldoon on +1 908 522 6274.

Micronyx has been awarded certification to UK level 2 for its Trispan secure workstation management system under the national IT security evaluation scheme run jointly by the Communications & Electronics Security Group (CESG) and the Department of Trade & Industry. Confidence rating UKL2 is the highest level of certification awarded to a PC product to date. Trispan is the only PC security product to have achieved this level. The evaluation of version 1.1213 of Trispan was performed by Logica, one of the two evaluation centres appointed under the scheme. For more information contact Louis Oley on +44 (0)908 604152.
CONFERENCE REPORT
Privacy Laws & Business Conference

This conference took place from 2nd to 4th July at Jesus College, Cambridge, UK, in the extremely atmospheric setting of a marquee tent on the verdant Backs of the River Cam. With the sun streaming through the canvas, the UK Data Protection Vice-Registrar, Francis Aldhouse, began the first morning session with a rundown of the major issues concerning data protection in the UK. Problems with the EC draft directive, and the resulting discussions of the various national Registrars, featured prominently here. Indeed, the directive tended to dominate the entire conference. Other topics included an overview of the legal actions taken by the Registrar so far, and the confidentiality of health records with the increasing computerization of the Health Service. A valiant attempt to display slides was, however, doomed in the bright light of the marquee.

This session was followed by a less than constructive review of the implications of the EC draft directive on the UK, presented by Philip Stevens from the UK Home Office, who felt that implementing the directive would be too complex and costly. There followed a rather muted reply by Ulla Ihnen of the European Commission, who emphasized that the business impact of the directive continued to be an important consideration. A more robust view was taken by an Australian member of the audience, who commented that the UK had a lot to learn about respecting the privacy of its citizens.