Computers and Security, Vol. 17, No. 6
a data network remains secure and private unless a network operator is served with a legal warrant. Proponents of the plan said that the operator action technology offers a better alternative to key escrow. The new method allows law enforcement agencies to access data through a ‘private door’ rather than giving them the ‘house keys’, officials from the vendor group said. Law enforcement officials could get a search warrant and have a network operator access a network control switch that filters messages delivered over a private network or the Internet. Internet Week, July 20, 1998, p. 14.

Warning for UK authorities over data matching. The UK’s Data Protection Registrar, Elizabeth France, has voiced serious concerns about the actions of a number of local authorities who have demanded the wholesale disclosure of staff payroll information from local employers. The local authorities concerned seem to be acting in the mistaken belief that the Social Security Administration (Fraud) Act 1997 gives them an automatic right to this information. Although this Act allows the comparison of benefit and tax records held by local authorities, the DSS and some central government organizations in order to identify possible cases of benefit fraud, and does allow for local authority inspectors to conduct investigations where they may believe that someone has been attempting to commit benefit fraud, it does not give anyone the right to make other searches. Among the employers approached by local authorities are supermarkets, The Post Office, a central government department and a brewery. Mrs France said, “Wholesale data matching exercises are a major invasion of the private lives of people of whom no suspicion of any wrongdoing attaches. In passing the Fraud Act, Parliament has set down clear rules as to the circumstances under which their data may be matched. Employees have a right to expect that their employers will keep their personal data securely and not disclose them unless required to do so by law.” Computer Fraud & Security, August 1998, p. 2.

Firewalls aren’t failsafe, Frank Hayes. Ever since databases began to be stored in computer-readable form, it has been IS’s job to protect them. That doesn’t just mean managing the technology to protect the data. It means protecting data. The big news this year isn’t new security holes in TCP/IP or sendmail or Windows NT; the big news is that you don’t have to be a technology Dark Lord to breach firewalls, crash servers, and otherwise wreak havoc on corporate information systems. This year ‘social engineering’ is back in a big way. Take the example given by Ira Winkler of how he cracked a bank’s security using only a phone. First, he called an executive’s secretary, posing as a human resources employee, and grilled her for information on the executive. Then he called HR, posing as the executive whose identity he had just stolen, and talked a gullible employee out of a list of new employees and their ID numbers. Finally, he called the employees, posing as an IS employee, and talked dozens of them into divulging their log-ins and passwords. So if you’re going to protect data, you’ll have to start doing some social engineering of your own. Staff must not divulge key information to anyone they don’t know. Computerworld, August 10, 1998, p. 12.

Hacker defaces German pol site, Lisbeth D’Ar&). A hacker break-in caused havoc on the World Wide Web site of Germany’s centre-right Free Democratic Party (FDP). The unidentified hacker broke in to five servers that belong to the FDP, causing substantial damage. The servers had to be taken out of operation to be put right. The attack destroyed files that contained the FDP’s political credo, set up icons that led nowhere and scrambled the site’s hyperlinks so that they brought users to the home page of another German political party. Computerworld, July 20, 1998, p. 37.

Companies found guilty face criminal prosecutions, Badma ~hylcr. The Software Publishers Association (SPA) has decided to play hardball with software pirate corporations. It is now going to go for criminal prosecutions and make public the names of errant companies. According to a report released at the end of June by the SPA and the Business Software Alliance (BSA), 228 million of the 574 million new business software applications, or four in every 10 installed globally during 1997, were pirated. This represents an increase of two million more new applications being pirated than in 1996.
Abstracts of Recent Articles and Literature
Up to this time, the greater number of piracy cases, which often involve use of one copy of a program on multiple machines, were settled either by a fine or a confidentiality agreement. But now the group says it will begin pressing criminal charges and posting the names of the pirates. Peter Beruk, director of antipiracy efforts at the SPA, said, “I don’t like doing that, but if they want to keep ripping off our members, why should we treat them nicely?” Most software companies agree the small fines have not been much of a restraint on pirating. According to the BSA, Budget Rent a Car recently paid $403 500 to settle claims that the company had unlicensed software installed on its computers. This is the second time in less than one year that the BSA has announced a settlement. Profound, a North Carolina, USA distributor of online information databases, settled earlier this year with the BSA, to the tune of $150 000. In a voluntary audit of its computers, Budget Rent a Car divulged it had more copies of software programs than it had licenses to support. “The problem extends from small, local companies all the way up to international corporations with household names,” said Bob Kruger, BSA vice president of enforcement. “All companies must put software copyright compliance on their checklist of important issues to address.” Revenue losses to the worldwide software industry due to piracy were estimated at $11.4 billion in 1997, up from $11.2 billion in 1996. North America, Asia and Western Europe accounted for the majority, 84%, of revenue losses. By dollar losses to piracy, the US market was the worst at $2.7 billion, followed by China at $1.4 billion, then, rounding out the top 10, Japan, Korea, Germany, France, Brazil, Italy, Canada and the United Kingdom. “Software piracy continues unabated. We call on governments around the world to ratify the WIPO Copyright Treaty, which would provide much-needed remedies against software piracy tools,” said Ken Wasch, president of the Software Publishers Association. Computer Fraud & Security, August 1998, p. 3.

Novell remote security freebie now for sale, Laura DiDio. Novell Inc. has released a security package to help cut administration time and money by centrally managing remote network access via Novell
Directory Services (NDS). The Border Manager Authentication Service is an enhanced version of the RADIUS for NDS package. The software is based on the Remote Authentication Dial-In User Service (RADIUS) protocol, which ensures interoperability with RADIUS-compliant devices from remote access vendors, Internet Service Providers and firewall vendors. It adds centralized auditing and accounting, which will help businesses cut administration time. Computerworld, July 27, 1998, p. 54.

Encryption plan targets export restriction, Brett Mendel. They may no longer have the keys, but they can still come knocking on the door. This would be the case under the ‘private doorbell’ proposal offered by a group of 13 companies led by Cisco Systems. The initiative would replace the US Government’s current export policy, which requires compliance with the much-criticized ‘key escrow’. Such restrictions would be eliminated from US exports, while the Government would retain the ability to access suspicious data, similar to the Government’s method of wiretapping to eavesdrop on telephone calls. The plan, which involves features in existing hardware that let network administrators turn off network-level encryption, has users and experts fearful that this could open networks unnecessarily to both the Government and the unsavoury elements being kept out in the first place. Even if the group’s proposal alleviates the export restrictions on encrypted goods, proponents of the doorbell solution, by their own admission, say that it is only a partial answer to a complex issue. At the least, it is slightly more secure than key escrow, and, even at the network device level, it still encompasses the lion’s share of traffic. The proposal still leaves some users uneasy about the potential impact on the overall security of their networks. LANTimes, August 3, 1998, pp. 1, 9.

Security, management converge, Rutrell Yasin. The worlds of security and enterprise management have converged as Hewlett-Packard and Tivoli Systems have unveiled integrated packages designed to help administrators consolidate tasks. The two companies claim to be responding to user demand for tighter links between security tools and central management consoles. Analysts said that the consolidation makes