Encryption slow to catch on

I think knuckles. should do and this excepting theft of it very clear that the idea is to say this is what we think we is how we are going to do it. Now that's services which is obviously wrong. We made theft of services is a crime.

Q: How widespread do you think theft of services is?

A: The only indication I have is the GAO report of the Sandia Labs where they found that approximately a third of the staff were using the computer without authorisation and taking up 25% of the system storage.

Q: Is that typical, do you think?

A: I have no idea but I think it is widespread to some minimal extent.

Q: What are the priorities in your program?

A: First was getting the policy directive out, second looking for evidence of theft of tangible assets such as money being diverted, and then misuse of computer time.

Q: Does the City have an acceptable back-up plan?

A: Yes, I think so.

Q: Was the Directive issued at your initiative?

A: Yes. I drafted it and the Mayor signed it. I believe it is the first of its kind in the country.

Q: How does it compare with the Federal Privacy Act?

A: The Federal Privacy Act deals with personal data privacy. The Directive addresses theft of computer services and property rights in City-developed programs and data as well. Our emphasis is on prevention first and investigation after the fact second.

COMMENT: We believe for several reasons that the New York City EDP security program is a good example of getting solid results with a minimum of manpower:

1. The Mayor has taken the time to get involved and make clear what his expectations are.
2. Mr Moulton has been careful to get consensus from influential data processing managers before publishing his standards.
3. The program has been undertaken in a very positive way.

We expect that this program will yield positive benefits to the taxpayers in reduced losses. As the Index to the System Security Standards may suggest action areas to our readers we have arranged that complete sets of the Standards are available on request from the City of New York. Send $5.00 per set to: City Record Municipal Building, One Centre Street, Room 2223, NY 10007, USA, and request the System Security Standards, Revised 9/81. Overseas readers should enclose additional postage sufficient for 14 oz.

ENCRYPTION SLOW TO CATCH ON

For some years now industry experts have been predicting a massive expansion of the data encryption device market. Two years ago a user survey from International Resource Development Inc indicated that about one third of major users had set up some type of formal study group to look at the advisability of data encryption. The promulgation of the National Bureau of Standards' Data Encryption Standard (DES), coupled with the introduction of DES encryption equipment by IBM and other major vendors, had been expected to trigger interest in the use of such equipment. But few seem to have followed up this interest and the overall market for encryption devices, according to IRD's latest report Data, Text and Voice Encryption, is expected to remain relatively small, reaching some US$180 in 1991, compared with the current US$70 level.

Little change in ten years

The new IRD study indicates that most of the encryption activity is attributable to the military, the oil companies and certain other well-defined user activities - "pretty much the same folks that were using encryption techniques ten years ago". As can be expected, banks rank high in the 'other users' category, with the use of encrypted data transmission on automatic teller machines being the main applications area. In view of the (small) size of the existing and projected markets it seems surprising that no less than eight semiconductor vendors have introduced DES chips or chip sets. With an expected annual market by 1991 of only 10 000 chips it would appear that there is little to interest IBM (who already report disappointing sales of their 3845 and 3846 DE devices) or Motorola, and that the smaller, specialty vendors such as Datotek, Controlonics, Technical Communication Corp and Mieco will maintain their position in the marketplace. For further information contact IRD Inc, at 30 High Street, Norwalk, CT 06851, USA.

PASSWORD BREAKING

Computer Freaks have hit upon what they claim to be an effective way of breaking passwords to online computers with dial-up access. Recent penetration success includes the database of one large computer hardware manufacturer. This holds records of all the faults reported by their engineers and includes details of problems, their repercussions and methods of correcting them; all good stuff that enables the freaks to freak out even further. It seems that the old dodge of entering small programs that divide '0' by negative 1 into other people's computers, thus locking everyone else out, has been superseded by even greater wheezes, based on knowledge of confidential engineering information. The victim of the latest caper was not prepared to talk about the alleged incident (as they said, "if, indeed there was such an incident"), but informed sources told us that the database has to be freely available over dial-up lines so that engineers can access it directly from customers' premises.

Offer to swap

One person we spoke to who said his nom de plume was 'Freak' claims to have more than 100 numbers of computer dial ports, ranging from banks to motor spares suppliers and local government. He was not prepared to tell us exactly what numbers he has although he did offer to do a swap on a one for one basis! He claims to have programmed his microcomputer to dial ten of his hundred numbers in sequence. On each connection the micro generates a random password. If it is successful the machine

Volume 4 Number 2

© Elsevier International Bulletins