Computer Fraud & Security Bulletin
60% from the amount reported in the previous year and almost double the figure attributed to US credit card fraud in 1989. However, the Nilson Report estimated that $784 million should have been added to the reported 1991 loss to give a true figure for the overall fraud experience. This loss was largely accounted for by fraud-related card holder bankruptcies and by various types of fraudulent activities by the merchants who accept credit cards. Commonly, these losses are buried in the statistics disclosed by the card issuers for nonpayment of outstanding receivables. Mastercard and Visa experienced almost two-thirds of the overall US credit card fraud loss, according to the Nilson Report account.
September 1992
Angeles City Government Data Processing Center. Its staff worked under Police guard during the riots. Third shift Center workers were prevented by a Citywide curfew from reporting to work. This forced other staff members to work 12-hour shifts for several days. The Center's seven PDP-11/70s were reportedly overloaded by thousands of reports of looting, assault, and arson. Data on riot and looting arrests were transferred to the Los Angeles County computer facility. During the rioting the telecommunication links were lost between the City Water Department's downtown data center and the Department's offices in South Central Los Angeles, where most of the rioting was centered.
Belden Menkus
Belden Menkus
Belgium opts for electronic voting
The Belgian government has decided to extend its trial of electronic voting machines for use in general and regional elections. The decision follows an embarrassing re-allocation of seats in the general election at the end of last year, after the discovery of software errors in programs distributing seats in Belgium's complex proportional voting system. In two separate incidents untested software, from IBM and an Antwerp based software house, allocated seats to the wrong parties. The mistakes were discovered by manual checks. The errors seem not to have diminished Belgian enthusiasm for computerizing its elections.
Paul Gannon
Riots raise new contingency issues
Many Los Angeles area computing facilities were forced to limit their operations during the May riots that followed the verdict in the Rodney King police brutality trial. The most extreme situation appears to have been that of the Los
First states implement EC software copyright directive
In both Germany and the Netherlands, the governments have presented legislation implementing the EC's directive on software copyright, agreed by the Council of Ministers last year. In both cases the text follows closely the EC's directive, which gives software protection as 'literary work'. All member states are required to implement legislation by the end of this year. The wider influence of EC legislation on computer issues is demonstrated by Austria, not yet an EC member. It is also legislating over software copyright, and its draft legislation follows the EC directive almost word for word. The Business Software Alliance, meanwhile, has called for a toughening of Europe's customs laws to prevent the importation and sale of pirated software. The BSA claims that piracy in Europe costs its members $6 billion a year in lost revenues. Pirated software is sold, sometimes by organized crime syndicates, through standard distribution outlets. The group claims that a warehouse raided in Italy earlier this year held 200 000 pirated software disks and associated documents such as user manuals. The company that owned the store, one of the largest PC
©1992 Elsevier Science Publishers Ltd
software companies in Italy, showed sales of $1a million in the previous month. The BSA wants tougher seizure laws at EC borders.
Paul Gannon
US benefits subject to multiple frauds
Multiple thefts of benefits funds have been discovered at the US Department of Veterans Affairs' Philadelphia benefits processing facility. Two incidents blamed on poor internal controls have been disclosed, but informed sources indicate that the overall problem is much larger. Both of the workers involved in the reported incidents have been prosecuted successfully. Both events stemmed from a failure to enforce conventional separation of duties and to check the prior work experience and criminal records of these individuals before they were employed. One person had been prosecuted by a former employer before joining the VA staff. The other individual had been involved in criminal drug-related activities. The two reported frauds involved more than $426 000. One scam went undetected for more than three years. The fraudster created fraudulent insurance policy records in the facility's master database, included his own address for each policy, mailed 157 dividend payments to himself, and eventually deleted the policy records. The other scam was more straightforward. This perpetrator simply changed the addresses on legitimate policies and sent the dividend payments to an accomplice.
Ampersand Typesetters, which he claimed owed him £2000 in fees, tampered with the computer to deny people access to company information without a specific password. The judge heard that his lock-out cost the company £36 000 in lost business and an additional £1000 for the services of a computer expert. Goulden, who pleaded guilty under section three of the Act, which enables criminals to be imprisoned for up to five years, was fined £1650 and given a conditional discharge. The judge told him, "What you did was at the very lowest end of seriousness". Ampersand went out of business last year.
Marketplace
A new information security group is being formed in the UK. It aims to be an independent, unaligned group for individuals in the information security profession. Its specific objectives are:
• to provide a forum for security issues of interest to UK based industry and commerce;
• to stimulate solutions to information security problems;
• to foster liaison with other relevant organizations, especially in Europe;
• to inform members of relevant European legislation, regulations and standards, and of the activities of other information security organizations; and
• to provide members with early warning of security vulnerabilities.
Belden Menkus
UK Act fails prosecutors again
At another test case in the UK courts, the UK Computer Misuse Act has again failed to become a major deterrent to hackers, according to a recent report in ISM. Richard Goulden, a freelance typesetter with a grudge against
The group is called the Independent Information Security Group (IISyG). It intends to publish a series of information sheets and a quarterly newsletter, and has already established working groups on Risk Analysis, Data Ownership and Information Security and Society. All input is welcome. For further information