- Email: [email protected]
Hacking bill widens police powers
Computer Fraud & Security Bulletin
June 1990
A$750 for gaining access to a computer without lawful authority. While working for a computing company the accused had copied business record systems without permission from his employer. During the trial the defence argued that the computer trespass law could be viewed in the same light as ordinary trespass, where it was necessary to prove not merely that the incident had happened, but also that there had been criminal intent. If this distinction was not drawn with equal force in the case of computer trespass, then thousands of schoolchildren and employees going about their business could be breaking the law. The magistrate, however, disagreed: the law clearly applied in this case and was not confined to cases where there was clearly criminal intent, such as theft. He held that the law had been enacted precisely because of the harm done by mere access, and that prosecutions such as the one before the court were necessary because they involved programs of great value. Nonetheless, the magistrate conceded that the application of the computer trespass law would require common sense. Frank Rees
Virus epidemic disrupts India Indian newspapers, university departments, software developers, military bases and banks are all suffering the depredations of computers viruses, according to a recent report in Asia Technology. One large corporation in Bangalore lost nearly all its data and had to shut down for three days to remove the offending virus. Unfortunately, the company did not keep replacement back-ups of the files and is having to rebuild its data from scratch. The Independent of Bombay, an up-market daily produced entirely on computer, was crippled for six hours last December. A badly written modification of the Jerusalem virus didn’t destroy any files, but locked up the system and
corrupted the Indian-made software. Engineers at the newspaper offices say the virus was loaded onto the system from bootleg floppy disks containing computer games. The 7 December issue of the newspaper eventually appeared containing only eight rather than the usual 16 pages. Earlier in the year a virus called Ashar erased files and corrupted data at the University of Delhi’s department of physics and astrophysics, and at the Indian Institute of Technology in Delhi. Ashar, a word that has no known meaning in India, is thought to have originated at the university itself. Another virus, the Pakistani Brain, had previously caused havoc at the navy’s Southern Command headquarters at Vishakhapatanam. Other places to be affected have included two Bangalore computers schools, a bank and a major software company in Bombay. The software house had to withdraw a financial accounting package from the market for two weeks when it discovered that a virus had infected the disks, including the master copies. To counter the epidemic, the National Association of Software & Service Companies has launched a set of 14 vaccines, the first such software to be distributed in India. NASSCOM members receive the set free, and non-members can also purchase the software for the nominal fee of $5.40. Vijay Mukhi, one of programmers who developed the vaccines, claims that India has so far got off very lightly. “Luckily, most computers in India are stand-alone systems,” explains Mukhi, “with networks, the spread of viruses could have been much faster.” This advantage appears to be only temporary, as at least two nationwide networks are now being organized in India.
Hacking bill widens police powers The UK Government’s proposed Computer Misuse bill has been amended to allow police t0
01990 Elsevier Science Publishers Ltd
June 1990
enter and search premises where hackers are suspected to be working. The amendment, which was supported by the Government, means that police can now obtain a warrant from a Justice of the Peace which will allow entry, search and seizure. Previously, the police would have had to arrest the suspects before having these powers. Emma Nicholson MP proposed further amendments to give the police much wider powers and to link the Bill to the Police &Criminal Evidence Act and the Interception of Communications Act, which deals with electronic eavesdropping. She also attempted to give British Telecom and Mercury, the telecommunications duopoly, a legal obligation to assist police in investigations. None of these extra amendments was accepted by the interparty committee of 18 MPs which is working on the Bill. Other questions raised at the committee stage of the Bill include the definition of a computer, compensation for victims of hacking and the scope of the offences. The Bill will next pass through the report stage and will then get a third reading, which will give Parliament a chance to debate the issue further. If it is then passed into law, police forces around the country will have to assess their ability to respond to this new type of crime. New Scotland Yard in London has already agreed to double the numbers of officers in its Computer Crime Unit if the .anti-hacking legislation is passed. Unfortunately this only means that the unit will grow from four investigators to a grand total of eight. Detective inspector John Austin, who heads the unit, admits that he is already stretched to investigate the most major computer crimes that occur in London. One case that the unit is currently working on is the extradition of Dr Joseph Popp from the US. Popp was arrested earlier this year in connection with the mailing of the AIDS blackmail disk to 20 000 PC users last December. The disks were mailed from various locations around south west London.
01990 Elsevier Science Publishers Ltd
Singapore tackles computer crime Singapore is to introduce new legislation to combat computer crime, including hacking, sabotage, theft of data or services, and the introduction of viruses. The new laws are being drawn up following recommendations made in a recent report by an interministerial committee which has been looking into the problem. The committee, which was set up by the government in response to external lobbying, consisted of representatives from the country’s Criminal Investigation Department, the Commercial Crime Division, Attorney General’s Chambers, the Auditor General’s Office, the National Computer Board and the Monetary Authority of Singapore. The report is currently being distributed to public and professional bodies for comment. More detailed proposals will then be put to the Cabinet by the Minister for Law and Home Affairs, Professor S. Jayakumar. Professor Jayakumar, in reply to a series of questions from MPs, said that he hoped to see the legislation enacted during the course of the year.
Hacker flaunts E-mail decryption An unidentified hacker has caused a serious security breach for an estimated 400 000 users of cc:Mail, a popular E-mail program for LANs, that is marketed by CC:Mail, Inc., of California. According to a report in the US newspaper Computerwodd, the problem was discovered when the hacker posted the utility on an electronic bulletin board run by Hayes Microcomputer Products. The utility, which is described as “quite sophisticated”, allows a hacker to break the encryption on an E-mail message in under 10 minutes. The current version of the E-mail program contains a single encryption key and only one security level. CC:Mail is now stepping up plans to release a new version of its software, which will include
3
June 1990
A$750 for gaining access to a computer without lawful authority. While working for a computing company the accused had copied business record systems without permission from his employer. During the trial the defence argued that the computer trespass law could be viewed in the same light as ordinary trespass, where it was necessary to prove not merely that the incident had happened, but also that there had been criminal intent. If this distinction was not drawn with equal force in the case of computer trespass, then thousands of schoolchildren and employees going about their business could be breaking the law. The magistrate, however, disagreed: the law clearly applied in this case and was not confined to cases where there was clearly criminal intent, such as theft. He held that the law had been enacted precisely because of the harm done by mere access, and that prosecutions such as the one before the court were necessary because they involved programs of great value. Nonetheless, the magistrate conceded that the application of the computer trespass law would require common sense. Frank Rees
Virus epidemic disrupts India Indian newspapers, university departments, software developers, military bases and banks are all suffering the depredations of computers viruses, according to a recent report in Asia Technology. One large corporation in Bangalore lost nearly all its data and had to shut down for three days to remove the offending virus. Unfortunately, the company did not keep replacement back-ups of the files and is having to rebuild its data from scratch. The Independent of Bombay, an up-market daily produced entirely on computer, was crippled for six hours last December. A badly written modification of the Jerusalem virus didn’t destroy any files, but locked up the system and
corrupted the Indian-made software. Engineers at the newspaper offices say the virus was loaded onto the system from bootleg floppy disks containing computer games. The 7 December issue of the newspaper eventually appeared containing only eight rather than the usual 16 pages. Earlier in the year a virus called Ashar erased files and corrupted data at the University of Delhi’s department of physics and astrophysics, and at the Indian Institute of Technology in Delhi. Ashar, a word that has no known meaning in India, is thought to have originated at the university itself. Another virus, the Pakistani Brain, had previously caused havoc at the navy’s Southern Command headquarters at Vishakhapatanam. Other places to be affected have included two Bangalore computers schools, a bank and a major software company in Bombay. The software house had to withdraw a financial accounting package from the market for two weeks when it discovered that a virus had infected the disks, including the master copies. To counter the epidemic, the National Association of Software & Service Companies has launched a set of 14 vaccines, the first such software to be distributed in India. NASSCOM members receive the set free, and non-members can also purchase the software for the nominal fee of $5.40. Vijay Mukhi, one of programmers who developed the vaccines, claims that India has so far got off very lightly. “Luckily, most computers in India are stand-alone systems,” explains Mukhi, “with networks, the spread of viruses could have been much faster.” This advantage appears to be only temporary, as at least two nationwide networks are now being organized in India.
Hacking bill widens police powers The UK Government’s proposed Computer Misuse bill has been amended to allow police t0
01990 Elsevier Science Publishers Ltd
June 1990
enter and search premises where hackers are suspected to be working. The amendment, which was supported by the Government, means that police can now obtain a warrant from a Justice of the Peace which will allow entry, search and seizure. Previously, the police would have had to arrest the suspects before having these powers. Emma Nicholson MP proposed further amendments to give the police much wider powers and to link the Bill to the Police &Criminal Evidence Act and the Interception of Communications Act, which deals with electronic eavesdropping. She also attempted to give British Telecom and Mercury, the telecommunications duopoly, a legal obligation to assist police in investigations. None of these extra amendments was accepted by the interparty committee of 18 MPs which is working on the Bill. Other questions raised at the committee stage of the Bill include the definition of a computer, compensation for victims of hacking and the scope of the offences. The Bill will next pass through the report stage and will then get a third reading, which will give Parliament a chance to debate the issue further. If it is then passed into law, police forces around the country will have to assess their ability to respond to this new type of crime. New Scotland Yard in London has already agreed to double the numbers of officers in its Computer Crime Unit if the .anti-hacking legislation is passed. Unfortunately this only means that the unit will grow from four investigators to a grand total of eight. Detective inspector John Austin, who heads the unit, admits that he is already stretched to investigate the most major computer crimes that occur in London. One case that the unit is currently working on is the extradition of Dr Joseph Popp from the US. Popp was arrested earlier this year in connection with the mailing of the AIDS blackmail disk to 20 000 PC users last December. The disks were mailed from various locations around south west London.
01990 Elsevier Science Publishers Ltd
Singapore tackles computer crime Singapore is to introduce new legislation to combat computer crime, including hacking, sabotage, theft of data or services, and the introduction of viruses. The new laws are being drawn up following recommendations made in a recent report by an interministerial committee which has been looking into the problem. The committee, which was set up by the government in response to external lobbying, consisted of representatives from the country’s Criminal Investigation Department, the Commercial Crime Division, Attorney General’s Chambers, the Auditor General’s Office, the National Computer Board and the Monetary Authority of Singapore. The report is currently being distributed to public and professional bodies for comment. More detailed proposals will then be put to the Cabinet by the Minister for Law and Home Affairs, Professor S. Jayakumar. Professor Jayakumar, in reply to a series of questions from MPs, said that he hoped to see the legislation enacted during the course of the year.
Hacker flaunts E-mail decryption An unidentified hacker has caused a serious security breach for an estimated 400 000 users of cc:Mail, a popular E-mail program for LANs, that is marketed by CC:Mail, Inc., of California. According to a report in the US newspaper Computerwodd, the problem was discovered when the hacker posted the utility on an electronic bulletin board run by Hayes Microcomputer Products. The utility, which is described as “quite sophisticated”, allows a hacker to break the encryption on an E-mail message in under 10 minutes. The current version of the E-mail program contains a single encryption key and only one security level. CC:Mail is now stepping up plans to release a new version of its software, which will include
3